Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DeepSEC: Passwords in the wild: What kind of passwords do people use, and how do we crack them?

Passwords in the wild: What kind of passwords do people use, and how do we crack them? Ron Bowes

Password cracking

Standard tool: John the Ripper

  • --wordlist
    • Allows you to use your own wordlist
    • Default list is around 3100 entries
  • --rules
    • Used for mangling
    • Each wordlist entry becomes around 50 candidates!
  • --stdin
  • --stdout

With a wordlist you can crack more passwords on average than with pure brute-force

Examples of general dictionaries

  • English words
  • German words
  • Cities
  • Names

Not good enough… we need something more real

Facebook!

Public Facebook data harvested for more real data (that’s another story)

Other sources

  • Words from the Holy Bible
  • Words from various wikis
    • Star Trek
    • The Muppets

The best source however is previous breaches… they’re real passwords after all.

Site specific dictionaries

Keep on topic

If you crack a geek/sci-fi site, then use something with Star Trek words

Same for porn/adult sites

Aside: Carders.CC database mirrored onto skullsecurity (ask for access)

Breaches

Lots of information and dictionaries on the blog

MySpace

Compromised through phishing attacks

This makes them low quality (people might have known it was phishing and used fake passwords)

  1. password1
  2. abc123
  3. fuckyou
  4. monkey1
  5. iloveyou1

The 3rd entry is probably from people who knew it was a phishing attempt.

33% of passwords were based on names

PHPBB

Biggest exposure available

Jan/09

Passwords were MD5 hashed (unsalted)

  • Currently 184,389 of 189,667 cracked
  • 97.2% are cracked

  1. 123456
  2. password
  3. phpbb

44% of passwords were based on names… also a high degree of success with the Star Trek and Muppets dictionaries

RockYou

Biggest breach of all time: > 3 million passwords

Basis of the nmap password list

The biggest plain text breach

  1. 123456
  2. 12345
  3. 123456789
  4. password
  5. rockyou

> 40% were based on names

Alypaa

“Smart Aleck”

Passwords found on pastebin

Clear text

Small breach, but interesting as it’s not English

  1. salsana
  2. 123456
  3. perkele
  4. 12345
  5. qwerty

80% were based on names (much more than any other breach)

>60% could be cracked by using words spidered from the site itself

Finnish-unknown

Found by accident

Stored in 4 different ways

  • Plaintext
  • md5
  • sha1
  • Salted sha1

This is due to changes on the site where users get a new hash once they log back in.

Cracked around 75% unsalted, and around 50% salted

  1. salasana
  2. 123456
  3. perkele
  4. 12345
  5. qwerty

40% of passwords based on names

Faithwriters

Christian book site

Breach due to access control problems

Admins deny compromise ever happened

Passwords were all in plaintext!

Lots of password re-use between these and other accounts (Facebook, email, etc…)

  1. 123456
  2. <blank>
  3. writer
  4. jesus1
  5. christ
  6. blessed
  7. john316
  8. jesuschrist

>50% based on names

Porn-unknown

Discovered by accident (10,000 passwords)

>70% based on names

>15% based on bible dictionary

Carders.cc

Salted SHA-1

Cracked around 60% so far

Top 3 passwords all numeric

  1. 123456
  2. 12345678
  3. 123456789
  4. hallo123
  5. hurensohn

>35% based on names

>50% could be cracked based on spidering the site itself

Summary

7 out of 10 were plaintext

Of those 3 hashed (MD5, SHA-1, ALL)

Salted passwords were obviously harder to crack

Dictionary Performance

Names were the biggest but also the best dictionary

Bible does poorly (except on porn sites it seems)

Scraping sites does very well (site dependent)

Cracking Strategies

John’s mangling rules

  • Written in John's own rule language
  • All-lowercase candidates dominate

Numeric

  • Majority use 6 digits (followed by 8, 7, 9, 5)
  • Numerical suffixes
    • Most common 2 digits (1, 4, 3)
    • Lots of people use classofXX for passwords
      • Graphing is very smooth (classof08 and classof09 are most popular)

L33t passwords

  • English dictionary with translations
    • O -> 0 is most common
    • I -> 1
    • E -> 3
  • PHPBB and RockYou both crack less than 1% using this
  • Able to crack these only because the original word was based on a dictionary word
    • degeneration -> d3g3n3ration

Although the L33t dictionary cracks far fewer, it cracks passwords that the others won't
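To make the per-dictionary comparison above concrete, here is a small added example (my own code, not Ron's tooling and not John the Ripper's real rule engine) that cracks a constructed set of unsalted MD5 hashes with a names list, an English list and an L33t list derived from the English words, and reports what share each dictionary recovers on its own. All dictionaries and sample passwords are constructed, not breach data.

```python
import hashlib

# Constructed toy dictionaries standing in for the names / English lists the talk compares.
NAMES = ["jesus", "monkey", "anna", "john"]
ENGLISH = ["password", "degeneration", "writer", "blessed"]

def leet_variants(word):
    """L33t dictionary as the talk describes it: apply the three most common
    substitutions (o->0, i->1, e->3) one at a time and all together.
    Variants identical to the source word are dropped so the list stays distinct."""
    out = {word.replace(a, b) for a, b in (("o", "0"), ("i", "1"), ("e", "3"))}
    out.add(word.translate(str.maketrans("oie", "013")))
    return sorted(v for v in out if v != word)

LEET = [v for w in ENGLISH for v in leet_variants(w)]  # e.g. degeneration -> d3g3n3ration

def mangle(word):
    """Small rule set in the spirit of John's --rules: lowercase and capitalised forms,
    each bare, with a one-digit suffix, or with a two-digit suffix (covers 'classof08')."""
    bases = {word.lower(), word.capitalize()}
    out = set(bases)
    for base in bases:
        out.update(base + str(n) for n in range(10))
        out.update(base + f"{n:02d}" for n in range(100))
    return out

def crack(hashes, wordlist):
    """Return {md5_hex: plaintext} for every unsalted MD5 in `hashes` hit by the mangled list."""
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            h = hashlib.md5(cand.encode()).hexdigest()
            if h in hashes:
                found[h] = cand
    return found

def dictionary_performance(hashes, dictionaries):
    """Crack the same hash set with each dictionary separately and report its share,
    mirroring the 'names vs English vs L33t' comparison in the talk."""
    return {name: len(crack(hashes, words)) / len(hashes) for name, words in dictionaries.items()}

# Constructed sample corpus (not real breach data), stored as unsalted MD5 like the PHPBB dump.
SAMPLE_PLAINTEXTS = ["jesus1", "Monkey12", "password", "d3g3n3ration", "123456",
                     "qwerty", "john316", "writer", "anna08", "Blessed7"]
SAMPLE_HASHES = {hashlib.md5(p.encode()).hexdigest() for p in SAMPLE_PLAINTEXTS}
DICTIONARIES = {"names": NAMES, "english": ENGLISH, "l33t": LEET}

if __name__ == "__main__":
    for name, share in dictionary_performance(SAMPLE_HASHES, DICTIONARIES).items():
        print(f"{name:8s} {share:5.1%}")  # names 30.0%, english 30.0%, l33t 10.0%
```

Note that "john316" survives because the rule set stops at two-digit suffixes, and "123456" and "qwerty" fall to none of the three lists: exactly the gaps the numeric and keyboard-pattern strategies in the talk are meant to close.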

Other methods

Misspelled words

Other languages (Japanese symbols, phonetic versions)

Unicode Symbols

Keyboard patterns (not qwerty or qwertz)

Conclusions

Sites are always being breached

People choose poor passwords

Most passwords are alphabetic

<Check out the slides on skullsecurity.com>

