User Password Creation

The general theme this year was users forced to change their passwords over time with stricter policies being enforced for each change. Nevertheless, the users continued making poor decisions about password choice. For all of these users' passwords, cracking their oldest/weakest history entries would reveal hints about their more recent passwords. Some iterated over previous passwords, making incremental adjustments. Others used new passwords or phrases, but with similar inspiration or source material. They also attended security awareness training courses in big groups, so lots of them made similar decisions about how to l33t5p34k up their passwords.
Some other accounts had randomly generated passwords, but with the plaintexts stored in other account attributes in Active Directory, because admins and developers can make bad decisions too. This has been seen in the "wild" where the information was leaked via LDAP queries against the domain.
Here is a breakdown of themes, the percentage of all passwords of that type that were cracked by any Pro team, and the percentage of history0 (the current, and hardest) iteration of those passwords cracked by any Pro teams:
| Idea | Overall Pro Cracks | history0 Cracks | Description |
|---|---|---|---|
| Numbers | 99.9% | 100% | Mix of digits and written-out numbers. Examples of a single user's passwords with increasing difficulty: `eightsix`, `22fiftynine`, `Fortytw2`, `Twelve1992?`, `Fortyeight1990_`, `Hundredthirty1990(`, `Fiftythousand2010_` |
| Games | 82.2% | 58.3% | Words related to various (mostly video) games. A certain .rules file was used to generate manipulations. Example: `iaraamed`, `WFortnite`, `FIFA_180l`, `2.Family!`, `Cruis:nU0A928`, `Dance_Ae098obics`, `30TheWonde!ful101` |
| DEFCON | 95.8% | 88.3% | Words related to us going to Vegas for an event. Example source words: Defcon, Paris, LasVegas, Password, Nevada, KoreLogic, etc. |
| Months | 100% | 100% | Users love using months in their passwords. Example passwords from a single user: `moctay`, `530AuGust`, `38JuLy05`, `June%7992`, `fEBrUary^7837`, `1992September`, `DecEMber*8073` |
| Names | 99.9% | 99.7% | A corpus of variations of names. The source name list was pulled from real data. Most of the manipulation involved either prepending or appending special characters and numbers. |
| Latin America | 96.8% | 98.2% | Latin American place names, with relatively simple manipulations. Examples: `currency`, `Leiva2021`, `RiodeJan#4`, `Ecatepec2021#`, `M@iqueti@19##`, `M@drid202188$`, `#Oporapa20212` |
| Doubles | 99.6% | 99.4% | Simple word, then mutated, then doubled. Or, simple word, doubled, then manipulated. Example of a single user's passwords: `cester`, `retsehcP`, `1Chester`, `Chester2021#`, `@1Chester@1Chester`, `1ChesterChester@`, `2011Chesterchester!` |
| Zack Ulloa generated (KoreLogic intern) | 100% | 100% | Simple words that are manipulated using rules and the current year (21!). Example of a single user's passwords: `excruciating`, `excruciating21`, `Excruciating21!`, `eXCRuCiaTiNG21!`, `Excruc1at1ng21!`, `Excruc1at1ng21!#!`, `_!Excruc1!at1ng21!` |
| Mexico | 88.6% | 98.0% | Place names in Mexico. The users change their locations for each password change. Simple numbers appended to the end of each location. |
| Training | 100% | 100% | Random plains, stuck in the users' Description field in AD. |
| Webpage | 0% | 0% | Random plains, stuck in the users' Webpage field in AD. The "webpage" or "homepage" field in AD should have been visible via LDAP dumps, or NTDS.dit extraction. Example command when the users were added: `dsadd user cn=website-18475,CN=Users,dc=crackmeifyoucan,dc=com -samid website-18475 -mustchpwd no -webpg https://18475:8jmD3o612mDRdaTy@www.crackmeifyoucan.com/ -pwd 8jmD3o612mDRdaTy` |
| CMIYC2011 | 94.4% | 87.9% | Previously-published plaintexts from CMIYC 2011. This list contained all the BonJovi and Obsessiveness plains. |
| MyHeritage | 99.9% | 100% | Cracked passwords from the recent MyHeritage data breach. |
| Song Lyrics | 68.2% | 8.0% | An artist/band name, short quotes from one work, then shuffled words. Example user: `Garcia1`, `"Jerry Garcia1"`, `shine2`, `"sun will shine1"`, `"shine in my1"`, `"door my shine day one will"`, `"d00r my 5h1n3 d4y 0n3 w1!!"` |
| Ferengi RoA | 85.1% | 0% | Rules of Acquisition number, then quoted, then shuffled words. Example user: `266.`, `"Rule #266."`, `doubt,`, `"When in doubt,1"`, `"doubt, lie.1"`, `"When lie. in doubt,"`, `"WhEn 1:E. :n d.ub%,"` |
| King James Bible | 96.0% | 86.5% | Book of the KJB, then add chapter:verse, then quoted/shuffled words. Examples: `Chronicles1`, `"Chronicles 2:51"`, `"Bethgader"`, `"father of Bethgader."`, `"the of Hareph Salma father"`, `"t53 0f H@r3p5 S@lm@ f@t53r"` |
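The defensive counterpart to what the table shows (a user's newer passwords being mutations of older history entries) is a password-change check that compares a candidate against the account's history after undoing the mutations. The following is an added example, not KoreLogic's contest code: it strips affixes, reverses common l33t substitutions, collapses doubled words and then looks for a long shared run of letters, optionally against the reversed old password. The l33t map, the `min_run`/`ratio` thresholds and the sample histories are assumptions chosen to fit the plaintexts in the table.

```python
import re
from typing import List, Optional

# Assumption: a small illustrative l33t map covering the substitutions seen in the
# contest plaintexts (0->o 1->i 3->e 4->a 5->s 7->t @->a $->s); not exhaustive.
LEET = str.maketrans("013457@$", "oieastas")


def core(password: str) -> str:
    """Letters-only core of a password: drop leading/trailing digits and symbols,
    undo common l33t substitutions, lowercase, drop what is left that is not a
    letter, and collapse a doubled word (e.g. '2011Chesterchester!' -> 'chester')."""
    s = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    s = re.sub(r"[^a-z]", "", s.translate(LEET).lower())
    half = len(s) // 2
    if len(s) >= 8 and s[:half] == s[half:]:
        s = s[:half]
    return s


def common_run(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (O(len(a)*len(b)) DP)."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def find_source(candidate: str, history: List[str],
                min_run: int = 4, ratio: float = 0.6) -> Optional[str]:
    """Return the first history entry the candidate appears derived from, else None.
    'Derived' means the two cores (or the old core reversed) share a run of at
    least min_run letters that also covers at least `ratio` of the shorter core."""
    new = core(candidate)
    for old in history:
        old_core = core(old)
        shorter = min(len(new), len(old_core))
        if shorter < min_run:
            continue
        for variant in (old_core, old_core[::-1]):
            if common_run(new, variant) >= max(min_run, ratio * shorter):
                return old
    return None
```

The check catches character-level mutation only: themed but unrelated choices such as `eightsix` followed by `22fiftynine`, and the word-shuffled lyric and scripture passwords, need a word-level comparison this example does not attempt.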
User-Idea Mappings

Here are mappings from individual users to which source they used for inspiration:

Cracked Hashes

All of the hashes, and their plaintexts, that were successfully cracked by at least one Pro team, and by at least one Street team:

UnCracked Hashes

All of the hashes that were not cracked by any Pro team, or by any Street team: