
Thread: Most Common Passwords

  1. #11
    Senior Member
    Join Date
    May 2002
    Posts
    344
    lol, I have 2 passwords in that list. My problem is that I am too lazy to remember a complex password. Bah, if anyone wants to hack into my AOL account so that they can read all my penis enlargement emails, go ahead, just please delete them when you are done.
    Support your right to arm bears.


    ^^This was the first video game which I played on an old Win 3.1 box.

  2. #12
    Junior Member
    Join Date
    Jun 2002
    Posts
    23

    You getting those emails too, White_Eskimo?

    I'm glad to see that only one of my passwords was in there, which is not bad considering that I've had to change my p/word to something unique every couple of weeks for the last 5 years. One good thing that we have at work (from a security point of view) is that you can't reuse a password. Not sure where it stores your previous p/words, now that I come to think of it?

    Most people just add an incrementing number to the start or end of their p/word, but it does keep everyone on their toes and stops the same p/word (i.e. the dog's name) from being used repeatedly.

    Cheers All,

    R.

  3. #13
    Cobra, it depends. Let's say you go and take the list that Spools posted and write a script to run through all those passwords: no. There are also other ones where all they do is go through the entire dictionary. (And I do mean entire.)

    Those more than likely won't either. Now, on a brute force, it kind of all depends. I have seen programs that will just go and go until they get it. Actually, I am asking a friend about that right now.

    But I will answer your question with a very old but true statement. If you take the watch on your wrist and break it into a million pieces and keep dropping it, how long would it take for that watch to come together? It is very possible that it will, but it will just take a hell of a long time. Something most people don't have. Which is mainly why they write crackers to do it for them.

    So, without the stupid-ass explanation: yes. It very well could crack your password. It just needs *("TIME")*.

    The last thing to add to this is that most end users have this great idea that it isn't going to happen to them, and that is the exact type of people that are looked for. It won't happen to you, so you don't need a FW, AV or anything. It won't happen to me, so I can have Windows just remember my password to everything for me.

    That said, there is always just one more thing that can mess up your password.

    You can have a password like (Hello203My-0-rotvvee234334254234) and guess what, there is always one way to get that password that is usually more sure than any brute force.

    Ask

  4. #14
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    I would post my 70 MB password file, but I don't think JpM would be impressed :P
    I wrote a post somewhere on how to make good passwords that will not be cracked by any dictionary method and will take almost forever to brute force. I'm too lazy to find the post atm, but if the search function is working, it can be found through that.

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can recall the gentle features in the queen's face on that fair day, when this land rested in holy peace and everyone had love to love with.

  5. #15
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #16
    Senior Member
    Join Date
    Mar 2003
    Posts
    117
    You guys should read this document at security focus:

    Ten Windows Password Myths
    by Mark Burnett
    http://www.securityfocus.com/infocus/1554
    .sig - There never was a .sig?
    I own a Schneider EuroPC with MS-Dos 3.3 and it works.

  7. #17
    Disgruntled Postal Worker fourdc's Avatar
    Join Date
    Jul 2002
    Location
    Vermont, USA
    Posts
    797
    If the system you use is case sensitive try a 7 character password with at least 1 number, 1 uppercase and 1 lower case.

    The best password generator I ever had was my son. He's autistic. When he decided to become verbal he would string the wildest syllables together, and he didn't seem to ever repeat.
    ddddc

    "Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot

  8. #18
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,886
    a brute force attack would even crack a password like 4bn9hi7u£$ but it would take a very long time
    Not exactly. Depending on the OS (i.e. Windows), it may actually be *quicker* to crack a password that is longer than 7 characters. Sounds crazy, but it is true. The good folks at Foundstone have an excellent paper on this (and it appears in the Hacking Exposed series of books too).
    To sum it up, a program like L0phtCrack will split the hash into seven-character blocks and crack them separately. This may speed it up because it would be like playing a game of Wheel of Fortune: you may be able to guess the password by seeing one of the other blocks cracked. This is a weakness in the LANMAN hash implementation originally developed by IBM. Send your complaints to the boys in blue.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
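The seven-character split described in the post, worked through as an added example (this is not code from the thread or from any of the tools it mentions). The script computes an LM hash the way the algorithm actually does it: uppercase the password, null-pad to 14 bytes, split into two 7-byte halves, and DES-encrypt the fixed string "KGS!@#$%" under each half as a key. Because the halves never mix, the second half of an 11-character password depends on only its last four characters, and a password of seven characters or fewer has a second half equal to a constant. The function names are my own; the script uses .NET's DES class and assumes ASCII passwords (real LM uses the OEM code page) and a Windows host. .NET refuses the all-zero DES key as a known weak key, so the empty-half case returns the well-known constant AAD3B435B51404EE directly instead of computing it.

```powershell
# Added example: LM hash as two independent 7-byte halves (not from the original thread).

function ConvertTo-DesKey {
    # Spread the 56 bits of a 7-byte half over 8 key bytes, leaving the low bit of each
    # byte for DES parity (the cipher ignores that bit).
    param([byte[]]$Seven)
    $k = New-Object byte[] 8
    $k[0] = [byte]( $Seven[0] -shr 1)
    $k[1] = [byte]((($Seven[0] -band 0x01) -shl 6) -bor ($Seven[1] -shr 2))
    $k[2] = [byte]((($Seven[1] -band 0x03) -shl 5) -bor ($Seven[2] -shr 3))
    $k[3] = [byte]((($Seven[2] -band 0x07) -shl 4) -bor ($Seven[3] -shr 4))
    $k[4] = [byte]((($Seven[3] -band 0x0F) -shl 3) -bor ($Seven[4] -shr 5))
    $k[5] = [byte]((($Seven[4] -band 0x1F) -shl 2) -bor ($Seven[5] -shr 6))
    $k[6] = [byte]((($Seven[5] -band 0x3F) -shl 1) -bor ($Seven[6] -shr 7))
    $k[7] = [byte]( $Seven[6] -band 0x7F)
    for ($i = 0; $i -lt 8; $i++) { $k[$i] = [byte](($k[$i] -shl 1) -band 0xFF) }
    return $k
}

function Get-LmHalf {
    # DES-ECB encrypt the magic constant "KGS!@#$%" with the half as the key.
    param([byte[]]$Seven)
    if (@($Seven -ne 0).Count -eq 0) {
        # Empty half: .NET rejects the resulting all-zero key as weak, but the value is
        # the well-known LM constant for a blank half, so return it directly.
        return [byte[]](0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE)
    }
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $magic = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')
    $enc = $des.CreateEncryptor([byte[]](ConvertTo-DesKey $Seven), (New-Object byte[] 8))
    return $enc.TransformFinalBlock($magic, 0, $magic.Length)
}

function Get-LmHash {
    # LM: uppercase, encode (ASCII here; real LM uses the OEM code page), truncate to 14
    # bytes, null-pad, split 7/7, hash each half on its own, concatenate.
    param([string]$Password)
    $raw = [System.Text.Encoding]::ASCII.GetBytes($Password.ToUpperInvariant())
    $buf = New-Object byte[] 14
    [Array]::Copy($raw, $buf, [Math]::Min($raw.Length, 14))
    $h = @(Get-LmHalf ($buf[0..6])) + @(Get-LmHalf ($buf[7..13]))
    return ($h | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Constructed sample passwords for the demonstration.
$short = Get-LmHash 'Secret1'      # 7 chars: second half is the blank-half constant
$long  = Get-LmHash 'Password123'  # 11 chars: second half covers only 'D123'
$other = Get-LmHash 'XXXXXXXD123'  # different first half, same last four characters

'{0}  {1}   Secret1'     -f $short.Substring(0, 16), $short.Substring(16)
'{0}  {1}   Password123' -f $long.Substring(0, 16),  $long.Substring(16)
'{0}  {1}   XXXXXXXD123' -f $other.Substring(0, 16), $other.Substring(16)
"Second halves of the two 11-char passwords match: $($long.Substring(16) -eq $other.Substring(16))"
"7-char password's second half is the blank constant:  $($short.Substring(16) -eq 'AAD3B435B51404EE')"
```

Both trailing checks print True. The practical consequence is the one the post describes: a cracker attacks each 16-hex-digit half separately, so the second half of a 9-character password is a two-character keyspace (uppercased), and a second half equal to AAD3B435B51404EE tells the attacker outright that the password is at most seven characters long.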

  9. #19
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by thehorse13:

    Not exactly. Depending on the OS (i.e. Windows), it may actually be *quicker* to crack a password that is longer than 7 characters. Sounds crazy, but it is true. The good folks at Foundstone have an excellent paper on this (and it appears in the Hacking Exposed series of books too).
    To sum it up, a program like L0phtCrack will split the hash into seven-character blocks and crack them separately. This may speed it up because it would be like playing a game of Wheel of Fortune: you may be able to guess the password by seeing one of the other blocks cracked. This is a weakness in the LANMAN hash implementation originally developed by IBM. Send your complaints to the boys in blue.

    True, but it only works on LANMAN hashes (which are deprecated), not on NTLM and NTLMv2 (and even less on Kerberos)... And yes, LANMAN hashes are still computed and stored by default in the SAM even on W2k and XP, but it is possible to disable the generation of these (don't remember the exact reg key, but it is possible...)

    Ammo
    Credit travels up, blame travels down -- The Boss

  10. #20
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,886
    And yes, lanman hashes are still computed and stored by default in the SAM even on W2k and XP but it is possible to disable the generation of these (don't remember the exact reg key, but it is possible...)
    Yep, indeed this is true. Just pointing it out because I see this enabled on 95% of the machines I look at.

    Here is the regkey:

    Function: Do Not Send LanMan Password
    Hive: HKEY_LOCAL_MACHINE
    Key: \System\CurrentControlSet\Control\Lsa
    Value: LMCompatibilityLevel
    Type: REG_DWORD
    Data: 0-5
    Benefit: This parameter specifies the type of authentication to be used when an NT client is authenticating to another machine. Setting this value to 4 or 5 may prevent Win9x clients from accessing server resources.
    Level 0: Send LM response and NTLM response; never use NTLMv2 session security (default).
    Level 1: Use NTLMv2 session security if negotiated.
    Level 2: Send NTLM authentication only. Never send LM authentication.
    Level 3: Send NTLMv2 authentication only.
    Level 4: DC refuses LM authentication.
    Level 5: DC refuses LM and NTLM authentication (accepts only NTLMv2).
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
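The registry setting above, as an added audit-and-remediation script that is not from the thread. One caveat a practitioner will want alongside the table: LMCompatibilityLevel controls which challenge responses a host sends over the network (and, on a domain controller, which it accepts); it does not by itself stop the LM hash from being computed and written to the SAM, which is what Ammo's post is about. That is governed by the separate NoLMHash DWORD under the same Lsa key, and it only applies to passwords set after the value is turned on, so hashes already stored remain until each account's next password change (passwords of 15 or more characters also produce no LM hash). The function names and the level descriptions in the hashtable are my own; the script assumes an elevated PowerShell session on the Windows host being checked.

```powershell
# Added example (not from the original thread): audit the two LSA values that matter
# and, optionally, set them. Run elevated on the host being checked.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel for the sending host / domain controller.
$LevelNames = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM responses; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; DC refuses LM'
    5 = 'Send NTLMv2 response only; DC refuses LM and NTLM'
}

function Get-LmPolicy {
    # Read both values; a missing value means the OS default applies
    # (LM hashes were stored by default on the 2000/XP-era systems in the thread).
    $p = Get-ItemProperty -Path $Lsa
    $level = $p.LmCompatibilityLevel
    $nolm  = $p.NoLMHash
    [pscustomobject]@{
        LmCompatibilityLevel = $level
        LevelMeaning         = if ($null -eq $level) { 'not set (OS default applies)' } else { $LevelNames[[int]$level] }
        NoLMHash             = $nolm
        LmHashMayBeStored    = ($nolm -ne 1)   # absent or 0: new passwords still get an LM hash
    }
}

function Set-LmPolicy {
    # Refuse LM (and, at level 5, NTLM) on the wire, and stop storing LM hashes.
    param([ValidateRange(0, 5)][int]$Level = 5)
    Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value $Level -Type DWord
    Set-ItemProperty -Path $Lsa -Name NoLMHash             -Value 1      -Type DWord
    Write-Warning 'NoLMHash applies to passwords changed from now on; LM hashes already in the SAM remain until each account changes its password.'
}

Get-LmPolicy | Format-List
# Set-LmPolicy -Level 5   # uncomment to enforce; check first for Win9x/legacy clients that cannot do NTLMv2
```

The LmHashMayBeStored field is the one to act on after reading the audit output: a level of 5 with NoLMHash still unset leaves the weak hash in the SAM for an attacker who dumps it locally, even though it is never sent over the network.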
