Re: Online commonly used password database

From: Lee Brotherston (lee.brotherston@uk.easynet.net)
Date: 03/15/02 

From: "Lee Brotherston" <lee.brotherston@uk.easynet.net>
To: <pen-test@securityfocus.com>, "Mike Shaw" <mshaw@wwisp.com>
Date: Thu, 14 Mar 2002 23:07:06 -0000

| Of course I could be barking up a well worn tree. In that case I'd
like to
| see what work has been done in this area.

I'm sure people will disagree with me on this. But I think that by
submitting passwords found in the wild that are not dictionary words,
other than those that are fairly standard guessable passwords (nouns,
in phrases "aybabtu, ph34r, etc", l33tspeak "p455w0rd"), you will just
end up in manually creating a list of the full range of passwords that
you would get by just running: john -i:all -stdout

Wordlists are good, but the idea is to put the most common words in
there so that these can be tried first, before your brute forcer goes
and tries all number/letter/punctuation combinations. So essentially
it does do the monkeys with typewriters thing without you needing to
list the words.

I would say that a wordlist should be restricted to dictionary words,
nouns, really common passwords, etc then using something like John you
can get all those permutations that you want. Infact taking john as
an example again, I think that their algorithm even does it's
permutations in a specific order to auto-generate the combinations
found in the wild most frequently first (but don't quote me on that
;P).

Anyway, enough of my babble ;)

  Lee 

--
Lee Brotherston  -  IP Security Manager, Easynet Ltd
http://www.easynet.net/         Phone: +44 20 7900 4444

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Relevant Pages

  • Re: hacking a NT domain after the member server
    ... I have found the quickest way to compromise an NT domain is to try null ... or commonly used passwords. ... SQL server that is a member of the domain. ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Novell NDS
    ... applied now create different file types after running a DSREPAIR. ... In the past and without the upgrade, once you have RCONSOLE access you can ... Pandora to break the .DIB file apart and crack the passwords with it. ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Re: cracking cisco passwords
    ... Subject: cracking cisco passwords ... > This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
    (Pen-Test)
  • Re: cracking cisco passwords
    ... Subject: cracking cisco passwords ... > This list is provided by the SecurityFocus Security Intelligence Alert ... This list is provided by the SecurityFocus Security Intelligence Alert Service. ... For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: ...
    (Pen-Test)
  • Re: See what a weak password will get ya?
    ... > permutations of dictionary words. ... What also makes pretty good passwords is shifting your hands around on the ... on the keyboard, don't press the key you need but the on below it to the right ...
    (Debian-User)