As part of its Penetration Testing services, the CDW Security Assessment team analyzes passwords – A LOT of passwords. Whenever we are able to obtain administrator privileges through our testing, which is most of the time on internal assessments, we perform an analysis of password security. We start the process by “dumping” the encrypted passwords from Active Directory, and then running them through tools like oclHashCat.
Recently, one of the security assessment team members, David Reflexia, aggregated the results from nearly a thousand password files spanning more than two hundred separate customers, with many thousands of unique passwords, and found some interesting results. Looking at just the top 100 passwords, there are some useful lessons to learn.
Using the season and the year continues to be a popular choice. This is likely because many users are required to change their passwords quarterly, which lines up neatly with the four seasons. In any sufficiently large user population, you are very likely to find someone who takes this approach. Among the most popular are those formatted as the capitalized season followed by the full year, such as Summer2014 (3,930 occurrences). Also popular was the same pattern with a two-digit year, such as Summer14 (6,126 occurrences). Note that only one of these variations (for example, fall15) falls short of the default Windows minimum password length of seven characters.
Also popular are variations on the word password. David found no fewer than 21,328 instances of the password “password”. Also popular was the capitalized version with a one- to three-digit number appended, such as Password123 (19,472 instances). Last but not least, we see the perennial trick of “leet speak” vowel substitution, which hasn’t been a fresh idea for at least fifteen years. Vowel substitution replaces a letter such as O with a zero or an @ sign. David found 12,134 passwords formatted this way.
Finally, rounding out the top 100 were initial user passwords and help desk passwords. David found 34,147 passwords containing a variation on the word welcome, with Welcome1 topping the list at 22,538 instances. I don’t know about new employees, but it certainly makes penetration testers and hackers feel welcome! Thank you very much! Not to be forgotten are the variations on help desk: 4,105 passwords were based on the word helpdesk, with good old helpdesk itself accounting for 1,629 occurrences.
None of this information is new to hackers. This is the low-hanging fruit of hacking. It is far easier to attack a system through user carelessness than through vulnerabilities such as unpatched web servers. The take-away is that a wise network administrator will explicitly ban words such as the season names, welcome and helpdesk in the password policy. This may be painful, and may even require a third-party product, but it is well worth the effort. It is also a very good idea to test the security of your own passwords, either by cracking them yourself or by having a penetration test performed that includes this service in its scope.
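As an added example (not the CDW team’s tooling), here is a small Python audit that flags the families described above in a list of cracked passwords, the kind of check an administrator could run over their own cracking results. The leet map, the stem/suffix split and the sample list are my assumptions, and the sample is constructed rather than real customer data.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Assumed leet map: undoes the substitutions the post describes (O -> 0 or @)
# plus other common ones, so "P@ssw0rd" normalizes to "password".
LEET = str.maketrans({"0": "o", "@": "a", "4": "a", "3": "e", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
BANNED_WORDS = ("password", "welcome", "helpdesk")   # words the post says to ban
MIN_LENGTH = 7                                        # default Windows minimum

# Split a password into a word stem and a trailing run of digits/symbols,
# e.g. "Summer2014" -> ("summer", "2014"), "Password123!" -> ("password", "123!").
_SPLIT = re.compile(r"(.*?)([0-9!@#$%^&*.]*)")

def classify(password: str) -> Optional[str]:
    """Return the weak-pattern family a cracked password belongs to, or None."""
    stem, suffix = _SPLIT.fullmatch(password.lower()).groups()
    word = stem.translate(LEET)                     # "p@ssw0rd" -> "password"
    digits = re.sub(r"\D", "", suffix)
    if word in SEASONS and len(digits) in (2, 4):   # Summer14, Summer2014, fall15
        return "season+year"
    for banned in BANNED_WORDS:                     # password, Password123, Welcome1, helpdesk
        if banned in word:
            return banned
    return None

def audit(passwords: Iterable[str]) -> Counter:
    """Count cracked passwords per weak family, plus those under the length minimum."""
    counts: Counter = Counter()
    for pw in passwords:
        family = classify(pw)
        if family:
            counts[family] += 1
        if len(pw) < MIN_LENGTH:
            counts["below-min-length"] += 1
    return counts

# Constructed sample standing in for a cracked-password list; not real customer data.
SAMPLE_CRACKED = [
    "Summer2014", "Summer14", "fall15", "password", "Password123", "P@ssw0rd",
    "Welcome1", "helpdesk", "Helpdesk2016", "Tr0ub4dor&3", "correct horse battery staple",
]

if __name__ == "__main__":
    for family, n in audit(SAMPLE_CRACKED).most_common():
        print(f"{family:17} {n}")
```

Feed it the plaintext column of your own cracking output instead of the sample list; anything that lands in a named family is a candidate for the banned-word list in your policy.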
There is plenty more interesting information to be gleaned from this new research. If there is interest, email me or leave a comment below, and I can write more about the most statistically likely password length and non-alpha character usage.