Confessions of a Password Tweaker – Part 2 (Same s#!t123, different password)

August 23, 2017
David Ross


The week before last, I confessed to password tweaking.

Troy Hunt recently released 320 million hashed passwords collected from breaches (https://haveibeenpwned.com/Passwords), so I thought I’d run an experiment on that data based on common password tweaking techniques. I wanted to see if I could find tweaked variations of a given password in Troy’s data set.

I found a simple password fuzzer on GitHub and modified it to take a string of characters and generate SHA-1 hashes of each tweaked variation based on the following criteria:

  1. Changing the case of characters
  2. Substituting numbers for letters (cuz we’re all 1337)
  3. Adding special characters and/or numbers to the end (up to four)

I loaded Troy’s data set into SQLite to make looking up the SHA-1 values easy. Not exactly a high-speed, sophisticated cracking machine, but effective nonetheless.

As a starting point, I guessed a password I thought was in the data set, s#!t123, and got a hit (no, that’s not my password). Looking at the phrase, it’s not too hard to figure out the original word and that ‘123’ was added to pad the length. I took that seed word and ran it through my little password tweaker script to quickly come up with 2,432,304 SHA-1’d permutations. Yes, I made a rainbow table out of s#!t.

Of the 2,432,304 tweaks, I found 1,023 in the data set, including 5hlt900 and $#[email protected]$$. In three minutes I was able to run 2,432,304 guesses against 320,000,000 hashed passwords and find 1,023 valid passwords in the set, based on just one password being known. Pretty slick.
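The same observation has a defensive use, shown here as an added example that is not the post’s script: a password-change check that rejects a candidate when it is a verbatim breach hit (compared by SHA-1, the form the Pwned Passwords list is published in) or when it collapses to the same seed word as the user’s previous password once case, leet substitutions and a trailing run of up to four digits/specials are undone. The lookalike table and the sample data are assumptions constructed for this example.

```python
import hashlib
import re

# Digits/symbols commonly swapped in for letters, collapsed back to one
# canonical letter. Assumed, illustrative table; the page does not list the
# mapping used by the original fuzzer script.
UNLEET = str.maketrans({
    "4": "a", "@": "a", "3": "e", "#": "h", "1": "i", "!": "i", "l": "i",
    "|": "i", "0": "o", "5": "s", "$": "s", "7": "t", "+": "t", "8": "b",
})

def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form the Pwned Passwords list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def canonical_forms(password):
    """Reduce a password to the seed word a tweaker likely started from.

    Case and leet are undone and a trailing run of up to four digits/specials
    (the padding the post describes) is stripped; the unstripped form is kept
    too, so a password ending in leet letters (p@55) is not over-trimmed.
    """
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]{1,4}$", "", lowered)
    forms = {lowered.translate(UNLEET)}
    if len(stripped) >= 3:  # shorter remnants are not a usable seed word
        forms.add(stripped.translate(UNLEET))
    return forms

def is_tweak_of(candidate, known):
    """True if the candidate reduces to the same seed as a known password."""
    return bool(canonical_forms(candidate) & canonical_forms(known))

def check_new_password(candidate, breached_sha1, prior_passwords):
    """Return a rejection reason, or None if the candidate is acceptable."""
    if sha1_hex(candidate) in breached_sha1:
        return "appears verbatim in a breach corpus"
    for old in prior_passwords:
        if is_tweak_of(candidate, old):
            return "is a case/leet/suffix tweak of a previous password"
    return None

# Constructed sample data: the two hits quoted in the post stand in for the
# 320M-entry list, and s#!t123 plays the role of the user's old password.
BREACHED = {sha1_hex(p) for p in ("s#!t123", "5hlt900")}
PRIOR = ["s#!t123"]

if __name__ == "__main__":
    for pw in ("5hlt900", "S#!T2017", "$h1t!", "correct horse battery"):
        print(pw, "->", check_new_password(pw, BREACHED, PRIOR) or "ok")
```

In production the breach lookup would go to the k-anonymity range API rather than a local set, and the tweak check would run against a hash of the previous password only after the user has proven knowledge of it.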

I decided to test my twenty-year-old oldie but goodie as well. It’s a little longer than four characters, so my script generated 51,889,152 permutations and took about 20 minutes to run. I found FIVE tweaked variations of my password, along with something interesting. One of the five passwords was not mine. It certainly LOOKED like my original password, but it wasn’t a tweak I’ve ever made. What are the odds of someone else using the same phrase to make their password? Interesting…

So, “Whoopty Do, What does it all mean?”

It means that tweaking passwords is a very bad idea, and if one of your tweaked versions is lost, you should throw all of them away. It also shows that using a phrase or sentence to generate a password might not be a good idea if that sentence or phrase is well known. A well-known or popular phrase means someone else might also use it for their password, increasing the odds of YOUR password showing up in a hacker’s rainbow tables. Hackers know that people tweak passwords, so hackers will apply these techniques to previously uncracked password lists.

There is a lot of focus on stolen username/password re-use (credential stuffing). People use the SAME passwords at different sites, and attackers will use stolen username/password combinations to gain access to those other sites. This is true and is a very real concern. Just as real is the concern that stolen passwords give hackers starting points, and password tweaking gives them predictable sequences when cracking newly stolen password hashes. These two things in combination greatly reduce the time needed to crack otherwise strong passwords. With a known password as a starting point and predictable password tweaking techniques, an attacker can reduce the workload to crack newly stolen passwords from trillions of operations to millions of operations. In some cases, an otherwise economically “uncrackable” password could be guessed in minutes.

Think about that the next time you add $#1t to the end of your bank password to ‘make it strong’.
