Re: Word lists for passphrases
At 09:43 PM 7/8/96 -0700, you wrote:
If the purpose is for use with "Crack" or some similar program, it might be better than you would think. You won't get the "unusual" words, but you will also get the words in common usage that do not appear in dictionaries. (Such as fnord, jedi, killfile, and the like...)
"fnord" is in _my_ dictionary - can't you find it in yours? :-)
Another thing to look for when choosing dictionaries/wordlists for crack is not sticking to english. If you have a userbase that is known to have a certain percentage of people of a non-english background, you will want to find lists of words from that background. (I had a sysadmin asking me about Yiddish and Hebrew wordlists for just that reason.) These can be a bit harder. (Especially for unusual languages.)
Grady Ward has his Moby Words databases with some of this kind of information. In addition to the usual sets of languages, it's useful to include any available lexicons of Elvish, Klingon, Unix, and other popular hacker-languages, plus any names you can scam off MUDs, etc. # Thanks; Bill # Bill Stewart +1-415-442-2215 stewarts@ix.netcom.com # http://www.idiom.com/~wcs # Re-delegate Authority!
At 12:45 AM -0700 7/15/96, Bill Stewart wrote:
At 09:43 PM 7/8/96 -0700, you wrote:
If the purpose is for use with "Crack" or some similar program, it might be better than you would think. You won't get the "unusual" words, but you will also get the words in common usage that do not appear in dictionaries. (Such as fnord, jedi, killfile, and the like...)
"fnord" is in _my_ dictionary - can't you find it in yours? :-)
Another thing to look for when choosing dictionaries/wordlists for crack is not sticking to english. If you have a userbase that is known to have a certain percentage of people of a non-english background, you will want to find lists of words from that background. (I had a sysadmin asking me about Yiddish and Hebrew wordlists for just that reason.) These can be a bit harder. (Especially for unusual languages.)
Grady Ward has his Moby Words databases with some of this kind of information. In addition to the usual sets of languages, it's useful to include any available lexicons of Elvish, Klingon, Unix, and other popular hacker-languages,
It is pretty easy to defend against dictionary attacks by using an expanded character set--mixed caps and lower case; numbers substituted for some letters according to easily-remembered personal rules. "Da5id" in "Snow Crash" by Neal Stephenson is an obvious example, since the "v" is a roman numeral 5. Another is the "Compuserve method" of inserting punctuation characters between words making up a password or key. Since the length of the words used is unknown to the cracker, this makes his job harder. That is--a dictionary which accomodates such things as the above will be pretty large. With the number rule, there would have to be 10 additional versions of the one-letter word, 10 versions of each leading character making up a two letter word, and then it starts increasing combinatorially. Might as well use brute force. David
| It is pretty easy to defend against dictionary attacks by using an expanded | character set--mixed caps and lower case; numbers substituted for some | letters according to easily-remembered personal rules. | | "Da5id" in "Snow Crash" by Neal Stephenson is an obvious example, since the | "v" is a roman numeral 5. Another is the "Compuserve method" of inserting | punctuation characters between words making up a password or key. Since the | length of the words used is unknown to the cracker, this makes his job | harder. You should on the other hand be able to use the username as an indicator of what kind of password it is; user "warez" / pass "warez" (but better check the home directory for MS Word) user "l0pht" / pass "'l33t" user "feh" / pass "uk4n+r3dt13" (look for zines) Actually, these kids believe the language they use are hiding them, but I bet that the letter digrams they present is a immediate marker of "H4k3rz". It's definitively better than searching for normal "elite, hacker, phracker, exploit". I just used "l33t" (52), "d00d" (742), "h4qu3r" (5), "sux" (4053) on AltaVista, to name a few. -cwe
participants (3)
-
Bill Stewart -
Christian Wettergren -
David Sternlight