Password munging is the art of changing a word that is easy to remember until it passes as a strong password. This is how most people make up passwords.
Munge stands for Modify Until Not Guessed Easily.
The trouble is that it doesn't work very well. We can guess the modifications.
Password selection.
Take the average office worker who is told that it's time to change their password and come up with a new one. They have just been on holiday to New York with their family and so, following the common advice to pick something memorable, they choose that as their password.
newyork
No! They are told they must include capital letters
NewYork
No! They are told they must include numbers
N3wY0rk
No! They are told they must include a special character
N3wY0rk!
There, now that's a password that meets security requirements and our office worker can get on with their actual job instead of playing with passwords.
Scripting similar munges
There are a number of ways that they could munge their password, but the vast majority are fairly predictable: l33t sp33k, CamelCasing, adding numbers to the end (Password12) and a couple of favourite special characters (! and $).
I have put together a Python script which runs through 200-300 munges and put it up on GitHub.
How well does it work?
Pretty well.
As an example that you can repeat, I used the corncob dictionary as my starting point. It contains 58,110 words. After munging, that dictionary explodes to about 11.6 million candidates, roughly 200 times bigger.
./munge.py -l 9 -i corncob_lowercase.txt -o munged_wordlist.txt
For my test I've used the rockyou list of 14.3 million passwords. Using the dictionary alone we would crack 300 of those passwords, but after munging the dictionary and attacking the rockyou list again that rockets up to 141,496 cracked passwords.
Our hit rate is over 470 times better (141,496 / 300 is about 472). Not a bad return on investment.
What's the downside?
Well, there is no escaping the fact that the munged word list is 200 times bigger and is going to take about 200 times as long to run... but it cracked 470 times more passwords, so every candidate we try is still more than twice as productive as a plain dictionary word (300 / 58,110 versus 141,496 / 11.6 million).
Further optimizations.
Passing the munged list through some sort of regular expression that matches the target company's password policy is a must: a candidate the policy would have rejected could never have been chosen, so testing it is wasted time. I'll write an article on that some time...
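As an added example of that policy filter (my own code, not from the post), the policy is expressed as one regular expression built from lookahead assertions, so a single fullmatch decides each line and the munged file can be streamed through it line by line. The policy parameters and the candidate list below are assumptions for the example; the point is that a "capitals, numbers and a special character, at least 8 characters" policy throws away most of a munged list before any cracking starts.

```python
import re

# Constructed sample of munged candidates, the kind of lines munge.py would emit.
CANDIDATES = [
    "newyork", "NewYork", "N3wY0rk", "N3wY0rk!",
    "Password1", "Summer2023!", "summer!", "S0ccer12",
]


def policy_regex(min_len=8, max_len=64, upper=True, lower=False, digit=True, special=True):
    """Compile a password policy into one regex.

    Each required character class becomes a lookahead, so the classes may appear
    in any order; the trailing .{min,max} enforces the length. Use fullmatch().
    """
    lookaheads = []
    if upper:
        lookaheads.append(r"(?=.*[A-Z])")
    if lower:
        lookaheads.append(r"(?=.*[a-z])")
    if digit:
        lookaheads.append(r"(?=.*[0-9])")
    if special:
        lookaheads.append(r"(?=.*[^A-Za-z0-9])")
    return re.compile("".join(lookaheads) + r".{%d,%d}" % (min_len, max_len))


def filter_lines(lines, policy):
    """Yield only the candidates that the policy would have accepted.

    Works on any iterable of strings, so it can take an open wordlist file
    directly (one candidate per line) without loading it all into memory.
    """
    for line in lines:
        candidate = line.rstrip("\r\n")
        if policy.fullmatch(candidate):
            yield candidate


def filter_wordlist(words, policy):
    """List form of filter_lines for small in-memory lists."""
    return list(filter_lines(words, policy))


if __name__ == "__main__":
    policy = policy_regex()  # capitals, digits, a special character, 8-64 chars
    kept = filter_wordlist(CANDIDATES, policy)
    print(f"{len(kept)} of {len(CANDIDATES)} candidates survive the policy: {kept}")
```

On the constructed list only N3wY0rk! and Summer2023! survive that policy; the rest never need to be hashed. With a real munged file you would pass `open("munged_wordlist.txt")` to filter_lines and write the survivors out as the list you actually attack with. Check the target's real policy first: many only require three of the four character classes, and that case needs a different expression than the all-classes one built here.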