Nmap Development mailing list archives

Re: Replacing passwords.lst


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 5 Mar 2010 19:00:17 +0000

Speaking of crappy phone, sorry for the premature post.

What I was trying to say is that even if there isn't much overlap between PHPBB and RockYou, I'm not entirely convinced that just because RockYou is bigger it is a more representative list of passwords.

Let's use a third list such as the MySpace list.  That is:

* What % of the MyS list would be cracked by the topN RY list?

* And the same for the PHPBB list topN?

* Does weighting the lists, say 80/20 from RY and PHP, do better than each individually?

* What about throwing the John list in there too? SolarD says the list is pretty high quality.

I certainly want us to ship the "best" list but I don't think a single dataset alone is going to be the best we can do.

I have another idea for how to measure the relative quality of the lists but it involves math that I haven't fully thought through and is too complicated to type on a phone.

Brandon


Sent from my phone. If you would like a digital signature of this message let me know and I'll sign it later.

On Mar 5, 2010, at 18:50, Brandon Enright <bmenrigh () ucsd edu> wrote:

Sorry for the top-post, I'm on a crappy phone. I was thinking the same as what David asked below. Also, Ron, I think you have shown that there isn't much overlap


Brandon


Sent from my phone. If you would like a digital signature of this message let me know and I'll sign it later.

On Mar 5, 2010, at 18:46, David Fifield <david () bamsoftware com> wrote:

On Fri, Mar 05, 2010 at 09:19:19AM -0600, Ron wrote:
On Thu, 4 Mar 2010 22:27:16 +0000 Brandon Enright <bmenrigh () ucsd edu>
wrote:
Ron, what percentage of the PHPBB passwords would we crack with the
current 200 versus your new suggested 200?  Do we see a similar
increase?
Surprisingly, there doesn't seem to be a strong correlation between the rockyou passwords and the phpbb passwords. The top 500 phpbb passwords almost all appear somewhere on the rockyou list, but there doesn't appear to be a strong correlation between the rankings. That being said, the top 1000 Rockyou.com passwords would crack 742 phpbb passwords. The passwords just aren't in the top 1000 phpbb passwords -- they're all over the place.

I think the problem is the scales. phpbb only has 30,000 or so passwords (correct me if that's wrong), so it isn't a huge statistical base. Rockyou.com, on the other hand, had 33,000,000 passwords, 1000x more, which gives a much better base for statistics.

Anyway, enough talking, I'll give some raw numbers. I took the stats as, "The top X Rockyou.com passwords would crack Y phpbb passwords" -- this doesn't take volumes into account.

Rockyou_PWs  Cracked_phpbb
10           9
100          93
200          182
500          413
1000         742
5000         2118
20000        3583
50000        4492

And what does the Cracked_phpbb column look like with the top 10, 100,
and 200 passwords from current passwords.lst?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
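The measurement the thread is arguing about ("the top X passwords of list A would crack Y passwords of list B"), plus the two refinements raised in it (counting accounts rather than distinct passwords, and blending two lists and scoring the blend against a third, held-out list), as an added example. This is not code from the thread, from Nmap or from any of the people quoted; the three "leaks" are tiny constructed samples in `sort | uniq -c` format, not the real RockYou, phpBB or MySpace data, and the function names are mine.

```python
"""Added example (not from the nmap-dev thread): score how well the top-N of one
leaked-password list covers another, the metric tabulated above, and try the
blended list proposed in the thread. The three "leaks" are constructed samples."""
from collections import Counter

# Constructed samples in `sort | uniq -c` style: "<accounts> <password>" per line.
ROCKYOU_TXT = """\
900 123456
600 password
400 iloveyou
300 princess
250 rockyou
200 abc123
100 nicole
 70 monkey
 60 daniel
 50 babygirl
"""
PHPBB_TXT = """\
40 123456
35 password
30 phpbb
25 qwerty
20 letmein
15 abc123
10 dragon
 8 monkey
 6 admin
 4 iloveyou
"""
MYSPACE_TXT = """\
50 password1
30 123456
20 qwerty
15 iloveyou
12 abc123
 8 letmein
 6 monkey
 5 soccer
 4 dragon
 3 princess
"""


def parse_counts(text):
    """Parse '<count> <password>' lines into a Counter of password -> accounts.
    Only the first whitespace run separates the fields, so passwords containing
    spaces survive (leading/trailing spaces do not; acceptable for a demo)."""
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        n, pw = line.split(None, 1)
        counts[pw] += int(n)
    return counts


def ranked(counts):
    """Passwords ordered by popularity; ties broken alphabetically for determinism."""
    return [pw for pw, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def coverage(candidates, target, top_n):
    """Crack the `target` leak with the top `top_n` candidates.
    Returns (distinct passwords cracked, accounts cracked). The second figure is
    the volume-aware number the table above leaves out: hitting a password that
    40 people chose is worth more than hitting one used once."""
    top = set(candidates[:top_n])
    hits = [pw for pw in target if pw in top]
    return len(hits), sum(target[pw] for pw in hits)


def coverage_table(candidates, target, sizes):
    """Rows of (top_n, distinct cracked, accounts cracked)."""
    return [(n,) + coverage(candidates, target, n) for n in sizes]


def blend(lists, shares, top_n):
    """Build a top-N list from several ranked lists. `shares` are integer ratios
    ((4, 1) for an 80/20 split); each list contributes its best
    top_n*share/sum(shares) passwords not already taken, then slots freed by
    duplicates or rounding are refilled from the lists in order."""
    total = sum(shares)
    out, seen = [], set()
    for lst, share in zip(lists, shares):
        quota = top_n * share // total
        taken = 0
        for pw in lst:
            if taken >= quota:
                break
            if pw not in seen:
                seen.add(pw)
                out.append(pw)
                taken += 1
    for lst in lists:  # refill any remaining slots
        for pw in lst:
            if len(out) >= top_n:
                return out
            if pw not in seen:
                seen.add(pw)
                out.append(pw)
    return out


if __name__ == "__main__":
    ry, bb, ms = (parse_counts(t) for t in (ROCKYOU_TXT, PHPBB_TXT, MYSPACE_TXT))
    print("top-N RockYou vs phpBB (N, distinct, accounts):",
          coverage_table(ranked(ry), bb, [1, 2, 5, 10]))
    # Score each candidate list, and a blend, against the third list held out as test data.
    for name, cand in (("RockYou", ranked(ry)), ("phpBB", ranked(bb)),
                       ("60/40 blend", blend([ranked(ry), ranked(bb)], (3, 2), 5))):
        print(f"{name:>12} top-5 vs MySpace:", coverage(cand, ms, 5))
```

On the constructed samples the 60/40 blend cracks more MySpace accounts (65) at N=5 than either source list alone (48 and 58), which is the kind of held-out comparison the thread asks for; whether that holds on the real dumps is exactly what running this over them would tell you. Feed real data by replacing the embedded text with the output of `sort | uniq -c | sort -rn` over a leak file.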

