Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 12 Dec 2011 08:01:23 -0500 (EST)
From: "Brad Tilley" <>
Subject: Re: Password datasets with creation rules?

> Does anyone happen to know of any decent-sized, real-world leaked/attacked
> password datasets that are in the wild and employed password creation
> rules
> such as "must contain a number" or "minimum 8 characters"? Plaintext,
> hashed, or hashed/salted are all fine as long as I can make a guess
> against
> each entry and query for its existence in the database. I'm looking for
> full database releases, not just the cracked ones.
> All of the datasets I've found that have decent sample sizes (rockyou,
> gawker, phpbb, battlefield heroes beta) seem to have no creation rules
> enforced.
> Wesley


You work for (faculty/staff) or are a student at a higher ed? My advice
would be to get with your local IT Security/Audit Office and see if they
will allow you to work with them when they perform password audits. Start
by paying a visit to the school's ISO. This may require approvals from
administration, etc. but it's worth a shot as they'll have "real-world"
corporate-like password policies on the administrative systems.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.