Friday, September 11, 2015

CsP: Our take on the cracked AM passwords thus far

We would like to present some statistics based on our current finds of roughly 11.7 million passwords. Firstly, we would like to state that we are predominantly targeting a 15 million subset of the 36 million potential passwords. Secondly, bear in mind that we still haven't cracked about 4 million tokens, all of which could affect the findings presented here.

Total password entries = 11,716,208
Total unique password entries = 4,867,246

The majority of passwords that we have cracked so far appear to be quite simple, either lowercase letters with numbers or lowercase letters only. We also observed some UTF-8 encoded (non-ASCII) passwords. Passwords consisting purely of numbers also appear to be relatively popular. Note that we crack passwords in gradually increasing order of complexity, so it is normal that we have recovered most of the simpler ones first.

The shortest password we cracked was a single character (length 1), while the longest was 28 characters. We would normally expect to see more length-7 passwords, but as evident from the results above, this was not the case. It is possible that length 7 appears less often than lengths 6 and 8 because we ran larger brute-force attacks over the length-6 keyspace, so its coverage is simply further along. We also observed some extremely long passwords, some of which were the result of users using either their email address or their lengthy username as their password.
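To make the kind of breakdown discussed above reproducible, here is an added example (not code from the original post or from CynoSure Prime) that classifies each recovered password by character class, including the non-ASCII/UTF-8 case, and builds the length distribution. The sample list is constructed for illustration and contains no data from the breach.

```python
from collections import Counter

# Constructed sample of "cracked" passwords for illustration only.
SAMPLE_PASSWORDS = [
    "123456", "password", "abc123", "iloveyou", "111111",
    "superman", "passw0rd", "qwerty1", "a", "Pässwort",
    "mypasswordispassword", "alice@example.com",
]


def composition_class(pw: str) -> str:
    """Coarse character-class label, checked from most to least restrictive."""
    if not pw.isascii():
        return "non-ascii"            # UTF-8 encoded passwords mentioned in the post
    if pw.isdigit():
        return "digits-only"
    if pw.islower() and pw.isalpha():
        return "lowercase-only"
    if pw.islower() and pw.isalnum():
        return "lowercase+digits"
    if pw.isalnum():
        return "mixed-case-alnum"
    return "with-symbols"             # e.g. an email address used as a password


def analyse(passwords):
    """Total/unique counts, class histogram and length histogram."""
    lengths = Counter(len(p) for p in passwords)
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "classes": dict(Counter(composition_class(p) for p in passwords)),
        "lengths": dict(sorted(lengths.items())),
        "shortest": min(lengths),
        "longest": max(lengths),
    }


if __name__ == "__main__":
    stats = analyse(SAMPLE_PASSWORDS)
    print(f"Total password entries = {stats['total']:,}")
    print(f"Total unique password entries = {stats['unique']:,}")
    for label, n in sorted(stats["classes"].items(), key=lambda kv: -kv[1]):
        print(f"{label:18s} {n}")
    for length, n in stats["lengths"].items():
        print(f"length {length:2d}: {'#' * n}")
```

Run over a real cracked list, the `lengths` histogram is where a dip at length 7 relative to 6 and 8 (as the post describes) would show up, so it is worth plotting before drawing conclusions about user behaviour versus cracking coverage.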

Going beyond the 15 million vulnerable hashes and another interesting find

User data as passwords

We were curious as to how many users use their username as their password. A full run against all 36 million users was conducted in parallel and we discovered that there were over 630,000 matches. We tried each username against its corresponding bcrypt hash, along with some simple case toggling. This number shows that even without using the discoveries outlined in our previous blog post, more than 630,000 bcrypt hashes could have been easily recovered. We would like to note that this search was not exhaustive, as we only tried common case mutations. We suspect that this figure would have been higher if we had tried more upper- and lower-case combinations, though this would have taken much longer. It is also worth noting that the same approach can be tried using the email address or other user data in place of the username.
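The same check belongs on the defending side, at the moment a password is chosen rather than after the hashes leak. The following added example (not from the original post or from CynoSure Prime) rejects a new password that reproduces the account's username, email address or email local part under the simple case mutations the post describes. The account values and the `min_length` threshold are assumptions for illustration.

```python
from typing import Optional


def case_variants(s: str) -> set:
    """Simple case toggling: as-is, lower, upper, capitalised, swapped, titled."""
    return {s, s.lower(), s.upper(), s.capitalize(), s.swapcase(), s.title()}


def identity_tokens(username: str, email: str) -> dict:
    """User data a password should never be derived from."""
    local_part = email.split("@", 1)[0]
    return {"username": username, "email": email, "email local part": local_part}


def identity_match(password: str, username: str, email: str) -> Optional[str]:
    """Return which identity field the password reproduces (after case toggling), or None."""
    for label, token in identity_tokens(username, email).items():
        if token and password in case_variants(token):
            return label
    return None


def validate_new_password(password: str, username: str, email: str, min_length: int = 8) -> list:
    """Policy check run before the password is hashed. Returns a list of problems (empty = accept)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"password shorter than {min_length} characters")
    field = identity_match(password, username, email)
    if field is not None:
        problems.append(f"password is the account's {field} (case-toggled)")
    return problems


if __name__ == "__main__":
    # Constructed account values, not real users.
    for candidate in ("JOHNSMITH", "john.smith", "Correct Horse Battery"):
        print(candidate, "->", validate_new_password(candidate, "johnsmith", "john.smith@example.com"))
```

Because the comparison is done on the plaintext at registration time, it costs nothing regardless of the bcrypt work factor; auditing already-stored hashes the way the post describes means one bcrypt verification per variant per account, which is why the post notes that a wider set of case combinations "would have taken much longer".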

Suspicious accounts

Our very brief analysis of the passwords suggests that the possible 'suspicious' accounts used the following passwords:

asdferfa324
hello
DEFAULT
123456
asdfg
superman
iloveyou
111111iwillneverdoitagain
welcome

Top Interesting passwords

Rather than bore everyone with the standard top 10/50/100 lists, one of our members has kindly put together a list of the most interesting passwords, grouped by category, purely for your entertainment.

Those that think adding a few more words to the word password makes it harder to crack:
mypasswordispassword
superhardpassword
thebestpasswordever
thisisagoodpassword

Those that are having doubts about using the site:
ishouldnotbedoingthis
ithinkilovemywife
thisiswrong
whatthehellamidoing
whyareyoudoingthis
cheatersneverprosper
donteventhinkaboutit
isthisreallyhappening

Those that are in denial:
likeimreallygoingtocheat
justcheckingitout
justtryingthisout
goodguydoingthewrongthing

Those who think this is a dating site:
lookingfornewlife
friendswithbenefits

Those who trusted AM:
youwillneverfindout
youwillnevergetthis
secretissafewithme

Passwords from xkcd (https://xkcd.com/936/):
batteryhorsestaple
correcthorsebatterystaple

Those that might have figured out what AM is doing:
nothingfound
theywererobots
nobodyhere

Other funnies:
everynameitriedwastaken
allthegoodpasswordshavegone
lickemlikeshelikesit
lildickinyourpussyn0w
satisfactionwithlicking
blackfromthewaistdown
smalldickbuthardworker

A package containing all the statistical analysis and data derived from the cracked passwords has been sent out to the press. If you are affiliated with the media and are reporting on this story or related stories, and wish to acquire these statistics, please email us.

#FOLLOW_US #JOIN_US #LOVE_US #HATE_US #CONTACT_US @CynoPrime
Twitter: @CynoPrime
Blog: cynosureprime.blogspot.com
Email: cynosureprime@gmail.com