Password Analysis


Brandy Nauman

Aug 5, 2024, 12:58:31 AM
to rolindmazdmen
I love KeePass so far. Does KeePass offer any analysis of passwords in a database? For example, does it offer "analysis" of relative password strength or non-unique entries? I think this would be quite valuable.

There are several plugins or techniques that you might find helpful. I use the Quality Column plugin but have not used or investigated the other two. You might find other password related plugins that are useful on the plugin page.


The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.


The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.


To increase the maximum number of passwords extracted from an email body, the hidden command "scanconfig > password_list_size" can be used in CLI. You can configure a maximum of 10 passwords.


Athanasios Avgetidis, Omar Alrawi, Kevin Valakuzhy, and Charles Lever, Georgia Institute of Technology; Paul Burbage, MalBeacon; Angelos D. Keromytis, Fabian Monrose, and Manos Antonakakis, Georgia Institute of Technology


Password Stealers (Stealers) are commodity malware that specialize in credential theft. This work presents a large-scale longitudinal study of Stealers and their operators. Using a commercial dataset, we characterize the activity of over 4,586 distinct Stealer operators through their devices spanning 10 different Stealer families. Operators make heavy use of proxies, including traditional VPNs, residential proxies, mobile proxies, and the Tor network when managing their botnet. Our affiliation analysis unveils a stratified enterprise of cybercriminals for each service offering and we identify privileged operators using graph analysis. We find several Stealer-as-a-Service providers that lower the economical and technical barrier for many cybercriminals. We estimate that service providers benefit from high-profit margins (up to 98%) and a lower-bound profit estimate of $11,000 per month. We find high-profile targeting like the Social Security Administration, the U.S. House of Representatives, and the U.S. Senate. We share our findings with law enforcement and publish six months of the dataset, analysis artifact, and code.


USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.


On most internal pen-tests I do I generally manage to get a password dump from the DC. To do some basic analysis on this I wrote Counter and since I originally released it I've made quite a few mods to it to generate extra stats that are useful when doing reports to management.


Recently a good friend, n00bz, asked on Twitter if anyone had a tool that he could use to analyse some passwords he had. I pointed him to Counter and said if he had any suggestions for additions to let me know. He did just that and over the last month between us we have come up with a load of new features which we both think will help anyone with a large dump of cracked passwords to analyse. We also got some input from well known password analysts Matt Weir and Martin Bos who I'd like to give a big thanks to.


I have to point out before going on, all this tool does is to give you the stats and the information to help you analyse the passwords. The real work is done by you in interpreting the results, I give you the numbers, you tell the story.


Version 2 - Two big changes, the first a massive speed increase. This patch was submitted by Stefan Venken who said a small mention would be good enough, I want to give him a big mention. Running through the LinkedIn lists would have taken many many hours on version 1, version 2 went through 3.5 million records in about 15 minutes. Thank you.


Second change is the addition of US area and zip code lookups. This little feature gives some interesting geographical data when run across password lists originating in the US. The best example I've seen of this is the dump from the Military Singles site where some passwords could be obviously seen to be grouped around US military bases. People in the UK don't have the same relationship with phone numbers so I know this won't work here but if anyone can suggest any other areas where this might be useful then I'll look at building in some kind of location awareness feature so you can specify the source of the list and get results customized to the correct area or just run every area and see if a pattern emerges.


A non-code-base change for version 2 is the move from hosting the code myself to GitHub. This is my first GitHub hosted project so I may get things wrong; if I do, sorry. A number of people asked how they could submit patches so this seems like the best way to do it, let's hope it works out. See the Download section for more info.


So, what does Pipal do? The easiest way to explain this is to show the output generated by parsing a leaked password list. I've chosen the list of passwords from the phpBB leak which I grabbed from the SkullSecurity site.


The first output is the number of entries in the file parsed and the number of unique entries found. Unfortunately the list I chose has already been run through unique so these two figures match in this example.


The top 10 passwords. In this situation the list I chose has already been passed through a filter to strip any duplicates, this is why each word only appears once. The cap of showing the top 10 is configurable by a parameter on the command line, I'd suggest playing with this limit as sometimes the next entry is the one that starts to explain things.


The next list is the number of base words. I define a base word as a word with any non-alpha character stripped from the start and end. This is useful to identify common words such as company names or places which the passwords have been based on. I did consider stripping all non-alpha but in one of the lists I tested on I found the base word "un1c0rn". Leaving the non-alpha in the word makes sense, removing them you get "uncrn" which doesn't really mean anything.


The external list is a list of words passed in to Pipal on the command line. I check how many times each of these words is included in each password. This is similar to base words but here you tell the app which base words to search for.


If you are wondering why "dragon" is only counted 76 times as a base word but shows 185 times here, that is because there are 109 base words which contain "dragon" but aren't just "dragon", for example "phpdragon".


The external list I'm using is the list claiming to be "The 25 Worst Passwords on the Internet". Another suggestion for a list of words to use is the domains from the Alexa top 1000 list, this could be good if you are analysing a list of passwords from an unknown origin or would like to know if a list from one domain is linked to any other domains.


We now look at months and days in both full and abbreviated form. While "may" could be a person's name or a normal word, it looks like for some reason it is a popular word in the list. "June" and "April" are also popular but are also names, which could explain the higher proportion. For days of the week there is a very large preference for "monday" and "friday", guess which days people change their passwords.


Seeing as we've looked at months and days, why not years. Looks like years around the turn of the millennium are popular in this list. I also ran this on the passwords from the MySpace leak which showed years around 1990 were popular, maybe this says something about the age of the average user.


The common assumption is that when people are forced to use passwords with numbers in them, their general response is to add a single digit on the end. Looking at this next set of stats, in this list people actually preferred to add two digits onto the end. The assumption that the last digit will be "1" does however hold true.


Hashcat masks (Top 10)
?l?l?l?l?l?l: 18462 (0.0%)
?l?l?l?l?l?l?l?l: 17481 (0.0%)
?l?l?l?l?l?l?l: 13981 (0.0%)
?l?l?l?l?l?l?l?l?l: 8045 (0.0%)
?d?d?d?d?d?d: 7726 (0.0%)
?l?l?l?l?l?l?l?l?l?l: 5253 (0.0%)
?l?l?l?l?l: 5249 (0.0%)
?d?d?d?d?d?d?d?d: 5116 (0.0%)
?l?l?l?l?l?l?d?d: 4956 (0.0%)
?l?l?l?l?l?d?d: 3149 (0.0%)


When you run the app you'll get a nice progress bar which gives you a rough idea of how long the app will take to run. If you want to stop it at any point hitting ctrl-c will stop the parsing and will dump out the stats generated so far.


The progress bar is based on a line count from the file, which it gets using the wc command. If it can't find wc it will make a guess at the number of lines based on the file size and an average line length of 8 bytes, so the progress bar may not be fully accurate but should still give you an idea.


If you aren't sure what you are doing with github just click the ZIP button on the approximately middle left and that will give you a zip file which you can decompress and use as you would the versions below.


This section was supposed to just contain a few sets of sample stats but as more sites are being hacked and passwords released I've decided to run analysis on any lists I can get my hands on and post the results here. The first six in the list are the original sample sets and are based on password lists from the SkullSecurity site, for the rest, I'll give whatever information I can about where the list came from.
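The statistics the post walks through (entry and unique counts, top passwords, base words with only leading and trailing non-alpha stripped, external word hits that count substrings, months, days and years, trailing-digit habits and hashcat masks) are small enough to implement end to end. The following is an added Python example written for this page; it is not Pipal's code and does not reproduce Pipal's exact output format. The SAMPLE list is constructed, not taken from any leak, and the function names, the 1900-2099 year range and the ?l/?u/?d/?s mask alphabet are my own choices.

```python
"""Pipal-style statistics over a dump of cracked passwords (added example)."""
from collections import Counter
import re
import string

# Constructed sample dump (not from any real leak). Duplicates are deliberate so
# the total and unique counts differ, unlike the already-uniqued list in the post.
SAMPLE = [
    "password1", "password1", "dragon", "phpdragon", "un1c0rn", "monday12",
    "friday1", "123456", "summer2001", "Welcome1!", "may1999", "abc123",
    "letmein", "letmein", "letmein", "qwerty", "trustno1", "123456",
]

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DAYS = ["monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday"]


def top_n(passwords, n=10):
    """Most common passwords; on an already-uniqued list every count is 1."""
    return Counter(passwords).most_common(n)


def base_word(pw):
    """Strip non-alpha characters from the start and end only, as the post
    defines it: 'password1' -> 'password', but 'un1c0rn' is left intact."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def base_words(passwords, n=10):
    """Base word frequencies, ignoring all-digit/all-symbol entries."""
    return Counter(b for b in map(base_word, passwords) if b).most_common(n)


def external_hits(passwords, words):
    """Count passwords containing each supplied word anywhere (substring,
    case-insensitive), so 'dragon' also matches 'phpdragon' as the post notes."""
    lowered = [p.lower() for p in passwords]
    return {w: sum(w.lower() in p for p in lowered) for w in words}


def calendar_hits(passwords):
    """Month names, weekday names and four-digit years (1900-2099, my range)."""
    lowered = [p.lower() for p in passwords]
    months = {m: sum(m in p for p in lowered) for m in MONTHS}
    days = {d: sum(d in p for p in lowered) for d in DAYS}
    years = Counter(y for p in passwords
                    for y in re.findall(r"(?:19|20)\d{2}", p))
    return ({k: v for k, v in months.items() if v},
            {k: v for k, v in days.items() if v}, years)


def trailing_digits(passwords):
    """How many digits are appended, and which digit ends a password."""
    runs = Counter(len(re.search(r"\d*$", p).group()) for p in passwords)
    last = Counter(p[-1] for p in passwords if p and p[-1].isdigit())
    return runs, last


def hashcat_mask(pw):
    """Translate a password into a hashcat mask using ?l ?u ?d ?s."""
    classes = ((string.ascii_lowercase, "?l"), (string.ascii_uppercase, "?u"),
               (string.digits, "?d"))
    return "".join(next((tok for cs, tok in classes if ch in cs), "?s")
                   for ch in pw)


def mask_stats(passwords, n=10):
    """Top masks with count and the share of the list each covers (percent)."""
    total = len(passwords)
    return [(m, c, round(100 * c / total, 1)) for m, c in
            Counter(hashcat_mask(p) for p in passwords).most_common(n)]


def report(passwords, external=(), n=10):
    """Plain-text summary in the spirit of the post's output."""
    total = len(passwords)

    def pct(c):
        return f"({100 * c / total:.1f}%)"

    out = [f"Total entries = {total}",
           f"Total unique entries = {len(set(passwords))}", "",
           f"Top {n} passwords"]
    out += [f"{p}: {c} {pct(c)}" for p, c in top_n(passwords, n)]
    out += ["", f"Top {n} base words"]
    out += [f"{b}: {c} {pct(c)}" for b, c in base_words(passwords, n)]
    if external:
        out += ["", "External list"]
        out += [f"{w}: {c} {pct(c)}"
                for w, c in external_hits(passwords, external).items()]
    months, days, years = calendar_hits(passwords)
    out += ["", "Months, days and years"]
    out += [f"{k}: {v}" for d in (months, days, years) for k, v in d.items()]
    runs, last = trailing_digits(passwords)
    out += ["", "Trailing digit count: passwords"]
    out += [f"{k}: {v} {pct(v)}" for k, v in sorted(runs.items())]
    out += ["", "Last digit"] + [f"{k}: {v}" for k, v in last.most_common()]
    out += ["", f"Hashcat masks (Top {n})"]
    out += [f"{m}: {c} ({share}%)" for m, c, share in mask_stats(passwords, n)]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE, external=["dragon", "password", "letmein"]))
```

Run it on a one-password-per-line file by replacing SAMPLE with the file's lines; the mask share is computed against the total entry count, which is the figure the percentage column in the post is presumably meant to show.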
