I Know What Your Password Was Final Summer season…

As safety professionals, we frequently run into the age-old subject of passwords throughout a number of environments, programs, implementations, and different chaos. An fascinating side we commonly encounter when compromising organisations is the psychology behind how individuals select their passwords. This perception reveals patterns and tendencies in password creation, shedding gentle on frequent vulnerabilities and the human elements influencing password safety.  

Understanding these psychological parts is essential for creating more practical safety methods and educating customers about safer password practices. It’s equally necessary when constructing cracking methodologies to successfully assess an organisation’s safety posture and crack the keys to the dominion.

This put up delves into the developments recognized over the previous two years, providing insightful comparisons between robust and weak password insurance policies. It additionally explores the person behaviors that develop resulting from these insurance policies.

We use hashcat as a strategic and systematic method to advancing our engagements over time, significantly within the realm of cracking password hashes. This methodology has confirmed efficient in acquiring the cleartext values for numerous fascinating passwords, offering useful insights into organisations’ developments and practices in establishing their password insurance policies.

Moreover, this method informs our methods for password guessing and spraying assaults towards endpoints, enhancing our understanding of the thought processes prevalent in particular industries and the way sure safety controls might be bypassed.

The Core Information

All the evaluation on this put up is from an amalgamation of cracking over two years; the whole quantity of hashes was 186149, distinctive hashes have been 99918, and 31200 have been cracked, leading to many repeat passwords throughout customers and industries.

The findings from this in depth information set provide useful insights:

1. Password Reuse: The massive variety of repeat passwords suggests a widespread subject of password reuse throughout totally different customers and industries, a apply that considerably compromises safety.
2. Frequent Weak Passwords: The success in cracking a considerable portion of the hashes signifies that many customers proceed to depend on weak passwords, that are weak to cracking instruments and strategies.
3. Trade Patterns: The information doubtlessly reveals patterns in password creation and coverage enforcement throughout numerous industries, offering an understanding of industry-specific safety postures.

Our Hashcat Guidelines and Setups

Relying on the hash sort will rely upon how we method cracking it on our rig; sometimes, faster to crack hashes akin to NTLM, we’ll method with a wordlist for a fast flyover adopted by guidelines, adopted by specifics across the firm identify, and different related wording or phrases.

Our collective NTLM cracking charge is ~600GH/s, comprised of a number of RTX 4090s, 3090s, and different playing cards.

We use a set of customized and customary wordlists when focusing on organisations. The usual public lists we strive with numerous guidelines are proven:

As for rulesets, we use private and non-private ones once more, however listed below are the general public ones we use:

Lastly, on high of wordlists and guidelines, there are some customized masks we ceaselessly use when focusing on particular organisations, however there’s a core listing of masks and hashcat instructions:

CompanyName?a?a?a?a?a?a
Color?a?a?a?a?a?a

A prevalent pattern noticed in numerous environments is the usage of situational or time-structured passwords. Customers typically create passwords incorporating parts akin to the present season, month, day, firm, or division identify, sometimes adopted by a date. This predictable sample makes it simpler to crack these passwords utilizing hashcat guidelines and masks, permitting for environment friendly and swift password reversal.

Andy Gill, considered one of our consultants, wrote a toolkit for parsing pot recordsdata that we have leveraged to construct grasp wordlists and customary guidelines:

GitHub – ZephrFish/PotUtils

Contribute to ZephrFish/PotUtils development by creating an account on GitHub.

The crack movement course of sometimes follows focusing on the corporate with a choose wordlist and rulesets, brute-forcing as much as the nine-character keyspace with optimized keyspace, parsing the profile, and working the cracked listing towards a ruleset once more to fish out patterns.

What was your password final summer time?

As corporations mature, so do their password insurance policies; gone are the times when a lot of our shoppers have been merelySummer2024! , and also you’re within the entrance door. We nonetheless see SeasonYYYY or variations of it in much less mature environments once in a while. Listed below are a few of the examples we have seen of seasons and mentions of them:

We wrote an in-house software to do password evaluation. When given an enter of cracked hashes, it might analyze frequent phrases, phrases, and different attributes. The outcomes from stated software are proven within the following screencaps detailing frequent passwords, high passwords, days of the week, months of the 12 months, seasons, and hues.

The typical size of 11 characters exhibits an excellent enchancment 12 months on 12 months and extra mature password insurance policies being utilized throughout organisations. Whereas there are nonetheless outliers, the final protection of estates seems to be to be on an upward trajectory for enchancment.

Regardless of individuals being large followers of summer time, it might seem the winter months are extra prevalent in passwords.

The title of this put up provides it away, however persons are large followers of summer time, and it is obvious of their password creations, too.

Many people have a favorite color of blue, with crimson and inexperienced following carefully behind.

Of the highest years in passwords, 108 have been ahead thinkers, getting that 2025 a number of years forward; attackers won’t ever consider that!

Attention-grabbing Passwords

We come throughout many fascinating passwords; listed below are a few of our favourites we have seen within the final couple of years, each safe and humorous.

<Passw0rd1><Passw0rd2>
#1PeppermintPatty
Grits&Gravy4u
HelloSummertime2023!
Security4You
Sec9re_NobodyWillGuessMe
Gustavo12345678901234567890
Inexperienced eggs and ham!
Why $o Critical?

If you’re within the respective hashcat masks for the passwords cracked above, whereas they weren’t all obtained utilizing a masks assault, some have been with wordlist mixture assaults.

<Passw0rd1><Passw0rd2>

• Masks: ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
• Rationalization: This masks is for a sample that begins and ends with angle brackets. Inside, it follows a sample of “Passw0rd” adopted by a digit, repeated twice. Nevertheless, Hashcat does not straight assist angle brackets in its masks. An choice could be to deal with these characters individually or use a customized charset (?1) to characterize them.

#1PeppermintPatty:

• Masks: ?s?d?u?l?l?l?l?l?l?l?l?l?l?l
• Rationalization: It begins with a particular character, adopted by a digit, then an uppercase letter and the remaining are lowercase letters.

Grits&Gravy4u:

• Masks: ?u?l?l?l?l?s?l?l?l?l?d?l
• Rationalization: It begins with an uppercase letter, adopted by 4 lowercase letters, a particular character, 4 extra lowercase letters, a digit, and a lowercase letter.

HelloSummertime2023!:

• Masks: ?u?l?l?l?l?u?l?l?l?l?l?l?l?d?d?d?d?s
• Rationalization: It begins with an uppercase letter, adopted by 4 lowercase letters, one other uppercase letter, seven lowercase letters, 4 digits, and a particular character.

Security4You:

• Masks: ?u?l?l?l?l?l?l?d?u?l?l
• Rationalization: It begins with an uppercase letter, adopted by six lowercase letters, a digit, an uppercase letter, a lowercase letter, and an uppercase letter.

Sec9re_NobodyWillGuessMe:

• Masks: ?u?l?l?d?l?s?l?l?l?l?l?l?u?l?l?l?l?l?l?u?l
• Rationalization: It begins with an uppercase letter, adopted by two lowercase letters, a digit, a lowercase letter, a particular character, six lowercase letters, an uppercase letter, 5 lowercase letters, and an uppercase letter.

Gustavo12345678901234567890:

• Masks: ?u?l?l?l?l?l?l?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d
• Rationalization: Begins with an uppercase letter, adopted by six lowercase letters, after which twenty digits.

Inexperienced eggs and ham!:

• Masks: ?u?l?l?l?l?s?l?l?l?s?l?l?l?s?l?l?l?s
• Rationalization: Begins with an uppercase letter, adopted by 4 lowercase letters, an area, three lowercase letters, an area, three lowercase letters, an area, three lowercase letters, and a particular character.

Why $o Critical?:

• Masks: ?u?l?l?s?s?l?s?u?l?l?l?l?l?s
• Rationalization: Begins with an uppercase letter, adopted by two lowercase letters, a particular character, a lowercase letter, a particular character, 5 lowercase letters, and a particular character.

These masks are primarily based on the seen sample of every password, assuming the commonest character units for every sort of character (uppercase ?u, lowercase ?l, digit ?d, Particular ?s). Do not forget that password complexity and size could make cracking them time-consuming and resource-intensive, particularly with high-entropy passwords.

Additional Evaluation on Duplicates

Our evaluation revealed important findings concerning duplicates and distinctive customers with shared passwords. A recurring sample was noticed the place accounts arrange by an organisation for particular functions shared an identical passwords, typically ensuing from mass-reset procedures.

Moreover, cases have been famous the place customers with a number of accounts, particularly these with privileged entry, reused passwords throughout totally different organisations. The analysis additionally sheds gentle on circumstances the place customers, upon altering organisations, continued to make use of poor password practices, carrying the identical weak passwords to their new workplaces.

• Complete Hashes: 186149
• Complete Duplicate Hashes: 56648
• Complete Customers with Duplicate Passwords: 11359

The efficiently cracked passwords have been analyzed on publicly out there lists from SecLists(https://github.com/danielmiessler/SecLists/tree/master/Passwords/) to uncover fascinating matches in public wordlists.

2020-200_most_used_passwords.txt: 19 matches
2023-200_most_used_passwords.txt: 20 matches
500-worst-passwords.txt: 39 matches
bt4-password.txt: 212 matches
cirt-default-passwords.txt: 7 matches 
clarkson-university-82.txt: 7 matches
common_corporate_passwords.lst: 118 matches 
darkc0de.txt: 135 matches
darkweb2017-top10.txt: 5 matches
darkweb2017-top100.txt: 9 matches 
darkweb2017-top1000.txt: 54 matches 
darkweb2017-top10000.txt: 161 matches
days.txt: 17 matches 
dutch_common_wordlist.txt: 105 matches
dutch_passwordlist.txt: 724 matches
months.txt: 48 matches
Most-In style-Letter-Passes.txt: 94 matches
mssql-passwords-nansh0u-guardicore.txt: 118 matches
openwall.net-all.txt: 143 matches
probable-v2-top12000.txt: 148 matches
probable-v2-top1575.txt: 65 matches
probable-v2-top207.txt: 26 matches
richelieu-french-top20000.txt: 104 matches
richelieu-french-top5000.txt: 67 matches
scraped-JWT-secrets.txt: 8 matches
seasons.txt: 40 matches
twitter-banned.txt: 34 matches
unkown-azul.txt: 9 matches
UserPassCombo-Jay.txt: 23 matches
xato-net-10-million-passwords-10.txt: 4 matches
xato-net-10-million-passwords-100.txt: 16 matches
xato-net-10-million-passwords-1000.txt: 53 matches
xato-net-10-million-passwords-10000.txt: 121 matches
xato-net-10-million-passwords-100000.txt: 284 matches
xato-net-10-million-passwords-1000000.txt: 525 matches
xato-net-10-million-passwords-dup.txt: 523 matches
xato-net-10-million-passwords.txt: 755 matches

The outcomes point out that each one the passwords recognized are already recognized and included in customary wordlists. This implies a higher chance of profitable compromise by attackers.

Recommendation For Password Creation

When choosing a password, typical recommendation has lengthy beneficial utilizing a mixture of particular characters, numbers, and higher and decrease case letters, with a minimal size of 8 characters. Nevertheless, this recommendation evolves. Observations from our extra mature shoppers point out that prioritizing password size over complexity and fewer frequent modifications encourages the adoption of passphrases. These are simpler to recollect but stay difficult to crack, providing a stability of safety and user-friendliness.

Each the UK and US authorities safety arms have nice recommendation round password creation; due to this fact, here’s a mixture of their recommendation that can assist you create robust passwords:

1. Size is critical; intention for no less than 16 characters when creating an energetic listing coverage.

To assist customers with creating lengthy passwords, strive suggesting utilizing 4 random phrases and connecting them with a particular character like a - or $, doing so will increase the complexity and on the identical time the size. An instance of this can be:

• Sundown$Guitar$Puzzle$Journey or Cloudy-Envelope-Rainbow-Dinosaur (Do not use these two examples as they’re additionally on our wordlist 😉 )

Each of those would fall inside a good size because the phrase “Cloudy-Envelope-Rainbow-Dinosaur” consists of 29 characters, together with the hyphens, and  “Sundown$Guitar$Puzzle$Journey” consists of 27 characters, together with the greenback indicators.

2. When organising default or preliminary passwords for the organisation, it’s advisable to make use of an algorithm for producing distinctive person passwords, quite than counting on a static worth. If implementing such an algorithm is just not possible, another method is to require customers to vary their password upon their first login. This apply helps in minimizing safety dangers.

3. To make sure that customers preserve distinctive passwords, it’s helpful to encourage and implement the usage of password managers. These instruments help not solely in producing stable passwords but additionally in creating distinct and distinctive passwords for various accounts. This method steers customers away from simply crackable passwords, akin to primary phrases, frequent phrases (like ‘welcome’ or ‘password’), seasons, months, years, and locations. As a substitute, customers can go for the beneficial methodology of mixing 4 random phrases, which may then be securely saved in a password supervisor. This technique enhances total password safety and administration.

Conclusion

This put up has primarily centered on the safety of passwords inside Home windows environments, significantly from an inner standpoint utilizing information collected throughout many datasets. Nevertheless, it’s critical to emphasize {that a} sturdy password coverage shouldn’t be an organisation’s sole line of defence. Along with robust passwords, it’s crucial to implement additional protecting measures.

Key amongst these is the adoption of multi-factor authentication (MFA), which provides a layer of safety past simply the password. MFA requires customers to supply two or extra verification elements to entry a useful resource akin to an software, on-line account, or a VPN. This considerably reduces the chance of unauthorised entry. The place attainable, we’ve got seen some shoppers implement MFA for entry to inner sources, utilising current single sign-on suppliers and related identification and entry administration expertise to limit lateral motion alternatives.

Furthermore, organisations ought to embrace the precept of ‘defence in depth’. It is a complete method to cybersecurity that layers a number of defensive mechanisms. If one mechanism fails, one other steps in instantly to thwart an assault. This method entails technological options and encompasses insurance policies, procedures, and consciousness coaching to make sure that all attainable safety gaps are lined.

Incorporating these practices alongside a sturdy password coverage creates a extra resilient and safe setting, lowering the chance of profitable cyberattacks and enhancing total organisational safety.