Friday, September 11, 2015

CsP: Our take on the cracked AM passwords thus far

We would like to present some statistics based on our current finds of roughly 11.7 million passwords. Firstly, we would like to state that we are predominantly targeting a subset of 15 million of the 36 million potential passwords. Secondly, bear in mind that we still haven't cracked about 4 million tokens, all of which could affect the findings presented here.

Total password entries = 11,716,208
Total unique password entries = 4,867,246


The majority of passwords that we have cracked so far appear to be quite simple, either lowercase with numbers or just lowercase. We also observed some UTF-8 encoded passwords. Passwords containing purely numbers also appear to be relatively popular. Note that we crack passwords in gradually increasing complexity, so it is normal that we have recovered most of the simpler ones first.

The shortest password we cracked was 1 character long, while the longest was 28. We would normally expect to see more length-7 passwords, but as evident from the above results, this was not the case. It is possible that there were fewer length-7 passwords compared to length 6 and 8 because we covered larger bruteforce attacks for the length-6 keyspace. We also observed some extremely long passwords, some of which were caused by users using either their email address or their lengthy usernames as their password.
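The composition and length figures above can be reproduced from any list of recovered plaintexts. The script below is an added example, not CynoSure Prime's tooling; the SAMPLE_CRACKED list is constructed for the demonstration and is not breach data. It buckets each password by character class in the order the post describes (non-ASCII, digits only, lowercase only, lowercase plus digits, and so on), builds the length histogram, and flags email-address-shaped entries of the kind mentioned at the end of the paragraph.

```python
from collections import Counter

# Constructed sample of recovered plaintexts (made up for this example,
# not taken from the breach data). "123456" is deliberately repeated so
# that the total and unique counts differ.
SAMPLE_CRACKED = [
    "123456", "123456", "password", "iloveyou", "abc123", "qwerty",
    "letmein1", "111111", "superman", "hello", "Passw0rd!", "café",
    "thisisagoodpassword", "john.smith@example.invalid", "a",
]


def classify(pw: str) -> str:
    """Bucket a password by character class, in the order the post describes."""
    if any(ord(c) > 127 for c in pw):
        return "non-ascii"          # the UTF-8 encoded passwords the post mentions
    if pw.isdigit():
        return "digits-only"
    if pw.isalpha():
        if pw.islower():
            return "lowercase-only"
        if pw.isupper():
            return "uppercase-only"
        return "letters-mixed-case"
    if pw.isalnum():
        # str.islower() is True when every cased character is lowercase,
        # so digits do not disturb the check
        return "lowercase+digits" if pw.islower() else "alnum-mixed-case"
    return "with-special"


def analyze(passwords):
    """Summary statistics in the shape of the post's figures."""
    lengths = Counter(len(p) for p in passwords)
    classes = Counter(classify(p) for p in passwords)
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "classes": dict(classes.most_common()),
        "lengths": dict(sorted(lengths.items())),
        "shortest": min(lengths),
        "longest": max(lengths),
    }


def looks_like_user_data(pw: str) -> bool:
    """Crude flag for the 'email address as password' case noted in the post."""
    local, sep, domain = pw.partition("@")
    return bool(sep) and local != "" and "." in domain


if __name__ == "__main__":
    stats = analyze(SAMPLE_CRACKED)
    for key, value in stats.items():
        print(f"{key}: {value}")
    print("user-data-like:", [p for p in SAMPLE_CRACKED if looks_like_user_data(p)])
```

Run against a real cracked list, the `lengths` dictionary is what the post's length chart plots, and a dip at length 7 relative to 6 and 8 would show up there directly.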

Going beyond the 15 million vulnerable hashes and another interesting find

User data as passwords

We were curious as to how many users use their username as their password. A full run against all 36 million users was conducted in parallel, and we discovered that there were over 630,000 matches. We tried each username against its corresponding bcrypt hash and performed some simple case toggling. This number shows that even without using the discoveries outlined in our previous blog post, more than 630,000 bcrypt hashes could have been easily recovered. We would like to note that this search was not exhaustive, as we only tried common case mutations. We suspect that this figure would have been higher if we had tried more upper and lower case combinations, though this would have taken much longer. It is also worth noting that a similar approach can be tried using the email address or other user data.
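The check described here is the same one a site operator should run against its own user table, both as an offline audit and as a registration-time policy. The script below is an added example, not CynoSure Prime's code. It generates the simple case mutations of the username (and, following the paragraph's closing suggestion, of the email address and its local part) and tests each against the stored hash. Because bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 stands in for it here; that substitution, the low round count and the constructed accounts are all assumptions of the example, and in practice `verify_fn` would wrap the real bcrypt check.

```python
import hashlib
import hmac
import os

# --- Candidate generation: the "user data as passwords" idea from the post ---

def case_mutations(word):
    """The simple case toggles the post describes: as typed, lower, UPPER,
    Capitalised and sWAPPED. Order is preserved and duplicates dropped."""
    out = []
    for v in (word, word.lower(), word.upper(), word.capitalize(), word.swapcase()):
        if v not in out:
            out.append(v)
    return out


def candidate_passwords(username, email=None):
    """Username, full email and the email local part, each with case variants.
    The post ran usernames only; extending to email is its own suggestion."""
    bases = [username]
    if email:
        local = email.split("@", 1)[0]
        bases += [email, local]
    seen, out = set(), []
    for base in bases:
        for v in case_mutations(base):
            if v not in seen:
                seen.add(v)
                out.append(v)
    return out


# --- Hash back-end: PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption:
# bcrypt is not in the standard library; use bcrypt.checkpw in practice) ---

ROUNDS = 2000  # deliberately low so the audit below runs quickly


def hash_password(pw, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ROUNDS)


def verify(pw, stored):
    salt, digest = stored[:16], stored[16:]
    probe = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ROUNDS)
    return hmac.compare_digest(probe, digest)


# --- The two defensive uses ---

def rejects_at_signup(pw, username, email=None):
    """Registration-time policy: refuse a password derived from the user's own data."""
    return pw in candidate_passwords(username, email)


def audit(users, verify_fn=verify):
    """Offline audit of stored hashes: {username: matching_candidate} for every
    account whose password is a case variant of its username or email."""
    hits = {}
    for u in users:
        for cand in candidate_passwords(u["username"], u.get("email")):
            if verify_fn(cand, u["hash"]):
                hits[u["username"]] = cand
                break
    return hits


# Constructed accounts (hypothetical; @example.invalid cannot resolve).
USERS = [
    {"username": "bigjohn77", "email": "bigjohn77@example.invalid",
     "hash": hash_password("bigjohn77")},               # username as-is
    {"username": "Sarah_K", "email": "sarah.k@example.invalid",
     "hash": hash_password("SARAH_K")},                 # username, upper-cased
    {"username": "quietwolf", "email": "qwolf@example.invalid",
     "hash": hash_password("qwolf@example.invalid")},   # full email address
    {"username": "alice", "email": "alice@example.invalid",
     "hash": hash_password("rFv7!pm2Kz#q")},            # unrelated to user data
]

if __name__ == "__main__":
    print(audit(USERS))
    print(rejects_at_signup("Alice", "alice"), rejects_at_signup("rFv7!pm2Kz#q", "alice"))
```

The audit stops at the first hit per account, so its cost is bounded by the number of accounts times the handful of mutations, which is why the post could run it across all 36 million users even against bcrypt.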

Suspicious accounts

Our very brief analysis of the passwords suggests that the possible ‘suspicious’ accounts used the following passwords: 

asdferfa324
hello
DEFAULT
123456
asdfg
superman
iloveyou
111111iwillneverdoitagain
welcome

Top Interesting passwords

Rather than bore everyone with the standard top 10/50/100 lists, one of our members has kindly put together a list of the most interesting passwords, grouped by category purely for your entertainment.

Those that think adding a few more words to the word password makes it harder to crack:
mypasswordispassword
superhardpassword
thebestpasswordever
thisisagoodpassword

Those that are having doubts about using the site:
ishouldnotbedoingthis
ithinkilovemywife
thisiswrong
whatthehellamidoing
whyareyoudoingthis
cheatersneverprosper
donteventhinkaboutit
isthisreallyhappening

Those that are in denial:
likeimreallygoingtocheat
justcheckingitout
justtryingthisout
goodguydoingthewrongthing

Those who think this is a dating site:
lookingfornewlife
friendswithbenefits

Those who trusted AM:
youwillneverfindout
youwillnevergetthis
secretissafewithme

Passwords from xkcd (https://xkcd.com/936/):
batteryhorsestaple
correcthorsebatterystaple

Those that might have figured out what AM is doing:
nothingfound
theywererobots
nobodyhere

Other funnies:
everynameitriedwastaken
allthegoodpasswordshavegone
lickemlikeshelikesit
lildickinyourpussyn0w
satisfactionwithlicking
blackfromthewaistdown
smalldickbuthardworker

A package containing all the statistical analysis and data derived from the cracked passwords has been sent out to the press. If you are affiliated with the media, are reporting on this story or related stories, and wish to acquire these statistics, then please email us.

#FOLLOW_US #JOIN_US #LOVE_US #HATE_US #CONTACT_US @CynoPrime
Twitter: @CynoPrime 
Blog: cynosureprime.blogspot.com
Email: cynosureprime@gmail.com

20 comments:

  1. To protect my own passphrases, how did you crack pass phrases like:
    allthegoodpasswordshavegone ?
    Can't be character/masked/Markov based brute force, can it? Were those phrases in the dictionary already? Even if the right dictionary was used, was combining up to 6 common words perhaps a stroke of luck?

    1. There's nothing you can do to protect your own passphrases. You put the trust in the company holding the information and the way they store and encrypt it. What you can do is have a different password for every site you use so the problem is at least minimized and isolated. Hope this helps.

    2. Well, I am convinced you can, since most of the published passphrases appear to be tags of some kind, like hash tags. So a Diceware generated pass phrase of the randomly chosen 6 (recommended) words should protect my phrases. Cracking such a pass phrase is a stroke of luck I think, assuming the cracker uses the right dictionary.

    3. I would like to know this as well...

    4. This one is hard to answer. We use a wide range of techniques and analysis tools. This makes even odd/weird passphrases potentially crackable.

    5. This one is hard to answer.

      Come on, surely you can say more than that.

    6. Well....... the answer is on
      http://arstechnica.com/security/2015/09/ashley-madison-passwords-like-thisiswrong-tap-cheaters-guilt-and-denial/?comments=1&start=90 (post by dick99999)
      It appears that most of the phrases revealed were hash tags, so I take it that the 'wide range of techniques and analysis tools' does not include an unknown way of passphrase cracking, at least not with any success for long phrases.

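The question running through this thread, whether a phrase such as allthegoodpasswordshavegone falls to character-level brute force or to combining a few common words, and why a random Diceware phrase behaves differently, can be put in numbers. The script below is an added example and not part of the post or the comments. The COMMON_WORDS set, the assumed 2,000-word vocabulary size and the lowercase-only alphabet are assumptions of the example; the 7,776-word Diceware list size is the standard one. It segments a phrase into the fewest vocabulary words (the same kind of check a password-strength meter performs) and compares the search space under the two attack models.

```python
import math

# A tiny stand-in for the "common words" list a combinator attack would use
# (constructed; a real vocabulary would hold a few thousand entries).
COMMON_WORDS = {
    "all", "the", "good", "passwords", "password", "have", "gone",
    "every", "name", "i", "tried", "was", "taken",
    "correct", "horse", "battery", "staple",
}
ASSUMED_COMMON_VOCAB = 2000   # assumed size of that vocabulary for the bit estimate
DICEWARE_LIST = 7776          # 6^5 words, the standard Diceware list size


def segment(phrase, vocab=COMMON_WORDS, max_words=6):
    """Split phrase into the fewest vocabulary words, or None if impossible
    within max_words. Dynamic programming over prefix lengths."""
    best = {0: []}
    for end in range(1, len(phrase) + 1):
        for start in range(end):
            if start in best and phrase[start:end] in vocab:
                cand = best[start] + [phrase[start:end]]
                if end not in best or len(cand) < len(best[end]):
                    best[end] = cand
    seg = best.get(len(phrase))
    return seg if seg is not None and len(seg) <= max_words else None


def brute_force_bits(alphabet_size, length):
    """Search space (bits) for character-level brute force."""
    return length * math.log2(alphabet_size)


def wordlist_bits(wordlist_size, words):
    """Search space (bits) when the attacker guesses whole words from a list."""
    return words * math.log2(wordlist_size)


def effective_bits(phrase, vocab=COMMON_WORDS, vocab_size=ASSUMED_COMMON_VOCAB):
    """Lower of the two models: if the phrase segments into common words the
    word-combination model applies; otherwise only brute force does.
    Assumes a lowercase-only alphabet of 26 characters."""
    seg = segment(phrase, vocab)
    char_bits = brute_force_bits(26, len(phrase))
    if seg is None:
        return char_bits, None
    return min(char_bits, wordlist_bits(vocab_size, len(seg))), seg


if __name__ == "__main__":
    for p in ("allthegoodpasswordshavegone", "correcthorsebatterystaple"):
        bits, seg = effective_bits(p)
        print(f"{p}: {bits:.1f} bits, words={seg}")
    print("6 Diceware words:", round(wordlist_bits(DICEWARE_LIST, 6), 1), "bits")
```

The 27-character phrase looks like about 127 bits of lowercase brute force, but as six words from a 2,000-word vocabulary it is closer to 66 bits, which is why word-combination attacks reach it. A six-word Diceware phrase carries about 77.5 bits precisely because its words are drawn at random from the full list rather than from the handful of words people actually write, so it does not segment into a small vocabulary.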
  2. This comment has been removed by the author.

  3. Pretty sure that my husband had an account with Ashley Madison. I saw this in his search history before. And on his phone Kaysensualsexyforyou am/sd. Pretty obvious. I was pregnant when I discovered it.

  4. Could the relatively few 7 character passwords be because of a shift in the minimum password length at some time? Older accounts may still have six character passwords, while newer ones were forced to use eight.

    1. Yes this is possible. We will analyze the data in a few days since we have over 13M finds now to see if the stats have shifted.

  5. Replies
    1. Sorry, due to the scale the low values for those aren't shown. We will regenerate the graphs in a couple of days with the latest data set, with labels.

  6. Do you have any plans to release the passwords with the hashes? I'm getting pretty far along with method 1 just using rockyou, rules, and a couple R9 290x's but I don't want to waste electricity on the method 2 hashes if you guys are going to release it all anyway. Great find by the way.

  7. Thanks for the Password Dictionary
    you may also want to check this
    Password Dictionary

  8. This comment has been removed by a blog administrator.

  9. This comment has been removed by a blog administrator.

  10. This comment has been removed by a blog administrator.

  11. This comment has been removed by a blog administrator.

  12. Password security is a joke. I’ve been an IT contractor for over a dozen different companies on various programs, and the way that employees share with utter disregard for security protocol is scary. I’m astonished more companies don’t get hacked into. They all need to start using a serious password manager like PasswordWrench yesterday.
