Entries in Passwords (5)


Lessons in LinkedIn Password Cracking

So this past week the password cracking community had some excitement.  Several dumps of hashes were leaked.  One of those was LinkedIn.  This caught my eye since most professionals use this social media service.  I have been a fan of passwords ever since I met Matt Weir when he presented on the science of password cracking.  One of his talking points was that people can pick anything as a password but generally follow a pattern.  How many of us have a capital first letter and end with the number 1?  Password1 is technically a strong password in the eyes of Active Directory.

A few months ago, digininja created a tool Pipal which allows analysis of passwords.  This allowed the community a common metric and analysis tool to run the various password dumps.  Using the various data from previous dumps, I was able to fine tune my hashcat rules to be able to crack over half the LinkedIn hashes.  

Lessons Learned

  1. Start with a good dictionary.  KoreLogic has a group of amazing word lists here.  In addition, SkullSecurity has a list of previously cracked passwords and various wordlists which I also added to my master_wordlist.dic.  To make my master_wordlist.dic I would "cat infile >> master_wordlist.dic".  Make sure to use the double >> or else you wipe over the words already in the master_wordlist.dic.
  2. After adding everything to your list, you need to sort and remove the duplicates.  In Windows it is a pain since your list is too big for Excel and Access just plain stinks to use.  Score 1 for Bash! The command "sort master_wordlist.dic | uniq > master_sorted_wordlist.dic" worked perfectly.
  3. Fire up hashcat and crack!  Don't forget to use some rules and masks!  You don't need a GPU but it helps.  One thing I learned was my Dell Laptop has a nVidia card so check your gear.
  4. Now that you have a cracked list in the hash:plaintext format, you need to remove the hash part.  Score 2 for Bash! The command "grep -o '[^:]*$' infile > outfile" will remove the hashes, leaving you a file with only plaintext passwords.
  5. At this point you can perform a Pipal analysis or you can run your list through hashcat again using the cracked passwords as your new dictionary and apply the rules and masks.
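The five lessons above as one runnable script (an added example, not code from the original post): steps 1, 2, 4 and 5 are shell functions, and step 3 is shown as a commented hashcat invocation. Every file name is a constructed placeholder, and the hashcat command line assumes the LinkedIn dump's unsalted SHA-1 hashes.

```sh
#!/bin/sh
# Added example, not code from the original post: the wordlist-building and
# hash-stripping steps from "Lessons Learned" as shell functions.
# All file names are constructed placeholders.

# Steps 1 and 2: append every input list to the master list (>> keeps what is
# already there; a single > would wipe it), then write a sorted, deduplicated
# copy. "sort -u" gives the same result as "sort | uniq" in one pass.
build_master_wordlist() {
    master="$1"
    shift
    for list in "$@"; do
        cat "$list" >> "$master"
    done
    sorted="${master%.dic}_sorted.dic"
    sort -u "$master" > "$sorted"
    # print the path of the sorted list so callers can use it
    printf '%s\n' "$sorted"
}

# Step 3 is the hashcat run itself (assumed invocation, run by hand):
#   hashcat -m 100 -a 0 -r rules/best64.rule -o cracked.txt linkedin_sha1.txt master_sorted.dic
# -m 100 is unsalted SHA-1, which is what the LinkedIn dump contained; the
# outfile holds one "hash:plaintext" line per cracked hash.

# Step 4: keep only the plaintext part of each hash:plaintext line.
# The post's "grep -o '[^:]*$'" keeps the text after the LAST colon, so a
# plaintext that itself contains ':' would be truncated. For unsalted hashes
# the line has exactly one colon, so cutting after the FIRST colon keeps the
# whole plaintext, colons included.
strip_hashes() {
    cut -d: -f2- "$1"
}

# Step 5: feed the cracked plaintexts back in as the next dictionary
# (deduplicated) and report how many words it contains.
cracked_to_dictionary() {
    strip_hashes "$1" | sort -u > "$2"
    grep -c . "$2"
}
```

The only behavioural difference from the post's commands is in `strip_hashes`: cutting after the first colon rather than the last means a cracked password containing a colon survives intact, which matters once the cracked list becomes the next dictionary.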


You can find the Pipal Analysis of the LinkedIn dump here.  Happy Cracking!



Password Patterns 123

My computer has a NVidia Quadro 2000M video card.

I am not a gamer, but I know that one can use a GPU to crack passwords.  I decided to play with oclHashcat.  This is an awesome tool which uses your GPU to crack hashes.  I obtained some hashes online and I loaded up my dictionary and added some rules for mangling and let the cat do its thing.  After a short time, I had quite a large sample set of passwords. 

Passwords are interesting.  Users are encouraged to use complexity.  Uppercase, Numbers, Special Characters.  Cracking passwords is an interesting science.  Everyone at Derbycon knows my thoughts on password cracking.

User behavior makes password cracking a mix between art and science.  Looking at my list, I noticed a large percentage contain numbers.  Research on the ROCKYOU password list found that numbers were at the end of 64% of the passwords.  This makes sense, as we are trained to make "complex" passwords, often requiring that digit. 

Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords


Using Excel, I created a function that would pull the last character of the password.


I created a table that would count the number of times a character appeared in the list.


Looking for only numbers, I identified the top 3 numbers a password would end with.

3, 4, and 1 found themselves in the top 3.
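The same three-step analysis (pull the last character, count each character, keep the top digits) done with awk, sort and uniq instead of Excel, so it runs over a cracked list of any size. This is an added example, not the original post's spreadsheet; the input file is a constructed placeholder with one plaintext password per line, and the percentage function reproduces the "ends in a number" figure quoted from the ROCKYOU research for whatever list you feed it.

```sh
#!/bin/sh
# Added example, not code from the original post: the "last character"
# analysis the post did in Excel, done with awk/sort/uniq so it scales to a
# multi-million line cracked list. The input file is a constructed
# placeholder: one plaintext password per line.

# Count how often each character appears as the final character,
# most frequent first (the post's "table that counts each character").
last_char_counts() {
    awk 'length($0) > 0 { print substr($0, length($0), 1) }' "$1" \
        | sort | uniq -c | sort -rn
}

# The post's next step: restrict the table to digits and keep the top N
# (default 3), printing just the digits in descending order of frequency.
top_trailing_digits() {
    last_char_counts "$1" | awk '$2 ~ /^[0-9]$/ { print $2 }' | head -n "${2:-3}"
}

# The ROCKYOU figure quoted in the post (64% end in a number), computed for
# any list as a whole-number percentage (fractions truncated).
digit_ending_percent() {
    awk 'length($0) > 0 { total++; if ($0 ~ /[0-9]$/) digits++ }
         END { printf "%d\n", (total ? 100 * digits / total : 0) }' "$1"
}
```

Run `top_trailing_digits cracked_plaintexts.txt` against your own stripped list and compare the order with the post's 3, 4, 1; `last_char_counts` without the digit filter also shows how often a password ends in a letter, which is what a mask attack on the final position needs.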

If your passwords follow the patterns below, you are not being clever.  The password abc123 was #10 in the top 10 passwords from ROCKYOU.




Human beings are creatures of pattern.  Don't let your passwords be.  Choose a really good password and, if possible, add two-factor authentication. 

Just don't select "correcthorsebatterystable" as your password.  It is in my dictionary.




Password Patterns

The password "Password.1" is technically a strong password, however that is a password that JtR would be able to crack with ease.  Today in Lifehacker I read a great article about passwords.

Remember, more systems fell due to weak passwords than to exploits.

From Lifehacker:

Most people, though, use the same patterns when choosing their passwords, like having the number 1 at the end, making these easier for hackers to crack.

Security expert Roger Grimes writes at InfoWorld how easily passwords can be guessed and says that these days passwords need to be longer than the mere six-to-eight characters typically used. The average password guesser can determine portions of a large majority of users' passwords:

Most professional password guessers know there is a 50 percent chance that a user's password will contain one or more vowels. If it contains a number, it will usually be a 1 or a 2, and it will be at the end. If it contains a capital letter, it will be at the beginning, followed by a vowel. The average person has a working vocabulary of 50,000 to 150,000 words, and they are likely to be used in the password. Women are famous for using personal names in their passwords, and men opt for their hobbies. "Tigergolf" is not as unique as CEOs think. Even if you use a symbol, an attacker knows which are most likely to appear: ~, !, @, #, $, %, &, and ?.


Who's who of bad passwords!

People pick poor passwords.  Try saying that 3x fast.  As seen from the Gawker hack to Rockyou, people love to pick passwords that are no better than the combination that an idiot would have on his luggage.

Troy Hunt has a great write-up about certain sites (TomTom, American Express, Singapore Air) which promote the idea that passwords MUST be poor.



How Secure is your Password?

This is a great site that will tell you how secure your password is and how long it would take to crack it.

Of course it doesn't help if you write it down next to your computer or tell that random person on IM who claims to be from your bank!