Showing posts from April, 2009

About that missing 11.1%

In reference to my last post, I just want to remind everyone, (and myself), that with the list I still haven't cracked around 11% of the passwords. For example, I was expecting around 4-8 percent of the people to use special characters in their passwords, but so far less than one percent of the cracked passwords contain special characters, (and please note I don't count non-english letters as special characters). Now imagine if half of the remaining passwords contain a special character. That would mean 5-6 percent of the total passwords contained a special character which would match what I was expecting. Looking at the passwords I'm cracking right now, there's a very good possibility that might actually come true. That's where plain-text lists of passwords, (such as the MySpace List, list, list, etc), are so useful since they give you a better idea of how people actually create the HARD passwords, vs getting fixated only on

Ok, some actual results...

First an explanation, For a little over a month I've been cracking passwords from two different lists. You may have heard of it from this posting on darkreading . Here is some background. The site got hacked via a 0-day attack, (by that I mean there was no patch available,) against their forum software. The hacker weaponized a proof of concept exploit posted on Millw0rm and then used various other escalation attacks to gain full control over the site. I guess what I'm trying to say was the attacker wasn't your regular script kiddie. Here is where things get a little convoluted. had close to 400,000 user accounts on it, but there were in the process of switching users over to a more secure password hash. The problem was, they were doing it in such a way that the user would have to log in again before their password hash was changed. So about 100,000 users were protected by the stronger hash, and the remaining 259,000 users only had their passwords protec

Social Engineering Explained

Click on this link