Passphrase Dictionary?

Anything else. Come in, say hi!
  • Ads

Passphrase Dictionary?

Postby aliby » Mon Feb 20, 2012 1:11 pm

Hey all,

I was curious if anyone knew of a dictionary/wordlist of common passphrases (14+ characters).

I've tried a few dictionary attacks, including using RockYou with mangling rules, double words (passwordpassword), etc. Any other thoughts or ideas on how to break some longer passphrases would be great :-)

Posts: 13
Joined: Sat Jan 09, 2010 4:15 pm

Re: Passphrase Dictionary?

Postby Bitweasil » Mon Feb 20, 2012 3:11 pm

I was playing around with the concept of merging wordlists with the Wordyforcer in SVN, but I never got performance up where it needed to be to really be useful.

I might try that again once the new framework is done.

Passphrases are still pretty good.
Site Admin
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Passphrase Dictionary?

Postby frosty » Tue Nov 06, 2012 11:57 am

I was thinking about this after thinking about the XKCD comic about password complexity of shorter "random" passwords with large charsets, vs the passphrase approach.

Obviously brute forcing a very long (say 14+ char) password even just lower alpha is a practical impossibility (at least right now), but that's obviously a pretty dumb way to attack that problem.

Could you take a standard dictionary attack and simply get it to try all possible combinations of common lower case words, a quick search says there's about 170,000 English words, so that would be a fairly good guess at dictionary size.

Assuming one of your words was <blank> an attack on passwords of length n words would search for all password combinations between 1 and n?

So to search where n=3 we'd also include all n=2, n=1 attempts as well?

170,000^3 = 4,913,000,000,000,000 permutations

If we make a wild assumption that overhead for the code to build the password list isn't a terribly big overhead for code execution time (especially if we dump our password list in very fast vRAM) and we assume a single GPU cracking at about 300M/sec for something like NTLM, that gives us an estimate of:

4,913,000,000,000,000 / 300,000,000
16,376,666 Seconds, about 190 days.

Not really feasible for someone with a single video card, but doable for distributed computing in fairly reasonable time frames, your 154B/sec rig from your blog would do that in about

4,913,000,000,000,000 / 154,000,000,000
31,902 seconds, about 9 hours!

So your admin password could be "reverse"+"systematic"+"encryption" (27 char) and that would be do-able. Although 4 words and above become practically infeasible again, so I guess it's a similar problem to passwords, without better (slower) encryption you need some minimum complexity from the user.
Posts: 39
Joined: Sat Sep 22, 2012 4:58 pm

Re: Passphrase Dictionary?

Postby Bitweasil » Tue Nov 20, 2012 2:03 am

Thanks for doing the math on that - I had not done so.

It certainly looks interesting! I hope to play in this problem space soon...
Site Admin
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Return to General Chatter

Who is online

Users browsing this forum: No registered users and 1 guest