Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!


DeepSEC: Passwords in the wild: What kind of passwords do people use, and how do we crack them?

Speaker: Ron Bowes

Password cracking

Standard tool: John the Ripper

  • --wordlist
    • Allows you to use your own wordlist
    • default list is around 3100 entries
  • --rules
    • Used for mangling (case changes, appended digits and the like)
    • Each wordlist entry becomes roughly 50 candidates
  • --stdin
    • Read candidate passwords from standard input
  • --stdout
    • Print the mangled candidates instead of cracking (useful for feeding another tool)

A wordlist attack cracks more passwords on average, for the same effort, than pure brute force
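To make the wordlist-plus-rules idea concrete, here is a small cracker written for these notes (it is not code from the talk or from John the Ripper). It does what `john --wordlist --rules` does in miniature: each wordlist entry is expanded by a few mangling rules, every candidate is MD5-hashed and compared against the target hashes. The wordlist, the rules and the "breach" hashes are all constructed for the example.

```python
"""Tiny wordlist-plus-rules cracker (added example, not code from the talk).

Mimics ``john --wordlist=... --rules``: every wordlist entry is expanded by a
handful of mangling rules, each candidate is hashed and compared against the
target hashes. The targets are MD5 digests of constructed passwords, chosen so
that each one shows a different rule firing.
"""
import hashlib
from typing import Callable, Dict, Iterable, List, Set

# A deliberately small "default" wordlist (constructed for the example).
WORDLIST: List[str] = ["password", "monkey", "iloveyou", "dragon", "trek"]


# Mangling rules, loosely in the spirit of John's default rule set.
def _identity(w: str) -> List[str]:
    return [w]


def _case_variants(w: str) -> List[str]:
    return [w.lower(), w.capitalize(), w.upper()]


def _digit_suffixes(w: str) -> List[str]:
    # A single trailing digit is the classic suffix; short years are also common.
    return [w + str(d) for d in range(10)] + [w + "123", w + "2009", w + "08"]


def _reverse(w: str) -> List[str]:
    return [w[::-1]]


RULES: List[Callable[[str], List[str]]] = [_identity, _case_variants, _digit_suffixes, _reverse]


def mangle(word: str, rules: Iterable[Callable[[str], List[str]]] = RULES) -> List[str]:
    """Return the deduplicated candidates one wordlist entry expands to."""
    seen: Set[str] = set()
    out: List[str] = []
    for rule in rules:
        for cand in rule(word):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def crack(hashes: Set[str], wordlist: Iterable[str] = WORDLIST) -> Dict[str, str]:
    """Map each cracked hash to its plaintext; hashes that survive are simply absent."""
    remaining = set(hashes)
    found: Dict[str, str] = {}
    for word in wordlist:
        for cand in mangle(word):
            h = md5_hex(cand)
            if h in remaining:
                found[h] = cand
                remaining.discard(h)
                if not remaining:
                    return found
    return found


# Constructed "breach": four passwords a rule will catch, one it will not.
SAMPLE_PLAINTEXTS = ["password1", "Monkey", "nogard", "iloveyou2009", "s3cr3tcorrecthorse"]
SAMPLE_HASHES = {md5_hex(p) for p in SAMPLE_PLAINTEXTS}

if __name__ == "__main__":
    print(f"one word -> {len(mangle('password'))} candidates")
    result = crack(SAMPLE_HASHES)
    for h in sorted(SAMPLE_HASHES):
        print(h, "->", result.get(h, "<not cracked>"))
```

Five wordlist entries become 85 candidates here; John's real rule set is far richer, which is where the "one word becomes about 50" figure comes from. The one password the rules never reach is the leet-speak one, which is exactly why a separate leet dictionary earns its place later in the talk.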

Examples of general dictionaries

  • English words
  • German words
  • Cities
  • Names

Not good enough… we need something more realistic


Public Facebook data was harvested to get more realistic data (that’s another story)

Other sources

  • words from the holy bible
  • words from various wikis
    • Star trek
    • The muppets

The best source however is previous breaches… they’re real passwords after all.

Site specific dictionaries

Keep on topic

If you crack a geek/sci-fi site, then use something with Star Trek words

Same for porn/adult sites

Aside: Carders.CC database mirrored onto skullsecurity (ask for access)


Lots of information and dictionaries on the blog


Compromised through phishing attacks

This makes the list low quality (people who recognised the phish may have entered fake passwords)

  1. password1
  2. abc123
  3. fuckyou
  4. monkey1
  5. iloveyou1

The 3rd entry is probably from people who knew it was a phishing attempt.

33% of passwords were based on names


Biggest exposure available


Passwords were stored as MD5 hashes

  • currently 184,389 of 189,667 cracked
  • 97.2% cracked
  1. 123456
  2. password
  3. phpbb

44% of passwords were based on names… also a high degree of success with the Star Trek and Muppets dictionaries


Biggest breach of all time: more than 3 million passwords

Basis of the nmap password list

The biggest plain text breach

  1. 123456
  2. 12345
  3. 123456789
  4. password
  5. rockyou

> 40% were based on names


“Smart Aleck”

Passwords found on pastebin

Clear text

Small breach, but interesting as it’s not English

  1. salasana
  2. 123456
  3. perkele
  4. 12345
  5. qwerty

80% were based on names (much more than any other breach)

>60% could be cracked by using words spidered from the site itself


Found by accident

Stored in 4 different ways

  • Plaintext
  • md5
  • sha1
  • Salted sha1

This is because the site changed its password storage over time; a user’s stored hash is only converted to the new format when they next log in, so accounts that never logged back in keep the older, weaker format.

Cracked around 75% of the unsalted hashes and around 50% of the salted ones

  1. salasana
  2. 123456
  3. perkele
  4. 12345
  5. qwerty

40% of passwords based on names


Christian book site

Breach due to access control problems

Admins deny compromise ever happened

Passwords were all in plaintext!

Lots of password re-use between these and other accounts (Facebook, email, etc…)

  1. 123456
  2. <blank>
  3. writer
  4. jesus1
  5. christ
  6. blessed
  7. john316
  8. jesuschrist

>50% based on names


Discovered by accident (10,000 passwords)

>70% based on names

>15% based on bible dictionary


Salted SHA-1

Cracked around 60% so far

Top 3 passwords all numeric

  1. 123456
  2. 12345678
  3. 123456789
  4. hallo123
  5. hurensohn

>35% based on names

>50% could be cracked based on spidering the site itself


7 out of 10 breaches stored passwords in plaintext

The other 3 were hashed: MD5, salted SHA-1, and one site with a mix of all of the above

Salted passwords were, as expected, harder to crack

Dictionary Performance

Names were the biggest but also the best dictionary

Bible does poorly (except on porn sites it seems)

Scraping sites does very well (site dependent)

Cracking Strategies

John’s mangling rules

  • Written in John’s own rule language
  • All-lowercase passwords dominate


  • Majority of passwords are 6 characters long (followed by 8, 7, 9, 5)
  • Numerical suffixes
    • Most common suffix length is 2 digits (followed by 1, 4, 3)
    • Lots of people use classofXX as a password
      • Plotted by year the curve is very smooth; classof08 and classof09 are the most popular
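The per-breach figures quoted throughout these notes (top-N list, length distribution, suffix lengths, share based on names, the classofXX curve) come from simple counting over the plaintexts. The following helper, written for these notes and not the analysis code behind the talk, computes each of them over a small constructed breach; the names list is constructed too and is nothing like the size you would use for real.

```python
"""Breach-statistics helper (added example; not the analysis code behind the talk).

Given plaintext passwords it computes the figures quoted per breach: the top-N
list, the password-length distribution, the trailing-digit suffix lengths, the
share of passwords built on a first name (suffix stripped) and the classofXX
year counts. Names list and sample breach are constructed for the example.
"""
import re
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Toy names dictionary; a real one has tens of thousands of entries.
NAMES: Set[str] = {"alice", "bob", "carol", "dave", "jessica", "michael", "ashley", "daniel", "john", "anna"}

SUFFIX_RE = re.compile(r"^(.*?)(\d*)$")
CLASSOF_RE = re.compile(r"classof(\d{2,4})")


def split_suffix(pw: str) -> Tuple[str, str]:
    """Return (base, trailing_digits); an all-digit password has an empty base."""
    m = SUFFIX_RE.match(pw)
    return m.group(1), m.group(2)


def top_n(passwords: Iterable[str], n: int = 5) -> List[Tuple[str, int]]:
    """The n most common passwords with their counts."""
    return Counter(passwords).most_common(n)


def length_distribution(passwords: Iterable[str]) -> List[Tuple[int, int]]:
    """(length, count) pairs, most common length first."""
    return Counter(len(p) for p in passwords).most_common()


def suffix_length_distribution(passwords: Iterable[str]) -> List[Tuple[int, int]]:
    """(digits_in_suffix, count) for passwords that are word + digits, most common first."""
    lengths = [len(digits) for base, digits in map(split_suffix, passwords) if base and digits]
    return Counter(lengths).most_common()


def name_based_share(passwords: List[str], names: Set[str] = NAMES) -> float:
    """Fraction of passwords whose base (suffix stripped, lowercased) is a known name."""
    if not passwords:
        return 0.0
    hits = sum(1 for p in passwords if split_suffix(p)[0].lower() in names)
    return hits / len(passwords)


def class_of_years(passwords: Iterable[str]) -> List[Tuple[str, int]]:
    """Count classofYY passwords per year, most common first."""
    years: List[str] = []
    for p in passwords:
        m = CLASSOF_RE.fullmatch(p.lower())
        if m:
            years.append(m.group(1))
    return Counter(years).most_common()


# Constructed breach of 20 plaintexts (not real data).
SAMPLE_BREACH = [
    "123456", "123456", "123456", "password", "password",
    "jessica1", "michael", "Ashley12", "daniel2009", "john316", "anna",
    "classof08", "classof08", "classof09", "classof07",
    "qwerty", "dragon", "iloveyou1", "bob", "12345",
]

if __name__ == "__main__":
    print("top 5:", top_n(SAMPLE_BREACH))
    print("lengths:", length_distribution(SAMPLE_BREACH))
    print("suffix digit lengths:", suffix_length_distribution(SAMPLE_BREACH))
    print(f"name based: {name_based_share(SAMPLE_BREACH):.0%}")
    print("classofXX by year:", class_of_years(SAMPLE_BREACH))
```

The suffix-stripping step is what makes "based on names" come out as high as it does in the talk: jessica1, Ashley12 and john316 all count as name-based, which is also why a names dictionary plus digit-suffix rules is such a productive combination.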

L33t passwords

  • English dictionary with translations
    • O –> 0 is most common
    • I –> 1
    • E –> 3
  • phpBB and RockYou both crack less than 1% using this
  • Able to crack things only because the original word was based on a dictionary word
    • degeneration –> d3g3n3ration

Although the L33t dictionary cracks far fewer, it cracks passwords that the others won’t
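As an added illustration of the leet dictionary (example code written for these notes, not the talk's), the block below translates each dictionary word into its l33t spellings, trying every combination of the common substitutions, and then compares a plain dictionary with its leet translation against a constructed plaintext list. The word list and the plaintexts are constructed; the point is the shape of the result, a small crack rate that nevertheless does not overlap with what the plain dictionary finds.

```python
"""Leet-speak dictionary translation (added example, not the talk's code).

Builds the l33t variants of each dictionary word by applying the common
character translations (o->0, i->1, e->3 and a few more) in every combination,
then measures against constructed plaintexts how little the leet dictionary
cracks on its own and how much of that the plain dictionary would have missed.
"""
from itertools import product
from typing import Dict, Iterable, List, Set

# Each letter may stay as is or be replaced; o->0, i->1, e->3 are the common ones.
LEET_MAP: Dict[str, List[str]] = {
    "o": ["o", "0"],
    "i": ["i", "1"],
    "e": ["e", "3"],
    "a": ["a", "4", "@"],
    "s": ["s", "5", "$"],
    "t": ["t", "7"],
}


def leet_variants(word: str, mapping: Dict[str, List[str]] = LEET_MAP, max_variants: int = 512) -> List[str]:
    """All leet spellings of word except the plain word, capped for long words."""
    plain = word.lower()
    choices = [mapping.get(ch, [ch]) for ch in plain]
    out: List[str] = []
    for combo in product(*choices):  # lazy, so the cap really limits the work
        cand = "".join(combo)
        if cand != plain:
            out.append(cand)
            if len(out) >= max_variants:
                break
    return out


def leet_dictionary(words: Iterable[str]) -> Set[str]:
    """Union of the leet variants of every word."""
    d: Set[str] = set()
    for w in words:
        d.update(leet_variants(w))
    return d


def crack_rates(words: List[str], plaintexts: List[str]) -> Dict[str, float]:
    """Crack rate of the plain dictionary, its leet translation, and leet's unique share."""
    plain = {w.lower() for w in words}
    leet = leet_dictionary(words)
    lowered = [p.lower() for p in plaintexts]
    n = len(lowered)
    plain_hits = sum(1 for p in lowered if p in plain)
    leet_hits = sum(1 for p in lowered if p in leet)
    leet_only = sum(1 for p in lowered if p in leet and p not in plain)
    return {"plain": plain_hits / n, "leet": leet_hits / n, "leet_only": leet_only / n}


# Constructed dictionary and "breach" plaintexts (not real data).
SAMPLE_WORDS = ["password", "degeneration", "monkey", "dragon", "master", "baseball", "football", "shadow"]
SAMPLE_PLAINTEXTS = [
    "password", "123456", "monkey", "dragon", "master", "qwerty", "letmein", "abc123",
    "iloveyou", "Password", "monkey1", "d3g3n3ration", "p4ssw0rd", "baseball", "football",
    "trustno1", "sunshine", "shadow", "michael", "12345",
]

if __name__ == "__main__":
    print(len(leet_variants("degeneration")), "leet spellings of degeneration, e.g. d3g3n3ration")
    for name, rate in crack_rates(SAMPLE_WORDS, SAMPLE_PLAINTEXTS).items():
        print(f"{name:>9}: {rate:.0%}")
```

The leet set only ever contains transformed dictionary words, so everything it recovers is, as the notes say, a dictionary word underneath; a leet-looking password that is not built on a dictionary word stays uncracked.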

Other methods

Misspelled words

Other languages (Japanese symbols, phonetic versions)

Unicode Symbols

Keyboard patterns (other than qwerty or qwertz)


Sites are always being breached

People choose poor passwords

Most passwords are alphabetic

Check out the slides on skullsecurity.com


Mobile devices lowering web security

It’s been over a month now since I finally made the move to an iPhone. For the last 6 months or so I’ve been using a Blackberry (with mixed results) but this was mostly business use. The one thing that struck me when I started using the iPhone for Internet use, reading blogs, and accessing services like Twitter, was the keyboard. I know it sounds strange, but having to click through 3 different menus just to get to the special keys portion of the keyboard puts a serious dent in your typing speed. Once you’re used to things, then it’s OK to work with. However this started me thinking how many average users of the iPhone (or Blackberry, Nokia, G1, <insert current mobile device of the week here>) have given up constantly typing their suitably complex web-mail or forum password and changed it to something easier and quicker to enter on a mobile keypad.

With things constantly moving towards mobile computing (like it or not) the input of passwords will become more and more of an issue. Devices are getting smaller and smaller, and keyboard input is moving from the standard layout to miniature keypads, gestures, and handwriting recognition. These are difficult enough to deal with as it is, without having to make sure you get it 100% correct. After all, you can’t have a spelling mistake in your password and get away with it.

So, how long before we start to see a shift in password use on web services to more mobile-friendly passwords? For example, those made only of the characters on the main iPhone keypad. This means no special characters or numbers. Unless the web service forces strong passwords, users will go with convenience over security most of the time. This is just human nature. This increasingly limited input range will make it easier to brute-force the passwords of mobile users and reduce overall security, just as we’ve finally started to get the general public to embrace complex passwords. One step forward, and two steps back.

Hopefully this doesn’t spell a return to the use of “god”, “sex”, “love” and “secret” as our main passwords of choice.