Unattributed password list / license conflict in aletheia-resources/?

[ragibson]

(From openjournals/joss-reviews#5982)

The password list aletheia-resources/passwords.txt appears to be taken from the OWASP SecLists project, which is either under CC-by-SA 3.0 (mentioned in https://en.wikipedia.org/wiki/Wikipedia:10,000_most_common_passwords) or the MIT License (2018 Daniel Miessler).

That said, the version in this repository has a very small number of edits where two of the passwords have been moved around and an erroneous "j" has been added on line 952663. Regardless, attribution is required and/or it should be moved to https://github.com/daniellerch/aletheia-external-resources, though I'm not sure if this file is needed by any of the scripts.

E.g.,

@@ -506891,7 +506891,6 @@ legally
 Legalize
 legalise
 legal123
-lega
 leg522
 leg0las
 leftys
@@ -879413,6 +879412,7 @@ xmanjadas
 xmanifestox
 xmango12
 xmanfan
+lega
 xmandrad
 xmandc
 xmandate

and

@@ -952660,6 +952660,7 @@ WddFKa
 Wddcbri2
 wdday1
 WDDaXuqvWXcJ
+j
 WdDAukDK
 WDd96Q
 wdd7rezl

[daniellerch]

I don't recall exactly where I obtained the original password file, so I've replaced it with a similar one from Daniel Miessler, and have also included the license.

On another note, the scripts don't use this file; I'm providing it merely as a convenience for users who want to utilize the brute force attacks offered by Aletheia without having to search for a password file themselves.

[ragibson]

@daniellerch Just a heads up that it doesn't seem like you pushed the change -- aletheia-resources/passwords.txt in master still seems to be the version from ~2 years ago.

[daniellerch]

Sorry, I forgot to push the changes. The updated files are now on the master branch.