Black datamining archeology: what could be more effective than a dictionary attack?
For those who are lazy to read further, I will immediately say the answer: the attack “login is equal to password”. According to statistics, login equal password is more common than the most common password from the dictionary. Further in the article there will be some statistical studies on this topic, and a story from which it all began.
')
Therefore, in today's study, I decided to check how often passwords are found that are either equal to or are a small modification of their passwords.
For a start, in addition to 6 million passwords for mail entries, I connected to the study a database of passwords from a single non-mail site for 3.5 million entries. These are fresh entries (May 2015), containing quite a few invalid passwords. I built statistics on passwords from this site separately.
Password is equal to login
The number of entries where the password is equal to the login: approximately 87 thousand for mail passwords, 50 thousand for passwords from the site. Is it a lot or a little? For comparison, I cite the two most common passwords (1st and 2nd place in the distribution). Also for convenience, I quote values in thousandths (‰) of the total number of passwords.
Overlap
Next, let's see how often there are cases where the password is a small modification of the login. Such cases are not so frequent, but this is offset by the small complexity of the attack.
In terms of frequency, all these cases fall into the top 50 most common passwords:
Conclusion
Now on many mail portals (but very rarely on regular sites and forums) you cannot set a password equal to the login. However, for all the time I met only one site in which it was impossible to set a password by adding one character to the login. The site wrote: “your password is very similar to the login”. However, such a situation on the modern Internet is more the exception.
Meanwhile, attacks with the selection of a password by a small modification of the login are quite effective in terms of the frequency of occurrence, and do not require great complexity in terms of the number of options.
Of course, if we compare the integral complexity, a dictionary attack is somewhat more advantageous. On the other hand, attacks by login modification are not counted in security systems, even on large portals.
Previous issue: Black Archeology Mining Date
In the next issue: a comparison of the mail password database with the password database of a non-mail website. How useful were mail passwords leaked in 2014?
')
One such story, which happened back in 2000 with a certain young man, prompted me to begin such a study. Not being a hacker, he wanted to crack the mailbox of one person. Her login ended in two digits, like this: masha86@mail.com. After the trivial passwords that did not come up, the guy suggested that the password might look like this: mashaDD, where DD is two random numbers. The complexity of this attack is only 100 attempts, and at about the twentieth attempt the password came up, the box was cracked. What can you not do in your youth because of jealousy and for the sake of love ...
Therefore, in today's study, I decided to check how often passwords are found that are either equal to or are a small modification of their passwords.
For a start, in addition to 6 million passwords for mail entries, I connected to the study a database of passwords from a single non-mail site for 3.5 million entries. These are fresh entries (May 2015), containing quite a few invalid passwords. I built statistics on passwords from this site separately.
Password is equal to login
The number of entries where the password is equal to the login: approximately 87 thousand for mail passwords, 50 thousand for passwords from the site. Is it a lot or a little? For comparison, I cite the two most common passwords (1st and 2nd place in the distribution). Also for convenience, I quote values in thousandths (‰) of the total number of passwords.
| Mail passwords | Passwords from the site | |||||
| amount | ‰ | amount | ‰ | |||
| Password is equal to login | 86908 | 14.3 | Password is equal to login | 49327 | 14.0 | |
| Top 1 "123456" | 82830 | 13.6 | Top 1 "qwerty" | 33322 | 9.5 | |
| Top 2 qwerty | 53144 | 8.7 | Top 2 "123456" | 21775 | 6.2 | |
Overlap
Next, let's see how often there are cases where the password is a small modification of the login. Such cases are not so frequent, but this is offset by the small complexity of the attack.
| Mail passwords | Passwords from the site | ||||
| Type of attack | Complexity | amount | ‰ | amount | ‰ |
| Password and login are different one last character | ~ 70 | 1835 | 0.30 | 20869 (!) | 5.93 |
| Differ by two characters, and the numbers: | 100 | 1702 | 0.28 | 1226 | 0.35 |
| One character added for password | ~ 100 | 5508 | 0.90 | 1930 | 0.55 |
| Or two | ~ 10,000 | 5087 | 0.84 | 3269 | 0.93 |
| Added 4, but only numbers | from 100 up to 10,000 | 7267 | 1.19 | 3252 | 0.92 |
In terms of frequency, all these cases fall into the top 50 most common passwords:
Top 50 Email Passwords
| 123456 | 82830 |
| qwerty | 53144 |
| 123456789 | 23286 |
| 111111 | 13831 |
| qwertyuiop | 12399 |
| qwe123 | 9021 |
| 1234567890 | 8364 |
| 1234567 | 7452 |
| 12345 | 6420 |
| password | 6410 |
| 12345678 | 6374 |
| 123321 | 6170 |
| 7777777 | 5861 |
| 123123 | 5533 |
| 0 | 4977 |
| 666666 | 4197 |
| 1qaz2wsx | 4181 |
| qazwsx | 4143 |
| 1q2w3e4r | 3982 |
| 654321 | 3760 |
| 555555 | 3539 |
| 123qwe | 2973 |
| 1q2w3e4r5t | 2967 |
| zxcvbnm | 2832 |
| qweqwe | 2816 |
| gfhjkm | 2806 |
| 1q2w3e | 2748 |
| klaster | 2695 |
| 112233 | 2565 |
| 121212 | 2445 |
| 987654321 | 2371 |
| 159753 | 2338 |
| 777777 | 2204 |
| qwer1234 | 2015 |
| 1234qwer | 1999 |
| qwerty123 | 1846 |
| 1234 | 1801 |
| asdfgh | 1779 |
| abc123 | 1722 |
| 123654 | 1568 |
| 222222 | 1557 |
| I love you | 1508 |
| 987654321 | 1432 |
| samsung | 1427 |
| zxcvbn | 1422 |
| ghbdtn | 1313 |
| 88888888 | 1311 |
| marina | 1284 |
| 131313 | 1268 |
| asdfghjkl | 1243 |
Top 50 passwords from the site
| qwerty | 33322 |
| 123456 | 21775 |
| (empty password) | 20002 |
| UsdopaA (bots) | 16016 |
| 123456789 | 8298 |
| 1234567890 | 4117 |
| qwertyuiop | 2247 |
| 123321 | 2235 |
| 1234567 | 2214 |
| 1q2w3e4r5t | 2142 |
| 111111 | 2004 |
| 1q2w3e4r | 1682 |
| 123qwe | 1554 |
| 123123 | 1364 |
| qazwsx | 1319 |
| 1q2w3e | 1256 |
| qazwsxedc | 1196 |
| qwe123 | 1186 |
| qweasdzxc | 1126 |
| 9379992 | 1020 |
| 0 | 1018 |
| 4815162342 | 1015 |
| I love you | 991 |
| 12345678 | 979 |
| 666666 | 977 |
| zxcvbnm | 957 |
| asdfgh | 930 |
| Jskasgfdfjg | 923 |
| gfhjkm | 914 |
| qwertyuiop [] | 904 |
| 1234qwer | 899 |
| 1q2w3e4r5t6y | 890 |
| qwerty123 | 839 |
| nastya | 799 |
| 555555 | 770 |
| 987654321 | 755 |
| ghbdtn | 746 |
| 12345qwert | 740 |
| 159753 | 737 |
| loveyou | 735 |
| 1234554321 | 716 |
| 7777777 | 711 |
| 1qaz2wsx | 708 |
| 123123123 | 679 |
| samsung | 670 |
| 123qweasdzxc | 662 |
| adidas | 642 |
| asdfghjkl | 641 |
| 789456123 | 636 |
Conclusion
Now on many mail portals (but very rarely on regular sites and forums) you cannot set a password equal to the login. However, for all the time I met only one site in which it was impossible to set a password by adding one character to the login. The site wrote: “your password is very similar to the login”. However, such a situation on the modern Internet is more the exception.
Meanwhile, attacks with the selection of a password by a small modification of the login are quite effective in terms of the frequency of occurrence, and do not require great complexity in terms of the number of options.
Of course, if we compare the integral complexity, a dictionary attack is somewhat more advantageous. On the other hand, attacks by login modification are not counted in security systems, even on large portals.
R-code, if anyone is interested
################################################ DATA <- readRDS( file = "ClearData.rds" ) ################################################ ################################################ # : 3520000 nrow(DATA) # : 49327 length( which( DATA$login == DATA$passwd) ) ################################################ # : 1930 length( which( substr( DATA$login ,0, nchar(DATA$login) ) == substr( DATA$passwd ,0, nchar(DATA$passwd)-1 ) ) ) # : 3269 length( which( substr( DATA$login ,0, nchar(DATA$login) ) == substr( DATA$passwd ,0, nchar(DATA$passwd)-2 ) ) ) ################################################ # ( ): 3252 length( which( ( substr( DATA$login ,0, nchar(DATA$login) ) == substr( DATA$passwd ,0, nchar(DATA$passwd)-4 ) ) & ( grepl( "\\d\\d\\d\\d", substr( DATA$passwd ,nchar(DATA$passwd)-3,nchar(DATA$passwd) ) ) ) ) ) ################################################ # : 20869 length( which( ( substr( DATA$login ,0, nchar(DATA$login)-1 ) == substr( DATA$passwd ,0, nchar(DATA$passwd)-1 ) ) & ( DATA$login != DATA$passwd ) ) ) ################################################ # (1477), : 1226 length( which( ( substr( DATA$login ,0, nchar(DATA$login)-2 ) == substr( DATA$passwd ,0, nchar(DATA$passwd)-2 ) ) & ( DATA$login != DATA$passwd ) & ( substr( DATA$login ,0, nchar(DATA$login)-1 ) != substr( DATA$passwd ,0, nchar(DATA$passwd)-1 ) ) & ( grepl( "\\d\\d", substr( DATA$passwd ,nchar(DATA$passwd)-1,nchar(DATA$passwd) ) ) ) ) ) ################################################ ################################################ ### library(dplyr) tmpD <- DATA[,c(3,4)] PASS_SUM <- summarise(group_by(tmpD,passwd), count = sum(count) ) PASS_SUM <- arrange(PASS_SUM,desc(count)) # : 2132935 nrow(subset(PASS_SUM, PASS_SUM$count==1)) # : 887 nrow(subset(PASS_SUM, PASS_SUM$count>64)) PASS_100 <- PASS_SUM[1:100,] write.csv(PASS_100,file = "SpPassSum100.csv", row.names = F) ########################################### Previous issue: Black Archeology Mining Date
In the next issue: a comparison of the mail password database with the password database of a non-mail website. How useful were mail passwords leaked in 2014?
Source: https://habr.com/ru/post/261331/
All Articles