Password Patterns 123
My computer has an NVidia Quadro 2000M video card.
I am not a gamer, but I know that one can use a GPU to crack passwords. I decided to play with oclHashcat. This is an awesome tool which uses your GPU to crack hashes. I obtained some hashes online and I loaded up my dictionary and added some rules for mangling and let the cat do its thing. After a short time, I had quite a large sample set of passwords.
Passwords are interesting. Users are encouraged to use complexity: uppercase, numbers, special characters. Cracking passwords is an interesting science. Everyone at Derbycon knows my thoughts on password cracking.
User behavior makes password cracking a mix of art and science. Looking at my list, I noticed that a large percentage contain numbers. Research on the ROCKYOU password list (the paper cited below) found that numbers were at the end of 64% of the passwords. This makes sense, as we are trained to make "complex" passwords, often with a policy requiring that digit.
Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords
Using Excel, I created a function that would pull the last character of the password (VALUE turns a trailing digit into a number; if the last character is not a digit the cell shows a #VALUE! error, so it drops out of the digit counts):
=VALUE(RIGHT(A1,1))
I created a table that would count the number of times a character appeared in the list, with digit replaced by the value to count (for example =COUNTIF(B:B,3) counts the passwords ending in 3):
=COUNTIF(B:B,digit)
Looking only at numbers, I identified the top 3 digits a password would end with.
3, 4, and 1 found themselves in the top 3.
If your passwords follow the patterns below, you are not being clever. The password abc123 was #10 in the top 10 passwords from ROCKYOU.
abc123
abc1234
abc1
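The Excel steps above and the abc123-style patterns can be checked in one pass over a password sample. The script below is an added example, not code from the original post: it redoes the last-character pull and the per-digit count in Python, reports the share of passwords ending in a digit (the figure the 64% statistic describes), and flags the "letters then digits" shape of abc123. The password list it runs on is constructed for illustration and is not the author's sample set or any real leak; the function names are my own.

```python
"""Trailing-character analysis of a password sample.

Added example, not code from the original post: it redoes the two Excel
steps described above (=VALUE(RIGHT(A1,1)) and =COUNTIF) in Python and
adds a check for the "letters then digits" shape of abc123. The password
list below is constructed for illustration; it is not the author's
sample set or any real leak. Function names are my own.
"""
import re
from collections import Counter

# Constructed sample standing in for the output of a cracking run.
SAMPLE_PASSWORDS = [
    "abc123", "abc1234", "abc1", "password1", "letmein3", "sunshine4",
    "qwerty!", "a1b2c3", "Welcome3", "iloveyou4", "monkey4", "football3",
    "Summer2013", "trustno1", "correcthorsebatterystable", "P@ssw0rd",
]

# Letters followed only by digits: abc123, password1, Summer2013 ...
WORD_THEN_DIGITS = re.compile(r"^[A-Za-z]+[0-9]+$")


def last_char(pw):
    """Excel =RIGHT(A1,1); returns "" for an empty password."""
    return pw[-1] if pw else ""


def trailing_digit_counts(passwords):
    """Excel =COUNTIF(B:B, d) for each digit d.

    Only passwords ending in a digit are counted, which is what the
    spreadsheet does implicitly: VALUE() errors on a non-digit and the
    error cells never match a digit in COUNTIF.
    """
    tail = Counter(last_char(pw) for pw in passwords if last_char(pw).isdigit())
    return {d: tail.get(d, 0) for d in "0123456789"}


def top_trailing_digits(passwords, n=3):
    """The n most common trailing digits, most common first.

    Ties are broken by the digit itself so the result is deterministic.
    """
    counts = trailing_digit_counts(passwords)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [d for d, c in ranked[:n] if c > 0]


def fraction_ending_in_digit(passwords):
    """Share of passwords whose last character is a digit (cf. the 64% figure)."""
    if not passwords:
        return 0.0
    return sum(1 for pw in passwords if last_char(pw).isdigit()) / len(passwords)


def word_then_digits(pw):
    """True for the abc123 shape: a run of letters followed only by digits."""
    return bool(WORD_THEN_DIGITS.match(pw))


def audit(passwords):
    """Summarise a password sample the way the post does, plus the pattern check."""
    ending_in_digit = sum(1 for pw in passwords if last_char(pw).isdigit())
    return {
        "total": len(passwords),
        "ending_in_digit": ending_in_digit,
        "fraction_ending_in_digit": fraction_ending_in_digit(passwords),
        "trailing_digit_counts": trailing_digit_counts(passwords),
        "top_trailing_digits": top_trailing_digits(passwords),
        "word_then_digits": [pw for pw in passwords if word_then_digits(pw)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWORDS)
    print(f"{report['ending_in_digit']}/{report['total']} end in a digit "
          f"({report['fraction_ending_in_digit']:.0%})")
    print("top trailing digits:", ", ".join(report["top_trailing_digits"]))
    print("letters-then-digits:", ", ".join(report["word_then_digits"]))
```

On the constructed sample, 13 of 16 passwords end in a digit, the top trailing digits come out as 3, 4 and 1, and twelve passwords match the letters-then-digits shape. Feeding the output of a password audit into audit() gives a defender the same two numbers the post derives by hand, which is a quicker way to judge whether a policy's "add a digit" requirement is producing predictable passwords.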
Human beings are creatures of pattern. Don't let your passwords be. Choose a really good password and, if possible, add a second factor.
Just don't select "correcthorsebatterystable" as your password. It is in my dictionary.