
Analysis of Passwords

Renier van Heerden and Johannes Vorster
CSIR, DPSS

Research funded by DST, CSIR DPSS

© CSIR 2007 www.csir.co.za Slide 2

Passwords are part of everyday life

• From previous studies:
  • Average length 7 – 8 characters
  • Password advice is ignored when not enforced
  • Permutations of dictionary words and numbers are popular
  • Use of special characters was very limited
• “Memory” is the most important factor

Collecting passwords: Internet

• Internet search for “password list”:
  • Google (55 900 000)
  • Yahoo (1 380 000 000)
  • MSN (437 000 000)
• Adding specifications:
  • Single phrase
  • English language
  • Text files
  • 988 results
• Password lists found:
  • Default password lists
  • SANS (SysAdmin, Audit, Network, Security) Institute password list
  • Albums password list

Collecting passwords: Peer to Peer (P2P)

• A P2P network consists of:
  • Multiple hosts
  • Interconnected
  • Sharing:
    • Hosting
    • Bandwidth
• Used for:
  • Distributing illegal content
  • High-bandwidth applications

Collecting passwords: Peer to Peer Results

• eMule results:
  • Unix passwords
  • 45 000 MySpace accounts
  • Default password list
  • FTP password list
  • Rapidshare Premium accounts
  • Wireless Access Point passwords

Previous studies

• Unix passwords:
  • The most popular password length is 6 characters, with 34.7% use
  • Common names are used in 4% of the passwords
  • Username and password are the same in 2.7% of passwords
  • Cartoons, movies, fiction and place names are used in 1.4% of passwords

Previous studies: Top 10s

• PC Magazine:
  • password
  • 123456
  • qwerty
  • abc123
  • letmein
  • monkey
  • myspace1
  • password1
  • bink182
  • (username)
• UK Web passwords:
  • 123
  • password
  • liverpool
  • letmein (“let me in”)
  • 123456
  • qwerty
  • charlie
  • monkey
  • arsenal
  • thomas

Previous studies: Online Students

• List of passwords from online students:
  • 123456, 123, 123123, 01234, 2468, 987654, etc.
  • 123abc, abc123, 246abc
  • First name
  • Favourite band
  • Favourite song
  • First letter of given name then surname
  • qwerty, asdf, and other keyboard rolls
  • Favourite cartoon or movie character
  • Favourite sport, or sports star
  • Country of origin
  • City of origin
  • All numbers
  • Some word in the dictionary
  • Combining 2 dictionary words
  • Any of the above spelled backwards
  • aaa, eee, llll, 999999, and other repeat combinations

Default Passwords

• Default password lists:
  • Computer hardware (vendors)
  • BIOS backdoors
  • Many sites
    • http://defaultpassword.com/

Password Analysis, Data

• Password lists used (number of passwords):
  • Commercial company (28 570)
  • Music password list (1776)
  • Unix passwords (3106)
  • MySpace accounts (45 000)
  • FTP sites (332)
  • Rapidshare passwords (32 028)
  • WiFi passwords (925)
  • Default passwords (251) (www.governmentsecurity.org)
  • Default2 passwords (945) (http://defaultpassword.com/)

Password Analysis, Most Popular

 #   Password (MySpace)   %
 1   password1            0.23
 2   abc123               0.17
 3   password             0.12
 4   iloveyou1            0.10
 5   iloveyou2            0.09
 6   fuckyou1             0.08
 7   soccer1              0.08
 8   myspace1             0.08
 9   iloveyou             0.07
10   iloveyou!            0.06

Password Analysis, Most Popular 2

 #   Password (WiFi)   %     Password (Default)   %    Password (Default2)   %     Password (Unix)
 1   admin             8.3   admin                22   admin                 8.8   12345
 2   password          2.9   1234                 14   password              5.6   abc123
 3   sysadm            2.5   password             13   root                  5.2   password
 4   manager           1.8   manager               9   epicrooter            3.6   computer
 5   system            1.5   none                  6   sysadmin              2.4   123456
 6   1234              1.4   system                6   access                2.4   tigger
 7   guest             1.4   blank                 5   smcadmin              2.0   1234
 8   root              1.2   netman                5   sysadm                2.0   a1b2c3
 9   access            1.1   tech                  5   user                  2.0   qwerty
10   cascade           1.0   netman                4   ADMINISTRATOR         1.6   123

Password Analysis, Most Popular 3

 #   Password (FTP)     % Use
 1   leech              10.8
 2   anonymous           3.3
 3   mp3                 1.5
 4   leechme             1.2
 5   mp3                 1.2
 6   warez               1.2
 7   anon                0.9
 8   [email protected]    0.9
 9   L33ch               0.9
10   me                  0.9

Character use

 #   Password (Unix)   %     Password (MySpace)   %      Password (Commercial)   %     English Dictionary   %
 1   E                 8.9   A                    10.9   E                       9.9   A                    13.8
 2   A                 7.9   1                     8.5   A                       9.3   E                     9.7
 3   R                 6.4   2                     5.4   O                       7.5   N                     7.8
 4   I                 5.7   E                     5.2   I                       7.3   I                     7.5
 5   O                 5.7   L                     4.8   N                       6.4   R                     6.9
 6   N                 5.4   B                     4.2   R                       6.1   O                     6.0
 7   S                 4.9   S                     3.9   S                       5.8   T                     6.0
 8   1                 4.5   3                     3.8   T                       5.1   S                     5.9
 9   T                 4.4   0                     3.7   L                       4.9   L                     5.7
10   C                 3.2   N                     3.5   M                       3.3   C                     4.2

Character sequence

 #   Password (Unix)   Password (MySpace)   Password (Commercial)   English Dictionary
 1   E-R               E-R                  A-N                     I-N
 2   A-N               A-N                  E-R                     E-R
 3   A-R               1-2                  0-0                     E-S
 4   I-N               I-N                  O-O                     T-I
 5   O-N               2-3                  M-A                     T-E
 6   L-E               L-O                  I-N                     O-N
 7   T-E               A-R                  E-N                     R-E
 8   E-L               L-E                  A-R                     A-T
 9   E-N               O-N                  E-L                     N-G
10   M-A               L-L                  O-N                     E-N
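As an added example (not part of the original slides), the following Python script computes the four statistics the analysis slides report for a password list: the most popular passwords and their share (slides 11 to 13), the length distribution (slide 6), single-character frequency (slide 14) and adjacent-character "character sequence" frequency (slide 15). The password list is constructed here for illustration; in a real audit it would be read from one of the lists the slides describe.

```python
from collections import Counter

# Constructed sample list standing in for the password lists the slides analyse
# (assumption: one password per entry, as in a leaked or default-password list).
SAMPLE_PASSWORDS = [
    "password1", "abc123", "password", "iloveyou1", "password1",
    "admin", "123456", "qwerty", "letmein", "password1", "abc123",
]


def _share_table(counter, total, n=None):
    """Turn a Counter into (item, percent) rows, most frequent first, rounded to 0.1."""
    if total == 0:  # empty list, or no pairs when every password is a single character
        return []
    return [(item, round(100 * c / total, 1)) for item, c in counter.most_common(n)]


def top_passwords(passwords, n=10):
    """Most popular passwords and their share of the list (slides 11 to 13)."""
    return _share_table(Counter(passwords), len(passwords), n)


def length_distribution(passwords):
    """Share of each password length, most common length first (slide 6)."""
    return _share_table(Counter(len(pw) for pw in passwords), len(passwords))


def char_frequency(passwords, n=10):
    """Single-character frequency, case-folded to upper as on slide 14."""
    chars = Counter(ch.upper() for pw in passwords for ch in pw)
    return _share_table(chars, sum(chars.values()), n)


def bigram_frequency(passwords, n=10):
    """Adjacent-character pair frequency, written 'A-N' as on slide 15."""
    pairs = Counter(f"{a}-{b}".upper() for pw in passwords for a, b in zip(pw, pw[1:]))
    return _share_table(pairs, sum(pairs.values()), n)


if __name__ == "__main__":
    for title, rows in [
        ("Most popular", top_passwords(SAMPLE_PASSWORDS)),
        ("Length", length_distribution(SAMPLE_PASSWORDS)),
        ("Character use", char_frequency(SAMPLE_PASSWORDS)),
        ("Character sequence", bigram_frequency(SAMPLE_PASSWORDS)),
    ]:
        print(title)
        for rank, (item, pct) in enumerate(rows, 1):
            print(f"{rank:>2}  {item!s:<15} {pct:>5}%")
```

Ties are listed in first-seen order, so on real lists the exact ranking of equally common entries depends on file order, as it would in the slides' tables.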

Conclusions

• Password lists are available on the Internet

• The term “password” is commonly used on the Internet

• eMule is more successful than search engines

• Default passwords are easily obtainable
• Common passwords are:
  • password
  • 123…
  • qwerty
  • Username
  • abc123