$Id: README-rockyou.txt,v 1.1 2010/02/03 22:24:11 hlein Exp $

What is rockyou.chr?

Recently a large database was compromised, and millions of valid passwords for other Internet-based web sites were discovered. Statistics were generated from these passwords and placed into a "chr" file that can be used with the password cracking tool John the Ripper (http://www.openwall.com/john/).

Why is this important/useful:

When John the Ripper is used, a file called all.chr is used to brute force credentials (once dictionary attacks and rule-based attacks are completed). The all.chr file is not simply a list of AAA AAB AAC strings, but instead contains rules that generate a weighted 'brute force' list based upon statistics of previous passwords. This is a much smarter way of performing brute force attacks against passwords.

The current all.chr was generated some time ago and is based upon passwords from (likely) a small subset of data. Since this new (as of Dec 2009) list of user-chosen passwords is so large, and reflects current password-selection user behavior, creating a new "chr" file based upon this data is only logical.

The rockyou.chr file can be used independently, or as a replacement for the all.chr file included with the John the Ripper tool.

How to use rockyou.chr:

Place the rockyou.chr file into your ~/.john/ directory (or whatever directory your all.chr is currently located in, such as /etc/john/).

Place the following lines into your john.conf file:

    [Incremental:rockyou]
    File = $JOHN/rockyou.chr
    MinLen = 1
    MaxLen = 8
    CharCount = 95

And to use it:

    # john -i:rockyou passwordfile

Or, if you wish to just replace the default all.chr, which is used for all 'level 3' password cracking, perform the following commands:

    # cp all.chr all.chr.orig
    # cp rockyou.chr all.chr

And to use it:

    # john -i:all passwordfile

To obtain a sample of the passwords it will generate:

    # john -i:rockyou -stdout | more

Can I obtain the dictionary file that contains all the passwords this 'chr' file is based off of?

Possibly, but not from us. The output of the rockyou.chr file is more relevant to password cracking, and does not place individual users at risk of disclosure.
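The installation steps above, as a small POSIX shell helper added here as an example (it is not part of this README or of John the Ripper). It copies rockyou.chr into the John directory and appends the [Incremental:rockyou] section only when john.conf does not already carry it, so running it twice on a password-audit box does not leave duplicate sections; the function names and argument order are my own.

```shell
#!/bin/sh
# install_rockyou_mode <path to rockyou.chr> <John directory holding john.conf>
# Copies the charset file next to john.conf and adds the incremental mode
# section from the README exactly once. Returns non-zero on a missing input.
install_rockyou_mode() {
    chr="$1"
    johndir="$2"
    conf="$johndir/john.conf"
    [ -f "$chr" ]  || { echo "missing charset file: $chr" >&2; return 1; }
    [ -f "$conf" ] || { echo "missing config file: $conf" >&2; return 1; }

    # Only copy when source and destination differ (cp refuses same-file copies).
    if [ "$chr" != "$johndir/rockyou.chr" ]; then
        cp "$chr" "$johndir/rockyou.chr" || return 1
    fi

    # Idempotence check: look for the exact section header before appending.
    if ! grep -q '^\[Incremental:rockyou\]' "$conf"; then
        # Single quotes keep $JOHN literal; John expands it at run time.
        printf '\n[Incremental:rockyou]\nFile = $JOHN/rockyou.chr\nMinLen = 1\nMaxLen = 8\nCharCount = 95\n' >> "$conf"
    fi
    return 0
}

# count_rockyou_sections <john.conf>
# Prints how many [Incremental:rockyou] headers the file contains (0 if none).
count_rockyou_sections() {
    n=$(grep -c '^\[Incremental:rockyou\]' "$1")
    echo "${n:-0}"
}
```

After it runs, `john -i:rockyou passwordfile` from the README picks the new mode up unchanged.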