The Happiest Passwords on Earth
Sunday, January 1, 2012 at 4:44PM So there was a dump a few days ago that had several companies including Yahoo, Google, Core Security, and Disney.
The Disney data interested me. Disney is awesome. I love going there even as an adult. There is something about that Disney brand of magic. It maybe expensive, but you get a premium experience with Disney.
I wanted to see what type of password logic was in place at that company. It takes a special right brained creative person to make Disney magic. What type of creative passwords did they have? Not very! All passwords were 8 characters or less! @purehate_ pointed out that DES hashes only allow 8 char max. Set Hashcat accordingly!
Below is a redacted output report from Pipal, an awesome tool for password analysis created by @digininja! Head over to digininja.org to download Pipal or fire up BT5 and apt-get it!
Total entries = 426
Total unique entries = 419
Password length (length ordered)
1 = 4 (0.94%)
3 = 2 (0.47%)
4 = 6 (1.41%)
5 = 9 (2.11%)
6 = 203 (47.65%)
7 = 97 (22.77%)
8 = 112 (26.29%)
Password length (count ordered)
6 = 203 (47.65%)
8 = 112 (26.29%)
7 = 97 (22.77%)
5 = 9 (2.11%)
4 = 6 (1.41%)
1 = 4 (0.94%)
3 = 2 (0.47%)
|
|
|
|
|
|
|
| |
|||
|||
|||
|||
|||
|||
|||
|||||||||
012345678
One to six characters = 219 (51.41%)
One to eight characters = 426 (100.0%)
More than eight characters = 0 (0.0%)
Only lowercase alpha = 186 (43.66%)
Only uppercase alpha = 1 (0.23%)
Only alpha = 187 (43.9%)
Only numeric = 13 (3.05%)
First capital last symbol = 1 (0.23%)
First capital last number = 12 (2.82%)
Single digit on the end = 83 (19.48%)
Two digits on the end = 43 (10.09%)
Three digits on the end = 14 (3.29%)
Last number
0 = 12 (2.82%)
1 = 54 (12.68%)
2 = 23 (5.4%)
3 = 10 (2.35%)
4 = 11 (2.58%)
5 = 12 (2.82%)
6 = 6 (1.41%)
7 = 10 (2.35%)
8 = 12 (2.82%)
9 = 8 (1.88%)
|
|
|
|
|
|
|
|
|
||
||
||
||| || |
|||||| |||
||||||||||
||||||||||
0123456789
Last digit
Character sets
loweralpha: 186 (43.66%)
loweralphanum: 170 (39.91%)
loweralphaspecial: 25 (5.87%)
numeric: 13 (3.05%)
mixedalphanum: 9 (2.11%)
mixedalpha: 7 (1.64%)
loweralphaspecialnum: 6 (1.41%)
upperalphanum: 2 (0.47%)
mixedalphaspecialnum: 2 (0.47%)
special: 2 (0.47%)
mixedalphaspecial: 2 (0.47%)
upperalpha: 1 (0.23%)
Character set ordering
allstring: 194 (45.54%)
stringdigit: 134 (31.46%)
stringspecial: 21 (4.93%)
stringdigitstring: 21 (4.93%)
othermask: 16 (3.76%)
digitstring: 15 (3.52%)
alldigit: 13 (3.05%)
stringspecialdigit: 4 (0.94%)
stringspecialstring: 3 (0.7%)
specialstring: 3 (0.7%)
allspecial: 2 (0.47%)
Hashcat masks (Top 10)
?l?l?l?l?l?l: 104 (24.41%)
?l?l?l?l?l?l?l?l: 40 (9.39%)
?l?l?l?l?l?l?l: 34 (7.98%)
?l?l?l?l?l?l?d: 26 (6.1%)
?l?l?l?l?l?d: 23 (5.4%)
?l?l?l?l?l?l?l?d: 18 (4.23%)
?l?l?l?l?d?d: 18 (4.23%)
?l?l?l?l?l?l?d?d: 11 (2.58%)
?d?d?d?d?d?d: 10 (2.35%)
?d?l?l?l?l?l?l?l: 10 (2.35%)
As of 1/1/2012, Disney did have 3 jobs related to Information Security open.