Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <80d7e4091002031911g77a838e7x7d1ba3f7dbbb839f@mail.gmail.com>
Date: Wed, 3 Feb 2010 20:11:59 -0700
From: Stephen John Smoogen <smooge@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Replacement for all.chr based on "Rock You" 
	Passwords. URL inside.

On Wed, Feb 3, 2010 at 4:21 PM, Minga Minga <mingakore@...il.com> wrote:
> All,
>
> As you may know, there was a HUGE list of passwords recently revealed
> via a 3rd party web-site attack. This list contained approximately
> 32 million passwords. Numerous articles were made on the statistics
> of the passwords.  All the articles were fine and dandy, but not really
> impressive because the "research" done was as simple as 'sort | uniq'
> stuff.
>
> As a password cracking community, we CAN make use of this disclosure
> in order to make better dictionaries, but also to improve our brute
> forcing technique.
>
> I dont exactly remember how/when all.chr was created, and I have no
> idea the last time it was updated, but I propose we update it
> with a .CHR file from the 'RockYou' list mentioned above.

I would be a bit apprehensive to use 'just' the RockYou list as the
basis of the all.chr set. Yes it is a significant amount of passwords
but I would say that someone would need to see how it compares to the
older all.chr or a combined all.chr and such versus a sample set of
hashes to see 'better' it is. I am guessing that is the research your
group will be posting in the future.

> Now, I have many opinions about the passwords from the RockYou list.
> They are NOT representative of "real" passwords by trained users in
> corporate environments. But they ARE representative of idiots on the
> Internet. And I guess thats a good enough place to start, as any, for
> the default behaviour of JtR. I propose the all.chr update because we
> cannot continue to use and propagate a .CHR file that is so outdated
> (assuming it is?).
>
> Since the .chr created from the 'RockYou' list - can NOT be used
> to re-create the exact list of passwords, it is not a disclosure of
> personal information (up for debate). Therefore, I make the assumption
> it is safe for use.

Well you can't get the exact list used to create the original all.chr,
but you can create enough of the list by using  'john -i --stdout' to
hum a few bars. I would expect that it would be the same.


> As a note: The wordlist will not be revealed (nor the dictionaries
> created from it) by KoreLogic due to it's sensitive nature. If you
> have this list, please keep it private for the sake of all users
> of this Internet thing everyone is talking about ;)

I am pretty sure the list is sadly pretty much common knowledge now..
there are torrents and various sites have copies of it enough that
even I found a couple versions today :).

> Here is the CHR file, and the README associated with it including
> instructions for use, etc. If we don't want to replace all.chr -
> instructions are included for using rockyou.chr separately.
>
> http://www.korelogic.com/tools.html#jtr
>
> -Minga
> KoreLogic
>
>
> ------------
>
> Sample output of new .chr file:
>
> ~/.john$ ./john -i:all -stdout | more
> 1233
> 1990
> 1991
> 1920
> 1922
> 1231
> anana
> maran
> maras
> maris
> marie
>



-- 
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.