Nmap Development mailing list archives

Re: Replacing passwords.lst


From: Ron <ron () skullsecurity net>
Date: Wed, 17 Mar 2010 08:25:04 -0500

On Tue, 16 Mar 2010 23:18:28 -0700 Fyodor <fyodor () insecure org> wrote:
> I agree with you that each list is a bit biased and that RockYou
> is so huge that it dominates the other lists.  But as you note, "we
> don't know how biased each list is", so I think treating them exactly
> equally is completely arbitrary.  And it introduces its own biases.
> It would mean that the seven people from the religious site
> faithwriters who chose "godisgood" as their password could count as
> much as passwords that hundreds or thousands of people chose on
> Rockyou.  After all, Rockyou has almost 2,000 times as many passwords
> as Faithwriters, so I think we'd be terribly discounting that huge and
> valuable sample size if we treated it the same way as the cheesy
> little lists.
The problem is, lists like Faithwriters have very specific audiences. If you're brute-forcing a religious site,
Faithwriters is going to work great. If you're doing anything else, it'll be nearly worthless. Phpbb and Rockyou are
going to be more useful in that regard, because they're a reasonable cross section. But I agree with Brandon that they
should be weighted somehow to remove bias that either one has.

> If RockYou's 14 million passwords is
> overly dominant, let's fix that by finding some more password files.
> Come on guys!  Get to hacking!  I'll send a free signed copy of Nmap
> Network Scanning to whoever gets me the Facebook or Twitter password
> list first :).
GSoC project for 2010? :D

> OK, that's a bad joke, but I do think we'll be able to
> collect more password lists over time.  I even have a lead on a couple
> now.  And I think that would be the best way to remove the biases.
That'd be great! Be sure to post what you find so I can mirror it too. I've been trying to find lists myself and did a
decent job with rockyou/faithwriters/etc, but more is always better.

> BTW, we currently do a little bit of subjective massaging.  David's
> script automatically takes out a handful of terribly biased results
> such as the "rockyou" password which is found more than 20,000 times
> in the rockyou DB.
I actually checked to make sure he did that as soon as he posted the list. I saw that as the biggest tripping point. 

> Cheers,
> -F

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
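The weighting question argued over in this exchange (raw user counts, where RockYou swamps everything, versus treating every list equally, where seven Faithwriters users carry as much weight as thousands of RockYou users) and the "rockyou"-in-rockyou site-name filter can be made concrete with a small merge script. This is an added example, not David's script or any Nmap project code; the per-site counts are constructed to illustrate the effect, not real data.

```python
"""Merge per-site password frequency lists under two weighting schemes.
Added example; the counts in SAMPLE_LISTS are constructed, not real."""
from collections import Counter

# Constructed sample: site name -> {password: number of users who chose it}.
# Sizes are deliberately lopsided, as in the thread (RockYou >> the rest).
SAMPLE_LISTS = {
    "rockyou": {"123456": 2900, "iloveyou": 1600, "password": 590,
                "godisgood": 40, "rockyou": 2000},
    "faithwriters": {"godisgood": 7, "jesus": 5, "123456": 3,
                     "faithwriters": 6},
    "phpbb": {"123456": 80, "password": 50, "letmein": 20, "phpbb": 40},
}


def strip_site_bias(site, counts):
    """Drop the site's own name as a password: it is enormously popular on
    that one site and says nothing about any other target."""
    return {pw: n for pw, n in counts.items() if pw.lower() != site.lower()}


def merge(lists, weighting="raw"):
    """Combine several lists into one ranking of (password, score).

    raw:   sum the user counts, so the biggest list dominates.
    equal: each list contributes its within-list frequency (count / total),
           so every list weighs the same regardless of how many users it has.
    """
    merged = Counter()
    for site, counts in lists.items():
        counts = strip_site_bias(site, counts)
        total = sum(counts.values())
        for pw, n in counts.items():
            if weighting == "raw":
                merged[pw] += n
            elif weighting == "equal":
                merged[pw] += n / total
            else:
                raise ValueError(f"unknown weighting: {weighting}")
    return merged.most_common()


def rank_of(password, ranking):
    """1-based position of password in a merge() result, or None if absent."""
    for pos, (pw, _score) in enumerate(ranking, start=1):
        if pw == password:
            return pos
    return None
```

With these counts "godisgood" sits 4th under raw counts but 2nd under equal weighting, and "jesus" (five users) jumps ahead of "iloveyou" (1600 users), which is exactly the distortion Fyodor objects to.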