rootkit.com succumbed to a social engineering attack, and more than 42000 of its users' passwords were made available on the internet in clear text (here). John the Ripper was used to recover the passwords. Out of curiosity, I analyzed certain aspects of the passwords. The results of that analysis are shared below:
Password Lengths:
The shortest password in the list was 1 character long and the longest was 20 characters in length. A whopping 38.74% of passwords were 6 characters in length. Here is the distribution of password lengths:

| Length | Occurrences | Percentage |
|---|---|---|
| 1 | 16 | 0.04% |
| 2 | 20 | 0.05% |
| 3 | 270 | 0.64% |
| 4 | 1444 | 3.41% |
| 5 | 2646 | 6.24% |
| 6 | 16424 | 38.76% |
| 7 | 8258 | 19.49% |
| 8 | 9786 | 23.09% |
| 9 | 2029 | 4.79% |
| 10 | 971 | 2.29% |
| 11 | 250 | 0.59% |
| 12 | 157 | 0.37% |
| 13 | 62 | 0.15% |
| 14 | 23 | 0.05% |
| 15 | 8 | 0.02% |
| 16 | 3 | 0.01% |
| 17 | 1 | 0.00% |
| 18 | 0 | 0.00% |
| 19 | 2 | 0.00% |
| 20 | 4 | 0.01% |
Password Entropy:
The entropy of the various cracked passwords was calculated using Eric Monti's rbkb's entropy function, which performs a chi-square calculation. Clearly, the higher the entropy, the lower the chance that your password will be guessed or cracked. Having said that, how easy is it to remember and key in passwords that are extremely random and more than 16 characters long?

| Entropy (bits) | Count |
|---|---|
| 0 to <1 | 1620 |
| 1 to <2 | 7388 |
| 2 to <3 | 32071 |
| 3 to <4 | 1292 |
| 4 to <5 | 3 |
| 5 to <6 | 0 |
| 6 to <7 | 0 |
Cracked Passwords with Highest Entropy:
Certain cracked passwords had an entropy in excess of 4 bits. The table below lists the cracked passwords with the highest entropy. A good dictionary allowed JTR to crack most of the passwords.

| # | Entropy (bits) | Password |
|---|---|---|
| 1 | 4.321928095 | q1w2e3r4t5y6u7i8o9p0 |
| 2 | 4.321928095 | 1234567890qwertyuiop |
| 3 | 4.321928095 | 1q2w3e4r5t6y7u8i9o0p |
| 4 | 4 | 1234qwerasdfzxcv |
| 5 | 3.807354922 | abcdefg1234567 |
| 6 | 3.700439718 | qwertyuiop123 |
| 7 | 3.700439718 | superman12345 |
| 8 | 3.700439718 | 1qazxcvbnm,./ |
| 9 | 3.664497779 | kingoftheworld |
| 10 | 3.664497779 | qwertyuiop[]\\ |
| 11 | 3.584962501 | !@#$%^&*()_+ |
| 12 | 3.584962501 | fucktheworld |
| 13 | 3.584962501 | 1q2w3e!Q@W#E |
| 14 | 3.584962501 | qazxswedcvfr |
| 15 | 3.584962501 | 123qweasdzxc |
| 16 | 3.584962501 | 1qazxsw23edc |
| 17 | 3.584962501 | q1w2e3r4t5y6 |
| 18 | 3.584962501 | asdfghjkl;\' |
| 19 | 3.584962501 | qwerty123456 |
| 20 | 3.584962501 | 4rfv5tgb6yhn |
| 21 | 3.584962501 | qwe123rty456 |
| 22 | 3.584962501 | 1qaz2wsx3edc |
| 23 | 3.584962501 | 1a2b3c4d5e6f |
| 24 | 3.584962501 | 123456qwerty |
| 25 | 3.584962501 | 1q2w3e4r5t6y |
Password Distribution:
Finally, I looked at the password distribution. An overwhelming 51% of cracked passwords were lowercase only; this was followed by numeric-only passwords at close to 24%. Passwords combining uppercase letters with numerals were the least common.

| Password Type | Percentage Share (%) |
|---|---|
| Only Lowercase | 51.81 |
| Lowercase AND Numerals | 23.92 |
| Only Numeric | 19.9 |
| Alphabets (Uppercase AND Lowercase) | 1.32 |
| Alphanumeric | 1.25 |
| Passwords With Special Characters | 1.11 |
| Only Uppercase | 0.45 |
| Uppercase AND Numerals | 0.24 |
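As an added example (not code from the original post, and not rbkb's own implementation), the Python below reproduces the three measurements above on a small constructed password list: per-character Shannon entropy, which yields exactly the values in the top-25 table (for instance log2(20) ≈ 4.3219 for a 20-character password with no repeated character, and 3.6645 for "kingoftheworld" with one repeated letter) and is assumed here to be what rbkb's entropy function reports; the whole-bit entropy buckets; the length histogram; and the eight character-class categories of the distribution table, whose rules are my reconstruction from the category names. `SAMPLE_PASSWORDS` is constructed for the example; a few entries are copied from the post's own table.

```python
import math
import string
from collections import Counter

# Constructed sample standing in for the cracked-password dump (not data from
# the post); the first three entries are copied from the post's top-25 table.
SAMPLE_PASSWORDS = [
    "q1w2e3r4t5y6u7i8o9p0",  # keyboard walk, 20 distinct characters
    "kingoftheworld",        # one repeated letter ('o')
    "1234qwerasdfzxcv",      # 16 distinct characters -> exactly 4 bits
    "password",
    "123456",
    "aaaaaa",                # single repeated character -> 0 bits
    "Passw0rd",
    "ADMIN",
    "Admin",
    "ROOT123",
    "p@ssw0rd!",
]


def shannon_entropy(pw: str) -> float:
    """Shannon entropy in bits per character over the password's own character
    frequencies (assumed to match rbkb's entropy). A string whose characters
    are all distinct scores log2(len(pw)); a single repeated character scores 0."""
    if not pw:
        return 0.0
    n = len(pw)
    return -sum((c / n) * math.log2(c / n) for c in Counter(pw).values())


def entropy_bucket(value: float) -> str:
    """Bucket label in the post's own format, e.g. '2 to <3'."""
    lo = int(math.floor(value))
    return f"{lo} to <{lo + 1}"


def entropy_histogram(passwords):
    """Count of passwords per whole-bit entropy bucket."""
    return Counter(entropy_bucket(shannon_entropy(p)) for p in passwords)


def classify(pw: str) -> str:
    """Assign one of the eight categories used in the distribution table.
    Reconstructed rule: anything outside [A-Za-z0-9] is a special-character
    password; otherwise the set of character classes present decides."""
    if not pw:
        return "Empty"
    if any(ch not in string.ascii_letters + string.digits for ch in pw):
        return "Passwords With Special Characters"
    classes = frozenset(
        "lower" if ch.islower() else "upper" if ch.isupper() else "digit"
        for ch in pw
    )
    table = {
        frozenset({"lower"}): "Only Lowercase",
        frozenset({"digit"}): "Only Numeric",
        frozenset({"upper"}): "Only Uppercase",
        frozenset({"lower", "digit"}): "Lowercase AND Numerals",
        frozenset({"upper", "digit"}): "Uppercase AND Numerals",
        frozenset({"upper", "lower"}): "Alphabets (Uppercase AND Lowercase)",
        frozenset({"upper", "lower", "digit"}): "Alphanumeric",
    }
    return table[classes]


def distribution(passwords):
    """Percentage share per category, rounded to two decimals."""
    counts = Counter(classify(p) for p in passwords)
    total = len(passwords)
    return {k: round(100.0 * v / total, 2) for k, v in counts.items()}


def length_histogram(passwords):
    """{length: (count, percentage)} in the shape of the post's length table."""
    counts = Counter(len(p) for p in passwords)
    total = len(passwords)
    return {n: (c, round(100.0 * c / total, 2)) for n, c in sorted(counts.items())}


def top_entropy(passwords, k=5):
    """The k passwords with the highest per-character entropy."""
    return sorted(passwords, key=shannon_entropy, reverse=True)[:k]


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:22} {shannon_entropy(pw):.9f}  {classify(pw)}")
    print(dict(entropy_histogram(SAMPLE_PASSWORDS)))
    print(distribution(SAMPLE_PASSWORDS))
    print(length_histogram(SAMPLE_PASSWORDS))
```

Running the script against the constructed list puts the keyboard walk at the top of `top_entropy`, exactly as in the post's table. That is the caveat worth drawing from the numbers: this entropy measures only character diversity within the string itself, so a keyboard walk with twenty distinct keys scores the theoretical maximum while sitting in every common wordlist, which is why JTR cracked it. For judging password strength in a policy, measure guessability against wordlists and known patterns rather than this per-character figure alone.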