Firewall Wizards mailing list archives

Re: "Proactive" Password Checking


From: Andreas Gunnarsson <zzlevo () dd chalmers se>
Date: Mon, 15 Nov 1999 13:55:18 +0100 (MET)

On Thu, 11 Nov 1999, Rick Smith wrote:

> Has anyone heard of attempts to turn this around, and use the Markov
> model to generate candidate passwords for a dictionary attack? I
> suppose I'm looking for an algorithm that might generate passwords
> containing shorter words concatenated together before it generates
> longer but less common words.

I don't know the Markov model, but I have made a program that when fed a
dictionary generates other strings that resemble those words. It works
with trigrams; it keeps track of how many times a given trigram occurs in
the dictionary, and then it generates words consisting of the most common
trigrams. It deals with the first trigram, last trigram and any trigram in
the middle of the word separately. The number of words generated can be
controlled by setting the threshold for "common" trigrams.

When I fed your article through the program, the following words were
generated:
fords genet modea model peral peram seven sever stack words
Only "model" and "words" actually occur in the article.

I've used this to generate word lists for "crack" when checking how secure
passwords are on the system I'm administering, but only a few hits have
been found that aren't in a word list.

   Andreas

------------------------------------------------------------------------------
zzlevo () dd chalmers se * Andreas Gunnarsson * http://www.dd.chalmers.se/~zzlevo
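
The positional trigram model described in the message above, as an added Python example; it is not Andreas Gunnarsson's program. The word list is constructed and the function names are assumptions. `resembles` applies the model as a proactive password check: it returns True for exactly the strings `generate` would emit, so a password-change routine can refuse dictionary-like choices without enumerating the whole list.

```python
from collections import Counter

# Constructed sample dictionary (not from the original post).
SAMPLE_WORDS = ["words", "forms", "worms", "model", "modes", "codes", "cords"]

def trigrams(word):
    return [word[i:i + 3] for i in range(len(word) - 2)]

def train(words):
    """Count trigrams in three separate tables: first, middle, last."""
    first, middle, last = Counter(), Counter(), Counter()
    for w in words:
        t = trigrams(w.lower())
        if not t:
            continue  # words shorter than three letters carry no trigram
        first[t[0]] += 1
        last[t[-1]] += 1
        middle.update(t[1:-1])
    return first, middle, last

def common(model, threshold):
    """Keep only trigrams seen at least `threshold` times in each table."""
    return tuple({t for t, n in c.items() if n >= threshold} for c in model)

def resembles(word, model, threshold):
    """True if every trigram of `word` is common for its position."""
    first, middle, last = common(model, threshold)
    t = trigrams(word.lower())
    return (bool(t) and t[0] in first and t[-1] in last
            and all(x in middle for x in t[1:-1]))

def generate(model, threshold, length):
    """Enumerate every string of `length` letters that `resembles` accepts."""
    first, middle, last = common(model, threshold)
    found = set()
    def extend(word):
        if len(word) == length:
            if word[-3:] in last:
                found.add(word)
            return
        # The trigram that completes the word is checked against `last`.
        table = last if len(word) == length - 1 else middle
        for t in table:
            if t[:2] == word[-2:]:
                extend(word + t[2])
    for t in (first if length >= 3 else ()):
        extend(t)
    return sorted(found)
```

With the sample list and a threshold of 1, the five-letter output includes "codel", "corms" and "fords", none of which are in the input; raising the threshold to 2 leaves only words built from trigrams seen at least twice.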


