Nmap Development mailing list archives
Re: Replacing passwords.lst
From: Ron <ron () skullsecurity net>
Date: Wed, 17 Mar 2010 08:25:04 -0500
On Tue, 16 Mar 2010 23:18:28 -0700 Fyodor <fyodor () insecure org> wrote:
> I agree with you that each list is a bit biased and that RockYou is so huge that it dominates the other lists. But as you note, "we don't know how biased each list is", so I think treating them exactly equally is completely arbitrary. And it introduces its own biases. It would mean that the seven people from the religious site faithwriters who chose "godisgood" as their password could count as much as passwords that hundreds or thousands of people chose on Rockyou. After all, Rockyou has almost 2,000 times as many passwords as Faithwriters, so I think we'd be terribly discounting that huge and valuable sample size if we treated it the same way as the cheesy little lists.
The problem is, lists like Faithwriters have very specific audiences. If you're bruteforcing a religious site, Faithwriters is going to work great. If you're doing anything else, it'll be nearly worthless. phpBB and Rockyou are going to be more useful in that regard, because they're a reasonable cross section. But I agree with Brandon that they should be weighted somehow to remove bias that either one has.
> If RockYou's 14 million passwords is overly dominant, let's fix that by finding some more password files. Come on guys! Get to hacking! I'll send a free signed copy of Nmap Network Scanning to whoever gets me the Facebook or Twitter password list first :).
GSoC project for 2010? :D
> OK, that's a bad joke, but I do think we'll be able to collect more password lists over time. I even have a lead on a couple now. And I think that would be the best way to remove the biases.
That'd be great! Be sure to post what you find so I can mirror it too. I've been trying to find lists myself and did a decent job with rockyou/faithwriters/etc, but more is always better.
> BTW, we currently do a little bit of subjective massaging. David's script automatically takes out a handful of terribly biased results such as the "rockyou" password which is found more than 20,000 times in the rockyou DB.
I actually checked to make sure he did that as soon as he posted the list. I saw that as the biggest tripping point.
> Cheers, -F
--
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
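An added illustration of the weighting argument in this exchange (example code written for this page, not nmap's list or David's script): each list is turned into within-list frequencies, site-name entries like "rockyou" are dropped, and three ways of weighting a whole list are compared. The "log" scheme is this example's own middle ground, not one proposed in the thread, and the counts below are constructed rather than taken from any real dump.

```python
import math
from collections import defaultdict

# Constructed sample counts (password -> number of users), not real leak data.
SOURCES = {
    "rockyou": {"123456": 290000, "password": 60000, "iloveyou": 50000,
                "rockyou": 20000, "godisgood": 40},
    "faithwriters": {"godisgood": 7, "jesus": 12, "123456": 9, "faithwriters": 5},
}

def site_name_filter(source_name, password):
    """Drop a password that is just the source site's own name (the
    'rockyou' entry the thread says is stripped by hand)."""
    return password.lower() != source_name.lower()

def list_weight(total, scheme):
    """Weight of one whole list. 'equal': every list sums to 1, so seven
    FaithWriters users can outvote thousands of RockYou users. 'raw': plain
    user counts, so the biggest dump swamps the rest. 'log': a list's vote
    grows with log10 of its size, a middle ground between the two."""
    if scheme == "equal":
        return 1.0
    if scheme == "raw":
        return float(total)
    if scheme == "log":
        return math.log10(total)
    raise ValueError("unknown scheme: %s" % scheme)

def merge(sources, scheme="log", keep=site_name_filter):
    """Return [(password, score), ...] sorted by descending score."""
    scores = defaultdict(float)
    for name, counts in sources.items():
        kept = {pw: c for pw, c in counts.items() if keep(name, pw)}
        total = sum(kept.values())
        if total == 0:
            continue
        weight = list_weight(total, scheme)
        for pw, c in kept.items():
            # within-list frequency times the list's overall weight
            scores[pw] += weight * c / total
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def rank(sources, password, scheme="log"):
    """1-based position of a password in the merged list, None if absent."""
    for pos, (pw, _) in enumerate(merge(sources, scheme), 1):
        if pw == password:
            return pos
    return None
```

With the sample data, "equal" pushes the seven-user "godisgood" above the 60,000-user "password", exactly the distortion Fyodor describes, while "raw" lets the large list decide everything.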