Security researcher. Password enthusiast. Entropy debunker. Securer of medical devices.
Wrote up a new blog entry on improving the OMEN password cracking algorithm. The changes have also been included in the new version of the PCFG password cracking toolset. Link: https://reusablesec.blogspot.com/2025/08/omen-improvements.html
OMEN Improvements

My talk from Security Fest is now live for any interested security enthusiasts, pentesters, red teamers and password crackers. Fun fact, my voice is that annoying in real life too.

https://www.youtube.com/watch?v=ArLhwcpWMdU

Plundering and pillaging password and passphrase plains for profit - Will Hunt
"... a system that isn’t resilient against happenstance can’t possibly be resilient against active attack." That's a beautiful sentence, @kevinriggle I'm adding this to my highlights :)

I have to get some sensitive documents notarized.

My library offers notary services for free.

I must say, the sensitivity and grace the librarians have continues to amaze me.

#libraries #librarians

The protective value of "k-anonymity"¹ for Have I Been Pwned / Pwned Passwords API lookups is significantly reduced because frequency data is included. And the more common the password, the more this effect is magnified.

An example:

https://gist.github.com/roycewilliams/2034c9253d46fbcaefb13f8e5d42daa2

... with cracks:

https://gist.github.com/roycewilliams/2bb471cc90cce7f6834204344590fcac

Using "k-anonymity"¹ to return all hashes that begin with b2e98 is less "anonymous" ... when 98.6% of the passwords (by frequency across all leaks) are the top one.

It's not really hiding a needle in a haystack if you just lay it on top.

Edit: in fact, even without the frequency data, since some passwords are much more common than others ... left-skewed distribution is an intrinsic property of password data. Missing frequency data can be largely reconstructed from public cracking efforts. (And even if that weren't true, the hashes can just be cracked using traditional methods. If the cracking community can get a 97%+ cracking rate², what is being achieved other than plausible deniability?)

K-anonymity [as implemented by HIBP, anyway -- true K-anonymity is different¹] may just be a bad fit for password hashes.

¹ Not actually k-anonymity at all:
https://en.wikipedia.org/wiki/K-anonymity

² Actually closer to 99.29% across the entire corpus, publicly:
https://gist.github.com/roycewilliams/40f0e8c93ec9c69f5b5a1874c76f2587

#passwords #HaveIBeenPwned

hibp-download-b2e98 - 2025-02-25

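To make the point above concrete, here is an added example (my own code, not the author's or HIBP's) that parses a range response in the Pwned Passwords API format, where each line is a 35-character SHA-1 suffix followed by `:` and a count, and measures how concentrated the frequency mass in the prefix bucket is. The sample lines are constructed for illustration and are not the real contents of the b2e98 bucket; the "effective k" is 1 / (largest count / total), i.e. how many equally likely entries would give the same worst-case guess probability.

```python
from typing import NamedTuple

# Constructed sample in the Pwned Passwords range-response format (SUFFIX:COUNT).
# Hash suffixes and counts are made up; they are not from any real prefix bucket.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:7000
012A7CA357541F0AC487871FEEC1891C49C:50
0136E006E24E7D152139815FB0FC0A0B24A:1
"""


class BucketStats(NamedTuple):
    entries: int        # distinct hashes in the bucket (the nominal "k")
    total: int          # sum of all breach counts in the bucket
    top_share: float    # fraction of the total mass held by the most common hash
    effective_k: float  # total / top: equally likely entries with the same worst case


def parse_range_response(text: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines; zero-count lines (the API's optional padding) are dropped."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed line: {line!r}")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def bucket_stats(counts: dict[str, int]) -> BucketStats:
    """How anonymous is a lookup for this prefix once frequencies are known?"""
    total = sum(counts.values())
    top = max(counts.values())
    return BucketStats(len(counts), total, top / total, total / top)


def without_frequency(counts: dict[str, int]) -> BucketStats:
    """Same bucket as it would look if the API returned no counts at all."""
    return bucket_stats({suffix: 1 for suffix in counts})


if __name__ == "__main__":
    counts = parse_range_response(SAMPLE_RANGE_RESPONSE)
    print("with counts:   ", bucket_stats(counts))
    print("without counts:", without_frequency(counts))
```

In the constructed bucket, the nominal anonymity set has 5 members but the top entry holds about 99.2% of the mass, so the effective k is barely above 1; the same bucket stripped of counts would have an effective k of 5.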
This is one of the few times I can directly point to marketing working. Here I was playing Batmud, updating my Batmud guide, and feeling vaguely guilty about not doing real research. Suddenly a Llama ad comes up on my Pandora feed. Me:

Starting to play around with llama LLMs. I need to get smarter about the current state of systems, and making API calls to OpenAI and Claude just isn't cutting it.

I fully expect to spend a week hitting my head against the wall but hopefully I'll have learned something at the end of it.

While I appreciate CISA cybersecurity alerts, it's hard to not take the title of their newest one personally: Threat Actors Continue to Exploit OT/ICS through Unsophisticated Means

https://www.cisa.gov/news-events/alerts/2024/09/25/threat-actors-continue-exploit-otics-through-unsophisticated-means

As a researcher focusing on password security, it hurts that some rando can send a phishing e-mail from [email protected] and be labeled an "Advanced Persistent Threat" while someone who spends time researching the default password for a water management software's control system is labeled "Unsophisticated".

There's an interesting new phishing campaign targeting infosec and cryptocurrency tools going on, where the attacker is posting the phishing link via GitHub issues to the toolsets. If you are curious about which repos are being targeted, here is a GitHub search link for the phishing string:

https://github.com/search?q=IMPORTANT%21+Join+https%3A%2F%2Fdiscord.gg%2Fgruppe&type=issues&p=1

The attack itself isn't that novel, but the targeting they are using certainly sparked my interest.

CMIYC 2024 Hashset Info