Password Dumps and analysis (articles compilation)

Posted: 14/07/2012 in Uncategorized

Yahoo Password Dump Analyzed

    Wow, not one, but two password dumps in one day. Hackers leaked a very large number of Billabong and Yahoo passwords in plain text, so there was no need to crack them. We looked at the Billabong one earlier today using the password analysis tool Pipal; now let’s take a look at the Yahoo dump.

    This one is huge: roughly 450,000 accounts. Though numerous reports say most of the leaked accounts were no longer active, the latest reports say that many of the leaked credentials belonged to e-mail accounts at other providers. According to ABC News:

    “Some of the Yahoo Voices’ accounts listed email addresses with AOL, Gmail, Hotmail and Windows Live. Security firm Sucuri said that more than 100,000 Gmail addresses were included in the breach.”

    Take into account that many people never change their passwords, or reuse the same password at multiple sites, and this is very concerning: a plain-text Yahoo Voices password next to a Gmail or Hotmail address is a ready-made candidate for that mail account. Well, let’s go ahead and take a look at the dump as analyzed with Pipal.

    Here are the top 7 Password Lengths:

    The Complexity of the Passwords:
    And Character Sets Used:
    And as usual, for some odd reason the password “monkey” seems to show up in the top 10 lists. But this time it did not make the top 10:
    It seems to have been supplanted by the password “0”. Two hundred and two people actually used “0” as a password!

    Okay for the record, “monkey” was not a complete no-show. It was one of the top 10 base words!

    It beat out Jesus, love, money and ninja!

    All joking aside, what is bothersome is that some of the passwords leaked are pretty good passwords.

    Check these out:

    $coreS1BgM0rsl4me
    $r87*CQG>36rkM

    These would have taken a long time to crack if they had been stored as hashes and had to be cracked. But here is the kicker: the database that held the passwords was compromised via SQL injection, so the hackers were able to grab the contents of the entire database, and the passwords in it were stored in plain text. It doesn’t matter that some of the users had 17 character complex passwords. A web application security issue led to the entire account database being dumped, and nothing on the storage side stood between the attackers and the passwords themselves.

    This really should drive home the need for good security measures at the network level and especially at the application level: anything a user types that reaches a SQL query has to be bound as a parameter rather than pasted into the query string, and passwords have to be stored as salted, slow hashes so that a dumped table does not hand over the passwords themselves.
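As an added example (not from the original article, and not Yahoo’s code), here is the pattern that cost the Yahoo Voices users their passwords, written in Python against an in-memory SQLite table: a login lookup that pastes user input into the SQL string beside the parameterized version, and a plain-text password column beside salted PBKDF2 storage. The table and column names, the sample rows, the injection payload and the sqlite3 backend are all assumptions made for the example; the two strong passwords are the ones quoted above.

```python
"""Added example: SQL injection against a plain-text password table,
beside the parameterized query and hashed storage that would have
contained the damage. Schema, rows and payload are constructed here."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows. Two passwords are the strong ones quoted in the
# article, one is "0"; all three are stored as-is, like the Yahoo Voices dump.
SAMPLE_ACCOUNTS = [
    ("alice", "alice@example.com", "$coreS1BgM0rsl4me"),
    ("bob", "bob@example.com", "$r87*CQG>36rkM"),
    ("carol", "carol@example.com", "0"),
]

# Closes the quoted literal so the WHERE clause is always true: every row
# comes back, password column included.
DUMP_EVERYTHING = "' OR '1'='1"


def setup_plaintext_db():
    """Build the vulnerable schema: passwords stored in plain text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, name):
    """The bug: user input is spliced into the SQL text."""
    query = "SELECT name, email, password FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter can never change the shape of the query."""
    query = "SELECT name, email, password FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def hash_password(password, salt=None, rounds=100_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as salt$rounds$hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "%s$%d$%s" % (salt.hex(), rounds, digest.hex())


def verify_password(stored, candidate):
    """Recompute with the stored salt and rounds; constant-time compare."""
    salt_hex, rounds, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def setup_hashed_db():
    """Same schema, but the password column holds only salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(n, e, hash_password(p)) for n, e, p in SAMPLE_ACCOUNTS])
    return conn


if __name__ == "__main__":
    plain = setup_plaintext_db()
    print("injected into vulnerable lookup:", lookup_vulnerable(plain, DUMP_EVERYTHING))
    print("same input, parameterized lookup:", lookup_safe(plain, DUMP_EVERYTHING))
    hashed = setup_hashed_db()
    print("same injection against hashed table:", lookup_vulnerable(hashed, DUMP_EVERYTHING))
```

The injection still dumps the whole table from the hashed database; the difference is that the attacker then has to run the 17-character passwords through a slow, salted hash, which is the situation the Stratfor attackers faced further down this page, instead of reading them off the screen.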

Billabong Password Dump Analysis

    Over 20,000 passwords, supposedly leaked from Billabong, have been floating around. And as usual, I like to grab the passwords and analyze them for patterns. So I took 21,435 of them and ran them through the password analysis program Pipal.

    Here are the top 7 Password Lengths:

    The Complexity of the Passwords:
    And Character Sets Used:
    And finally, and most importantly, the question that we always ask and the one that everybody wants to know.

    Was “Monkey” one of the top passwords?

    The answer is….

    YES!

    Phew, had us worried there. It slipped down to #10, but as usual in password dumps, along with the company name, “password” and “12345”, our favorite password “monkey” is there!

Shmoocon Stratfor Password Analysis

    Chris Truncer presenting at Shmoocon with an interesting analysis of the Stratfor password dump. When Strategic Forecasting Inc (Stratfor) was hacked, the hacktivist group Anonymous released hundreds of thousands of users’ accounts, including user names, credit card numbers and hashed versions of the users’ passwords.

    At the recent Shmoocon security conference (video above), Chris Truncer presented a short analysis of this password dump. Using oclHashcat-plus, Chris was able to crack about 70% of the password hashes that were publicly released. He then analyzed the cracked passwords with the password analysis program Pipal, which searches password lists and returns several statistics, like the most used passwords and character use percentages.

    Though the top ten passwords used didn’t seem to match the top passwords from last year, it is interesting to note that when users received a password from Stratfor, apparently many never changed it, or worse, many changed it to something less secure.

Analyzing Passwords for Patterns and Complexity

    Digininja’s site has an interesting password analyzing program called “Pipal”. The program takes a list of passwords and returns the top passwords used, a table of password lengths, dates used and a ton of other information.

    In this demonstration, I used a list of leaked sanitized passwords (a password dump from a real site with account names and e-mail addresses removed) from SkullSecurity.

    Simply download Pipal, provide it a password list and sit back and watch it go. This list of about 9,000 Hotmail passwords took only a few seconds. Larger lists can take significantly longer; one list Digininja analyzed with millions of passwords took about 24 hours!
    Let’s look at some of the more interesting data returned from Pipal. Here is a list of the top ten base words:

    Top 10 base words
    angel = 10 (0.11%)
    beto = 9 (0.1%)
    diciembre = 7 (0.08%)
    abril = 6 (0.07%)
    amor = 5 (0.06%)
    acuario = 5 (0.06%)
    junio = 5 (0.06%)
    daniel = 5 (0.06%)
    alex = 5 (0.06%)
    beatriz = 5 (0.06%)

    This is obviously a dump from a Spanish speaking country, but you will notice that the base word “angel” (Pipal strips the leading and trailing digits and symbols from each password to get its base word) was used 10 times, and a lot of users’ passwords were built on a name or a month.

    How long was the average password?

    Password length (count ordered)
    6 = 1823 (20.41%)
    8 = 1769 (19.81%)
    7 = 1306 (14.62%)
    9 = 1098 (12.3%)
    10 = 773 (8.66%)
    11 = 565 (6.33%)
    12 = 406 (4.55%)
    13 = 285 (3.19%)
    14 = 216 (2.42%)
    16 = 178 (1.99%)
    5 = 175 (1.96%)
    15 = 158 (1.77%)
    17 = 59 (0.66%)
    4 = 37 (0.41%)
    18 = 19 (0.21%)
    20 = 16 (0.18%)
    21 = 13 (0.15%)
    22 = 9 (0.1%)
    2 = 9 (0.1%)
    19 = 8 (0.09%)
    3 = 7 (0.08%)
    1 = 5 (0.06%)
    24 = 5 (0.06%)
    23 = 4 (0.04%)
    27 = 4 (0.04%)

    Looks like 6 characters is the winner, followed closely by 8. I am actually surprised by the number of people who used 20 character passwords. But as this is from a website password dump, it apparently didn’t do them any good…

    Okay, how about complexity – how strong were the passwords:

    Password Strength:
    Only lowercase alpha = 3716 (41.61%)
    Only uppercase alpha = 197 (2.21%)
    Only alpha = 3913 (43.82%)
    Only numeric = 1654 (18.52%)

    First capital last symbol = 23 (0.26%)
    First capital last number = 240 (2.69%)

    Ouch, looks like a good chunk of them were simple passwords.

    Okay, what about dates, did any of the passwords have a date in them?

    Months
    march = 2 (0.02%)
    may = 18 (0.2%)
    june = 1 (0.01%)
    july = 1 (0.01%)
    august = 1 (0.01%)
    october = 1 (0.01%)

    Days
    None found

    Months (Abreviated)
    jan = 15 (0.17%)
    feb = 8 (0.09%)
    mar = 184 (2.06%)
    apr = 8 (0.09%)
    may = 18 (0.2%)
    jun = 17 (0.19%)
    jul = 19 (0.21%)
    aug = 2 (0.02%)
    sept = 4 (0.04%)
    oct = 14 (0.16%)
    nov = 21 (0.24%)
    dec = 7 (0.08%)

    Days (Abreviated)
    mon = 61 (0.68%)
    wed = 1 (0.01%)
    fri = 14 (0.16%)
    sat = 11 (0.12%)
    sun = 13 (0.15%)

    Years (Top 10)
    2008 = 38 (0.43%)
    1985 = 30 (0.34%)
    2006 = 27 (0.3%)
    1983 = 26 (0.29%)
    1980 = 26 (0.29%)
    2007 = 25 (0.28%)
    1987 = 24 (0.27%)
    1984 = 23 (0.26%)
    1979 = 22 (0.25%)
    1981 = 21 (0.24%)

    Pipal provides a lot more information than what was provided here, but I think this gives you a good idea of what it can do. One caveat when reading the date tables: the abbreviated month and day entries are substring matches, so in a Spanish-language list “mar” (184) is most likely inflated by names like Maria and Marco, and “mon” (61) picks up “monkey” and “money” as well as Monday.
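To show what the statistics above actually measure, here is a small Pipal-style pass over a password list, written in Python as an added example; it is not Pipal’s own code (Pipal is a Ruby tool) and its base-word rule, strip leading and trailing non-letters and lowercase the rest, is an approximation of Pipal’s. The password list is constructed for the example and deliberately includes “monkey” and “money” so the substring-matching quirk in the day table is visible.

```python
"""Added example: Pipal-style statistics (length table, strength classes,
base words, month/day/year hits) over a constructed password list.
The base-word rule approximates Pipal's; the sample list is made up."""
import re
from collections import Counter

# Constructed sample dump, in the spirit of the Hotmail list discussed above.
SAMPLE_PASSWORDS = [
    "angel123", "Angel2008", "diciembre85", "beto", "maria1985",
    "monkey", "money1", "123456", "PASSWORD", "Abril!", "sunshine",
    "$coreS1BgM0rsl4me", "Marco2006", "qwerty", "friday13",
]

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday",
        "saturday", "sunday"]
MONTHS_ABBR = [m[:3] for m in MONTHS]
DAYS_ABBR = [d[:3] for d in DAYS]


def _pct(n, total):
    return round(100.0 * n / total, 2)


def length_distribution(passwords):
    """(length, count, percent) tuples, most common first."""
    total = len(passwords)
    counts = Counter(len(p) for p in passwords)
    return [(length, n, _pct(n, total)) for length, n in counts.most_common()]


def strength_classes(passwords):
    """The 'Password Strength' buckets shown in the Pipal output above."""
    checks = {
        "Only lowercase alpha": lambda p: p.isalpha() and p.islower(),
        "Only uppercase alpha": lambda p: p.isalpha() and p.isupper(),
        "Only alpha": lambda p: p.isalpha(),
        "Only numeric": lambda p: p.isdigit(),
        "First capital last symbol":
            lambda p: p[:1].isupper() and not p[-1:].isalnum(),
        "First capital last number":
            lambda p: p[:1].isupper() and p[-1:].isdigit(),
    }
    return {name: sum(1 for p in passwords if f(p)) for name, f in checks.items()}


def base_word(password):
    """Strip leading/trailing digits and symbols, lowercase what is left
    (approximation of Pipal's base word; assumption, not Pipal's exact rule)."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def top_base_words(passwords, n=10, min_len=4):
    """Most common base words of at least min_len letters."""
    total = len(passwords)
    counts = Counter(b for b in map(base_word, passwords) if len(b) >= min_len)
    return [(w, c, _pct(c, total)) for w, c in counts.most_common(n)]


def date_hits(passwords):
    """Substring matches for month and day names (full and abbreviated) and
    standalone 4-digit years. Substring matching is what makes 'mon' count
    'monkey' and 'money', the quirk noted in the article."""
    hits = {"months": Counter(), "months_abbr": Counter(),
            "days_abbr": Counter(), "years": Counter()}
    for p in (p.lower() for p in passwords):
        hits["months"].update(m for m in MONTHS if m in p)
        hits["months_abbr"].update(m for m in MONTHS_ABBR if m in p)
        hits["days_abbr"].update(d for d in DAYS_ABBR if d in p)
        hits["years"].update(re.findall(r"(?<!\d)(19\d\d|20\d\d)(?!\d)", p))
    return hits


if __name__ == "__main__":
    print("Password length (count ordered)")
    for length, n, pct in length_distribution(SAMPLE_PASSWORDS):
        print("%d = %d (%s%%)" % (length, n, pct))
    print("\nPassword Strength")
    for name, n in strength_classes(SAMPLE_PASSWORDS).items():
        print("%s = %d" % (name, n))
    print("\nTop base words")
    for w, c, pct in top_base_words(SAMPLE_PASSWORDS):
        print("%s = %d (%s%%)" % (w, c, pct))
    print("\nDates:", {k: dict(v) for k, v in date_hits(SAMPLE_PASSWORDS).items()})
```

Run it on a real dump by replacing SAMPLE_PASSWORDS with one password per line read from a file; the day table will show the same inflation the Hotmail output above does once a few hundred “monkey” variants are in the list.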

    I think this is a great tool to see the trends and patterns in password security. After so many years of users being warned about password security, it is very disheartening to see that the majority of users are still using short, simple passwords.

    But what is more alarming is the number of password dumps that are available from compromised websites.

Used articles

Comments
  1. D. Dieterle says:

    Thanks for the re-post Yury, I appreciate it!

