Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160619182103.GA22987@openwall.com>
Date: Sun, 19 Jun 2016 21:21:03 +0300
From: Solar Designer <solar@...nwall.com>
To: passwords@...ts.openwall.com
Subject: Re: Am I Overlooking any Practical Attacks?

On Sun, Jun 19, 2016 at 01:33:55PM -0400, Scott Arciszewski wrote:
> I was referring to this post by Mark Burnett from 2011 and the subsequent
> lists released: https://xato.net/10-000-top-passwords-6d6380716fe0
> 
> I also wasn't aware that he released a follow-up with 10,000,000. :)

There are some inconsistencies in Mark's data (suggesting data
processing errors on his part), as I pointed out in this Twitter thread:

https://mobile.twitter.com/m8urnett/status/558073405497671684

One of the easiest to spot is that his "10k most common" and "10k most
common with frequency" differ by 5 passwords, but that's minor.  What's
worse is that Mark's 2011 analysis greatly overestimated the percentage
of passwords that fall into top 10k (and was also inconsistent about
this percentage).  Re-reading this Twitter thread now, it looks like it
was ~99% in 2011 vs. ~24% in 2014 - clearly not an actual change, but
just (major) data processing errors or/and biases.

With inconsistencies like this, I wouldn't rely on the data for anything
serious, and certainly not as the only source.

That said, I just ran a test of passwdqc on Mark's top 10k list above
(using my copy I downloaded during that discussion in 2015, but I assume
it hasn't changed):

[solar@...l passwdqc-1.3.0]$ time while read -r pw; do echo $pw | LD_LIBRARY_PATH=. ./pwqcheck -1 > /dev/null && echo $pw; done < ../xato/'10k most common.txt'
films+pic+galeries

real    0m6.538s
user    0m1.843s
sys     0m8.302s

So this list somehow contains the passphrase films+pic+galeries.
I think it's fine that it meets passwdqc's default policy.  Is this
also the one that passes Zxcvbn?

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.