web application security lab

Guessing Passwords

I’ve been interested in password research for over a decade. One of my very first “hello world” type programs was a trojan horse that emulated a UNIX TTY session (figuring out how to suppress keyboard echo with “stty -echo” was the only tricky part). I’ve spent hundreds of hours looking at password uniqueness, entropy, etc… think of it as part of my passion. However, one aspect of passwords has eluded me for years, simply because I don’t have the necessary data to test my theory.

Once upon a time I was talking with a female friend of mine and I told her I could probably guess her password. Of course I was completely kidding, but she thought I was serious. Playing along I said, “It is a word followed by a number, maybe two numbers.” Her eyes got big - maybe I was onto something. “It’s an effeminate word, no more than six characters.” You should have seen her eyes at this point. “It’s not a word like pony, that’s too little-girl for you…” Of course I never guessed her password, and I had to admit at this point that I was full of crap, but herein lies my dilemma - was I full of crap?

If you look at user statistics you can often derive certain things about people. Younger people tend to like different things than older people do. So too do security people tend to pick harder passwords than non-security people. By knowing a little bit of demographic information about users, you can quickly narrow down the possibilities (I think). Of course I have no proof of this. I would need a huge database of user interests, language type, age, sex, profession, and of course passwords… The more data the better, including things like the password policies of the sites the passwords came from.

Of course there will be significant anomalies, like the fact that people often use a password that mixes in the name of the site they are on (“myspace01”), the common passwords like “password1”, and the obscenity passwords. And you’ll never guess if people use random numbers or pet names for their cat, but you can get close (I think). Has anyone done this sort of research before? I’d love to get my hands on some user data like this for testing (no usernames, email addresses, or information about where the passwords came from required). Anyway, food for thought.
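The patterns the post enumerates (a word followed by one or two digits, the site name mixed into the password, the well-known “password1” family, and pet or partner names the user has already told the site about) are exactly the checks a registration form can run on the defender’s side before accepting a password. The checker below is an added example, not code from the post or from ha.ckers.org; the common-password set, the leet-substitution table and the profile terms are constructed for illustration, and `predictable_patterns` / `base_word` are hypothetical names.

```python
import re

# Constructed sample of well-known passwords (a real deployment would load a large
# breach-derived list; these few entries are only for illustration).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "abc123"}

# Simplified leet-style substitutions to undo before dictionary checks.
# Assumption: 1 -> i and 0 -> o; real tables handle more ambiguity (1 -> l, etc.).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def base_word(password: str) -> str:
    """Lower-case the password, drop a trailing run of up to four digits
    (the "word followed by a number" pattern), and undo leet substitutions,
    so that 'Pa55word', 'password1' and 'PASSWORD' all reduce to 'password'."""
    lower = password.lower()
    stem = re.sub(r"\d{1,4}$", "", lower)
    return stem.translate(LEET)


def predictable_patterns(password: str, site_name: str = "", profile_terms=()) -> list:
    """Return the list of predictable patterns the password matches, in a fixed order:
    common password, word+1-2 digits, site name embedded, profile-derived term.
    An empty list means none of the post's patterns applied."""
    reasons = []
    lower = password.lower()
    base = base_word(password)

    # 1. The password, or its stripped/normalised stem, is a well-known password.
    if lower in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        reasons.append("common password")

    # 2. A run of letters followed by one or two digits ("word followed by a number").
    if re.fullmatch(r"[a-z]{3,}\d{1,2}", lower):
        reasons.append("word followed by 1-2 digits")

    # 3. The name of the site is mixed into the password ("myspace01").
    if site_name and site_name.lower() in base:
        reasons.append("contains the site name")

    # 4. Something the user told the site about themselves (pet name, team, partner)
    #    appears in the password; short terms are skipped to avoid noise.
    for term in profile_terms:
        if len(term) >= 3 and term.lower() in base:
            reasons.append(f"contains profile term '{term}'")

    return reasons


def is_predictable(password: str, site_name: str = "", profile_terms=()) -> bool:
    """Policy decision: reject the password if any predictable pattern matched."""
    return bool(predictable_patterns(password, site_name, profile_terms))


if __name__ == "__main__":
    # Constructed profile: the user entered a pet name and a favourite team at signup.
    profile = ["Fluffy", "Arsenal"]
    for candidate in ["myspace01", "Pa55word", "Fluffy7", "arsenal99", "correct horse battery"]:
        print(f"{candidate!r}: {predictable_patterns(candidate, 'myspace', profile)}")
```

The point of normalising to `base_word` first is that the checks then catch the disguised variants (`Pa55word`, `Fluffy7`, `arsenal99`) as readily as the plain ones, which is the same reduction a guesser would apply in reverse; running it at registration time turns the post’s observation into a warning for the user rather than an advantage for the attacker.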

12 Responses to “Guessing Passwords”

  1. Spider Says:

    If you missed it, Bruce Schneier did an analysis on the phished myspace passwords. Interesting stuff. From it, I was able to guess a friend’s password exactly.

  2. gustavo Says:

    I made this suggestion to a fellow, maybe we could optimize the password search using a pattern strategy.

  3. neoeno Says:

    I have a list of around 10000 pairs that I grabbed off a myspace phisher’s site about 6 months ago. Contact me if you’re interested.

  4. Quadszilla Says:

    The most common is “password”.

    Having to guess someone’s password is tricky. Many people use the same password for everything. Give me 3 passwords that a user created for different accounts, and then I’ll know if I have a shot at guessing a 4th or 5th.

  5. adam Says:

    I was just reading that thing about myspace passwords, and one point he makes is that the average passwords are eight characters long.

    Now, I don’t know about you but the first password I properly used was the one for my hotmail, which at the time, had to be at least eight letters.

    Maybe that’s not as significant as I think, but I don’t know anyone who has myspace who doesn’t have msn (and consequently a hotmail account) and if most people use the same password for every/most things then it’s not so surprising.

    blink182 as one of the most popular passwords, heh.

    Interesting stuff though.

  6. RSnake Says:

    Or maybe we can think of this in reverse. If we know a user is a certain demographic because they have entered some information ahead of time, maybe we can warn them that attackers who know their demographic will tend to guess things like ____ whatever (based on their input).

  7. dusoft Says:

    There was one guy in Slovakia that hacked one of the largest free hostings and he did get plenty of passwords. He made an analysis afterwards and it was fun to read it.

  8. ChrisP Says:

    Damn you guessed my password.

  9. Rich Says:

    I briefly looked at this a few years ago. I was concerned about password complexity at my company so set about dumping all the user passwords and cracking them over a couple of days to see how difficult (or easy) it would be. It wasn’t an especially scientific study and I no longer have the data, but I do recall some interesting facts.

    Firstly, very few passwords were of sufficient complexity to remain uncracked.

    The majority of passwords had been left as the default.

    A significant proportion of the young women in the company had chosen passwords based on boyfriend’s names and several clearly had designs on Robbie Williams! Many also based their passwords on the time of year with references to things like “summer”, “sunshine” or “christmas” or a recent/upcoming holiday destination. I was surprised to find that quite a few of them were not afraid to use various obscenities, although I’m sure they were all far too ladylike to use such words out loud :))

    A sizeable proportion of the young men in the company based their passwords on football teams with references to “arsenal” or “gunners” being very common. Lots of them were obviously very keen on Kylie Minogue, various makes or models of fast car and certain brands of lager (Stella being particularly popular). Various obscenities also featured quite highly.

    The older people in the company appeared far more likely to choose a password to which I could attach no particular relevance, presumably basing them on some very obscure, private item of knowledge, although children’s/grandchildren’s names did feature occasionally.

    Apart from concluding that passwords were not complex enough at this company, I realised that knowing something about a person can certainly give you significant clues to what their password may be. Conversely, knowing a password can sometimes give you significant information about its owner!

  10. RSnake Says:

    Verrry interesting. I hadn’t thought about the converse. Very cool. Thank you, Rich! I like having my suspicions work out to be true.

  11. Chris_B Says:

    A lot of us go through this interest it seems.

    The idea of language/culture variance is important as well. About 8 years ago I noticed an interesting thing about the Japanese language; there are common phonemes between words and numbers and since there are a limited number of names (both family and given) I made a guess that some people would do something like joe/j0e but with the phonemes of the numbers rather than the visual appearance. A little testing proved the theory right.

    I made a second assumption that celebrity/anime character names might also be used either in plain form or modified using the same technique. That also proved to be valuable.

    The pseudo rainbow file and test tool never really got out of the casual research stage. I think I still have the HD it was on and may revisit this some day.

  12. John W. Jordan Says:

    Mark Burnett collected almost 4 million passwords and made some very interesting conclusions. He wrote a book, “Perfect Passwords: Selection, Protection, Authentication.” He said that remarkably, the whole bunch pretty well matched the patterns he noticed in the first 500 he collected. Human nature sure is human! He goes on to provide some real good tips on strong, easy to remember passwords, with the math to back them up. (no interest, just liked the book).