L337 crackrz use dumb passwords too

Black hats are just as blithe about the passwords they use as the rest of the world, according to a bit of research by security outfit Avast. The anti-virus company's Antonín Hýža writes that after he'd built a dictionary of hacked hackers' passwords, the most common password was "hack". Hýža says his work began because …


This topic is closed for new posts.
  1. Anonymous Coward

    Nothing surprising about it.

    > and interestingly, when he had to resort to brute force, in all cases the passwords were six characters or fewer.

    That's because he will have completely exhausted the 1 to 6 character search space but might still be searching the 7+ address space.

    It all depends upon how efficient his brute force attack is. If it is pathetically slow and only manages 100,000 attempts per second it will take him about 3 months to exhaustively search* the 6 character password space and nearly 25 years to do the same with the 7 character address space.

    * This assumes each character is one of the 96 printable ASCII characters. If he uses the reduced character set in the article then it would take 10 days to exhaustively search the 6 character address space and over 20 months to search the 7 character one.

  2. Cliff

    What about 'f'?

    Those character sets seem to have some holes, or am I misunderstanding? Yes I know the researcher isn't English, but passwords still could/are likely to be.

    1. Irongut

      Re: What about 'f'?

      That's the point. He found that he only needed to use those characters to break the passwords on his list. Apparently hackers have gaps in their ABCs.

      1. Wensleydale Cheese

        Re: What about 'f'?

        " Apparently hackers have gaps in their ABCs"

        It might tell us something about the keyboards they are using.

        On the various non-English keyboards I have used things like square brackets, braces etc are obtained by using Alt or Gr Alt modifiers..

        And some have "dead" keys which don't get through until the next character is typed. These can be a nightmare for password use so are best avoided.

      2. Tom 13

        Re: That's the point.

        I think the counterpoint is that FukU2 or variations thereof would seem to be the sorts of things a careless and haughty script kiddie would select, even in Russian or Chinese.

  3. Extra spicey vindaloo


    What is the current recommended password length that is secure?

    1. NumptyScrub

      Re: Policies

      The maximum length supported by whatever application requires the password, as long as it is not guessable using phrase based attacks. For instance using a password of:

      Now, witness the power of this fully operational battle station

      is going to be far less secure than

      np0b8yp(BG)Til;ghp789tK:HG)*(&B PIUp97p( &TP ~(U~L@K

      which I derived by mashing this keyboard and deleting extra stuff until it looked about the same length ;)

      1. 4ecks

        Re: Re: Policies

        Thanks for the randomly generated new Ebay password, but are the 14th and 34th characters I's or l's ?

        You know it's damned hard to read the invisible ink on these post-it notes that I use for keeping track of all the different passwords. ;)

      2. Tom 13

        Re: Policies

        Obligatory XKCD since you seem to have missed it:

        1. d3rrial

          Re: Policies

          @Tom 13

          That xkcd works great against standard brute-force attacks, agreed.

          You're going to run into trouble fast, though, if you think you're safe from dictionary / phrase-based attacks.

          correct horse battery staple basically has the security of 4 elements of a set. The set here are simple english words. I don't know the exact amount of words there are in this set, but I'd approximate it's between 2000-5000. @ 10,000,000 tries per second with a set of 2000 words, it'd take a maximum of ~18 days to crack "correct horse battery staple".

          You'd get a much more secure password if you used the same number of characters with completely random chars. Assuming 96 characters of ASCII with 28 characters we get:

          3.1885594968609569219249376411887986022218245751739252736... × 10^55 permutations with random characters and

          625000000000000 permutations with a 5000 word charset of simple english words.

          Noticing a difference?

        2. NumptyScrub

          Re: Policies

          quote: "Obligatory XKCD since you seem to have missed it:"
          I like that XKCD, but note that for your 44 bits of entropy, you need to extend the length of password by a factor of 2 or more, and you are only using lowercase letters. You could add another 4 bits per word using the same common substitutions, and an extra 7 by adding numeral-punctuation at the end, for 67 bits of entropy using the same base password string. An extra 23 bits of entropy that also changes it from a 4-word dictionary attack to effectively a brute force on a 30 character password.

          I still stand by the "most secure" password being one that is the maximum size that the application allows, and that is composed of a random character stream which includes all allowable characters, as that is the only way to maximise the effort required to crack it; you have to brute force because a dictionary attack will never get it. It is not easy to remember, but that's why there are a myriad of password suites around now to help people use secure passwords without needing to memorise random sequences of gibberish.

          For most practical applications, the XKCD method of random word association combined with basic substitutions should yield ok results though. It does at least get people used to using longer passwords, which can only be a good thing :)
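A small calculator for the two estimates argued over in this thread: the brute-force times for the 1 to 6 versus 7 character search spaces in the first comment, and the "correct horse battery staple" versus random-character comparison in the replies above. This is an added example, not code from the article or from any commenter; it takes the commenters' own assumptions as inputs (96 printable symbols, 100,000 and 10,000,000 guesses per second, word lists of 2000, 2048 and 5000 words) and reports keyspace, bits of entropy and time to exhaust the space.

```python
import math
from dataclasses import dataclass

# Figures assumed by the commenters above, reused here as-is.
PRINTABLE_ASCII = 96          # the first comment's count of printable ASCII symbols
SLOW_RATE = 100_000           # guesses per second, first comment
FAST_RATE = 10_000_000        # guesses per second, d3rrial's comment
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


@dataclass(frozen=True)
class Estimate:
    label: str
    keyspace: int      # number of candidates an exhaustive search must try
    bits: float        # log2(keyspace), the usual "entropy" figure
    seconds: float     # worst case time to exhaust the space at the given rate


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` symbols drawn from `alphabet_size` symbols.

    A symbol may be a printable character or, for a passphrase, a whole word.
    """
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random choice from the keyspace."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried once. Average case is half this."""
    return space / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate(label: str, alphabet_size: int, length: int, rate: float) -> Estimate:
    space = keyspace(alphabet_size, length)
    return Estimate(label, space, entropy_bits(alphabet_size, length),
                    seconds_to_exhaust(space, rate))


def thread_scenarios() -> list:
    """The cases discussed in the thread, so the numbers can be checked."""
    return [
        estimate("6 random printable chars @ 100k/s", PRINTABLE_ASCII, 6, SLOW_RATE),
        estimate("7 random printable chars @ 100k/s", PRINTABLE_ASCII, 7, SLOW_RATE),
        estimate("4 words from a 2000-word list @ 10M/s", 2000, 4, FAST_RATE),
        estimate("4 words from a 2048-word list (xkcd) @ 10M/s", 2048, 4, FAST_RATE),
        estimate("4 words from a 5000-word list @ 10M/s", 5000, 4, FAST_RATE),
        estimate("28 random printable chars @ 10M/s", PRINTABLE_ASCII, 28, FAST_RATE),
    ]


if __name__ == "__main__":
    for e in thread_scenarios():
        print(f"{e.label:46s} keyspace={e.keyspace:.3e}  "
              f"bits={e.bits:5.1f}  exhaust in {human(e.seconds)}")
```

The word-list rows assume the attacker already knows the password is exactly four lowercase dictionary words in a fixed order, which is the point made in the replies: the strength of the xkcd scheme lies entirely in the words being chosen uniformly at random from the list, not in its character length, so a cracker modelling the scheme gets the 44-bit keyspace, not the 10^55 figure that the same character length would give for random text.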

  4. Jin

    Interference of Memory

    It is probably because shrewd hackers also suffer the strong "interference of memory" when using text passwords. This report probably proves how common this cognitive phenomenon is among human beings.

  5. crediblywitless

    Someone should research what sysadmins use for passwords...

    1. 4ecks

      Ok, I'll start you off..

      nimda or 64632, the admin password for the PBX system where I used to work, at least they changed it from the default 23646. ;)


Biting the hand that feeds IT © 1998–2020