Word lists for passphrases

David Sternlight david at sternlight.com
Mon Jul 15 22:43:41 PDT 1996


At 12:45 AM -0700 7/15/96, Bill Stewart wrote:
>At 09:43 PM 7/8/96 -0700, you wrote:
>>If the purpose is for use with "Crack" or some similar program, it might be
>>better than you would think.  You won't get the "unusual" words, but you
>>will also get the words in common usage that do not appear in dictionaries.
>>(Such as fnord, jedi, killfile, and the like...)
>
>"fnord" is in _my_ dictionary - can't you find it in yours?  :-)
>
>
>
>>Another thing to look for when choosing dictionaries/wordlists for crack is
>>not sticking to English.  If you have a userbase that is known to have a
>>certain percentage of people of a non-English background, you will want to
>>find lists of words from that background.  (I had a sysadmin asking me about
>>Yiddish and Hebrew wordlists for just that reason.)  These can be a bit
>>harder.  (Especially for unusual languages.)
>
>Grady Ward has his Moby Words databases with some of this kind of information.
>In addition to the usual sets of languages, it's useful to include any
>available lexicons of Elvish, Klingon, Unix, and other popular
>hacker-languages,

It is pretty easy to defend against dictionary attacks by using an expanded
character set--mixed caps and lower case; numbers substituted for some
letters according to easily-remembered personal rules.

"Da5id" in "Snow Crash" by Neal Stephenson is an obvious example, since the
"v" is a Roman numeral 5. Another is the "Compuserve method" of inserting
punctuation characters between words making up a password or key. Since the
length of the words used is unknown to the cracker, this makes his job
harder.

That is--a dictionary which accommodates such things as the above will be
pretty large. With the number rule, there would have to be 10 additional
versions of the one-letter word, 10 versions of each leading character
making up a two letter word, and then it starts increasing combinatorially.
Might as well use brute force.

David
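
Added example, not part of the original message: a count of how many spellings a dictionary must carry under the rules described above, next to exhaustive search over printable ASCII. It assumes the personal rule is unknown, so any digit may stand in for any letter and each letter may be in either case, and that one punctuation mark joins adjacent words; the function names and the word list are constructed for illustration.

```python
import math
import string

SEPARATORS = len(string.punctuation)   # 32 ASCII punctuation marks
PRINTABLE = len(string.ascii_letters + string.digits) + SEPARATORS   # 94

def variants_per_word(length, mixed_case=True, digit_subs=True):
    """Spellings of one word of `length` letters when the rule is unknown:
    each position is the letter (in one or two cases) or any of 10 digits."""
    per_position = (2 if mixed_case else 1) + (10 if digit_subs else 0)
    return per_position ** length

def expanded_dictionary_size(words, **rules):
    """Entries needed to cover every variant of every word in the list."""
    return sum(variants_per_word(len(w), **rules) for w in words)

def passphrase_space(words, n_words, **rules):
    """Candidates for n_words expanded words joined by one separator each."""
    per_word = expanded_dictionary_size(words, **rules)
    return per_word ** n_words * SEPARATORS ** (n_words - 1)

def brute_force_space(max_len):
    """All printable-ASCII strings of length 1..max_len."""
    return sum(PRINTABLE ** n for n in range(1, max_len + 1))

def report(words, n_words):
    """Search-space sizes in bits for a passphrase of n_words words."""
    longest = max(len(w) for w in words)
    phrase_len = n_words * longest + (n_words - 1)   # longest possible phrase
    return {
        "plain_dictionary_bits": round(math.log2(len(words) ** n_words), 1),
        "expanded_dictionary_bits": round(
            math.log2(passphrase_space(words, n_words)), 1),
        "brute_force_bits": round(math.log2(brute_force_space(phrase_len)), 1),
    }

# Constructed sample word list (not taken from any real dictionary).
SAMPLE_WORDS = ["a", "at", "cat", "fnord"]

if __name__ == "__main__":
    for length in range(1, 6):
        print(length, variants_per_word(length, mixed_case=False),
              variants_per_word(length), PRINTABLE ** length)
    print(report(SAMPLE_WORDS, n_words=2))
```
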







