Nmap Development mailing list archives

Re: [nmap-svn] r12027 - nmap/docs


From: Fyodor <fyodor () insecure org>
Date: Sat, 7 Feb 2009 14:11:51 -0800

On Sat, Feb 07, 2009 at 03:23:17PM -0600, Ron wrote:
+o Get better password data for unpw
+  o perhaps from Solar Designer.
+  o perhaps add phpbb hack data (there is at least a list of 28,635
+    passwords in phpbb_users.sql, and possibly more in other files.
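
Review bot: the parenthesis opened at "(there is at least" in the phpbb item is never closed, and the item does not say which part of phpbb_users.sql would go into the unpw data. Suggest closing it after "in other files" and stating that only the password strings are to be imported, without usernames or e-mail addresses.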

> I put together a list of password lists on my wiki[1], the most
> interesting one being the list of phished MySpace passwords, ordered by
> the frequency of use. Might be worth looking at that one, too.

Nice.

> I'd like to add phpbb_users.sql to my list, does anybody know where I
> can get a copy of it (or does anybody have a unique username/password in
> the list that I can google for:) )? (the links I've seen have been taken
> down)

I don't want to publicly post all the files, because I'm sure many
users use the same password for their email and other accounts.  But a
list of just how many times each password was found doesn't hurt
anything.  So I placed such a list here in this temporary directory:

http://insecure.org/tmp/c/phbb-top-pw.txt

Of course my not posting the full files does little considering anyone
can get it from The Pirate Bay (search for phpbb).

I think these 28,635 passwords are just the easiest ones for the
hacker to crack.  So they are biased toward lame passwords.  We could
likely create a better file with some password cracking effort.
Though we might want to wait a month or more before posting any
results from such an effort, so the victims have more time to change
their passwords.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org