Online commonly used password database

From: Mike Shaw (mshaw@wwisp.com)
Date: 03/12/02


Date: Mon, 11 Mar 2002 17:20:32 -0600
To: pen-test@securityfocus.com
From: Mike Shaw <mshaw@wwisp.com>

Does anyone know of a commonly used password database? I know that
dictionaries and password list files abound. But what I'm thinking of is a
central Big-Ol'(tm) database of passwords that's constantly being updated
with everyone doing pen-test crack sessions out there. The site would
produce a daily file comprising of all the passwords in the list.

Why? Everyone on this list has seen "qwerty12345" and the like out
there. But what about "qwerty>12345"? Yet it's a safe bet that that
password has been used by at least a few people in the entire history of
passwords. The ultimate goal would be to crack the "monkeys with
typewriters" algorithm of password generation by securing the most common
things that the brain comes up with--even down to the level of commonly
used two letter combinations (note that this would be different than the
standard cryptographic techniques because people choose passwords
differently). But in the short term it would just be cool to have a
centralized list to pool efforts.

Of course, there would be security problems with what was
submitted. Something such as a password of "xyzcorpxyzcorp" would
obviously be a hazard since there is only one xyzcorp out there, so some
discretion would have to be exercised by the submitter. One option would
be to not have passwords "activated" in the downloadable password list
unless 2 instances of it occurred.

Of course I could be barking up a well worn tree. In that case I'd like to
see what work has been done in this area.

-Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/