p4ssw0rd analyzes the given password and gives a worst-case time to crack based
on known mutations used by password crackers and recovery software.

A basic demo is online at: http://www.2kx2k.com/p4ssw0rd

This is intended to check against offline attacks in a typical situation, where
passwords are salted and hashed with SHA-1 a single time. Crack time is given
for an online attack (1,000 guesses per second) and an offline attack
(1,000,000,000 guesses per second - a single modern GPU).

Entropy is not considered, since the tool runs a full dictionary-attack
simulation rather than estimating randomness.

"Random Password" functionality requires a password list - just put it in the
root directory as "random.txt". The demo uses the entire RockYou password leak.

Key graphs are based on concepts from Dan Wheeler's zxcvbn, which is one of the
best client-side password analyzers out there: https://github.com/lowe/zxcvbn
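As an added illustration (not p4ssw0rd's own code), the following Python sketch simulates the approach described above: walk a wordlist with a small set of cracker-style mutations, count how many guesses it takes to reach the password, and divide by the two guess rates the README quotes. The toy wordlist and the reduced mutation set are constructed for the example; a real run would load a full list such as random.txt.

```python
# Added example, not part of p4ssw0rd: crack-time estimate by counting guesses
# in a simulated dictionary + mutation attack (no entropy estimate involved).
import itertools

ONLINE_RATE = 1_000            # guesses/second for an online attack (from the README)
OFFLINE_RATE = 1_000_000_000   # guesses/second for one modern GPU (from the README)

# Constructed toy wordlist standing in for a real leak-derived list.
WORDLIST = ["password", "letmein", "dragon", "monkey", "qwerty"]

# Simplified leet table; real recovery tools use far larger mutation sets.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mutations(word):
    """Yield candidate guesses for one base word, cheapest variants first:
    the four case/leet forms, then each form with 1 and 2 appended digits."""
    bases = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    yield from bases
    for base in bases:
        for n in range(10):            # 10 one-digit suffixes
            yield f"{base}{n}"
        for n in range(100):           # 100 two-digit suffixes (00..99)
            yield f"{base}{n:02d}"


def guesses_needed(password, wordlist=WORDLIST):
    """Return the 1-based guess index at which the simulated attack hits
    `password`, or None if no base word + mutation produces it."""
    candidates = itertools.chain.from_iterable(mutations(w) for w in wordlist)
    for idx, guess in enumerate(candidates, start=1):
        if guess == password:
            return idx
    return None


def crack_times(password, wordlist=WORDLIST):
    """Return (guesses, online_seconds, offline_seconds), assuming the
    attacker tries guesses in the same order; None if never reached."""
    n = guesses_needed(password, wordlist)
    if n is None:
        return None
    return n, n / ONLINE_RATE, n / OFFLINE_RATE


if __name__ == "__main__":
    for pw in ("password", "Password1", "Dragon42", "zebra"):
        print(pw, "->", crack_times(pw))
```

Each word expands to 444 guesses here, so "letmein" (second word) is found on guess 445: under half a second online and well under a millisecond offline, which is the kind of result the README's "worst-case time" reports.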
Password lists:
ftp://ftp.openwall.com/pub/wordlists/
http://www.skullsecurity.org/wiki/index.php/Passwords
http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists
http://contest-2010.korelogic.com/wordlists.html

Theory:
http://www.troyhunt.com/2011/07/science-of-password-selection.html

Common mutations for recovery software:
http://blog.crackpassword.com/2009/04/smart-password-mutations-explained/
http://www.elcomsoft.com/help/ewsa/index.html?dictionary_mutations.html
http://www.passcape.com/windows_password_recovery_dictionary_attack
http://contest-2010.korelogic.com/rules.html