Brute Force Password Heuristics

[Temujin_12]

I'm writing an all-purpose password brute forcer and am wondering what password heuristics can be applied to reduce the search space (ie: searching through all possible 6 character passwords just isn't computationally feasible).

So far I've come up with the following:

• Specify what password to start/stop with
• List of characters to ignore (ie: characters that are unlikely to be used in the password)
• Max amount of adjacent identical characters (ie: 'fooo' has 3 'o's next to each other
• Max number of non alpha-numeric characters that may be in a row (passwords usually have at least one or two alpha-numeric characters

Can anyone else think of any other heuristics that could reduce the search space?

PS: I know that dictionary attacks will probably find passwords created by the average user in less time, but there's plenty of those out there and those won't work against more robust passwords.

[WingedPanther]

If a dictionary attack fails, your brute force has to account for pretty much everything.

[Temujin_12]

Quote:

If a dictionary attack fails, your brute force has to account for pretty much everything.

To cover every possible password of a particular length, then yes you have to account for everything. But the point of the program isn't just to brute force every possible ASCII combination, it is to apply some useful heuristics that reflect patterns in human-generated passwords (even when the user creates a 'robust' password).

Thinking of all the passwords I've come up with myself as an admin as well as asking other techie-friends of mine, the above heuristics seem reasonable. Of course making a password to specifically be immune to the above heuristics wouldn't be that hard. But I'm running this against a password that wasn't created specifically to be immune to my program.

Of course, as with all heuristics, the more they reduce the search space, the greater your chances are of missing the solution. But that's a risk you always take when applying heuristics. The point of heuristics is to reduce the search space while minimizing this risk.

[v0id]

I would rather come up with a list with all the characters it should check, instead of a list with all the characters it should not. There's so many characters, like if you're working with Unicode, so instead of making a long list of characters not to check, I'll put in characters it actually should.

[thes3raph1m]

i like the idea of repeating characters... i mean if these heuristics were able to be switched on or off by the user that would be best...

i mean i know my mom uses stupid passwords, so i dictionary attack
my brother on the other hand uses stupid passwords, but inserts "l33t sp33k" into it to make it immune to standard dictionary attacks

i on the other hand use an alphanumeric sequence that is very long and means nothing to anyone but me, so brute force would be required... its also 13 characters long... which iirc would take at least a few days to get a hit.