Friday, September 11, 2015

CsP: Our take on the cracked AM passwords thus far

We would like to present some statistics based on our current finds of roughly 11.7 million passwords. Firstly, we would like to state that we are predominantly targeting a 15 million subset of the 36 million potential passwords. Secondly, bear in mind that we still haven't cracked about 4 million tokens, all of which could affect the findings presented here.

Total password entries = 11,716,208
Total unique password entries = 4,867,246


The majority of passwords that we have cracked so far appear to be quite simple, either lowercase with numbers or just lowercase. We also observed some UTF-8 encoded passwords. Purely numeric passwords also appear to be relatively popular. Note that we crack passwords in gradually increasing complexity, so it is normal that we have recovered most of the simpler ones first.

The shortest password we cracked was a single character (length 1), while the longest was 28 characters. We would normally expect to see more length 7 passwords, but as evident from the above results, this was not the case. It is possible that there were fewer length 7 passwords than length 6 and 8 because we ran larger bruteforce attacks over the length 6 keyspace. We also observed some extremely long passwords, some of which were caused by users using either their email address or their lengthy username as their password.
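As an added illustration (not CsP's own tooling), the following Python script buckets a password list into the character-class categories described above, counts total versus unique entries, and builds the length histogram; the sample list is constructed, and the length-dip check is an assumption of mine to flag the kind of length 7 anomaly noted above.

```python
import re
from collections import Counter

# Constructed sample standing in for a recovered-password list (not the post's data);
# duplicates are deliberate, since the post reports total and unique entries separately.
SAMPLE = [
    "password", "123456", "abc123", "iloveyou", "qwerty", "123456",
    "Passw0rd!", "111111", "pässwort", "abc123", "letmein1", "correcthorsebatterystaple",
]

def classify(pw: str) -> str:
    """Bucket a password into the character-class categories the post reports."""
    if not pw.isascii():
        return "non-ascii"            # the UTF-8 encoded passwords the post mentions
    if pw.isdigit():
        return "digits only"
    if re.fullmatch(r"[a-z]+", pw):
        return "lowercase only"
    if re.fullmatch(r"[a-z0-9]+", pw):
        return "lowercase + digits"
    return "mixed / other"            # upper case, symbols, or both

def summarize(passwords):
    """Totals, unique count, class distribution, length histogram and top entries."""
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "by_class": Counter(classify(p) for p in passwords),
        "by_length": Counter(len(p) for p in passwords),
        "top": Counter(passwords).most_common(3),
    }

def length_dip(by_length, length: int) -> bool:
    """True when `length` is rarer than both neighbouring lengths (a histogram dip)."""
    return (by_length[length] < by_length[length - 1]
            and by_length[length] < by_length[length + 1])

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for key, value in stats.items():
        print(f"{key}: {value}")
    print("length 7 dip:", length_dip(stats["by_length"], 7))
```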

Going beyond the 15 million vulnerable hashes and another interesting find

User data as passwords

We were curious as to how many users use their username as their password. A full run against all 36 million users was conducted in parallel and we discovered that there were over 630,000 matches. We tried each username against its corresponding bcrypt hash and performed some simple case toggling. This number shows that even without using the discoveries outlined in our previous blog post, more than 630,000 bcrypt hashes could have been easily recovered. We would like to note that this search was not exhaustive, as we only tried common case mutations. We suspect that this figure would have been higher if we had tried more upper and lower case combinations, though this would have taken much longer. It is also worth noting that a similar approach can be tried, but using the email address or other user data.
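A defender's version of the check described above, added here as an example rather than CsP's code: it runs at registration or password-reset time on the plaintext candidate, applies the same kind of simple case toggling, and goes beyond the post by also checking the email address and its local part. The helper names and all user records are constructed for this illustration.

```python
import re

def case_mutations(token: str) -> set:
    """The simple case toggling the post describes: as-is, lower, UPPER, Capitalized, sWAPPED."""
    return {token, token.lower(), token.upper(), token.capitalize(), token.swapcase()}

def user_data_tokens(username: str, email: str) -> set:
    """Username, full email, the email local part, and its dotted/underscored pieces."""
    local_part = email.split("@", 1)[0]
    tokens = {username, email, local_part}
    # john.smith -> john, smith; very short pieces are dropped to avoid noise
    tokens.update(p for p in re.split(r"[._\-+]", local_part) if len(p) >= 4)
    return {t for t in tokens if t}

def derived_from_user_data(password: str, username: str, email: str) -> bool:
    """True when the password is a case mutation of a user-data token, or
    (for tokens of 5+ characters) contains one, e.g. 'Jones2015!' for dave.jones@..."""
    for tok in user_data_tokens(username, email):
        if password in case_mutations(tok):
            return True
        if len(tok) >= 5 and tok.lower() in password.lower():
            return True
    return False

def audit(users) -> list:
    """Return the usernames whose chosen password is derived from their own user data."""
    return [u["username"] for u in users
            if derived_from_user_data(u["password"], u["username"], u["email"])]

# Constructed records; nothing here comes from the breach data.
USERS = [
    {"username": "jsmith",  "email": "john.smith@example.com", "password": "JSMITH"},
    {"username": "bob",     "email": "bob@example.net",        "password": "bob"},
    {"username": "alice88", "email": "alice.w@example.org",    "password": "correct horse battery staple"},
    {"username": "dave",    "email": "dave.jones@example.com", "password": "Jones2015!"},
]

if __name__ == "__main__":
    print("rejected:", audit(USERS))   # jsmith, bob and dave
```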

Suspicious accounts

Our very brief analysis of the passwords suggests that the possible ‘suspicious’ accounts used the following passwords:

asdferfa324
hello
DEFAULT
123456
asdfg
superman
iloveyou
111111iwillneverdoitagain
welcome

Top Interesting passwords

Rather than bore everyone with the standard top 10/50/100 lists, one of our members has kindly put together a list of interesting passwords, classified by category, purely for your entertainment.

Those that think adding a few more words to the word password makes it harder to crack:
mypasswordispassword
superhardpassword
thebestpasswordever
thisisagoodpassword

Those that are having doubts about using the site:
ishouldnotbedoingthis
ithinkilovemywife
thisiswrong
whatthehellamidoing
whyareyoudoingthis
cheatersneverprosper
donteventhinkaboutit
isthisreallyhappening

Those that are in denial:
likeimreallygoingtocheat
justcheckingitout
justtryingthisout
goodguydoingthewrongthing

Those who think this is a dating site:
lookingfornewlife
friendswithbenefits

Those who trusted AM:
youwillneverfindout
youwillnevergetthis
secretissafewithme

Passwords from xkcd (https://xkcd.com/936/):
batteryhorsestaple
correcthorsebatterystaple

Those that might have figured out what AM is doing:
nothingfound
theywererobots
nobodyhere

Other funnies:
everynameitriedwastaken
allthegoodpasswordshavegone
lickemlikeshelikesit
lildickinyourpussyn0w
satisfactionwithlicking
blackfromthewaistdown
smalldickbuthardworker

A package has been sent out to the press containing all the statistical analysis and data derived from the cracked passwords. If you are affiliated with the media, reporting on this story or related stories and wish to acquire these statistics, then please email us.

#FOLLOW_US #JOIN_US #LOVE_US #HATE_US #CONTACT_US @CynoPrime
Twitter: @CynoPrime 
Blog: cynosureprime.blogspot.com
Email: cynosureprime@gmail.com

56 comments:

  1. To protect my own passphrases, how did you crack pass phrases like:
    allthegoodpasswordshavegone ?
    Can't be character/masked/Markov based brute force, can it? Were those phrases in the dictionary already? Even if the right dictionary was used, was combining up to 6 common words perhaps a stroke of luck?

    Replies
    1. There's nothing you can do to protect your own passphrases. You put the trust in the company holding the information and the way they store and encrypt it. What you can do is have a different password for every site you use so the problem is at least minimized and isolated. Hope this helps.
    2. Well, I am convinced you can, since most of the published passphrases appear to be tags of some kind, like hash tags. So a Diceware generated pass phrase of the randomly chosen 6 (recommended) words should protect my phrases. Cracking such a pass phrase is a stroke of luck I think, assuming the cracker uses the right dictionary.
    3. I would like to know this as well...
    4. This one is hard to answer. We use a wide range of techniques and analysis tools. This makes even odd/weird passphrases potentially crackable.
    5. "This one is hard to answer."
       Come on, surely you can say more than that.
    6. Well....... the answer is on
       http://arstechnica.com/security/2015/09/ashley-madison-passwords-like-thisiswrong-tap-cheaters-guilt-and-denial/?comments=1&start=90 (post by dick99999)
       It appears that most of the phrases revealed were hash tags, so I take it that the 'wide range of techniques and analysis tools' does not include an unknown way of passphrase cracking, at least not with any success for long phrases.
  3. Pretty sure that my husband had an account with Ashley Madison. I saw this in his search history before. And on his phone Kaysensualsexyforyou am/sd. Pretty obvious. I was pregnant when I discovered it.

  4. Could the relatively few 7 character passwords be because of a shift in the minimum password length at some time? Older accounts may still have six character passwords, while newer ones were forced to use eight.

    Replies
    1. Yes, this is possible. We will analyze the data in a few days, since we have over 13M finds now, to see if the stats have shifted.
  5. Replies
    1. Sorry, due to the scale the low values for those aren't shown. We will regenerate the graphs in a couple of days with the latest data set, with labels.
  6. Do you have any plans to release the passwords with the hashes? I'm getting pretty far along with method 1 just using rockyou, rules, and a couple of R9 290Xs, but I don't want to waste electricity on the method 2 hashes if you guys are going to release it all anyway. Great find by the way.
  12. Password security is a joke. I’ve been an IT contractor for over a dozen different companies on various programs, and the way that employees share with utter disregard for security protocol is scary. I’m astonished more companies don’t get hacked into. They all need to start using a serious password manager like PasswordWrench yesterday.
  35. Passwords should always be secured and should not be dummy, whether it is your ATM password or your WiFi password. All should be chosen wisely.