Skip to main content

Munging Passwords

Password munging is the art of changing a word that is easy to remember until it becomes a strong password. This is how most people make up passwords.

Munge stands for Modify Until Not Guessed Easily.

The trouble is that it doesn't work very well. We can guess the modifications.

Password selection.

Take the average office worker that is told that it's time to change their password and come up with a new one. They have just been on holiday to New York with their family and so following common advice they choose that as their password.


No! They are told they must include capital letters


No! They are told they must include numbers


No! They are told they must include a special character


There, now that's a password that meets security requirements and our office worker can get on with their actual job instead of playing with passwords.

Scripting similar munges

There are a number of ways that they could munge their password but the vast majority are fairly predictable: l33t sp33k, CamelCasing, adding numbers to the end of the Password12 and favorite special characters!$

I have put together a python script which runs through 200-300 munges and put it up on github here.

How well does it work?

Pretty well.

As an example that you can repeat, I used the corncob dictionary as my starting point. It contains 58110 words. After munging that dictionary explodes to about 11.6 million words. That's about 200 times bigger.

./ -l 9 -i corncob_lowercase.txt -o munged_wordlist.txt

For my test I've used the rockyou list of 14.3 million passwords. Using our dictionary list alone we would crack 300 of those passwords, but after munging our dictionary and attacking the rockyou list again that rockets up to 141496 cracked passwords.

Our hit rate is over 470 times better. Not a bad return on investment.

What's the downside?

Well there is no escaping from the fact that our word list after munging is 200 times bigger and is going to take 200 times as long to complete... but we did crack 470 times more passwords.

Further optimizations.

Passing the munged password list through some sort of regular expression to match company password policies is a must. I'll write an article on that some time...


Popular posts from this blog

Snagging creds with Raspberry Pi Zero and Responder

So this is not all my own original work. This is a bringing together of the ethernet gadget tutorial by lady ada at adafruit and the beautiful work by Mubix at room362 which uses Laurent Gaffie's from SpiderLabs scripts.

I'm still using Mubix's recipe of USB Ethernet + DHCP + Responder == Creds but here we are using a £4.00 Raspberry Pi Zero instead of the USB armoury or the HAK5 LAN turtle. Both are awesome products.

Please note that this only works on the RPi Zero. Other RPi's will not work!

1.0 Setup the the RPi Zero for Ethernet over USB
Download and install the latest Jessie Lite from here onto an SD Card.

Pop the card out of the card reader and re-insert it to mount it. Take your favorite text editor and edit the following two files in the boot partition.

config.txt Go to the bottom and adddtoverlay=dwc2as the last line:

Save the config.txt file.

cmdline.txt After rootwait (the last word on the first line) add a space and then modules-load=dwc2,g_ether

Wiggling your pointer with a Mouse Jiggler

What is a Mouse Jiggler? A mouse jiggler basically simulates physical movement of your mouse to prevent the computer from going to sleep, the screensaver from starting or the screen from turning off. They can also be handy if someone measures the idle time on your computer and you need to look busy, just saying.

Law enforcement use them to stop laptops and servers from going to sleep when making "lights on" arrests. This is especially important to avoid losing hard drive encryption keys. They have also been used by companies wishing to maintain access to machines that they dont have the password for when employees leave.

If the machine is awake, we can keep it that way with a mouse jiggler.

There are basically two kinds, hardware and software. Hardware devices retail for $20-$40 but you can make your own for less than $6.

All you need is some kind of ATMEGA32U4 arduino device. A quick check on ebay/amazon will reveal dozens of devices in all different form factors. Personal…