Nmap Development mailing list archives

Re: Replacing passwords.lst

From: Ron <ron () skullsecurity net>
Date: Fri, 5 Mar 2010 09:19:19 -0600

On Thu, 4 Mar 2010 22:27:16 +0000 Brandon Enright <bmenrigh () ucsd edu>
wrote:

Ron, what percentage of the PHPBB password would we crack with the
current 200 versus your new suggested 200?  Do we see a similar
increase?

Surprisingly, there doesn't seem to be a strong correlation between the rockyou passwords and the phpbb passwords. The 
top 500 phpbb passwords almost all appear somewhere on the rockyou list, but there doesn't appear to be a strong 
correlation between the rankings. That being said, the top 1000 Rockyou.com passwords would crack 742 phpbb passwords. 
The passwords just aren't in the top 1000 phpbb passwords -- they're all over the place. 

I think the problem is the scales. phpbb only has 30,000 or so passwords (correct me if that's wrong), so it isn't a 
huge statistical base. Rockyou.com, on the other hand, had 33,000,000 passwords, 1000x more, which gives a much better 
base for statistics. 

Anyway, enough talking, I'll give some raw numbers. I took the stats as, "The top X Rockyou.com passwords would crack Y 
phpbb passwords" -- this doesn't take volumes into account. 

Rockyou_PWs  Cracked_phpbb
10           9
100          93
200          182
500          413
1000         742
5000         2118
20000        3583
50000        4492

Note that these aren't 100% perfect, I had to fudge things a bit (like remove passwords that looked like wildcards and 
play with the case a bit), but it's pretty close.


Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAkuQM84ACgkQqaGPzAsl94IaDACbBsOyLQiXpnoyFClRaPSBy1h2
1IcAmgIGl2eLOamJz7S0piBqS6VDalT8
=3krT
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/



-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Replacing passwords.lst Ron (Mar 04)
- Re: Replacing passwords.lst Brandon Enright (Mar 04)
  - Re: Replacing passwords.lst Ron (Mar 05)
    - Re: Replacing passwords.lst David Fifield (Mar 05)
    - Re: Replacing passwords.lst Brandon Enright (Mar 05)
    - Re: Replacing passwords.lst Brandon Enright (Mar 05)
    - Re: Replacing passwords.lst Ron (Mar 05)
    - Re: Replacing passwords.lst Kris Katterjohn (Mar 05)
    - Re: Replacing passwords.lst Ron (Mar 05)
    - Re: Replacing passwords.lst Brandon Enright (Mar 05)
    - Re: Replacing passwords.lst Fyodor (Mar 06)
    - Re: Replacing passwords.lst Ron (Mar 06)
    - Re: Replacing passwords.lst David Fifield (Mar 06)

(Thread continues...)