The week before last, I confessed to password tweaking.
Recently Troy Hunt released 320 million hashed passwords collected from breaches (https://haveibeenpwned.com/Passwords) so I thought I’d run an experiment on that data based on common password tweaking techniques. I wanted to see if I could find tweaked variations of a given password in Troy’s data set.
I found a simple password fuzzer on github and modified it to take a string of characters and generate SHA-1 hashes of each tweaked variation based on the following criteria:
- Changing the case of characters
- Substituting numbers for letters (cuz we’re all 1337)
- Adding special characters and/or numbers to the end (up to four)
I loaded Troy’s data set into SQLite to ease looking up the SHA-1 values. Not exactly a high-speed sophisticated cracking machine, but effective nonetheless.
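The tweaker the post describes, written out as an added example (this is not the author’s modified fuzzer): case flips, leet substitutions and appended suffixes are hashed with SHA-1 and looked up in a set of known-breached hashes. The hash set here is a small constructed stand-in for the SQLite table, and the suffix length defaults to two rather than four so it runs in seconds; the same function doubles as a defender’s password-change check (reject a new password if it is a tweak of one already known to be breached).

```python
import hashlib
from itertools import product

# Constructed stand-in for the breached-hash store (HIBP stores uppercase
# hex SHA-1); in the post this would be the SQLite table of 320M hashes.
KNOWN_HASHES = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Secret!", "s3cret99", "SECRET2017", "unrelated")
}

# Letter -> digit/symbol substitutions commonly seen in tweaked passwords.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}
# Characters allowed in the appended suffix.
SUFFIX_CHARS = "0123456789!@#$"


def char_variants(ch):
    """Lower/upper case plus the leet substitution for one character."""
    out = {ch.lower(), ch.upper()}
    if ch.lower() in LEET:
        out.add(LEET[ch.lower()])
    return out


def tweaks(seed, max_suffix=2):
    """Yield every case/leet variant of seed, each with 0..max_suffix appended chars."""
    for body in product(*(char_variants(c) for c in seed)):
        base = "".join(body)
        yield base
        for n in range(1, max_suffix + 1):
            for tail in product(SUFFIX_CHARS, repeat=n):
                yield base + "".join(tail)


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


def find_tweaked_matches(seed, known=KNOWN_HASHES, max_suffix=2):
    """Return (sorted) the tweaks of seed whose SHA-1 appears in the known set."""
    return sorted(t for t in tweaks(seed, max_suffix) if sha1_hex(t) in known)


if __name__ == "__main__":
    # Constructed seed word; the post's real seed is not reproduced here.
    for hit in find_tweaked_matches("secret"):
        print("breached tweak found:", hit)
```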
As a start point, I guessed a password I thought was in the data set s#!t123 and got a hit (no, that’s not my password). Looking at the phrase, it’s not too hard to figure out the original word and that ‘123’ was added to pad the length. I took that seed word and ran it through my little password tweaker script to quickly come up with 2,432,304 SHA-1’d permutations. Yes, I made a rainbow table out of s#!t.
Of the 2,432,304 tweaks, I found 1,023 in the dataset, including 5hlt900 and $#[email protected]$$. In three minutes I was able to run 2,432,304 guesses against 320,000,000 hashed passwords to find 1,023 valid passwords in the set based off just one password being known. Pretty slick.
I decided to test my twenty-year oldie but goodie as well. It’s a little longer than four characters so my script generated 51,889,152 permutations and took about 20 minutes to run. I found FIVE tweaked variations of my password along with something interesting. One of the five passwords was not mine. It certainly LOOKED like my original password but it wasn’t a tweak I’ve ever made. What are the odds of someone else using the same phrase to make their password? Interesting…
So, “Whoopty Do, What does it all mean?”
It means that tweaking passwords is a very bad idea, and if one of your tweaked versions is lost, you should throw all of them away. It also shows that using a phrase or sentence to generate a password might not be a good idea if that sentence or phrase is well known. A well-known or popular phrase means someone else might also use it for their password, increasing the odds of YOUR password showing up in a hacker’s rainbow tables. Hackers know that people tweak passwords, so hackers will apply these techniques to previously uncracked password lists.
There is a lot of focus on stolen username/password re-use (credential stuffing). People use the SAME passwords at different sites, and attackers will use stolen username/password combinations to gain access to those other sites. This is true and is a very real concern. Just as real is the concern that stolen passwords give hackers starting points and password tweaking gives them predictable sequences when cracking newly stolen password hashes. These two things in combination greatly reduce the time needed to crack otherwise strong passwords. With a known password as a starting point and predictable password tweaking techniques, an attacker can reduce the workload to crack newly stolen passwords from trillions of operations to millions of operations. In some cases, an otherwise economically “uncrackable” password could be guessed in minutes.
Think about that the next time you add $#1t to the end of your bank password to ‘make it strong’.