Message-ID: <49013.128.173.192.90.1323694883.squirrel@webmail.tuffmail.net>
Date: Mon, 12 Dec 2011 08:01:23 -0500 (EST)
From: "Brad Tilley" <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: Password datasets with creation rules?


> Does anyone happen to know of any decent-sized, real-world leaked/attacked
> password datasets that are in the wild and employed password creation rules
> such as "must contain a number" or "minimum 8 characters"? Plaintext,
> hashed, or hashed/salted are all fine as long as I can make a guess against
> each entry and query for its existence in the database. I'm looking for
> full database releases, not just the cracked ones.
>
> All of the datasets I've found that have decent sample sizes (rockyou,
> gawker, phpbb, battlefield heroes beta) seem to have no creation rules
> enforced.
>
> Wesley

Wesley,

You work for (faculty/staff) or are a student at a higher ed? My advice
would be to get with your local IT Security/Audit Office and see if they
will allow you to work with them when they perform password audits. Start
by paying a visit to the school's ISO. This may require approvals from
administration, etc. but it's worth a shot as they'll have "real-world"
corporate-like password policies on the administrative systems.

Brad
