Dictionary for long passwords - Tips and ideas
#3
(08-03-2018, 12:33 PM)DanielG Wrote:
(08-03-2018, 12:10 PM)eriden Wrote: My initial thought was that people using passwords of 16+ characters in length would mostly use pass phrases (i.e. "I love my two dogs!"). So perhaps combining words in a common wordlist would be a way to go? Right now I have created a list of approx 650k+ words, names, dates etc. Would combining these be a way to go?

Yes, this would be a logical assumption. I would advise, however, to do some quick maths to check if it is feasible. Assuming a list of 650k where words are around 5 chars average, you would need 3 words to get to around 16 chars. This makes 650000 to the power of 3 possibilities, which is 274625000000000000. On a GTX 1070Ti FE (40000 MH/s for NTLM) this would take 80 days to process.
This is just adding 3 random words in your list and excluding adding small words like "I, a, am, the, etc" or complexity such as numbers and special characters to make 'real' sentences. Adding those small words or complexity would multiply this number of days fast.

See https://nakedsecurity.sophos.com/2012/03...ssphrases/ where Cambridge University tried a dictionary attack using lists of movie titles, sports team names, and dozens of other types of proper nouns crawled from Wikipedia, along with idiomatic phrases crawled from sources including Urban Dictionary.

This would be more efficient (although more difficult) than trying random words and hoping they make sentences that people would use.

Thank you so much for an elaborate reply. You make a good point regarding the amount of possible combinations. The article you refer to is also very interesting. Do you happen to know if the wordlists used in the article are published anywhere?

Your reply got me thinking...

What about generating a wordlist using movie titles, sport team names, books, names of places and people, as well as commonly used words from a dictionary. And then combining this into passphrases using for instance the Diceware Method. Finally using a rule set to create various combinations from the pass phrases such as uppercase letters, adding symbols/years etc. Would this be a sensible approach?

If so, I have a couple more questions:
* Do you know if there is a decent tool/script that creates passphrases from a list of words?
* Any rule sets that you would recommend? (because of the password complexity requirements)


Messages In This Thread
RE: Dictionary for long passwords - Tips and ideas - by eriden - 08-08-2018, 10:13 AM