Goodbye weakpass, hello weakpass 1.0

About a year ago the weak pass project started. It’s never possessed to be “best from the best” or something like that, but made for only one purpose – dictionary that can be used for cracking that contains as much as possible wordlists at once. Without cracking with lots of wordlists and test  “qwerty” and “password” again-again and again, the dictionary that contains tons of unique passwords.  Also the main idea is to get fine results when you have no good hardware, GPU and much time.

Some history

First, there were so ideas:
  • Make dictionary compilation.
  • How many common passwords in dictionaries?
Because it was made for testing purposes, all site look like trash and dictionary were bad (there were ton’s of errors and never been used). Only one good feature was there – commonness in dictionaries. There was a statistic about how many `parts` of dictionaries were in each dictionary. Like (below just a sample):
rockyou.txt
Has:Is in:
 10mostcommon:100%crackstation.txt: 73%
 twitter_banned:90%crackstation-human_only.txt: 70%
 500_worst:100%InsideProFull:56%
 hashkiller:10%
Because of no practical usage, it was fully rebuilt.
There were made a lot of changes and improvements:
  • Make dictionary compilation.
  • Make wordlists stats that can be useful (pipal)
  • Testing dictionaries – to see how good can be dictionary for hash recovering. It was very simple – get couple of hash lists and try to crack them with dictionary. After that calculate how many passwords were recovered.
  • Make some side project for auto passwords collecting from various sources.
  • Create wordlist that is more effective to WPA/WPA2 cracking (passwords with length 8 and more)
At the beggining there was some rule –  add one dictionary each week.There was only one option to get weakpass – direct download and google drive(mostly for backup).
Fine presentation about weakpass:


The result wordlist contains about ~260 dictionaries and was really good for dictionary attacks. Especially in those cases when hashes were “fast” like md5, sha1, ntlm, netntlm and so on, it takes about a couple of minutes to get results.
It’s overall crack rating is 62.7% and size ~ 36 gb
After some time weakpass specially for wifi was made. It was the same as weakpass, but contains passwords from 8 to 32.
But there were some crucial disadvantages
  1. Size – it was really big and direct download is sometimes not an option.
  2. Tons of junk, that badly affected on recovery speed.
  3. Errors while in scripts, arhitecture and whole process.
  4. Many useless options.

weakpass_1

I tried to take into account the mistakes that were made during previous work and to make the project a global update.
What’s new:
  1. To reduce traffic load and disk space – everything were moved to dropbox
  2. List for testing was increased from ~8 to 50.
  3. Weakpass now contains passwords from 4 to 40 chars.
  4. Also it was splitted to parts – each part contains 200KK passwords.
  5. Result dictionary can be downloaded with dropbox, torrent and direct link.
  6. Removed some junk dictionaries.
  7. You can see on the main page the progress of dictionaries
As a result, weakpass_1 overall crack rating is 69.1% and size ~ 33 gb
weakpass_wifi_1 overall crack rating is 45.4%  and size ~ 31 gb. 
UPD 1:
Few days after release, there were so much traffic that:
“This email is an automated notification from Dropbox that your Public links have been temporarily suspended for generating excessive traffic.”



Usernames as passwords




Got some idea – why not to use “words” that come from the people themselves. It seems to me that 647t1io4ZQ77F2n password can be only got from generator, but something likeSuperRainbowUnicorne88 could be used as a nickname by someone. Or on the other hand it is known that some people use their names (and / or surname) + year of birth as their passwords. Something like:
sarah98
x_terminator_x2001
andy1996
sadstranger
And many others. All of them are not  invented by people. As there is still a great rule –that a good password, is such that is difficult to remember. I think that when someone creates a login or uniq username, he spends the same amount of time, how much and to create a password. Therefore, why not use “human” potential to create a dictionary.
For test there were taken 10 leaked lists (all of them can be found on hashes.org). I took already cracked lists:
  • 3H4rm0ny
  • Bl1zz4rd.c0m.u4
  • bullch40nl1n3.c0m
  • Dh00l.txt
  • FFGB34ch.txt
  • Pr0j3c7 H3llf1r3.txt
  • Pr0j3c7 Wh173f0x.txt
  • R007k17.c0m.txt
  • S7r47f0r.txt
  • vegastripping.com.txt
As  passwords, logins/usernames/nicknames were taken from next sites:
NameCount
enjin4 156 091
fanfiction.net6 889 524
instagram872 653
roblox30 629 912
tetrisfriends1 636 438
twitter7 358 502
world_of_warcraft1 009 864
vk.com7 891 524
random_social153 500 497
Each of them was used as a standard dictionary. Just as the second type of testing – for each of them was applied best64.rule ( oclhashcat  was used). In order to understand the “success” of  decryption, there  were selected three popular dictionaries ( rule-based attack was not applied to them):

Testing

So let’s see how “usernames” succeed in this. In each table columns I, M ,U means how many nonsimilar “passwords” between lists:
I – InsideProFull
M – MegaCracker
U -uniqpass

3H4rm0ny.txt

Total count: 1492863
InsideProFull: 1100822
MegaCracker: 295345
uniqpass: 19816
List name3H4rm0ny.txt
wordlist
FoundIMU
enjin69017227685
fanfiction.net50819152504
instagram2000
random_social1330310
roblox743732431887394
tetrisfriends77626223775
twitter9155589
vk.com1000
world_of_warcraft5114

List name3H4rm0ny.txt
base64.rule
FoundIMU
enjin4224314591412542183
fanfiction.net4508626501469845018
instagram138811655315713835
random_social110060249248322109544
roblox195481975690266195190
tetrisfriends3444112691104134402
twitter15012409609114949
vk.com352229581202535153
world_of_warcraft10339402232310338
So without any rules – only usernames can crack less than 0.1% of all data. But when used rules – the success rate is much better. Also, there are a lot of uniq passwords that are not present in dictionaries  (InsidePro, uniqpass, megacracker).

 Bl1zz4rd.c0m.u4

Total count: 14561
InsideProFull: 8964
MegaCracker: 7002
uniqpass: 1809

List nameBl1zz4rd.c0m.u4
wordlist
FoundIMU
enjin95017
fanfiction.net105017
instagram23000
random_social3655370
roblox2491106
tetrisfriends53012
twitter0000
vk.com98070
world_of_warcraft21015

List nameBl1zz4rd.c0m.u4
base64.rule
FoundIMU
enjin26232030
fanfiction.net26821728
instagram126142
random_social6301810432
roblox497115335
tetrisfriends18631020
twitter18021517
vk.com32663917
world_of_warcraft8631319
Even with rules, “usernames” have bad luck with this list.

 bullch40nl1n3.c0m.txt

Total count: 1009
InsideProFull: 430
MegaCracker: 375
uniqpass: 433
List namebullch40nl1n3.c0m.txt
wordlist
FoundIMU
enjin39000
fanfiction.net34000
instagram18000
random_social133495
roblox89232
tetrisfriends22000
twitter1111
vk.com28032
world_of_warcraft14000
List namebullch40nl1n3.c0m.txt
base64.rule
FoundIMU
enjin101676
fanfiction.net97686
instagram78111
random_social318428043
roblox232264726
tetrisfriends76566
twitter86564
vk.com114131614
world_of_warcraft31322
Same as Bl1zz4rd.c0m.u4. But with rules up to 30% crack rate.


Dh00l.txt

Total count: 12002
InsideProFull: 6403
MegaCracker: 6252
uniqpass: 2868

List nameDh00l.txt
wordlist
FoundIMU
enjin351165
fanfiction.net368045
instagram184010
random_social938116916
roblox6443227
tetrisfriends279023
twitter4000
vk.com3732134
world_of_warcraft216042
List nameDh00l.txt
base64.rule
FoundIMU
enjin932124944
fanfiction.net987144853
instagram655102720
random_social1612115259159
roblox141872163109
tetrisfriends794164638
twitter868205142
vk.com10813810161
world_of_warcraft603133226


FFGB34ch.txt

Total count: 133632
InsideProFull: 91396
MegaCracker: 80212
uniqpass: 87992
List nameFFGB34ch.txt
wordlist
FoundIMU
enjin127591284451443
fanfiction.net163832777211778
instagram81649515850
random_social378629832497970
roblox42732236942633011
tetrisfriends15885183353611
twitter242314439
vk.com15079176449190
world_of_warcraft754436181668
List nameFFGB34ch.txt
base64.rule
FoundIMU
enjin46596168135315031
fanfiction.net55197270850726483
instagram3111691819481897
random_social756466812121999677
roblox85559101911607214423
tetrisfriends51990235045405799
twitter35777126525363445
vk.com49963256148464193
world_of_warcraft2887870416472778
Pretty awesome – most of the lists with rules can crack this list up to 60%. Even without base64 – roblox usernames recover 31% of hashes. Also, there are many passwords that are not present in specialized dictionaries.

 R007k17.c0m

Total count: 56805
InsideProFull: 53709
MegaCracker: 54487
uniqpass: 50090

List nameR007k17.c0m
wordlist
FoundIMU
enjin6757023421
fanfiction.net5935021415
instagram41211120
random_social163971261
roblox1142900241
tetrisfriends476600155
twitter100012
vk.com7793340
world_of_warcraft4148114216

List nameR007k17.c0m
base64.rule
FoundIMU
enjin17466232986
fanfiction.net17057128961
instagram12159226221
random_social28028632905
roblox255414291226
tetrisfriends14953026750
twitter12802430544
vk.com18781729509
world_of_warcraft11425325601
Most of lists can crack with result near 20%.

S7r47f0r.txt

Total count: 770093
InsideProFull: 64119
MegaCracker: 133714
uniqpass: 140342
List nameS7r47f0r.txt
wordlist
FoundIMU
enjin113701081301935
fanfiction.net109781071402179
instagram725342240
random_social287779265690
roblox227538074111352
tetrisfriends90627861787
twitter21224922
vk.com130261431180
world_of_warcraft738122411030
List nameS7r47f0r.txt
base64.rule
FoundIMU
enjin3630419788945127
fanfiction.net3655319749015220
instagram241798483681012
random_social56461774527454474
roblox54970683825036447
tetrisfriends3232614807003904
twitter2498710354912757
vk.com37569264010462281
world_of_warcraft237749484493306

vegastripping.com.txt

Total count: 3940
InsideProFull: 3028
MegaCracker: 2852
uniqpass: 1595
List namevegastripping.com.txt
wordlist
FoundIMU
enjin4504732
fanfiction.net4422529
instagram254232
random_social80410259
roblox677122623
tetrisfriends3582310
twitter3000
vk.com457031
world_of_warcraft256109
List namevegastripping.com.txt
base64.rule
FoundIMU
enjin965275085
fanfiction.net977173580
instagram724151829
random_social128974126120
roblox132482140152
tetrisfriends920223973
twitter707101944
vk.com980356165
world_of_warcraft675131849

So is it possible to get good results with hashes recovery by creating dictionaries from collecting usernames/logins and other info that can be easily gotten from  public?  I think yes, because this info is generated by humans – not “machines”. Especially with good rules, someone can get good results while craking hashes.