i suspect some people here don't really know in any detail how password cracking works.

you start with a dictionary. a good dictionary combines multiple passwords, slang, common patterns of keys on the keyboard, and old, known, passwords (so all the entries here will be added, for example).

but that's just the start. the cracking programs also have rules. in simple terms these can be "shift to upper case" or "combine two words from dictionary" or "reverse word" or "replace 'e' with '3'". and there are common sets of rules that people develop (and test) that do standard transformations like automatically making passwords "leet", or extending with common sequences (123), etc.

and you can automate this. so something like hashcat will generate <i>random</i> rules and apply them to the dictionary. because the rules are written so that they can be composed this is surprisingly powerful and probably explains some of the "harder" cracks on this list.

the only way to beat this, then, is to use random passwords (for example, as generated by keepass) and to make them large enough that just running through every combination doesn't work.

on size: what is important is the number of available combinations. systematic cracking - trying every possible combination - still uses common characters first so "size" is a combination of character variety <i>and</i> number of characters. again, something like keepass makes this easy.

finally, note that on some old or poorly maintained systems, you may be restricted (perhaps without knowing) to 8 characters. then using a wide range of characters is <i>critical</i>.

i know this is obvious to many, but some of the comments about "hard" passwords made me think it might be useful...
A few people seem to be commenting that the salt used for all of the passwords is the same.

This is not the case.

These are crypt(3) strings and the $1$ at the beginning signifies the <i>hash scheme</i> used, <i>not</i> the salt: $scheme$salt$hash. The 1 means that FreeBSD-MD5 is the algorithm used, which is basically MD5 with the salt iterated 1000 times.
A lot of them are just 6 characters. Even a random 6 character password can be brute forced in a few minutes. Many of the short ones were just single dictionary words, so wouldn't even get past the initial check for stupid passwords; they would fall in seconds.

Most of the longer ones seem to be simply combinations of a couple of dictionary words, or a word and a number, or similar fairly low entropy combinations that would come early in a brute forcer's search.

Most of the ones that aren't like that are based on simple patterns on the keyboard, which would also be in a brute forcer's list of things to check early.
This is a brute force / dictionary attack. Only "bad" passwords have been cracked.

My password isn't on the list; it's a randomly generated 17-char string of alphanumeric and mixed case characters.

Btw, you should all check out 1Password. Automates the process, syncs with all my devices and Dropbox, and integrates with all the major browsers.
Hot damn, some people have horrible passwords:

123456 -> 199 results.

password -> 118 results.

Who would use such weak passwords for an account with potential monetary value?
What you mean is that the ridiculously easy passwords have been cracked? Not really a surprise considering they have been out for so long.

While I'm glad I do not have an account there, they would not have been able to crack my password :-)

Edit:

I am a fool, salted hashes are probably not in anyone's rainbow tables :)
I take it it's a straight up dictionary attack; I see no generated password with 32 chars in it. Guess this teaches you a lesson: 32 character generated password (or max pass size) as a requirement for 99% of sites. Now if only Windows had a standard password storage API which programs can access using special rules and special admin programs can manage this way, just like the web browser, we could have password stores for Windows + sync to cloud.
What kind of impact would having used something like SHA-512 with a 128 bit salt have had over MD5? How many more cycles do those take to generate? I assume the attacker had to brute force the salt from a known password as well; if that's sufficiently random that should provide some security as well, shouldn't it?
Couldn't find mine.. that's a comfort. =) Unfortunately most web based systems I've encountered have 20 chars as the max for a key. My new passphrase model is based on a 128 char key using two values piped through SHA-512. It works... but friendface probably won't accept it :)
Could someone help this newbie understand why proper salting doesn't make this hard enough? And how does the cracker know they have the right password? Wouldn't they need to check it against the authentication mechanism or figure out the algorithm?
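An added example (not from any commenter in this thread) in Python of the $1$ crypt(3) format described earlier and of the check the question above asks about: the salt sits in the clear in the stored string, so a verifier (and, equally, a guesser) recomputes MD5-crypt with that salt and compares the result against the stored hash. Per-password salting therefore only defeats precomputed tables; it does not slow down guessing one hash at a time. The known-answer vector is the MD5 example from the PHP crypt() manual.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def parse_crypt(s: str):
    """Split a crypt(3) string '$scheme$salt$hash' into its three fields."""
    _, scheme, salt, digest = s.split("$", 3)
    return scheme, salt, digest


def _to64(v: int, n: int) -> str:
    """crypt's base-64 variant: n characters, least significant 6 bits first."""
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def md5_crypt(password: str, salt: str) -> str:
    """FreeBSD MD5-crypt ($1$): MD5 stirred 1000 times with salt and password."""
    pw, sl = password.encode(), salt[:8].encode()   # salt is at most 8 chars
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                        # mix in one byte of alt per password byte
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                            # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):               # the work factor: 1000 dependent rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    return "$1$" + sl.decode() + "$" + out + _to64(final[11], 2)


def verify(password: str, crypt_string: str) -> bool:
    """What a login check does: recompute with the stored (public) salt and compare."""
    scheme, salt, _ = parse_crypt(crypt_string)
    if scheme != "1":
        raise ValueError("only the $1$ scheme is handled here")
    return md5_crypt(password, salt) == crypt_string


# Known-answer vector from the PHP crypt() documentation.
KNOWN = "$1$rasmusle$rISCgZzpwk3UhDidwXvin0"
```

The same `verify` loop run over a wordlist is all a cracker needs, which is why the thread's advice is long random passwords rather than trusting the salt.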
Here are the plain text passwords combined with their respective mail addresses: http://pastebin.com/RhheV8Gj