About a year ago the weak pass project started. It was never meant to be “the best of the best” or anything like that; it was made for only one purpose – a dictionary for cracking that contains as many wordlists as possible at once. Instead of cracking with lots of wordlists and testing “qwerty” and “password” again and again, you get one dictionary that contains tons of unique passwords. The other main idea is to get fine results when you have no good hardware, no GPU and not much time.
First, there were some ideas:
Make a dictionary compilation.
How many common passwords are there in the dictionaries?
Because it was made for testing purposes, the whole site looked like trash and the dictionary was bad (there were tons of errors and it was never used). There was only one good feature – commonness in dictionaries. It was a statistic about how many `parts` of the dictionaries were in each dictionary. Like (below just a sample):
Because it had no practical use, it was fully rebuilt.
A lot of changes and improvements were made:
Testing dictionaries – to see how good a dictionary can be for hash recovery. It was very simple: take a couple of hash lists and try to crack them with the dictionary, then calculate how many passwords were recovered.
Make a side project for automatically collecting passwords from various sources.
Create a wordlist that is more effective for WPA/WPA2 cracking (passwords with length 8 and more).
At the beginning there was a rule: add one dictionary each week. There was only one option to get weakpass – direct download and Google Drive (mostly for backup).
The resulting wordlist contains about 260 dictionaries and was really good for dictionary attacks. Especially in those cases when the hashes were “fast”, like md5, sha1, ntlm, netntlm and so on, it takes about a couple of minutes to get results.
Its overall crack rating is 62.7% and its size is ~36 GB.
After some time a weakpass specially for Wi-Fi was made. It was the same as weakpass, but contains passwords from 8 to 32 characters.
But there were some crucial disadvantages:
Size – it was really big, and direct download is sometimes not an option.
Tons of junk, which badly affected recovery speed.
Errors in the scripts, the architecture and the whole process.
Many useless options.
I tried to take into account the mistakes that were made during the previous work and to give the project a global update.
To reduce traffic load and disk space – everything was moved to Dropbox.
The list for testing was increased from ~8 to 50.
Weakpass now contains passwords from 4 to 40 chars.
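
The commonness statistic and the length windows described in this post (4 to 40 characters for weakpass, 8 to 32 for the Wi-Fi list) can be sketched as below. This is an added example, not the project's own scripts; the wordlist names and contents are constructed, and the function names are hypothetical.

```python
# Constructed sample wordlists (hypothetical file names, not weakpass data).
WORDLISTS = {
    "alpha.txt": ["password", "qwerty", "letmein", "dragon2015", "abc"],
    "beta.txt": ["qwerty", "password", "sunshine1", "correcthorse"],
    "gamma.txt": ["iloveyou", "qwerty", "x" * 45, "sunshine1"],
}


def commonness(wordlists):
    """For every ordered pair (a, b): percent of a's unique entries also in b."""
    sets = {name: set(words) for name, words in wordlists.items()}
    table = {}
    for a, set_a in sets.items():
        for b, set_b in sets.items():
            if a != b and set_a:
                table[(a, b)] = round(100 * len(set_a & set_b) / len(set_a), 1)
    return table


def merge_unique(wordlists, min_len, max_len):
    """Merge all lists into one, dropping duplicates and out-of-window lengths.

    The first occurrence of a password wins, so the source order is preserved.
    """
    seen = set()
    merged = []
    for words in wordlists.values():
        for word in words:
            if min_len <= len(word) <= max_len and word not in seen:
                seen.add(word)
                merged.append(word)
    return merged


if __name__ == "__main__":
    for (a, b), pct in sorted(commonness(WORDLISTS).items()):
        print(f"{pct:5.1f}% of {a} is also in {b}")
    general = merge_unique(WORDLISTS, 4, 40)   # window stated for weakpass
    wifi = merge_unique(WORDLISTS, 8, 32)      # window stated for the Wi-Fi list
    total = sum(len(words) for words in WORDLISTS.values())
    print(f"{total} entries in -> {len(general)} general, {len(wifi)} Wi-Fi")
```

The commonness table is asymmetric because each percentage is relative to the size of the first list of the pair.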