Message-ID: <056301ce8c02$0b9db070$22d91150$@edu>
Date: Sun, 28 Jul 2013 22:19:23 -0400
From: "Matt Weir" <cweir@...edu>
To: <john-users@...ts.openwall.com>
Subject: RE: Joseph Bonneau- The Science of Guessing

Luckily you'll get the short version since I'm frantically getting ready, (aka panicking), for Passwords^13 and Defcon ;p

Basically Bonneau's team worked with Yahoo to set up proxy servers in front of several Yahoo authentication servers so they could observe real user passwords. There was a lot of work to properly anonymize the data and protect the users. The plus side is his group was able to see real password usage in the wild. The downside is he was looking at how "common" passwords were, but he didn't have access to the real passwords. So he could see that 10001 users picked a particular password but he couldn't see what that password was. That's why when reading the paper you'll see stuff about overlap between different groups, or how effective a perfect attack is, but not about how the actual attack is structured.

The high points:

The most common password occurred 1.08% of the time
Users who voluntarily change their passwords more often tend to have stronger passwords
Users who use e-mail resets for forgotten passwords tend to have weaker passwords
RockYou is still a pretty good training set for online passwords
Tailoring attacks to the target, (gender, language, etc), when you are aiming for the weakest passwords doesn't help that much. It does matter though as you try to crack a higher percentage of passwords.

A good chunk of the paper was trying to estimate "guessing entropy". That would require a lot more time to explain than I have, and quite honestly there's still some parts of his work that I don't fully understand. Long story short though, the idea of "password strength" is still a fairly nebulous concept that people are trying to define since it depends so much on the attacker's strategies.

I'm really hoping he shows up at Passwords^13 so I can ask him questions in person ;p

Matt

-----Original Message-----
From: kzug [mailto:kzug10@...il.com]
Sent: Sunday, July 28, 2013 4:24 PM
To: john-users@...ts.openwall.com
Subject: Re: [john-users] Joseph Bonneau- The Science of Guessing

Shall we ask Matt W. for a translation in plain English? (for us mortals) :)

On Sunday, Jul 28, 2013, at 4:13 PM, Patrick Mylund Nielsen wrote:

> On Sun, Jul 28, 2013 at 1:03 PM, Rich Rumble <richrumble@...il.com> wrote:
>
>> I have no idea what I just "read", but it won an RSA Science of
>> Security Competition
>>
>> http://www.jbonneau.com/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf
>> It outlined a wide range of attacks, even gender based ones!
>> Hadn't thought of that one... however I didn't see any mention of
>> di/trigraphs. But in my defense if they were, my eyes were bleeding
>> and my brain hemorrhaged, I'm feeling much better now :) -rich
>>
>
> It also won an NSA award for best academic cybersecurity paper:
> http://www.lightbluetouchpaper.org/2013/07/19/nsa-award-for-best-scientific-cybersecurity-paper/
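Matt's summary makes one point worth seeing in code: the study only had per-password counts (how many users shared each password, never the password text), and that is enough to compute the "guessing entropy" and "perfect attack" figures he refers to, because an optimal attacker simply guesses in order of popularity. The following is an added example written for this archive page; it is not code from the thread, from Matt Weir, or from Bonneau's paper. The histogram is constructed (10,000 users, ten popular passwords, then 7,050 singletons), and the metric definitions (guessing entropy, min-entropy, beta-success-rate, alpha-work-factor, alpha-guesswork) are the standard partial-guessing definitions from the literature, which is this example's assumption about what the thread's informal terms mean.

```python
"""Partial-guessing metrics from an anonymized password histogram.

Constructed example: the counts below are made up for illustration and are
not data from Bonneau's Yahoo study or from the mailing-list thread.
Metric definitions (guessing entropy, min-entropy, beta-success-rate,
alpha-work-factor, alpha-guesswork) follow the standard ones used in the
partial-guessing literature; that mapping is this example's assumption.
"""
import math
from typing import List

# Constructed histogram: number of users who chose each distinct password,
# with the password text itself unknown (only counts are visible, as in the
# anonymized study described in the thread). Ten popular passwords, then
# 7050 passwords chosen by exactly one user each. Total = 10,000 users.
SAMPLE_COUNTS: List[int] = [1080, 520, 400, 300, 200, 150, 100, 100, 50, 50] + [1] * 7050


def _sorted_counts(counts: List[int]) -> List[int]:
    """An optimal attacker guesses passwords in decreasing order of
    popularity, so every metric below works on counts sorted descending."""
    return sorted(counts, reverse=True)


def min_entropy_bits(counts: List[int]) -> float:
    """H_inf = -log2(p_1): resistance to a single optimal guess per account."""
    c = _sorted_counts(counts)
    return -math.log2(c[0] / sum(c))


def beta_success_rate(counts: List[int], beta: int) -> float:
    """lambda_beta: fraction of accounts compromised with at most `beta`
    guesses per account (the online-attack / lockout-threshold view)."""
    c = _sorted_counts(counts)
    return sum(c[:beta]) / sum(c)


def alpha_work_factor(counts: List[int], alpha: float) -> int:
    """mu_alpha: guesses per account needed to reach success probability alpha."""
    c = _sorted_counts(counts)
    total = sum(c)
    cumulative = 0
    for i, n in enumerate(c, start=1):
        cumulative += n
        if cumulative / total >= alpha:
            return i
    return len(c)


def alpha_guesswork(counts: List[int], alpha: float) -> float:
    """G_alpha: expected guesses per account for an attacker who stops after
    mu_alpha guesses: (1 - lambda_mu) * mu + sum_{i<=mu} i * p_i."""
    c = _sorted_counts(counts)
    total = sum(c)
    mu = alpha_work_factor(counts, alpha)
    successes = sum(c[:mu])
    work_on_successes = sum(i * n for i, n in enumerate(c[:mu], start=1))
    return ((total - successes) * mu + work_on_successes) / total


def guessing_entropy(counts: List[int]) -> float:
    """G = sum_i i * p_i: expected guesses to find a password with unlimited
    tries. Dominated by the long tail of rare passwords, so it says little
    about the users an online attacker actually reaches."""
    c = _sorted_counts(counts)
    total = sum(c)
    return sum(i * n for i, n in enumerate(c, start=1)) / total


if __name__ == "__main__":
    total = sum(SAMPLE_COUNTS)
    print(f"most common password share : {SAMPLE_COUNTS[0] / total:.2%}")
    print(f"min-entropy                : {min_entropy_bits(SAMPLE_COUNTS):.2f} bits")
    print(f"success after 3 guesses    : {beta_success_rate(SAMPLE_COUNTS, 3):.1%}")
    print(f"guesses to reach 25%       : {alpha_work_factor(SAMPLE_COUNTS, 0.25)}")
    print(f"guesses to reach 50%       : {alpha_work_factor(SAMPLE_COUNTS, 0.5)}")
    print(f"alpha-guesswork (25%)      : {alpha_guesswork(SAMPLE_COUNTS, 0.25):.3f}")
    print(f"guessing entropy           : {guessing_entropy(SAMPLE_COUNTS):.1f} guesses")
```

On the constructed data, three guesses per account already reach 20% of users while the full guessing entropy is roughly 2,500 guesses; the gap is the point Matt gestures at when he calls "password strength" nebulous. A single number cannot serve both the defender sizing an online lockout threshold (beta-success-rate matters) and one assessing an offline attack against a leaked hash file (the alpha metrics matter), which is why these metrics are reported per attacker budget rather than collapsed into one figure.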