Stupid ones in production - the seclist

At Convex, we once had a major security campaign to encourage all employees to consider their passwords in concert with the green book. We were building a C2 level trusted OS at the time and it became obvious how important this was to the OS.

In the process we ran a password cracking program against /usr/etc/passwd to get everyone’s password. Never mind this was a supercomputer company and we had lots of cheap super-computing cycles available.

The very first thing the password cracker did was compare passwords to a large dictionary of words. Then it used other methods to determine passwords that are not in the dictionary. One method was a brute force method. Not so hard to write really, especially if you have access to lots of free super-computing cycles.

The net result was that a lot of users had easy to remember common word passwords like pet names, children’s names or fun words like “mesmerize” or “sex” Surprisingly some had the word “password” as their password. Our CEO, an EE by education, used his wife’s maiden name as his password. We let him know at an executive meeting he needed to change it. He asked us if we knew any of the other execs’ passwords. We did. About 50% were cracked easily while others took a little more time, but eventually all were cracked.

We implemented a required password change, an educational process and ran the cracker in the background daily. Somehow, we continued to find lots of violators of the policy.

It is no wonder we need something more than passwords to protect our data, like two level authentication and bio-metrics, but our passwords need to be more complex, too.

1 Like

“monthyear” (ie: March2019) is extremely common. Especially for systems that require you to change it every 3 months. Ironically that gives you 3 easy tries before a lock out.

Yeah, JTR (john the ripper) is really good but so is rainbow tables. But surprising the most common passwords these days are found from porn sites and tend to also be the same ones for banking info, social media sites and email providers. (yeah the irony of backdooring oneself is not lost)

This list above surprisingly was accepted from my own pull request. Only one is really found in production the others are fuzz. Though one should check out some of the other master lists.

NIST Special Publication 800-series General Information:
Publications in NIST’s Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities.

“Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.”