[cryptography] Password Blacklist that includes Adobe's Motherload?

Jeffrey Goldberg jeffrey at goldmark.org
Fri Nov 15 14:35:07 EST 2013


On 2013-11-15, at 1:33 AM, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:

> So if we find (and I haven’t correlated what I’m
> working on with actual passwords, so now this is hypothetical)
> that ioxG6CatHBw appears for the last block of the encryption
> of “password1”, then we know that that is the encryption of “1”
> plus padding.

Let me spell that out with real data.

Jeremi Gosney of The Stricture Group has worked out that

  2fca9b003de39778d23e6fe47a8c787c

corresponds to “password1”, based on the techniques I described. (There
were 28350 instances of it in the data.) As that is a nine character
password, ending in “1” we now know that d23e6fe47a8c787c is the
encryption of “1” + padding.

So a quick (well nothing is quick with data this size) awk gives me

$ awk '$3 ~ /d23e6fe47a8c787c/ { sum += $2; ++count}; END {print sum, count}' password-ranked.txt 
1835669 927185

So we’ve got about 900K distinct nine character passwords that end with
“1” and these are used for about 1.8 million accounts. (I said “about”
because my matching would also hit 17, 25, … character passwords ending
in 1.)

I should point out that the kind of stuff I’m describing here was done
first (as far as I know) and more systematically by Steve Thomas,
https://twitter.com/Sc00bzT. Indeed, he is the one who spotted that this
was ECB encrypted with a 64 bit block size. Adobe later confirmed that
it was 3DES. (Though if they are lying and it is actually just DES,
then hunting for the key might be worthwhile.)

At any rate, despite knowing that there are 56 million distinct
passwords in that dump, we don’t know what most of them are. So
this can’t be used to create a blacklist.

Cheers,

-j
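The block-alignment trick the post walks through (a known password fixes the ciphertext of its final "1" + padding block under 64-bit ECB, and that block can then be counted across the whole dump) can be reproduced end to end on constructed data. The following is an added example, not code from the post or from Jeremi Gosney or Steve Thomas; it uses a keyed BLAKE2b truncated to 8 bytes as a stand-in for 3DES (the real cipher is not needed, and the stand-in is not even invertible; ECB's equal-plaintext-block, equal-ciphertext-block property is the only thing at work), assumes PKCS#7-style padding since the post does not name Adobe's scheme, and builds its own `password-ranked.txt`-shaped lines (`rank count hex`) so the `awk` logic on `$2` and `$3` can be mirrored in `sum_and_count`. The constructed list also includes a 17-character password ending in "1" to show the "about" caveat from the post.

```python
import hashlib

BLOCK = 8  # 64-bit block size, as spotted in the Adobe dump
KEY = b"constructed-demo-key"  # constructed; any key gives the same pattern leak


def pad(pw: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of 8-byte blocks.
    Assumption: the post does not state Adobe's padding; any deterministic
    scheme leaks the same way under ECB."""
    n = BLOCK - (len(pw) % BLOCK)
    return pw + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every padded block goes through the same keyed function
    independently, so equal plaintext blocks give equal ciphertext blocks.
    Stand-in block function: keyed BLAKE2b truncated to 8 bytes (NOT 3DES)."""
    padded = pad(plaintext)
    return b"".join(
        hashlib.blake2b(padded[i:i + BLOCK], key=key, digest_size=BLOCK).digest()
        for i in range(0, len(padded), BLOCK)
    )


def last_block_hex(ct_hex: str) -> str:
    """Final 64-bit block of a hex-encoded ECB ciphertext (16 hex characters)."""
    return ct_hex[-2 * BLOCK:]


def build_ranked_lines(key: bytes, entries):
    """Constructed stand-in for password-ranked.txt: 'rank count ciphertext_hex',
    i.e. the $2 (count) and $3 (hex) fields the awk one-liner reads."""
    ordered = sorted(entries, key=lambda e: -e[1])
    return [
        f"{rank} {count} {ecb_encrypt(key, pw.encode()).hex()}"
        for rank, (pw, count) in enumerate(ordered, start=1)
    ]


def sum_and_count(lines, tail_hex: str):
    """Mirror of: awk '$3 ~ /TAIL/ { sum += $2; ++count }; END { print sum, count }'"""
    total = count = 0
    for line in lines:
        _rank, n, ct_hex = line.split()
        if tail_hex in ct_hex:  # awk's ~ matches anywhere in the field
            total += int(n)
            count += 1
    return total, count


def demo():
    # Constructed sample: (password, number of accounts using it)
    entries = [
        ("password1", 28350),       # 9 chars: last block is "1" + 7 bytes of padding
        ("baseball1", 1200),        # same shape, so the same last block under ECB
        ("iloveyou1", 900),
        ("abcdefghijklmnop1", 3),   # 17 chars ending in "1": also matches (the "about" caveat)
        ("welcome1", 5000),         # 8 chars: last block is a full padding block
        ("qwerty123", 4000),        # 9 chars ending in "3": different last block
        ("letmein", 7000),          # 7 chars: a single block
    ]
    lines = build_ranked_lines(KEY, entries)
    # Step 1: one known pair ("password1") pins down the ciphertext of "1" + padding.
    tail = last_block_hex(ecb_encrypt(KEY, b"password1").hex())
    # Step 2: every ciphertext containing that block ends in "1" + padding.
    return sum_and_count(lines, tail)


if __name__ == "__main__":
    total, count = demo()
    print(total, count)
```

With the constructed data the match picks up the three nine-character passwords ending in "1" plus the seventeen-character one, and none of the others; swapping the stand-in block function for real 3DES changes the hex values but not which lines match, which is exactly why no key recovery is needed for this kind of analysis.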

