Analyzing Passwords for Patterns and Complexity

Tuesday, December 20, 2011

Dan Dieterle


Digininja’s site has an interesting password-analyzing program called “Pipal”. The program takes a list of passwords and returns the top passwords used, a graph showing password lengths, dates used and a ton of other information.

In this demonstration, I used a list of leaked sanitized passwords (a password dump from a real site with account names and e-mail addresses removed) from SkullSecurity.

Simply download Pipal, provide it a password list and sit back and watch it go. This list of about 9,000 Hotmail passwords took only a few seconds. Larger lists could take significantly longer: one list Digininja analyzed, with millions of passwords, took about 24 hours!

[Image: Pipal output for the Hotmail password list]

Let’s look at some of the more interesting data returned from Pipal. Here is a list of the top ten base words:

Top 10 base words

angel = 10 (0.11%)
beto = 9 (0.1%)
diciembre = 7 (0.08%)
abril = 6 (0.07%)
amor = 5 (0.06%)
acuario = 5 (0.06%)
junio = 5 (0.06%)
daniel = 5 (0.06%)
alex = 5 (0.06%)
beatriz = 5 (0.06%)

This is obviously a dump from a Spanish-speaking country, but you will notice that the prefix “angel” was used 10 times, and a lot of users’ passwords started with a name or a month.

How long was the average password?

Password length (count ordered)

6 = 1823 (20.41%)
8 = 1769 (19.81%)
7 = 1306 (14.62%)
9 = 1098 (12.3%)
10 = 773 (8.66%)
11 = 565 (6.33%)
12 = 406 (4.55%)
13 = 285 (3.19%)
14 = 216 (2.42%)
16 = 178 (1.99%)
5 = 175 (1.96%)
15 = 158 (1.77%)
17 = 59 (0.66%)
4 = 37 (0.41%)
18 = 19 (0.21%)
20 = 16 (0.18%)
21 = 13 (0.15%)
22 = 9 (0.1%)
2 = 9 (0.1%)
19 = 8 (0.09%)
3 = 7 (0.08%)
1 = 5 (0.06%)
24 = 5 (0.06%)
23 = 4 (0.04%)
27 = 4 (0.04%)

Looks like 6 characters is the winner, followed closely by 8. I am actually surprised by the number of people who used 20+ character passwords. But as this is from a website password dump, it apparently didn’t do them any good…

Okay, how about complexity – how strong were the passwords:

Password Strength:

Only lowercase alpha = 3716 (41.61%)
Only uppercase alpha = 197 (2.21%)
Only alpha = 3913 (43.82%)
Only numeric = 1654 (18.52%)

First capital last symbol = 23 (0.26%)
First capital last number = 240 (2.69%)

Ouch, looks like a good chunk of them were simple passwords.

Okay, what about dates, did any of the passwords have a date in them?

Months

march = 2 (0.02%)
may = 18 (0.2%)
june = 1 (0.01%)
july = 1 (0.01%)
august = 1 (0.01%)
october = 1 (0.01%)

Days

None found

Months (Abreviated)

jan = 15 (0.17%)
feb = 8 (0.09%)
mar = 184 (2.06%)
apr = 8 (0.09%)
may = 18 (0.2%)
jun = 17 (0.19%)
jul = 19 (0.21%)
aug = 2 (0.02%)
sept = 4 (0.04%)
oct = 14 (0.16%)
nov = 21 (0.24%)
dec = 7 (0.08%)

Days (Abreviated)

mon = 61 (0.68%)
wed = 1 (0.01%)
fri = 14 (0.16%)
sat = 11 (0.12%)
sun = 13 (0.15%)

Years (Top 10)

2008 = 38 (0.43%)
1985 = 30 (0.34%)
2006 = 27 (0.3%)
1983 = 26 (0.29%)
1980 = 26 (0.29%)
2007 = 25 (0.28%)
1987 = 24 (0.27%)
1984 = 23 (0.26%)
1979 = 22 (0.25%)
1981 = 21 (0.24%)

Pipal provides a lot more information than what was provided here, but I think this gives you a good idea of what it can do.
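To show what the sections above are actually measuring, here is a small added example (my own illustration, not Pipal’s code) that computes the same four kinds of statistics over a password list: top base words, length distribution, character-class “strength” buckets, and month/day/year mentions, printed in the same `key = count (pct)` layout Pipal uses. The sample list is constructed for the demonstration and is not taken from the SkullSecurity dump; the base-word rule (strip non-letters from both ends, lowercase, ignore anything shorter than three letters) and the year pattern (four digits starting 19 or 20) are my approximations of what Pipal does, not its exact rules.

```python
"""Pipal-style statistics over a password list (added illustration, not Pipal's code)."""
import re
from collections import Counter

# Constructed sample list standing in for the sanitized dump discussed in the post.
SAMPLE_PASSWORDS = [
    "angel123", "Angel2008", "beto1985", "diciembre", "abril12", "amor",
    "ACUARIO", "junio07", "Daniel!", "alex", "beatriz1983", "123456",
    "mar2008", "angel",
]

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
MONTHS_ABBR = ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug",
               "sept", "oct", "nov", "dec"]
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAYS_ABBR = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def load_passwords(path):
    """One password per line; only the line ending is stripped, inner spaces are kept."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\r\n") for line in fh if line.rstrip("\r\n")]


def base_word(pw):
    """Approximation of Pipal's base word: strip non-letters from both ends, lowercase."""
    return re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()


def top_base_words(pws, n=10, min_len=3):
    counts = Counter(b for b in map(base_word, pws) if len(b) >= min_len)
    return counts.most_common(n)


def length_distribution(pws):
    """(length, count) pairs ordered by count, like Pipal's 'count ordered' table."""
    return Counter(len(p) for p in pws).most_common()


# Character-class buckets matching the 'Password Strength' section of the post.
STRENGTH_CHECKS = {
    "Only lowercase alpha": lambda p: p.isalpha() and p.islower(),
    "Only uppercase alpha": lambda p: p.isalpha() and p.isupper(),
    "Only alpha": str.isalpha,
    "Only numeric": str.isdigit,
    "First capital last symbol": lambda p: p[:1].isupper() and not p[-1:].isalnum(),
    "First capital last number": lambda p: p[:1].isupper() and p[-1:].isdigit(),
}


def strength_classes(pws):
    return {name: sum(1 for p in pws if check(p)) for name, check in STRENGTH_CHECKS.items()}


def date_mentions(pws):
    """Count month/day names found as substrings, and 4-digit years 19xx/20xx (year rule is an assumption)."""
    found = {"months": Counter(), "days": Counter(),
             "months_abbr": Counter(), "days_abbr": Counter(), "years": Counter()}
    for p in pws:
        low = p.lower()
        for key, names in (("months", MONTHS), ("days", DAYS),
                           ("months_abbr", MONTHS_ABBR), ("days_abbr", DAYS_ABBR)):
            for name in names:
                if name in low:
                    found[key][name] += 1
        for year in re.findall(r"(?:19|20)\d{2}", p):
            found["years"][year] += 1
    return found


def pct(count, total):
    return f"{100.0 * count / total:.2f}%" if total else "0.00%"


def report(pws):
    """Render the sections in the same 'key = count (pct)' style Pipal prints."""
    total = len(pws)
    lines = [f"Total entries = {total}", "", "Top 10 base words"]
    lines += [f"{w} = {c} ({pct(c, total)})" for w, c in top_base_words(pws)]
    lines += ["", "Password length (count ordered)"]
    lines += [f"{l} = {c} ({pct(c, total)})" for l, c in length_distribution(pws)]
    lines += ["", "Password Strength:"]
    lines += [f"{k} = {c} ({pct(c, total)})" for k, c in strength_classes(pws).items()]
    dates = date_mentions(pws)
    for title, key in (("Months", "months"), ("Days", "days"),
                       ("Months (Abbreviated)", "months_abbr"),
                       ("Days (Abbreviated)", "days_abbr"), ("Years (Top 10)", "years")):
        lines += ["", title]
        rows = dates[key].most_common(10)
        lines += [f"{k} = {c} ({pct(c, total)})" for k, c in rows] or ["None found"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PASSWORDS))
```

Two things worth noticing when reading the numbers: the abbreviated-month counts are substring matches, so “mar” also counts every password containing “march” (and common names like “marco” or “maria”), which is why an abbreviated-month row can dwarf the full-name row; and the base-word rule only trims the ends, so “angel123” and “Angel2008” collapse to the same base word while a digit in the middle does not. Running an audit like this over your own (salted, hashed) credential store is not possible, but it is a useful check against a wordlist of passwords your policy currently accepts.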

I think this is a great tool to see the trends and patterns in password security. After so many years of users being warned about password security, it is very disheartening to see that the majority of users are still using short, simple passwords.

But what is more alarming is the number of password dumps that are available from compromised websites.

Cross-posted from Cyber Arms
