Look Back on 2012's Famous Password Hash Leaks
Nifty article for those interested
Here's the beginning of the article. If you're interested, please go to the site; the formatting won't transfer well to forum posts without some time-consuming editing on my part.
Full article: http://blog.thireus.com/look-back-on...ing-techniques
Look Back on 2012's Famous Password Hash Leaks – Wordlist, Analysis and New Cracking Techniques
by Collaborative_Work on Jan. 01, 2013, under Crack1ng, Hack1ng.
This article is a collaborative work between 3 authors. This is our look back on 2012's most famous public password leaks.
Authors: m3g9tr0n, Thireus, CrackTheHash | Copy Editor: Thireus.
Nowadays, different hacking communities around the world publish their leaks on various online paste web services like Pastebin, Paste2.org, and others. The most common vulnerability in the targets is SQL injection. These leaks contain elements like usernames, passwords, addresses, zip codes, telephone numbers and even PayPal accounts or credit card numbers. In a small number of them, passwords are in plain text, which makes the hackers’ job very easy.
In this article, we gathered a large number of publicly published leaks, with the main purpose of checking the strength of users’ passwords and the password policy which is applied for each service. Some well-known leaks included in our article are LinkedIN, Stratfor, Gamigo, NVidia, Adobe and eHarmony. We are going to present the cracking techniques and tools which we used to crack passwords from these leaks. And as a gift to our readers, you will find attached to the end of this article a wordlist containing all cracked passwords from these leaks.
CRACKING METHODOLOGIES AND TOOLS… (m3g9tr0n)
The tools we used to accomplish our cracking process are John the Ripper and Hashcat-suite. In other words, we took advantage of both CPU and GPU.
When dealing with password cracking, the most important thing is to know as many elements as possible about your target. For the case of Stratfor we had all the appropriate elements needed for effective password cracking. These are usernames, first names, last names and e-mails. Many users use their e-mail or username (or part of it) as a password or keyword. Knowing this information really speeds up the cracking process, as it is more effective to create a wordlist based on this information for our first cracking step. On the other hand, LinkedIN and other well-known leaks contained only hashes… that makes the cracking process more difficult and time-consuming. But with good rules and techniques some interesting results can be achieved. For better documentation, we are going to analyze each case separately by showing the techniques and custom rules.
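Seen from the defending side, the excerpt's observation that many users build their password on their e-mail address or username translates into a check at password-set time. The following is an added example, not code from the article or from this forum post; the function names, the substitution table and the sample account used to exercise it are assumptions.

```python
import re

# Character substitutions undone before comparison (assumed set, not from the article).
LEET = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
# "1" is ambiguous in practice, so try it both as "i" and as "l".
TABLES = [str.maketrans({**LEET, "1": c}) for c in "il"]
MIN_TOKEN = 3  # shorter fragments would match too many unrelated passwords


def identity_tokens(username, first_name, last_name, email):
    """Collect lowercase fragments of the account's identity attributes."""
    local, _, domain = (email or "").partition("@")
    tokens = set()
    for value in (username, first_name, last_name, local, domain.split(".")[0]):
        value = (value or "").lower()
        tokens.add(value)
        # Split on separators and digits: "john.smith82" -> "john", "smith"
        tokens.update(re.split(r"[^a-z]+", value))
    return {t for t in tokens if len(t) >= MIN_TOKEN}


def variants(password):
    """Forms of the password to compare: as typed, de-substituted, reversed."""
    lowered = password.lower()
    return [lowered] + [lowered.translate(t) for t in TABLES] + [lowered[::-1]]


def derived_from_identity(password, username, first_name, last_name, email):
    """Return the identity token the password is built on, or None."""
    tokens = identity_tokens(username, first_name, last_name, email)
    ordered = sorted(tokens, key=lambda t: (-len(t), t))  # longest match first
    for candidate in variants(password):
        for token in ordered:
            if token in candidate:
                return token
    return None
```

A password-change handler would reject the new password whenever `derived_from_identity` returns a token, in addition to its usual length and breached-password checks.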