Brute Forcing Passwords and Word List Resources

Sunday, February 20, 2011

Rob Fuller


Brute force, even though it's gotten so fast, is still a long way away from cracking long complex passwords.

That's were word lists come in handy. It's usually the crackers first go-to solution, slam a word list against the hash, if that doesn't work, try rainbow tables (if they happen to have the tables for that specific hash type), and then the full on brute force.

Some would say those first two steps are reversed, and it really is the choice of the the person doing it and the word lists they have to work with.

Matt Weir and company created a cool tool that has the best of both worlds, Dictionary based Rainbow Tables with Dr-Crack, which you can find here:

But, back to the reason of this post, word lists. Where do you get them? Here are a couple of my favorite places in no particular order:

I like to keep 3 size word lists:

1. small and fast: usually based on the output of one of the tools i'm about to tell you about

2. medium: this is my custom list that I add passwords I find / crack and generally think are good to add. I'm pretty picky about what goes into this list

3. huge: any wordlist I come across gets added to this list, it gets sorted and uniqued and restored

Now the two tools that I like for the small list is are CeWL and wyd:

They have some very similar lists of features, your mileage may vary. But they basically parse files and web pages for words and generate password lists based on the words found.

Update on Sunday, February 21, 2010 at 1:57AM by Rob Fuller

I missed one hell of a treasure trove of word lists:

Right now, there list is this:

Update on Tuesday, March 30, 2010 at 12:19AM by Rob Fuller

Recent additions:

Update on Friday, February 11, 2011 at 3:01AM by Rob Fuller

Cross-posted from Room362

Possibly Related Articles:
Network Access Control
Passwords Pen Testing Access Control Penetration Testing Brute Force Word Lists
Post Rating I Like this!
Ben Keeley Had most of these but not the most recent ones, thank you. Excellent resource.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.