Zeroday Passwords.
Published on: 1194383297 (Unix timestamp; 6 November 2007, UTC)
Okay, I admit: I did something that hasn't been done before.
Those of you who signed up over the last few days joined my funny little secret experiment. Confused already? Let me explain what I mean. I constructed a splash page saying that this webzine is going underground, because of this and that and the other. This was to trigger people to sign up at my website. I asked for your name, company name, email, username and password. The reason I did that was that I always wanted to launch a hacking contest, but as Gareth Heyes once told me: "The best hacker contest is based upon real life flaws." And that is exactly what I planned here. No, not to hack this site, but to phish for your passwords. Just a moment ago, when the number of users reached 400, I decided to tell you what I was up to. I learned some interesting facts from this experiment.
Here are my findings:
I am pretty stunned by the fact that people sign up within a blink, using passwords that are weak (and probably used for other accounts as well) and, one of the biggest sins, trusting me.
Obviously most of those signing up assumed I would just hash the password and store it. I did that, but I also sent a clear-text copy to an email address to analyze them. This is exactly how security works: in security you cannot trust anything or anyone. This setup could be deployed anywhere, and there is no way for you to know whether the passwords are hashed or not, or whether they are being collected by hackers who build elite password lists. When analyzing these passwords, I found that most are too hard to memorize for a disposable account like this webzine. Some combinations of passwords were used for easy memorizing, which led to a small conclusion: some passwords are being re-used. If there is another sin in security, it is the re-use of passwords.
A few readers didn't trust it, for very good reasons of course. I got about 400 or so sign-ups, ranging from large international corporations, banks, browser vendors, black hats, other hackers, security people and students. The shortest password was 5 characters long without any numbers. Such a password can be brute forced in seconds. Some used birth dates, and others used names of females or girlfriends. Another group used common, easily brute-forced dictionary passwords. The longest passwords ranged from 16 to 32 characters with a lot of different characters used. Roughly 20% used pass phrases and about 10% used very, very strong passwords.
Lastly: a password can give a clue to how someone thinks; often it's possible to deduce a certain pattern from it. If someone uses girlname20, it is likely he will use the same method for other passwords, maybe only changing the digits. Or he uses phrases like football1 or h4ck3r1. Those can indicate that all his passwords are probably guessable to some degree.
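A defender-side check in the spirit of these observations, added here as an example and not code from the post's author: it buckets candidate passwords into the categories the post names (short with no digits, birth date, dictionary word with a digit suffix, passphrase, very strong), so a sign-up form can warn before accepting one, and tallies their share the way the post reports rough percentages. The sample passwords and the tiny wordlist are constructed for the example; a real deployment would load a full wordlist.

```python
import re
from collections import Counter

# Constructed sample passwords for the example (not the ones the post collected).
SAMPLE = ["sarah20", "football1", "h4ck3r1", "qwert", "19850312", "password",
          "letmein", "correct horse battery staple", "g7$Kp2!vQx9#LmZ4wRt8",
          "Tr0ub4dor&3"]

# Tiny stand-in wordlist (assumption: a deployment loads a real one).
DICTIONARY = {"password", "letmein", "football", "hacker", "qwerty", "sarah"}
# Undo the common leetspeak substitutions so h4ck3r is looked up as hacker.
LEET = str.maketrans("4310$@", "aeiosa")

def classify(pw: str) -> str:
    """Bucket a password into the pattern categories described in the post."""
    lower = pw.lower()
    # Eight digits in a date-like layout: 19850312, 12-03-1985, ...
    if re.fullmatch(r"(19|20)\d{6}|\d{2}[-/.]?\d{2}[-/.]?\d{4}", pw):
        return "birth date"
    # Split off a 1-4 digit suffix (girlname20, football1) before the lookup.
    m = re.fullmatch(r"(.+?)(\d{1,4})", lower)
    stem = (m.group(1) if m else lower).translate(LEET)
    if stem in DICTIONARY:
        return "dictionary word + digits" if m else "dictionary word"
    if len(pw) < 8 and not any(c.isdigit() for c in pw):
        return "short, no digits"          # the 5-character case from the post
    if " " in pw.strip() and len(pw) >= 16:
        return "passphrase"
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if len(pw) >= 16 and classes >= 3:
        return "very strong"
    return "other"

def breakdown(passwords):
    """Percentage of submissions per category, rounded to whole numbers."""
    counts = Counter(classify(p) for p in passwords)
    return {k: round(100 * v / len(passwords)) for k, v in counts.items()}

if __name__ == "__main__":
    for category, share in sorted(breakdown(SAMPLE).items()):
        print(f"{share:3d}%  {category}")
```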
Conclusion:
A very rough guess is that 30% of all passwords submitted are clearly