Message-ID: <CA+E3k92Fxu9T-vr-wVasT-EehSEzXjuv6w=-7yUn_i5Sw7moJQ@mail.gmail.com>
Date: Tue, 18 Aug 2020 08:21:12 -0800
From: Royce Williams <royce@...ho.org>
To: john-users@...ts.openwall.com
Subject: Re: any experience with hasheshorg2019 wordlist?

Hello, Albert -

On Tue, Aug 18, 2020 at 7:17 AM Albert Veli <albert.veli@...il.com> wrote:

> Hello, I have not used that list. But the site https://hashes.org/ had
> many leaks of live hashes and I suspect the wordlist you mention is a
> collection of cracked hashes from the live ones. As you can see on the
> site it had a failure (hard drive?) and is currently down.
>

From my read of s3's blog posts, the previous server ended up having bad
RAM, which was slowly corrupting the Cassandra database. The database is
being reconstructed on new hardware, which takes quite a bit of time (and
has to be interleaved with other activities, as time allows).

A static version of the site, including all of the found lists, is
currently available at temp.hashes.org.

> Typically if you want statistics it is better to use rockyou since it
> has a big collection of all real passwords, while the hashes.org only
> has cracked ones and is missing maybe 10% of the hardest passwords.
> That way the statistics get skewed and only reflect the weakest 90%
> of the passwords.
>

I'll have to disagree with you there. :)

The hashes.org founds contain 100% of RockYou - as well as 100% of other
similar plaintext leaks (such as the more recent LiveJournal leak) - due
to their presence in other lists (such as the Have I Been Pwned corpus).
Since these were cracked using those original plaintexts, they are fully
represented.

The leaks on hashes.org are from a variety of sources, platforms, and
time periods - and therefore a variety of demographics / cultures /
countries.

Also, the crack rate for fast hashes is much higher - on the order of 99%
and up for many leaks based on fast hashes. And the success rate is
constantly going up, as new leaks are made public elsewhere and are used
as raw material to attack old lists.

For these reasons, the superset of all hashes.org "founds" is one of the
most efficient broad-spectrum attack wordlists (that is publicly and
freely available) for real human passwords.

(The hashes.org "junk" founds are those founds that are less likely to be
human-generated passwords, but are also very useful as a later pass, for
cleaning up non-human-generated founds in target hashes.)

Royce

> On Tue, Aug 18, 2020 at 2:18 PM Johny Krekan <krekan@...nykrekan.com>
> wrote:
> >
> > Hello, after some time I went to weakpass.com and I have found
> > hashesorg2019, which seems quite new and big. Do you have any experience
> > with this wordlist (success in finding passwords)? Do you think that it
> > could contain many new passwords or is it a recompilation of old ones?
>