(08-03-2018, 12:10 PM)eriden Wrote: My initial thought was that people using passwords of 16+ characters in length would mostly use pass phrases (i.e. "I love my two dogs!"). So perhaps combining words in a common wordlist would be a way to go? Right now I have created a list of approx 650k+ words, names, dates etc. Would combining these be a way to go?
Yes, this would be a logical assumption. I would advise, however, doing some quick maths to check if it is feasible. Assuming a list of 650k where words are around 5 chars on average, you would need 3 words to get to around 16 chars. This makes 650000 to the power of 3 possibilities, which is 274625000000000000. On a GTX 1070Ti FE (40000 MH/s for NTLM) this would take 80 days to process.
This is just adding 3 random words from your list, and excludes adding small words like "I, a, am, the", etc. or complexity such as numbers and special characters to make 'real' sentences. Adding those small words or complexity would multiply this number of days fast.
See https://nakedsecurity.sophos.com/2012/03...ssphrases/ where Cambridge University tried a dictionary attack using lists of movie titles, sports team names, and dozens of other types of proper nouns crawled from Wikipedia, along with idiomatic phrases crawled from sources including Urban Dictionary.
This would be more efficient (although more difficult) than trying random words and hoping they make sentences that people would use.
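The feasibility estimate from the reply above, carried through as an added example (not part of the original post): it reproduces the 650000^3 figure and the roughly 80 days at 40000 MH/s, and goes one step further by counting how many combinations actually reach 16+ characters. The word-length histogram is constructed sample data and the function names are hypothetical.

```python
from collections import Counter

NTLM_RATE = 40_000 * 10**6  # 40000 MH/s, the rate quoted in the post

# Constructed sample: word length -> number of words (650,000 in total).
SAMPLE_HIST = {3: 50_000, 4: 120_000, 5: 200_000,
               6: 150_000, 7: 90_000, 8: 40_000}

def keyspace(list_size, words):
    """Ordered combinations of `words` entries from one list."""
    return list_size ** words

def days_to_exhaust(candidates, rate=NTLM_RATE):
    """Days to try every candidate at `rate` hashes per second."""
    return candidates / rate / 86_400

def count_by_length(length_hist, words, min_len, max_len):
    """Count `words`-word concatenations (no separators) whose total
    length lies in [min_len, max_len], without enumerating them."""
    totals = Counter({0: 1})  # total length so far -> number of ways
    for _ in range(words):
        step = Counter()
        for total, ways in totals.items():
            for wlen, n in length_hist.items():
                if total + wlen <= max_len:
                    step[total + wlen] += ways * n
        totals = step
    return sum(w for t, w in totals.items() if t >= min_len)

if __name__ == "__main__":
    size = sum(SAMPLE_HIST.values())
    for k in (2, 3, 4):
        total = keyspace(size, k)
        long_only = count_by_length(SAMPLE_HIST, k, 16, 64)
        print(f"{k} words: {total:.3e} candidates, "
              f"{days_to_exhaust(total):,.1f} days; "
              f"{long_only:.3e} are 16+ chars")
```

Each extra word multiplies the exhaust time by the list size, which is why a fourth word moves the estimate from days to tens of millions of days at the same rate.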