Showing posts from June, 2009

Using online password crackers

Online password crackers are extremely popular and it's easy to see why. Instead of having to go through the trouble of cracking the password yourself, why don't you just submit it to someone else who has gigabytes, (to terabytes), of pre-calculated hashes to crack it for you. Just as a warning though, there are some privacy concerns when using these sites, (what? You don't think they store the hashes that are submitted to them?). According to , which keeps track of the effectiveness of these sites, (quick disclaimer: recently the reporting mechanism seems to be having issues), most of these sites crack around 20 to 40% of the passwords submitted to them which is fairly good, (actually really good since most of them rely on quick lookups in pre-generated tables). This statistic matches what I've seen both from my own testing and looking at other people's results, (aka the person who attacked submitted some of the passwords to one of the

Site News Update

As stated in the previous post, I'm in the middle of creating a new site to hold all the tools, custom dictionaries, and research papers I'm working on. It's fairly bare bones right now but I'm plugging away at it. Expect the layout to change quite a bit. I'd recommend only linking to the main page for the next month just because I'm still juggling around which pages should go where. I'm making the change since everyone, (including me), hated the old googlepages site. The new site also allows comments so if you want to talk about a specific tool, file a bug report, or make a request please do. My one worry is hosting space, (aka some of these dictionaries and the rainbow tables in particular are large), but I'll cross that bridge when I get to it. The new site can be accessed from the link in the sidebar to the right or by going to

Cracking Web Hosting Talk

I'm working on completely redoing my tools page so hopefully I'll be able to start posting some new dictionaries, password cracking programs and scripts sometime this weekend. Enough site news, on to the post! I've talked previously about cracking password lists from and the finnish78k list. Now I would like to discuss another list that I've been working on. Back in March, a site called "Web Hosting Talk" was compromised via a flaw in their backup server. The attacker then distributed a list containing user information, (usernames, e-mail addresses, and password hashes), to several file sharing sites. I wasn't able to obtain a copy of this list, (and trust me, I tried), but I'm actually pretty happy about that as it means WHT was able to yank most copies of it offline quickly. What I wasn't happy about was the "advice" WHT gave their users regarding changing their passwords... "Passwords are hashed with salt. It would b

In which a milestone is reached..

I think I've made as many posts this month as I have readers ;) I just want to remind the four or five of you that your input really matters to me. If there is something you want me to look into or you disagree with a post, please let me know.

Rule #31 of Hacking: Bypass the Crypto

It's a story as old as time. A webmail company says their security is unbreakable. They give out their CEO's username/password and offer a $10,000 reward to anyone who can break into his account. Guess how this ends? Despite the predictable outcome, this story has been really interesting to me, not only for the issues it brings up but how the security community has been reacting to it. I think security contests can be a good strategy for a company. That being said, it really matters how they approach it. Google's take on it with their Native Client hacking contest was spot on. Not only did they get a lot of positive buzz, but they also attracted some of the smartest hackers out there to compete for only $8,192. You normally can't even get a CISSP to give you a Nessus scan for that type of money. The reason for this of course is that hackers don't do it for the money, but for the challenge and bragging rights. Looking at other such events, a couple rules

ASCII Art in Password Cracking

Just a quick warning but almost all the links presented here are NSFW, (more from an embarrassment factor due to ascii representations of male and female genitalia). As pointed out in the comments of this post, not all passwords are created from dictionary words or pass-phrases. One other way of creating a password is to use ascii art instead. For example:

/><{{{{">     --fish
///\oo/\\\    --spider
d[ o_0 ]b     --robot

You get the idea. Of course the most common ascii art used is that of the male genitalia. I'll spare you the examples of that on the front page of this blog ;) The question then is what is the best way to attack these passwords? My gut feeling is that a standard dictionary based approach is the way to go, but instead of input words you can use a wordlist full of ascii art instead. To test this I googled various terms such as "ascii penis", "ascii porn", "one line ascii art", along with some actual pictures of said ascii art

Re: Test the Strength of Your Password Policy

Reading sraveau's twitter posts, I was directed to this article by Robert Grimes on evaluating password policies. It's an interesting read and it includes an Excel spreadsheet where you can enter in your password creation policy, (aka passwords must be 8 characters long and contain an uppercase letter), the expected attacker strength (number of guesses per minute), and your password expiration policy. In turn it will output the probability of an attacker being able to crack one of your user's passwords. I do have a few issues with it though, hence this post. 1) I'm becoming more and more convinced that the protocols that govern login attempts are a bigger deciding factor on password security than password creation policies. This actually merits its own post, but the short answer is that login attempts need to become more "costly" as the number of incorrect logins increases. This prevents a legitimate user from being locked out due to a password guessi

Frequency Analysis for Stronger Passwords

As a commenter pointed out in my last post, the previous frequency analysis was based on a set of passwords where there was no strong password creation policy in place. What happens when you look at only "strong" passwords? Well, I went through the MySpace list, the list and the Finnish list and extracted all the passwords that would meet stronger password creation rules, (at least 8 characters long, containing at least 1 lowercase letter, 1 uppercase letter, 1 digit, and 1 special character). This gave me a grand total of 214 passwords, (an impressive number I know...). I belatedly realized that I forgot to copy a couple of other lists, (such as from Millw0rm, etc), from my school computer back in Tallahassee, so I'll try to get someone to send them to me so I can update this post with a larger data set. As you can see below, uppercase characters dominate the first character set, and numbers/special characters dominate the last character set. Admi