03-24-2012, 05:09 AM
If you see a hash show up many times in a dump, it's almost always (in my experience) going to be a rather weak password, and usually something that breaks with an initial quick brute sweep. IMO, for a "best64" type rule list, the spirit of it should be to make rules that will apply to the widest range of unique hashes so that you have more information to begin analysis with and/or a fingerprint type of attack. A rule that got you 100 unique hashes would be much better for continued analysis than a rule that got 1000 of the same hash (only cracked one actual plain).
I do agree though that for some analysis purposes, like those for Markov models, the non-uniq'ed list would be more beneficial.
I do agree though that for some analysis purposes, like those for Markov models, the non-uniq'ed list would be more beneficial.