Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 19 Jun 2016 21:21:03 +0300
From: Solar Designer <>
Subject: Re: Am I Overlooking any Practical Attacks?

On Sun, Jun 19, 2016 at 01:33:55PM -0400, Scott Arciszewski wrote:
> I was referring to this post by Mark Burnett from 2011 and the subsequent
> lists released:
> I also wasn't aware that he released a follow-up with 10,000,000. :)

There are some inconsistencies in Mark's data (suggesting data
processing errors on his part), as I pointed out in this Twitter thread:

One of the easiest to spot is that his "10k most common" and "10k most
common with frequency" differ by 5 passwords, but that's minor.  What's
worse is that Mark's 2011 analysis greatly overestimated the percentage
of passwords that fall into top 10k (and was also inconsistent about
this percentage).  Re-reading this Twitter thread now, it looks like it
was ~99% in 2011 vs. ~24% in 2014 - clearly not an actual change, but
just (major) data processing errors or/and biases.

With inconsistencies like this, I wouldn't rely on the data for anything
serious, and certainly not as the only source.

That said, I just ran a test of passwdqc on Mark's top 10k list above
(using my copy I downloaded during that discussion in 2015, but I assume
it hasn't changed):

[solar@...l passwdqc-1.3.0]$ time while read -r pw; do echo $pw | LD_LIBRARY_PATH=. ./pwqcheck -1 > /dev/null && echo $pw; done < ../xato/'10k most common.txt'

real    0m6.538s
user    0m1.843s
sys     0m8.302s

So this list somehow contains the passphrase films+pic+galeries.
I think it's fine that it meets passwdqc's default policy.  Is this
also the one that passes Zxcvbn?


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.