Hacker Passwords: Stronger than Yours? Uh, No

Brian Wood Blog

Like watching a movie about gangsters or members of a drug cartel, it's eerily fascinating to peer into the lives and behaviors of the bad guys.

Such is the gist of the article below regarding the strength (or not) of a bunch of hacker passwords.

Summary article by Paul Mah in FierceCIO; original post by Antonín Hýža in Avast.

Emphasis in red added by me.

Brian Wood, VP Marketing


Report: Even hackers use bad passwords

It appears that even the bad guys don’t make use of good passwords, according to a new study by a researcher at antivirus vendor Avast.

Curious about the average strength of passwords used by hackers, Antonín Hýža conducted an analysis by tapping into his company’s database of 40,000 samples of hackers’ malware such as backdoors, bots and shells.

For a start, it proved surprisingly easy to gain access to the passwords in the first place, with many of them stored in plain text or encoded in the easily cracked MD5 hashing algorithm. After recovering a sample of 1,601 passwords and 300 hashes, Hýža proceeded to conduct a detailed analysis of their length and complexity.

“I can tell that the average hackers’ password will be at a maximum six characters long, contain lower case letters and numbers and it’s derived from the English language,” wrote Hýža in a blog post detailing his findings. In fact, he concluded that most of the hackers’ passwords are even weaker than those used by “normal people”.

Ultimately, the study shows that the topic of weak passwords is not related to one’s computer savviness, but probably related to very human traits such as laziness and convenience. With this in mind, the solution could be to quit persuading users to come up with stronger passwords by themselves, but to mandate the use of a good password manager app, and rely completely on lengthy, randomly generated passwords.

But if you are using passwords anyway, do make use of numerals and uppercase letters, as well as special characters. In addition, a length of more than eight characters is also crucial, according to Hýža.



Are hackers’ passwords stronger than regular passwords?

Hackers use weak passwords just like the rest of us.

Nearly two thousand passwords used by hackers were leaked this week, when I tried to decode a PHP shell without knowing the key. Because I did not know the exact content of the encoded file and searching for the key could take me years, I chose a different approach. I decided to find out how strong passwords used by hackers are and create a dictionary. :)

Over the years of fighting malware, the avast! Virus Lab has gathered many samples of various back-doors, bots and shells. Some of them are protected with a password encoded in MD5, SHA1 or in plain text, so it was a good way to start. I looked at 40,000 samples of hackers’ passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes. I created statistics from those words, and here are my findings.

1. Passwords that nobody will guess

[Table: Percentage of characters used in hackers' passwords]

About 10% of the passwords were beyond normal capabilities of guessing or cracking. Of those, I found words as long as 75 characters, probably generated by a computer. Some of them were in long sentence form mixed with special characters, such as “lol dont try cracking 12 char+”. Too bad it was stored in plain text. ;)

There were also passwords that don’t use characters from an English keyboard. But there was still a 90% chance it could be a normal word, maybe with some number in it. No less than 9% of the passwords could be found in an English dictionary.

The table on the right shows which characters are used in hackers’ passwords. The first row means that 58% of passwords contained only lower-case alphabet characters a-z.

One password is not included in this table because I found this hash: d41d8cd98f00b204e9800998ecf8427e. It is a hash of “empty string.”

2. The average hacker password length is 6 characters

[Table: Most used password and characters]

The table on the right shows how long hackers’ passwords are. The average password length is 6 characters. There were only 52 passwords longer than 12 characters.

Generally, there are many variations of words from the IT field and English words, including names and whole sentences, but almost none of them contain uppercase letters. Some of the passwords are created as English words but using leet speak. This is a way of writing where you use numbers that look like letters. For example, A looks like 4, I looks like 1. Using leet speak a character with letters “o, i, e, a, s, t” are replaced with their equivalent 0, 1, 3, 4, 5, 7.

The table below shows the occurrence of lower-case alpha characters used in passwords. The most used character is the letter a, and the letters f, j, v, w, y, z are used very seldom. This is the largest set of characters, so the 38 occurrences of lower-case letter q still exceed the upper-case character set, where S has 28 occurrences. In the special character set, lower-case q is used almost as often as the most frequently used character, “.”, with a count of 42.

[Table: the occurrence of lower-case alpha characters used in hackers' passwords]

Upper-case letters and their occurrence are displayed in the next table. They are all very rarely used, and when they are, it is either the first letter in the password or the entire word is written in upper-case letters. Only a few passwords actually use a combination of both upper and lower case.

[Table: the occurrence of upper-case alpha characters used in hackers' passwords]

The next table shows which special characters are preferred by hackers and how much they use them to improve passwords. The first character in this table is a space, and it revealed one interesting thing: one or five spaces could be a pretty clever password, but not a very secure one, as it gets tested right from the beginning. Not all special characters are listed below, because , = ~ | [ ] were not used at all.

[Table: the occurrence of special characters used in hackers' passwords]

The last table on the right displays the occurrence of numerals. Numerals were used in almost 30% of passwords, so the table goes to quite large numbers. The most used numeral is 1 with 356 occurrences.
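The statistics in the tables above (character-class percentages, average length, per-letter frequency, the leet-speak substitutions, and the empty-string MD5) can be reproduced on any password list with a few lines of Python. The following is an added example, not code from the article or from Avast; the password list and the small word list are constructed for illustration and are not the Virus Lab data set.

```python
import hashlib
import string
from collections import Counter

# Constructed sample list for illustration; not the Avast data set.
SAMPLE_PASSWORDS = [
    "hack", "hack123", "r57", "c99", "password", "yourpass", "root",
    "h4ck3r", "p4ss", "Admin", "ROOT", "shell.1", "my_pass@1",
    "lol dont try cracking 12 char+", "     ",
]

# Small constructed word list standing in for an English dictionary.
WORDLIST = {"hack", "hacker", "pass", "password", "root", "shell", "admin"}

# Reverse of the leet substitutions the article lists: o i e a s t -> 0 1 3 4 5 7.
UNLEET = str.maketrans("013457", "oieast")

LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
LETTERS = set(string.ascii_letters)


def char_class(pw: str) -> str:
    """Bucket a password by the character sets it draws from (first row of the table: a-z only)."""
    chars = set(pw)
    if chars <= LOWER:
        return "lower only"
    if chars <= DIGITS:
        return "digits only"
    if chars <= LOWER | DIGITS:
        return "lower+digits"
    if chars <= LETTERS | DIGITS:
        return "letters+digits"
    return "with special chars"


def class_percentages(pws) -> dict:
    """Percentage of passwords in each bucket, rounded to one decimal."""
    counts = Counter(char_class(pw) for pw in pws)
    total = len(pws)
    return {label: round(100 * n / total, 1) for label, n in counts.items()}


def length_stats(pws) -> tuple:
    """Return (mean length, number of passwords longer than 12 characters)."""
    lengths = [len(pw) for pw in pws]
    return sum(lengths) / len(lengths), sum(1 for n in lengths if n > 12)


def lowercase_frequency(pws) -> Counter:
    """How often each lower-case letter appears across all passwords."""
    return Counter(ch for pw in pws for ch in pw if ch in LOWER)


def unleet(pw: str) -> str:
    """Undo the digit-for-letter substitutions so 'h4ck3r' reads 'hacker'."""
    return pw.translate(UNLEET)


def looks_like_dictionary_word(pw: str, wordlist=WORDLIST) -> bool:
    """True if the password, de-leeted and lower-cased, is a plain dictionary word."""
    return unleet(pw).lower() in wordlist


def is_empty_string_md5(digest: str) -> bool:
    """Check a hex digest against MD5 of the empty string (the hash the article found)."""
    return digest.lower() == hashlib.md5(b"").hexdigest()


if __name__ == "__main__":
    print(class_percentages(SAMPLE_PASSWORDS))
    print(length_stats(SAMPLE_PASSWORDS))
    print(lowercase_frequency(SAMPLE_PASSWORDS).most_common(5))
    for pw in ("h4ck3r", "p4ss", "r57"):
        print(pw, "->", unleet(pw), looks_like_dictionary_word(pw))
    print(is_empty_string_md5("d41d8cd98f00b204e9800998ecf8427e"))
```

The de-leeting step is the part worth copying into a password-policy check: a password that becomes a dictionary word once digits are mapped back to letters offers no more resistance than the word itself, and the empty-string MD5 check catches an authentication gate that accepts no password at all.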

By now, you may be wondering which password hackers use the most. There were lots of variations of the words pass and root, and hax was also used many times, but if I omit one common 4-letter word, the most frequently used word in this dictionary is hack. It is worth mentioning that many PHP shells I analysed had only default passwords like r57, c99, password or yourpass.

When I compare all findings from the graphs above, I can tell that the average hackers’ password will be at a maximum six characters long, contain lower case letters and numbers and it’s derived from the English language. That was not as hard as I expected, and most hackers’ passwords are even weaker than those that normal people use, as you can find in this article for example. But what if I stumble on a hacker who actually uses a strong password and cares about security? Then I need to have a character set with special characters, but as small as possible so a brute force attack will take only days instead of months.


Best character set for cracking hackers’ passwords

If I use only the previous statistics, I can make up two character sets that should hit most passwords used in various shells and bots. When the dictionary fails, there are not many ways to continue, but there is always brute force.

1) acdehiklmnorstu01234579!-.@_ (28 characters)

2) acdehiklmnorstubgpxyw0123456789!-.@_#$+*{space} (41 characters)

They are not as small as I want them to be, but it is not so important, since every time I needed to crack a password for a shell by force, it had only 6 or 7 characters and it was quick.
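The reason a 6- or 7-character password over a 28- or 41-character set falls quickly, and why the earlier advice that length beyond eight characters matters more than anything else holds, is plain keyspace arithmetic. The example below, added here and not part of the article, computes the keyspace and entropy for the two character sets the article proposes (copied from the text) beside a lower-case-only and a full-printable alphabet; the password shapes being compared are the example's own choices.

```python
import math

# The two character sets proposed in the article, copied from the text.
SET_SMALL = "acdehiklmnorstu01234579!-.@_"              # 28 characters
SET_LARGE = "acdehiklmnorstubgpxyw0123456789!-.@_#$+* "  # 41 characters, incl. space
FULL_LOWER = 26      # a-z only
FULL_PRINTABLE = 95  # all printable ASCII


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def exhaustive_guesses(alphabet_size: int, max_length: int) -> int:
    """Guesses needed to exhaust every length from 1 up to max_length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def compare(cases):
    """Return (label, keyspace, bits) rows sorted from weakest to strongest."""
    rows = [(label, keyspace(n, length), round(entropy_bits(n, length), 1))
            for label, n, length in cases]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    assert len(SET_SMALL) == 28 and len(SET_LARGE) == 41
    cases = [
        ("6 chars, 28-char set", 28, 6),
        ("7 chars, 41-char set", 41, 7),
        ("8 chars, full printable", FULL_PRINTABLE, 8),
        ("12 chars, lower-case only", FULL_LOWER, 12),
        ("16 chars, full printable", FULL_PRINTABLE, 16),
    ]
    for label, space, bits in compare(cases):
        print(f"{label:28s} {space:>26,d}  {bits:6.1f} bits")
```

The sorted output makes the point from the defender's side: a 12-character password built from lower-case letters alone outranks a 7-character one drawn from the richer 41-character set, so a policy that demands symbols but tolerates short passwords buys less than one that demands length.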

For malware researchers interested in the dictionary described in this article, please write me from a trusted email address to hyza at avast dot com and get your free copy today.