Here I will try to put together and analyze all the information about user passwords on various resources.
Sony Pictures database
Worth noting is the study by Troy Hunt, who took the Sony Pictures user database for his research; all of the passwords in it were stored in clear text. He then analyzed the user passwords, and here are his results.
Password length

As we can see, most passwords are between 6 and 10 characters long, and half of them are shorter than 8 characters.
Used characters

[Chart: character classes used, with shares of 1%, 4%, 45% and 50%]
The resistance of a password to brute force is determined by the size of its character set (lower-case letters, upper-case letters, digits and special characters) raised to the power of the password length. In this sample we can see that passwords of the same, narrow type are used.
Vocabulary passwords

[Chart: 36% of passwords are dictionary words, 64% are not]
In this test, a dictionary of 1.7 million words was used. You can download it here:
dazzlepod.com/site_media/txt/passwords.txt. As we can see, the result is disappointing: more than a third of the passwords are dictionary words.
Uniqueness test

[Chart: 8% / 92%]
The Sony Pictures dump also contains the same users' passwords for other services. The chart shows how many users use the same password everywhere.
Bruteforce hash

[Chart: 82% recoverable with rainbow tables, 18% not]
All the passwords were stored in the clear, but even if they had been stored as hashes, approximately 82% of them could have been recovered using rainbow tables (which work against unsalted hashes).
Email passwords
An independent information security researcher got hold of a list of 20K+ accounts from various mail providers in the format email;pass. The list is split into two parts, which you can download here:
users - box.net/shared/m9fv11hcrc
passwords - box.net/shared/jek7g37fjk
There is no point trying to match the passwords to the users, because the two lists were deliberately shuffled: the goal was not to compromise users but to analyze the passwords in use. Initially the list consisted of 24,546 entries, all in the format username@domain/password. After some cleaning, 23,573 accounts remained. Duplicates were then removed, leaving a list of 21,686 accounts.
The bulk of these were mailboxes on the popular foreign mail provider hotmail.com, but other mail systems were also present, such as Yahoo, Gmail, AOL, etc. The top 20 domains and the number of accounts for each of them are listed below.

1. hotmail.com - 12478
2. yahoo.com - 3012
3. aol.com - 827
4. gmail.com - 512
5. msn.com - 443
6. hotmail.fr - 346
7. comcast.net - 321
8. aim.com - 287
9. sbcglobal.net - 275
10. hotmail.co.uk - 206
11. neomail.com - 153
12. hotmail.es - 117
13. cox.net - 116
14. verizon.net - 96
15. bellsouth.net - 95
16. live.com.mx - 71
17. yahoo.ca - 63
18. yahoo.co.uk - 63
19. charter.net - 47
20. earthlink.net - 46
If we look at the user names, we can see that the first 9,586 of them are arranged in alphabetical order and begin with the letters "A" and "B". Judging by the passwords they use, they belong to the Latin community, but there are also accounts from all over the world.
The most frequently used password is still 123456: out of a total of 21,866 passwords, 91 are 123456. Here are the TOP-100 most frequently used passwords from the list.
1. 123456 - 91
2. neopets - 39
3. monkey - 27
4. 123456789 - 26
5. 123321 - 24
6. password - 23
7. iloveyou - 17
8. princess - 16
9. horses - 16
10. tigger - 15
11. pokemon - 14
12. cheese - 14
13. 111111 - 13
14. kitty - 13
15. purple - 12
16. dragon - 12
17. nicole - 12
18. 1234567 - 11
19. alejandra - 11
20. daniel - 11
21. bubbles - 10
22. alejandro - 10
23. michelle - 10
24. 12345 - 10
25. hello - 10
26. c***** - 10
27. chocolate - 9
28. hottie - 9
29. alberto - 9
30. 12345678 - 9
31. fluffy - 9
32. buddy - 9
33. 123123 - 9
34. cassie - 9
35. andrea - 9
36. secret - 9
37. shadow - 9
38. tequiero - 9
39. ****llica - 9
40. poop - 8
41. hi - 8
42. sebastian - 8
43. jessica - 8
44. adopt - 8
45. 654321 - 8
46. justin - 7
47. newpw123 - 7
48. scooter - 7
49. soccer - 7
50. holly - 7
51. hannah - 7
52. flower - 7
53. 1234 - 7
54. jessie - 7
55. ashley - 7
56. tiger - 7
57. lauren - 7
58. football - 7
59. elizabeth - 7
60. casper - 7
61. roberto - 7
62. 000000 - 7
63. legolas - 7
64. estrella - 7
65. 159753 - 7
66. anime - 7
67. sabrina - 6
68. moomoo - 6
69. angelica - 6
70. cat123 - 6
71. bonita - 6
72. buster - 6
73. kitten - 6
74. killer - 6
75. qwerty - 6
76. chelsea - 6
77. sasuke - 6
78. olivia - 6
79. theresa - 6
80. america - 6
81. beatriz - 6
82. mariposa - 6
83. oscar - 6
84. rainbow - 6
85. yellow - 6
86. cool - 6
87. ginger - 6
88. maggie - 6
89. friends - 6
90. asdfgh - 6
91. abc123 - 6
92. neopet - 6
93. dancer - 6
94. amanda - 6
95. avatar - 6
96. boogie - 6
97. greenday - 6
98. thumper - 6
99. 666666 - 6
100. bob - 6
Grouping the passwords by format gives the following statistics:
43.3% - letters, lower case only. Example: monkey
2.1% - letters, upper and lower case. Example: Thomas
15.8% - digits only. Example: 123456
35.1% - letters and digits. Example: j0s3ph
3.6% - letters, digits and special characters. Example: sandra19_1961
30% - ends with a digit. Example: hello1
If we look at password length in the following graph, we see that most passwords are 6 characters long.
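The measurements above (most frequent passwords, breakdown by character composition, share ending in a digit, length distribution) and the dictionary test from the Sony Pictures section can all be reproduced with a few lines of Python. The block below is an added example, not code from the post or from any of the researchers it cites; the account list and the mini-dictionary in it are constructed sample data standing in for the real leaked list and the 1.7-million-word dazzlepod.com wordlist. Unlike the post, it also gives all-upper-case passwords their own bucket, since the post's categories do not cover them.

```python
"""Password-list statistics: added example, not from the original post.

Reproduces the measurements the post reports for a leaked list in the
username@domain/password format: most frequent passwords, top domains,
classification by character composition, share ending in a digit,
length distribution, and share of plain dictionary words.
"""
from collections import Counter

# Constructed sample entries in the username@domain/password format the post describes.
SAMPLE_ENTRIES = [
    "ann@hotmail.com/123456",
    "bob@yahoo.com/monkey",
    "cat@gmail.com/Thomas",
    "dan@aol.com/j0s3ph",
    "eve@hotmail.com/sandra19_1961",
    "fay@msn.com/hello1",
    "gil@hotmail.com/123456",
    "hal@yahoo.com/password",
    "ivy@gmail.com/123456",
    "jon@aol.com/iloveyou",
]

# Constructed mini-dictionary standing in for the 1.7M-word list the post links to.
SAMPLE_DICTIONARY = {"monkey", "password", "iloveyou", "hello", "princess"}


def parse_entries(entries):
    """Split 'user@domain/password' lines into (domain, password) tuples.

    The password itself may contain '/', so split on the first '/' only;
    blank or malformed lines are skipped rather than counted.
    """
    parsed = []
    for line in entries:
        line = line.strip()
        if not line or "/" not in line:
            continue
        account, password = line.split("/", 1)
        domain = account.rpartition("@")[2].lower()
        parsed.append((domain, password))
    return parsed


def classify(password):
    """Bucket a password by character composition, as in the post's statistics."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    if has_special:
        return "with special characters"
    if has_digit and (has_lower or has_upper):
        return "letters and digits"
    if has_digit:
        return "digits only"
    if has_lower and has_upper:
        return "letters, upper and lower case"
    if has_upper:
        return "letters, upper case only"   # bucket the post does not list
    return "letters, lower case only"


def summarize(entries, dictionary, top_n=3):
    """Compute the statistics the post reports, as percentages of the list."""
    parsed = parse_entries(entries)
    passwords = [p for _, p in parsed]
    total = len(passwords)

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    by_format = Counter(classify(p) for p in passwords)
    return {
        "total": total,
        "unique": len(set(passwords)),
        "top": Counter(passwords).most_common(top_n),
        "top_domains": Counter(d for d, _ in parsed).most_common(top_n),
        "by_format": {k: pct(v) for k, v in by_format.items()},
        "ends_with_digit_pct": pct(sum(p[-1].isdigit() for p in passwords)),
        # Case-insensitive lookup: "Monkey" is still the dictionary word "monkey".
        "dictionary_pct": pct(sum(p.lower() in dictionary for p in passwords)),
        "by_length": dict(sorted(Counter(len(p) for p in passwords).items())),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ENTRIES, SAMPLE_DICTIONARY).items():
        print(f"{key}: {value}")
```

On a real list, replace SAMPLE_ENTRIES with the file's lines and SAMPLE_DICTIONARY with a set built from the wordlist; the dictionary lookup is a set membership test, so even a multi-million-word list is checked in one pass.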

Rootkit.com

On February 6, 2011, as part of its attack on HBGary, the group Anonymous used social engineering against Jussi Jaakonaho, one of the technical administrators of rootkit.com, and compromised the site. As a result, a full dump of the resource, including the entire user database, was obtained.
John the Ripper was used for cracking. Most of the passwords were recovered with a 17.5 MB wordlist, and the rest with other combined attacks. Below are the 10 most frequently used passwords.
Rank | Password | Accounts
1 | 123456 | 1023
2 | password | 392
3 | rootkit | 341
4 | 111111 | 190
5 | 12345678 | 181
6 | qwerty | 175
7 | 123456789 | 170
8 | 123123 | 99
9 | qwertyui | 92
10 | letmein | 91
As we can see, the well-worn 123456 shows up again. It is also worth noting that third place went to a password resembling the name of the resource itself, with as many as 341 hits. I also want to add, from my extensive experience cracking passwords from databases, that users quite often use the address of the site itself as their password. This observation is not a rule, though: in my practice there have been portals where the percentage of such passwords was quite high, and others where they were never used at all. I have not yet found what this depends on.
The following link gives the TOP-500 passwords used on the rootkit.com resource:
dazzlepod.com/rootkit/password
To verify password strength
The time needed to brute-force a password can be described by a simple formula: the number of possible characters raised to the power of the password length, divided by the number of guesses per second, gives the estimated time in seconds. However, to show someone what a weak password actually means, there is no need to burden them with mathematics. Just go to the website How Secure Is My Password?, enter "password" (the word typed in the Latin layout) and show that such a password would be cracked on an ordinary PC in 30 seconds. Testing passwords there is quite instructive in general: it becomes immediately clear that password length matters much more than complexity. Cracking "#R00t$H3ll" would take 195 years, while the seemingly simple "abcdefg1234567" would take 5722 years.
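The formula stated above, and the character-set reasoning from the Sony Pictures section, can be put into working code. This is an added example, not the post's code and not the calculator behind howsecureismypassword.net: the guess rate of 10^9 guesses per second is an assumed figure, and the 32 printable ASCII punctuation characters are assumed to be the "special" class. The three sample passwords are the ones discussed in the text; the exact years the site reports depend on its own assumed rate, so the numbers here will differ, but the ordering it illustrates (length beats complexity) comes straight out of the formula.

```python
"""Brute-force time estimate: added example, not from the original post.

Implements the post's formula: keyspace = charset_size ** length,
seconds = keyspace / guesses_per_second.  The model is the one online
strength meters use: the attacker is assumed to know which character
classes the password draws from and to try every combination.
"""
import string

# Standard character classes and their alphabets.  The 32 printable ASCII
# punctuation characters are taken as the "special" class (assumption).
CLASSES = (
    ("lower", frozenset(string.ascii_lowercase)),
    ("upper", frozenset(string.ascii_uppercase)),
    ("digits", frozenset(string.digits)),
    ("special", frozenset(string.punctuation)),
)

# Assumed rate for illustration: 10^9 guesses/s, roughly a GPU against a fast unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def charset_size(password):
    """Size of the smallest union of standard classes containing every
    character of the password; characters outside all classes (e.g. non-ASCII)
    each count as one extra symbol."""
    size = 0
    covered = set()
    for _, chars in CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    size += len({c for c in password if c not in covered})
    return size


def keyspace(password):
    """Number of candidates an exhaustive search over the inferred charset must cover."""
    return charset_size(password) ** len(password)


def crack_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time in seconds to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(password) / rate


def human_duration(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    units = (("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    for pw in ("password", "#R00t$H3ll", "abcdefg1234567"):
        print(f"{pw:16} charset={charset_size(pw):3} len={len(pw):2} "
              f"keyspace={keyspace(pw):.3e} time~{human_duration(crack_seconds(pw))}")
```

Two caveats the formula hides: it models only exhaustive search, so a dictionary word such as "password" falls far sooner than its 26^8 keyspace suggests, because attackers try wordlists and common patterns before brute force; and the real rate depends entirely on the hash in use, which is why a slow, salted password hash on the server side changes the picture far more than any calculator setting.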
Link: howsecureismypassword.net
Related links [what to read]:
Analysis of password protection problems in Russian companies
Statistics from 10,000 leaked Hotmail passwords
And as the insidepro admin once wrote:
An interesting observation: for the last couple of weeks our database hash.insidepro.com has been leading daily on the "Webcrack today" metric, which is good news. Moreover, the service "on our heels", www.md5decrypter.co.uk (a very worthy service, IMHO), has a base of 5 billion hashes, yet it turns out that our 33 million base is more effective, despite being 150 times smaller. This once again confirms the thesis: "it is not quantity that matters, but quality."
Therefore, to successfully crack passwords it is not necessary to rush off and download rainbow tables weighing hundreds of gigabytes. It is enough to understand the subject; then a relatively small database, which you top up from time to time, will show very good crack rates.
Sources from which the material was drawn:
personal experience
wikipedia.org
troyhunt.com
stormsecurity.wordpress.com
dazzlepod.com