Clan x86

General Forums => General Discussion => Topic started by: iago on November 07, 2010, 10:08:20 AM

Title: Passwords for porn sites!
Post by: iago on November 07, 2010, 10:08:20 AM
So, I was doing some research last night, and I found something funny that I wanted to share. I posted this on Twitter, too, and I'm going to be including it in a couple talks I'm doing (if they post videos of the talks, I'll link them).

Anyway, I generated a bunch of dictionaries (http://www.skullsecurity.org/wiki/index.php/Passwords#Miscellaneous_non-hacking_dictionaries) for cracking passwords (bruteforcing guessing hashes -> passwords). I have, for example, US cities (http://downloads.skullsecurity.org/passwords/us_cities.txt), human names (from Facebook), English words (http://downloads.skullsecurity.org/passwords/english.txt), German words (http://downloads.skullsecurity.org/passwords/german.txt), etc. Yesterday, I decided to generate one that's based on the Holy Bible (http://downloads.skullsecurity.org/passwords/bible-withcount.txt) (the King James version, for what it's worth). Then I tested it against the various password breaches I've collected to see what it's most effective against.

Now, I expected it to work well against the passwords from singles.org (http://downloads.skullsecurity.org/passwords/singles.org-withcount.txt) and Faithwriters (http://downloads.skullsecurity.org/passwords/faithwriters.txt), because they're religious sites. And it did -- over 8% of people at each of those sites used a variation of a Biblical word as their passwords. What surprised me, though, is that one site did better -- 12% of people from a porn site (http://downloads.skullsecurity.org/passwords/porn-unknown-withcount.txt) used a variation of a biblical term as their password.

No other sites came close to the religious sites or porn site.

So, what do you think? Most people who like porn are sex-deprived Christians? People at porn sites choose biblical passwords out of guilt? Huge coincidence? :)
Title: Re: Passwords for porn sites!
Post by: Ender on November 07, 2010, 11:53:25 AM
Don't leave us hanging iago. Tell us the passwords!
Title: Re: Passwords for porn sites!
Post by: iago on November 07, 2010, 12:06:38 PM
See those light blue words in my post? Most of them are links to the dictionaries. The blue words 'porn site' is the list of passwords from the porn site.
Title: Re: Passwords for porn sites!
Post by: Ender on November 07, 2010, 04:13:07 PM
Quote from: iago on November 07, 2010, 12:06:38 PM
See those light blue words in my post? Most of them are links to the dictionaries. The blue words 'porn site' is the list of passwords from the porn site.


So I went to singles.org, and I typed in 221 for User ID and 123456 for password. (I got this from the link called 'singles.org' in blue.) But it didn't work...

What's the porn site, btw?
Title: Re: Passwords for porn sites!
Post by: MyndFyre on November 07, 2010, 05:15:30 PM
Maybe I'm not understanding your approach correctly, but I was under the impression that the Bible covered a lot of the English language, doesn't it?  It's kind of like the pigeonhole principle, no?
Title: Re: Passwords for porn sites!
Post by: iago on November 07, 2010, 05:46:03 PM
Quote from: Ender on November 07, 2010, 04:13:07 PM
Quote from: iago on November 07, 2010, 12:06:38 PM
See those light blue words in my post? Most of them are links to the dictionaries. The blue words 'porn site' is the list of passwords from the porn site.


So I went to singles.org, and I typed in 221 for User ID and 123456 for password. (I got this from the link called 'singles.org' in blue.) But it didn't work...

What's the porn site, btw?
221 isn't the user id, and I don't release user ids. That would be unethical. 221 is the count (the number of people who used that password).

I'm doing this to study passwords, not to break into sites.
Title: Re: Passwords for porn sites!
Post by: iago on November 07, 2010, 05:47:43 PM
Quote from: MyndFyre on November 07, 2010, 05:15:30 PM
Maybe I'm not understanding your approach correctly, but I was under the impression that the Bible covered a lot of the English language, doesn't it?  It's kind of like the pigeonhole principle, no?
Yes, to some degree, but different sets of words work remarkably differently against different sites. The fact that most of the words are English balances out and the differences show up more.

It IS hard to come up with good numbers for comparison, though, for that exact reason. I generally try to keep stuff relative and not assign exact numbers.
Title: Re: Passwords for porn sites!
Post by: dark_drake on November 10, 2010, 10:15:38 PM
I'm curious as to how you have access to this list of passwords. Is it from people hacking the databases and then releasing the data? Or do your employers get them for studies? I'm so confused.
Title: Re: Passwords for porn sites!
Post by: iago on November 10, 2010, 10:51:28 PM
Quote from: dark_drake on November 10, 2010, 10:15:38 PM
Is it from people hacking the databases and then releasing the data?
Yes. It's often difficult to find the hacked databases, but when I get ahold of them I mirror 'em and make it easy. :)
Title: Re: Passwords for porn sites!
Post by: Ender on November 11, 2010, 02:32:58 AM
Quote from: MyndFyre on November 07, 2010, 05:15:30 PM
Maybe I'm not understanding your approach correctly, but I was under the impression that the Bible covered a lot of the English language, doesn't it?  It's kind of like the pigeonhole principle, no?

Not at all. A lot of the English language comes from Latin and French. The influence of both these languages on English comes after the writing of the Bible. I think Latin was mostly assimilated during the Middle Ages, and French came with William the Conqueror in 1066 (don't ask me how I know that date lol).

Also... the Bible was written in Greek (New) and Hebrew (Old). So you're saying the translations helped define/legitimize the English language? Perhaps... but the problem with that is so did Shakespeare... so there are just so many sources for English vocabulary.
Title: Re: Passwords for porn sites!
Post by: GameSnake on November 11, 2010, 04:44:32 PM
LOL.
Title: Re: Passwords for porn sites!
Post by: while1 on November 15, 2010, 08:11:32 AM
Quote from: iago on November 07, 2010, 05:47:43 PM
Quote from: MyndFyre on November 07, 2010, 05:15:30 PM
Maybe I'm not understanding your approach correctly, but I was under the impression that the Bible covered a lot of the English language, doesn't it?  It's kind of like the pigeonhole principle, no?
Yes, to some degree, but different sets of words work remarkably differently against different sites. The fact that most of the words are English balances out and the differences show up more.

It IS hard to come up with good numbers for comparison, though, for that exact reason. I generally try to keep stuff relative and not assign exact numbers.


While the English Bible of course contains a lot of vocabulary from the English vocabulary, it also contains a significant subset of vernacular that may not exist as a whole in any one English dictionary (since there is no one universal English dictionary because the language consists of many subsets of dialects and contexts from modern English to Old English).  I would think that it is the association of the elements in this subset of vocabulary and vernacular that is more important.  I haven't looked at any of iago's linked data, but I would bet that it's specifically the biblical nouns that are the key distinguishing elements of success.
Title: Re: Passwords for porn sites!
Post by: Sidoh on November 15, 2010, 12:55:05 PM
Quote from: while1 on November 15, 2010, 08:11:32 AM
Quote from: iago on November 07, 2010, 05:47:43 PM
Quote from: MyndFyre on November 07, 2010, 05:15:30 PM
Maybe I'm not understanding your approach correctly, but I was under the impression that the Bible covered a lot of the English language, doesn't it?  It's kind of like the pigeonhole principle, no?
Yes, to some degree, but different sets of words work remarkably differently against different sites. The fact that most of the words are English balances out and the differences show up more.

It IS hard to come up with good numbers for comparison, though, for that exact reason. I generally try to keep stuff relative and not assign exact numbers.


While the English Bible of course contains a lot of vocabulary from the English vocabulary, it also contains a significant subset of vernacular that may not exist as a whole in any one English dictionary (since there is no one universal English dictionary because the language consists of many subsets of dialects and contexts from modern English to Old English).  I would think that it is the association of the elements in this subset of vocabulary and vernacular that is more important.  I haven't looked at any of iago's linked data, but I would bet that it's specifically the biblical nouns that are the key distinguishing elements of success.

I would think the fact that the Bible frequently has words like "Jesus", "God", "prayer", etc. is more important than anything else.
Title: Re: Passwords for porn sites!
Post by: MyndFyre on November 15, 2010, 03:33:28 PM
Quote from: Sidoh on November 15, 2010, 12:55:05 PM
I would think the fact that the Bible frequently has words like "Jesus", "God", "prayer", etc. is more important than anything else.
That's not what iago's statement was, though.  He didn't say anything about the frequency of usage, he specified that the word was contained in the Bible. 

There are plenty of proper nouns that come out of the Bible that you could use, but even many of these are found in other media or variations thereof.  (For instance, most people probably wouldn't recognize that Nebuchadnezzar, the name of the ship from The Matrix, was the name of a Biblical king). 

I think more investigation is necessary.
Title: Re: Passwords for porn sites!
Post by: iago on November 16, 2010, 08:41:23 AM
Well, using the Bible gets ~10% of passwords people use, using an English dictionary is about 25%, using a wiki (like Muppets or Star Trek wikis from Wikia) tends to get about 35%. They're all based on English, but they have vastly different results when using them to crack passwords.

Of course, depending on which breach I test them against, I get wildly different results.

<edit> I should take the difference between an English dictionary and the Bible, and see what's left. Mostly names, I imagine.
Title: Re: Passwords for porn sites!
Post by: MyndFyre on November 16, 2010, 12:07:28 PM
Quote from: iago on November 16, 2010, 08:41:23 AM
<edit> I should take the difference between an english dictionary and the bible, and see what's left. Mostly names, I imagine.
I was just thinking exactly that.  You'd definitely get a ton of names.
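
Added example, not part of the thread and not iago's own tooling: a sketch of the comparison discussed above, measuring how much of a count-prefixed password list a wordlist covers and which hits come from words in one wordlist but not another. It assumes `uniq -c` style "count password" lines and treats a "variation" as the word with case folded and leading/trailing non-letters stripped; all lists and words below are constructed samples.

```python
import re
from collections import Counter

def parse_withcount(text):
    """Parse 'count password' lines (assumed uniq -c layout) into a Counter."""
    counts = Counter()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+) (.*)$", line)
        if m and m.group(2):
            counts[m.group(2)] += int(m.group(1))
    return counts

def base_word(password):
    """Reduce a password to its base word: lowercase, strip non-letter edges."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())

def coverage(counts, words):
    """Fraction of accounts (weighted by count) whose base word is in words."""
    total = sum(counts.values())
    hit = sum(n for pw, n in counts.items() if base_word(pw) in words)
    return hit / total if total else 0.0

def exclusive_hits(counts, words, baseline):
    """Account counts per base word matched by words but not by baseline."""
    only = set(words) - set(baseline)
    hits = Counter()
    for pw, n in counts.items():
        if base_word(pw) in only:
            hits[base_word(pw)] += n
    return hits

# Constructed sample data, not taken from any real breach.
SITE_A = "    221 123456\n     40 jesus1\n     25 Matthew\n     10 password\n      4 genesis77\n"
SITE_B = "    100 123456\n     60 password1\n     30 dragon\n     10 Jesus\n"
BIBLE = {"jesus", "matthew", "genesis", "faith", "love"}
ENGLISH = {"password", "dragon", "genesis", "faith", "love"}

if __name__ == "__main__":
    for name, raw in (("site A", SITE_A), ("site B", SITE_B)):
        counts = parse_withcount(raw)
        print(name, "bible: %.1f%%" % (100 * coverage(counts, BIBLE)),
              "english: %.1f%%" % (100 * coverage(counts, ENGLISH)))
    # What the Bible list adds over the English list on site A: names.
    print(exclusive_hits(parse_withcount(SITE_A), BIBLE, ENGLISH).most_common())
```

Weighting by count keeps one very common password from being treated the same as a password used once, which is why the same wordlist scores so differently from one list to the next.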