[cryptography] Password Blacklist that includes Adobe's Motherload?

dan at geer.org dan at geer.org
Wed Nov 13 23:31:04 EST 2013


> Is anyone aware of a blacklist that includes those 150 million records
> from Adobe's latest breach?
> 
> I tried finding a list and was not successful. Bonus points if
> implemented as a bloom filter (I'm interested in seeing how small that
> list can be in practice, and I'd like to use it for its small
> footprint).

I do not.

However, I was on the Committee that awarded Dr. Joseph Bonneau the
NSA's "best science of security paper" for 2012.[1]  His work, in
case you are not already familiar with it, was done under the
supervision of Ross Anderson and is entitled "The science of guessing:
analyzing an anonymized corpus of 70 million passwords" and can be
found at [2].  If you are perhaps thinking that doing the same study
again but on the Adobe corpus, then I'd be eager to read what you
come up with, to be sure.  Bonneau's paper is certainly careful and
detailed enough to enable a confirmatory study.

--dan


[1] www.nsa.gov/public_info/press_room/2012/cybersecurity_paper.shtml

[2] www.jbonneau.com/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf



More information about the cryptography mailing list