Hackers Dictionary
February 21, 2006 8:23 AM

Questions about the 'Hacker Dictionary'......

So,
I am told that one of the true hacker's secrets is his/her dictionary of words to be used in a dictionary attack on an encrypted password. Since most folks can get a complete dictionary of words in their /usr/share/dict/words directory, what is it about the hackers one that is so special? What sort of words and combos do they have that the average joe could not get?
I assume that they simply run a script that converts most of the words into some sort of 1337 speak or something. Is there anything else? If not, why are these lists so prized and traded?
posted by TheFeatheredMullet to Computers & Internet (18 answers total)
 
The Hacker Dictionary is the Jargon File.

I don't think the wordlist used by crackers is anything that special. I use all.lst that came with or near John the Ripper, and throw in a handful of customizations based on the userbase - company, town, and street names that might not be in the list.
posted by sohcahtoa at 8:36 AM on February 21, 2006


I don't think they are prized and traded. What makes you think they are? A bigger wordlist is useful because it has more words in it, and if someone else has a big one it saves you the trouble of finding or compiling your own, but I don't think anyone considers that a big deal.

Most password-cracking programs like John the Ripper come with tools that take a wordlist and apply common permutations to what's in it, but those programs are readily available (and since there's a wordlist CD for sale on that website, the dictionaries seem pretty available too).

A good wordlist is important because that's what the program uses, but they're readily available, not prized and traded.
posted by mendel at 8:37 AM on February 21, 2006


What sohcahtoa said, regarding what "The Hacker's Dictionary" means.

Of historical interest, here's the 1988 Internet Worm's dictionary. I'd heard that it was heavy in Bloom County and Star Trek terms; this proves to be false.
posted by Zed_Lopez at 8:52 AM on February 21, 2006


Response by poster: Thanks for the clarifications.
I guess the wordlists are what I was talking about. I had asked because a friend of mine here at work said that these wordlists (good ones) were hard to come by and elite hackers were not likely to share them with others. It sounded a little fishy to me for reasons that have been stated above.
I guess (unless someone posts otherwise) I will mark this myth as 'Busted'.
posted by TheFeatheredMullet at 9:03 AM on February 21, 2006


this seems more urban legend than fact to me. it's pretty simple to apply permutations to the free dictionary lists out there, whether hacker-speak or otherwise. beyond that, though, i think that the law of diminishing returns applies -- i mean, at some point, you will end up attempting systematic character combinations if none of your usual tricks work, and if you already have a copy of the password list, then it's just a matter of time...
posted by moz at 9:27 AM on February 21, 2006


Maybe your friend was thinking of rainbow tables? There are organisations who charge for those.
posted by blag at 9:45 AM on February 21, 2006


You can get rainbow tables in exchange for processor time from rainbowcrack.com.
posted by sohcahtoa at 9:48 AM on February 21, 2006


This is purely speculative on my part, but besides a normal dictionary, what might be extremely valuable for a dictionary attack would be a dictionary of real passwords.

Say, for example, a hacker managed to gain access to an unencrypted list of Amazon.com or Slashdot passwords. This list would be useful in a dictionary attack for two reasons:

1.) The user under attack might be on both systems, and have used the same password (even if under a different username). I personally frequently re-use most passwords (grouped by security level).

2.) Even if the user is different, people tend to be not as imaginative as they think they are. You might have thought 2b0rNot2b was original, but so did someone else.
posted by justkevin at 9:59 AM on February 21, 2006


/emails mathowie, requests password change
posted by blag at 10:08 AM on February 21, 2006


p.s. a dictionary attack on hashed passwords is not considered sophisticated by any hacker, irrelevant of hat color.
posted by ori at 10:21 AM on February 21, 2006


Dictionary attacks, in general, are more hype than anything else. They are only useful on machines which you control (and can dominate CPU time and flood logins without raising suspicion) -- any other machine will shut you down after your nth invalid password attempt.

And they are completely, 100% thwarted by decent passwords.

So I find the idea that these tables are valuable to "real" hackers (whatever that means) to be silly.
posted by teece at 10:48 AM on February 21, 2006


In my former job we had to evaluate staff passwords for security. Our John the Ripper dictionary had a lot of Sci-Fi/Fantasy stuff added by different admins, as well as different permutations of the most common passwords that we were able to brute force.

The Green Bay Packers are kinda popular where I live, so we had a lot of permutations of Pack, GoPack, PackerFan, and other stuff like that.

But as stated above, dictionary attacks are generally useless unless you control the machines.
posted by quin at 10:56 AM on February 21, 2006
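
The staff-password evaluation described in the comments above can also run at password-change time. This is an added example, not part of any poster's comment; the word sets and the `matched_base_word` helper are constructed for illustration. It reduces a candidate password to the base forms that common permutation rules cover (case, leet substitutions, padded digits, reversal) and checks them against a wordlist that includes local terms.

```python
import re

# Constructed sample data: a tiny base wordlist plus site-specific terms
# (team, company, town names) of the kind the comments above describe adding.
BASE_WORDS = {"password", "dragon", "letmein", "enterprise"}
LOCAL_TERMS = {"pack", "gopack", "packerfan", "packers"}

# Common "leet" substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalized_forms(password):
    """Yield the simplified forms of a password that permutation rules cover."""
    lowered = password.lower()
    # Digits and punctuation padded onto the end, e.g. "GoPack99!".
    no_tail = re.sub(r"[\d\W_]+$", "", lowered)
    # The same padding on the front as well, e.g. "123dragon".
    no_ends = re.sub(r"^[\d\W_]+", "", no_tail)
    for form in (lowered, no_tail, no_ends):
        yield form
        yield form.translate(LEET)        # undo leet substitutions
        yield form[::-1]                  # plain reversal
        yield form[::-1].translate(LEET)  # reversed and leet


def matched_base_word(password, wordlist=frozenset(BASE_WORDS | LOCAL_TERMS)):
    """Return the wordlist entry the password reduces to, or None if none does."""
    for form in normalized_forms(password):
        if form in wordlist:
            return form
    return None


if __name__ == "__main__":
    for pw in ["G0P4ck99!", "P4ssw0rd1", "nogard", "correct horse battery staple"]:
        print(pw, "->", matched_base_word(pw))
```
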


A dictionary attack doesn't always rely on repeated attempts to access the target machine.

If the hacker somehow obtains a copy of the hashed passwords (e.g., salted crypts from the shadow file or md5/sha1 used in many web apps) s/he can do a dictionary attack on their own machine/time.

For example, let's say a hacker somehow finds a MySQL backup of someone's website. He restores it and sees that it contains PhpBB tables. He can't get the username/passwords, because they're encrypted via a one-way hash.

So he runs a dictionary attack against the entire user table, and voilà, it turns out a fraction of the users have passwords in his dictionary.

This is an example of where a hacker would have a use for a dictionary attack.
posted by justkevin at 11:28 AM on February 21, 2006


Yes, the term "dictionary attack" refers to downloading the hashed passwords and seeing what words hash to the hashes. No logins are involved.
posted by kindall at 12:29 PM on February 21, 2006


a friend of mine here at work said that these wordlists (good ones) were hard to come by and elite hackers were not likely to share them with others.

Either you're confused about what your friend said, or your friend is confused. It's definitely one or the other.
posted by AmbroseChapel at 12:47 PM on February 21, 2006


If the hacker somehow obtains a copy of the hashed passwords

I'm aware of this -- but such attacks rely on a quite outdated security model. I won't use a system seriously that relies upon that.

Unix passwords, for instance, are not only shadowed and put into a root-only file (which means if the hacker got them, he's got root on your machine, which is more valuable than anything else), but it also adds a salt. The salt makes dictionary attacks essentially pointless -- even if the hacker can get your password file off of your machine, the salt makes the keyspace of the crack too big to be attacked.

But if the hacker can get a passwords file in the first place, either your security truly sucked, or you've been rooted. Either way, the hacker hardly needs to be spending many computer months bashing at password hashes.
posted by teece at 12:54 PM on February 21, 2006


AFAIK, the salt in /etc/shadow is simply the first two characters of the shadowed value. This only slows down precomputed dictionary attacks. If you have a wordlist, and are going to attack the hashed values, that salt isn't doing anything. If you have a wordlist that you pumped through the hasher, and then are just going to compare the precomputed hashes with the salt, you've just expanded your keyspace by 255^2.
posted by adamwolf at 2:19 PM on February 21, 2006


Nope. The salt expands the keyspace much more than that. Look it up.
posted by teece at 3:35 PM on February 21, 2006
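
What a per-account salt does and does not change for stored password hashes, as an added example that is not part of any poster's comment. The accounts, wordlist and function names are constructed; SHA-256 stands in for the unsalted md5/sha1 case mentioned above, and PBKDF2 is used as the salted, iterated scheme.

```python
import hashlib
import os

# Constructed sample data: a small audit wordlist and three accounts.
WORDLIST = ["password", "gopack", "dragon"]
USERS = {"alice": "gopack", "bob": "gopack", "carol": "f9#Tq2-vLx8rW"}


def fast_hash(password):
    """Unsalted fast hash, standing in for the md5/sha1 web-app case."""
    return hashlib.sha256(password.encode()).hexdigest()


def kdf_hash(password, salt, iterations):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(users):
    return {name: fast_hash(pw) for name, pw in users.items()}


def store_salted(users, iterations):
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)  # fresh random salt per account
        store[name] = (salt, kdf_hash(pw, salt, iterations))
    return store


def table_hits(hashes, wordlist):
    """Accounts exposed by one table computed once, with no knowledge of salts."""
    table = {fast_hash(word) for word in wordlist}
    return {name for name, digest in hashes.items() if digest in table}


def audit_salted(store, wordlist, iterations):
    """Check the wordlist against each record using that record's own salt.

    Returns the weak accounts and the number of hash iterations spent.
    """
    weak, work = set(), 0
    for name, (salt, digest) in store.items():
        for word in wordlist:
            work += iterations
            if kdf_hash(word, salt, iterations) == digest:
                weak.add(name)
                break
    return weak, work
```

With the unsalted store, alice and bob share one digest and a single precomputed table exposes both. With the salted store the table finds nothing, but a weak password is still found by hashing the wordlist per record, at a cost that scales with the number of accounts times the iteration count.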

