06-13-2015, 11:20 AM
I just started a similar kind of thread but in the context of WPA. But there is some crossover I believe, because with WPA the only constraint is the 8 chars, but there aren't rules for mixed case or numbers/symbols. I have very limited samples of both in terms of WPA and files to base my theory on, so I could be way off base, but I feel like without forced policy there is a better chance at exclusive use of base words, usually two or three words or a short phrase of smaller words.
The flipside argument is that the more people are trained to make their pw's on their web services and such more complex, that habit spills over. But using the wordlists generated from leaked website dumps I don't get very good results from WPA compared to using scratch-built lists made up of base words. I don't have great results either way, but if people were using similar passwords for WPA (and likewise files) you would expect to see more crossover success. I believe since WPA and often pw-protected files are designed to be shared, people don't use the same passwords, and they often make them easily verbally repeated, like a phrase or a couple words, perhaps with some numbers appended more often than a mixed case, number and symbol combo.
Again, my samples are too small to tell if these hunches hold water, so it'd be nice to hear from those who have been researching this longer with more data to point to any particular conclusions or to share lists or rules that can be used to test against our hashes to see if they show similar results.