Nmap Development mailing list archives

Re: Replacing passwords.lst


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 6 Mar 2010 00:09:14 +0000

On Fri, 5 Mar 2010 14:52:20 -0600
Ron <ron () skullsecurity net> wrote:

> On Fri, 5 Mar 2010 11:46:07 -0700 David Fifield
> <david () bamsoftware com> wrote:
>> And what does the Cracked_phpbb column look like with the top 10,
>> 100, and 200 passwords from current passwords.lst?
>
> So, this morning I was using Excel and doing a lot of old tricks I
> learned in the before times. It looks like the results weren't 100%
> accurate -- I'm using some Linux tools now and I'm getting different
> (better!) results. I'll post the command that generated all these
> after:
> [...]
>
> That's actually really surprising -- Nmap's list kicked ass against
> Myspace, followed by Rockyou, John, and Cain & Abel. phpbb was a much
> closer run -- pretty much a tie between Rockyou and John, followed by
> Nmap then Cain & Abel. On the Hotmail passwords, which are more
> difficult because Hotmail actually has password policies, the
> Rockyou.com passwords were the clear winners.


Okay so I have another list we can test against (100k user accounts).  A
password complexity policy was in place for this list so the passwords
are "higher quality" garbage.  Since nearly all the passwords in this
list don't meet the complexity requirement I ran with "--rules" from
John 1.7.3.4.

Attached are the results as an image, also available here:
http://noh.ucsd.edu/~bmenrigh/list_quality.png

The result is that RockYou is the best but John and PHPBB are really
good too.

I'm pretty sure we can make a hybrid dictionary that weights the
lists.  That is, weight RockYou at say 70%, and John and PHPBB at 15%
and then take the top 70% (of 200) passwords from RockYou and then the
top 15% (of 200) from PHPBB and John that aren't already in the top 70%
RockYou.  We can probably determine the weights empirically by testing
against my list, the Hotmail list, the Myspace list, etc.

Brandon
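
The weighted hybrid list described in this message, sketched as an added example (not code from the thread or from Nmap). The function names, the grid search over weights, and the sample lists are assumptions; the sample entries are constructed placeholder tokens, not real passwords.

```python
from collections import Counter

def build_hybrid(ranked, weights, size):
    """Merge ranked lists (most common first) into one list of `size` entries.

    Each source, in the order given by `weights`, contributes its top
    round(weight * size) entries that no earlier source already supplied.
    """
    chosen, seen = [], set()
    for name, weight in weights.items():
        quota = round(weight * size)
        for pw in ranked[name]:
            if quota == 0 or len(chosen) == size:
                break
            if pw not in seen:
                seen.add(pw)
                chosen.append(pw)
                quota -= 1
    return chosen

def coverage(wordlist, test_counts):
    """Fraction of accounts in a test set whose password is in `wordlist`."""
    total = sum(test_counts.values())
    return sum(test_counts.get(pw, 0) for pw in set(wordlist)) / total

def best_weights(ranked, order, test_sets, size, steps=20):
    """Grid-search three-way weight splits; score is mean coverage over test sets."""
    best_score, best = -1.0, None
    for a in range(steps + 1):
        for b in range(steps + 1 - a):
            w = dict(zip(order, (a / steps, b / steps, (steps - a - b) / steps)))
            hybrid = build_hybrid(ranked, w, size)
            score = sum(coverage(hybrid, t) for t in test_sets) / len(test_sets)
            if score > best_score:
                best_score, best = score, w
    return best_score, best

# Constructed sample data: placeholder tokens, not real passwords.
RANKED = {
    "rockyou": [f"r{i}" for i in range(20)],
    "phpbb": ["r0", "r1"] + [f"p{i}" for i in range(20)],
    "john": ["r2", "p0"] + [f"j{i}" for i in range(20)],
}
AUDIT = Counter({"r0": 50, "p0": 30, "j1": 10, "zzz": 10})  # password -> accounts
WEIGHTS = {"rockyou": 0.70, "phpbb": 0.15, "john": 0.15}

if __name__ == "__main__":
    hybrid = build_hybrid(RANKED, WEIGHTS, 20)
    print(len(hybrid), coverage(hybrid, AUDIT), coverage(RANKED["rockyou"], AUDIT))
    print(best_weights(RANKED, list(RANKED), [AUDIT], 20))
```

Passing several test sets to `best_weights` scores each candidate split by its mean coverage across them, which avoids tuning the weights to a single list.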

