[Cryptography] Checking for the inadvertent use of test keys

Ray Dillinger bear at sonic.net
Wed Sep 2 14:50:22 EDT 2015



On 09/02/2015 09:34 AM, John Denker wrote:
> On 09/02/2015 12:00 AM, Peter Gutmann wrote:
>> Let's say you've got some key-consuming code that's supposed to be fed random
>> keys and you want to catch inadvertent use of test keys and nonces, strings
>> like "012345678" and "\x01\x23\x45...", that sort of thing.  

 clip

> Existing password dictionaries were compiled largely by
> observation, e.g. by stealing passwords from vulnerable
> sites and adding them to the dictionary.


In fact I have such a file available.  It contains ten million
UserID/Password pairs from a banking system which leaked the
information to crackers about eight years(?) ago. The file
was later recovered and entered the public domain as trial
evidence, long after all the customers involved had been
required to change their passwords. I can make it available
to you if you'd like.

In many cases the UserIDs are more apparently-random than the
passwords.  Evidently obscenities of four to twelve characters
are better bets than most for a password guesser; perhaps
people find them more memorable.

				Bear
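
One way to implement the check Peter Gutmann asks about in the quoted text, written here as an added example rather than code from any poster on this thread. It rejects candidate keys that look like test data: a constant byte, an arithmetic byte sequence such as `01 23 45 67 ...`, a short block repeated to length, printable ASCII, an unusually flat byte histogram, or a prefix from a small blocklist. The blocklist, the entropy threshold and the function names are assumptions; the two blocklist entries that mirror the quoted post are the only values taken from the page.

```python
import math
from collections import Counter

# Constructed blocklist (assumption). The first two entries mirror the strings
# named in the quoted post; the zero and 0xff runs are common additions.
KNOWN_TEST_PREFIXES = (
    b"012345678",
    bytes.fromhex("0123456789abcdef"),
    b"\x00" * 8,
    b"\xff" * 8,
)


def is_constant(key: bytes) -> bool:
    """Every byte identical (00 00 00 ..., ff ff ff ...)."""
    return len(set(key)) == 1


def is_arithmetic(key: bytes) -> bool:
    """Consecutive bytes differ by a constant stride mod 256 (01 23 45 ..., 30 31 32 ...)."""
    if len(key) < 3:
        return False
    stride = (key[1] - key[0]) % 256
    return all((key[i + 1] - key[i]) % 256 == stride for i in range(len(key) - 1))


def shortest_period(key: bytes) -> int:
    """Smallest p such that key is its first p bytes repeated; p == len(key) means no repetition."""
    n = len(key)
    for p in range(1, n):
        if n % p == 0 and key[:p] * (n // p) == key:
            return p
    return n


def byte_entropy(key: bytes) -> float:
    """Shannon entropy of the byte histogram in bits per byte (at most log2(len(key)))."""
    n = len(key)
    return -sum(c / n * math.log2(c / n) for c in Counter(key).values())


def is_printable_ascii(key: bytes) -> bool:
    """A key typed in as text rather than generated as random bytes."""
    return all(0x20 <= b < 0x7F for b in key)


def check_key(key: bytes) -> list:
    """Return the list of test-key indicators that fire; an empty list means nothing suspicious."""
    findings = []
    if any(key.startswith(p) for p in KNOWN_TEST_PREFIXES):
        findings.append("known-test-pattern")
    if is_constant(key):
        findings.append("constant")
    elif is_arithmetic(key):
        findings.append("arithmetic-sequence")
    if shortest_period(key) < len(key):
        findings.append("repeated-block")
    if is_printable_ascii(key):
        findings.append("printable-ascii")
    # A random n-byte key has byte entropy close to log2(n); half of that is an
    # assumed threshold that a genuinely random key essentially never falls below.
    if byte_entropy(key) < 0.5 * math.log2(len(key)):
        findings.append("low-byte-entropy")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the two patterns from the quoted post, a repeated block,
    # a typed passphrase, and one random-looking key that should pass clean.
    for k in (b"012345678",
              bytes.fromhex("0123456789abcdef0123456789abcdef"),
              b"\x00" * 16,
              b"correct horse battery staple",
              bytes.fromhex("8f3a91c7d2e45b0617a9f3c2d8e16b47")):
        print(k.hex(), check_key(k) or "ok")
```

In a key-consuming API the natural place for this is the constructor or `set_key` path, failing closed on any non-empty result; the arithmetic and period checks are what catch the textbook vectors, while the entropy test is a coarse backstop for hand-edited keys that do not match a fixed pattern.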
