Top 500 Passwords

The starting point of every password cracker (or should be). Of course the first ten from the list are: 123456, password, 12345678, 1234, pussy, 12345, dragon, qwerty, 696969, mustang. There are some small variations from top password lists around the web, but they cover up most of them.

Anyway take a look at the Top 500 Worst Passwords Of All Time to get the big picture of password complexity/safety from an average users perspective.

Wordlists

The most important resource when it comes down to password cracking. Some wordlists (and collections of wordlists): Oxford Uni Wordlists, The Argon Wordlists, Wordlists for brute forcing, Openwall Wordlists Collection, Outpost9 Wordlists, Packetstorm Wordlists. How was I to forget Milw0rm’s dictionary full of funky passwords.

Also don’t forget that some tend to use l33t passwords. Forging a l33t wordlist would also bring a higher success rate.

cat words.dic | sed s/e/3/g | sed s/a/4/g | sed s/i/1/g | sed s/o/0/g > leet.dic

Profiled Wordlists

If the above wordlists didn’t cover already all the words you needed, than you may be also interested in password profiling. One such tool (script) is Wyd which produces wordlists from given html, doc, mp3, jpeg, pdf, php files. You can imagine the abundity of uncommon words that may be extracted from files like doc, pdf, mp3.

Still not satisfied? As a last instance I would recommend the Associative Word List Generator.

The Associative Word List Generator (AWLG) is a tool that generates a list of words relevant to some subjects, by scouring the Internet in an automated fashion.

Gave it a couple of tries and can say that it seems very useful. One thing that surprised me about it was that it threw some css/javascript code in the result. Parser bug? Who knows.

Password versus Pass Phrase

I think that passwords should be put in a chest and buried alongside with all the uppercase/lowercase, special characters enforcements. I really don’t want to have jk3$x@#I as a password.

Instead I would recommend developers to enforce passwords to a minimum of 10 characters. Also I would recommend sysadmins to check periodicaly the passwords with wordlists just to make sure that their systems won’t be penetrateble due to foolish passwords.

Remember password for this website!

I think that this is somewhere on top of the stupidest things a user can do. I mean seriously, once somebody knows the password (even your browser) than already it’s not a password. As talked today with somebody that used to store his passwords in a file on a encrypted partition. Even if they were secure this way, that also misses the point of passwords. Can’t remember it? Use a pass phrase that fits the scenario, not #h#41i”] as password.

And before we forget, by having your browser remember passwords you’re helping anyone interested in your private data with access to the PC. Kudos to you.

Password Anti-Pattern

There has never been an easier way to teach people how to get phished.

Wondering what this is about? Well, if imagine you’re in the following situation: you register on a website, the website asks you to “spam” your friends, you have to supply your email address and password to send them the message.

Sounds familiar? If yes, that’s a typical password anti-pattern.

You should never have to give your password to anybody (or any third party), for such situations there are special API’s and stuff like that. For example OpenID, OAuth… Didn’t use any of them (didn’t have the need till now), but people tend to praise them. If a website uses a password anti-pattern way, just let it be, it doesn’t deserve your time and private data security.

Write it down…

And people still tend to do this. The problem that people don’t realize that not only hackers are interested in your personal data (and most of the time they won’t be), but so do your so called friends…

What…

If you haven’t got anything that you think might create a negative image of yourself? Then just post your password all over the places, in every signature you’ve got, on every desktop, every picture, etc… and yes don’t forget to submit it to bug me not, some people might find it useful.

If there is a phrase that describes in the best way the distribution, it has to be the one from LinuxTracker:

Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop — it’s a learning tool for security students.

To be honest I didn’t play with it till now (even if have been a user of the website for a year or so) because off limited free time that I’ve got. But in the near future (hope so) I will give it a shot, you know demonstrate my “talents” to my work colleague, maybe even do a video to help out DVL.

More specific info about included vulnerabilities/tools you can find on this page, but just up to version 1.4, and the download mirrors can be found here.

If this is an unknown domain for you (security) I would recommend you firstly to start out with some basics before even taking a glimpse at DVL. In such a case you might be interested in David Melnichuk book The Hacker’s Underground Handbook.

Before I forget… You would highly be appreciated for seeding the torrent, not just leeching it, because the free stuff never gets seeded well, IMO.