Home Forums SQLServerCentral.com Editorials Your Password has Failed the Test RE: Your Password has Failed the Test

  • October 8, 2012 at 10:40 am

    #1546842

    WayneS (10/6/2012)

    Hi Phil,

    I'm curious as to the source of the password list that you utilize. Is it something that you can share a link with?

    1) Be careful looking -

    1a) Never download anything except a text file or a compressed file

    2b) Virus scan everything first

    2c1) Download using a LiveCD without a hard drive

    2c2) Download using a LiveCD with a hard drive unmounted

    2c2.5) Download using a disposable installation (install, download, wipe with DBan or another DOD wiper) - credit to GSquared

    2c3) Download using a VM

    2c4) Only go to known reasonable sites

    2) Public domain dictionaries (1913 Webster edition, etc.) are available.

    3) Name lists are available from the U.S. Census .gov site http://www.census.gov/genealogy/www/data/1990surnames/names_files.html

    4) As Gail said, crossword lists

    4a) English Open Word List

    4b) UK Advanced Cryptics Dictionary (UKACD)

    5) Linux distribution wordlists - watch for copyright and licensing, not all are licensed under GPL

    5a) dictionary-common wordlists

    5b) aspell wordlists (the U.S. one is under copyright, so find and read the license first)

    5b1) Shell script: aspell -l $1 dump master | aspell -l $1 expand | tr ' ' '' >$1.txt

    5b1i) replace $1 with the language you want to get.

    6) Known cracking wordlists from reputable sources (usually cracking competition teams or security vendors)

    6a) Go to any of these at YOUR OWN RISK - see 2b and 2c1.

    6b) Skullsecurity

    6c) Openwall

    6d) Korelogic

    6e) Facebook breach list

    6f) phpbb breach list (very small, very good for the size)

    7) Your own additions for whatever industry and company you're in or deal with, or people involved. People _love_ to have company information, personal information, etc. in their passwords, from names to cars to kids.

    7a) Be clever, think up some way of using the company name that's just so clever. Try it. Repeat until you crack at least one password.

    7a1) If you've got more than 50 ordinary human-generated passwords and you haven't cracked one in at least 50 tries, get someone else to try generating words and case variations. Someone more normal :).

    8) Use a tally table to generate lists of dates in various formats, the last 100 and next 50 years, etc. to add to words if you really insist on using PWDCOMPARE instead of a rules based cracker; Jennifer2007 is not as uncommon a password for people with 5 year old daughters as you might think.