Passphrase Dictionary?

Posted:
Mon Feb 20, 2012 1:11 pm
by aliby
Hey all,
I was curious if anyone knew of a dictionary/wordlist of common passphrases (14+ characters).
I've tried a few dictionary attacks, including using RockYou with mangling rules, double words (passwordpassword), etc. Any other thoughts or ideas on how to break some longer passphrases would be great.

Thanks!
Re: Passphrase Dictionary?

Posted:
Mon Feb 20, 2012 3:11 pm
by Bitweasil
I was playing around with the concept of merging wordlists with the Wordyforcer in SVN, but I never got performance up where it needed to be to really be useful.
I might try that again once the new framework is done.
Passphrases are still pretty good.
Re: Passphrase Dictionary?

Posted:
Tue Nov 06, 2012 11:57 am
by frosty
I was thinking about this after thinking about the XKCD comic about password complexity of shorter "random" passwords with large charsets, vs the passphrase approach.
Obviously brute forcing a very long (say 14+ char) password even just lower alpha is a practical impossibility (at least right now), but that's obviously a pretty dumb way to attack that problem.
Could you take a standard dictionary attack and simply get it to try all possible combinations of common lower case words? A quick search says there's about 170,000 English words, so that would be a fairly good guess at dictionary size.
Assuming one of your words was <blank>, an attack on passwords of length n words would search for all password combinations between 1 and n?
So to search where n=3 we'd also include all n=2, n=1 attempts as well?
170,000^3 = 4,913,000,000,000,000 permutations
If we make a wild assumption that overhead for the code to build the password list isn't a terribly big overhead for code execution time (especially if we dump our password list in very fast vRAM) and we assume a single GPU cracking at about 300M/sec for something like NTLM, that gives us an estimate of:
4,913,000,000,000,000 / 300,000,000
16,376,666 seconds, about 190 days.
Not really feasible for someone with a single video card, but doable for distributed computing in fairly reasonable time frames; your 154B/sec rig from your blog would do that in about
4,913,000,000,000,000 / 154,000,000,000
31,902 seconds, about 9 hours!
So your admin password could be "reverse"+"systematic"+"encryption" (27 char) and that would be doable. Although 4 words and above become practically infeasible again, so I guess it's a similar problem to passwords: without better (slower) encryption you need some minimum complexity from the user.
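The estimate in the post above, generalised as an added example that is not part of the original thread: it sums the keyspace for 1 to n words, converts it to time at a given guess rate, and finds the smallest word count that outlasts a resistance target. The 10,000 guesses/sec slow-hash rate and the ten-year target are assumptions chosen for illustration, and the figures assume words picked uniformly at random, so they are an upper bound on the work needed against human-chosen phrases.

```python
import math

DICT_SIZE = 170_000            # from the post: rough count of English words
GPU_RATE = 300_000_000         # from the post: single GPU against NTLM
RIG_RATE = 154_000_000_000     # from the post: the 154B/sec rig
SLOW_RATE = 10_000             # assumption: rate against a deliberately slow hash
TEN_YEARS = 10 * 365 * 86_400  # assumption: resistance target in seconds


def keyspace(dict_size, max_words, include_shorter=True):
    """Number of candidate passphrases built from up to max_words words."""
    lengths = range(1, max_words + 1) if include_shorter else [max_words]
    return sum(dict_size ** k for k in lengths)


def seconds_to_exhaust(dict_size, max_words, rate, include_shorter=True):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(dict_size, max_words, include_shorter) / rate


def entropy_bits(dict_size, words):
    """Entropy of `words` words drawn uniformly at random from the dictionary."""
    return words * math.log2(dict_size)


def min_words(dict_size, rate, target_seconds):
    """Smallest word count whose exact-length keyspace outlasts the target."""
    n = 1
    while seconds_to_exhaust(dict_size, n, rate, False) < target_seconds:
        n += 1
    return n


def report(max_words=4):
    """Rows of (words, entropy bits, days on one GPU, days on the rig)."""
    rows = []
    for n in range(1, max_words + 1):
        gpu_days = seconds_to_exhaust(DICT_SIZE, n, GPU_RATE) / 86_400
        rig_days = seconds_to_exhaust(DICT_SIZE, n, RIG_RATE) / 86_400
        rows.append((n, round(entropy_bits(DICT_SIZE, n), 1), gpu_days, rig_days))
    return rows


if __name__ == "__main__":
    for n, bits, gpu_days, rig_days in report():
        print(f"{n} words  {bits:5.1f} bits  GPU {gpu_days:14.2f} d  rig {rig_days:12.4f} d")
    print("words needed vs rig, fast hash:", min_words(DICT_SIZE, RIG_RATE, TEN_YEARS))
    print("words needed vs slow hash:     ", min_words(DICT_SIZE, SLOW_RATE, TEN_YEARS))
```

Including the shorter lengths adds only 170,000 + 170,000^2 candidates to the three-word total, which is why it barely changes the estimate.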
Re: Passphrase Dictionary?

Posted:
Tue Nov 20, 2012 2:03 am
by Bitweasil
Thanks for doing the math on that - I had not done so.
It certainly looks interesting! I hope to play in this problem space soon...