07-21-2016, 05:22 PM
(07-21-2016, 12:53 AM)Kgx Pnqvhm Wrote: The bigger question of whether we can do without certain rules isn't something I recall reading any research about. Since you (epixoip) and atom represent the practical opinion side, for the academic side I've posed the question to Matt Weir (@lakiw), of http://reusablesec.blogspot.com. (He may be too busy preparing for his next talk to answer.)
It is likely that with all those leaked lists, enough GPU rules may eventually create candidates that would've been created with CPU rules, but I'll leave that research to the researchers.
That's certainly something that I can look into. My gut feeling is that most of the missing rules will not have a big impact on cracking sessions. I just don't see too many people creating passwords by removing character classes. Aka while rare, deleting individual characters does happen (password -> pssword). Deleting classes of characters though ... (password -> paword), I'm skeptical that happens in more than a few cases.
Once again, this is my pure gut feeling with no tests behind it, but I expect you'll still get cracks with rules like that but they will mostly be due to it stretching your input dictionary. Aka 'paword' might be a new Pokemon type vs a user deleting the s's. If that's the case, a better way for cracking those passwords might be using Mask/Markov hybrid rules.
To help me out, do you have the full list of mangling rules that are no longer supported? Thanks!