Analyzing Passwords for Patterns and Complexity

Digininja’s site has an interesting password analyzing program called “Pipal”. The program takes a list of passwords and returns the top passwords used, a graph showing password lengths, dates used and a ton of other information.

In this demonstration, I used a list of leaked sanitized passwords (a password dump from a real site with account names and e-mail addresses removed) from SkullSecurity.

Simply download Pipal, provide it a password list and sit back and watch it go. This list of about 9,000 Hotmail passwords took only a few seconds. Larger lists could take significantly longer; one Digininja analyzed with millions of passwords took about 24 hours!

Let’s look at some of the more interesting data returned from Pipal. Here is a list of the top ten base words:

Top 10 base words
angel = 10 (0.11%)
beto = 9 (0.1%)
diciembre = 7 (0.08%)
abril = 6 (0.07%)
amor = 5 (0.06%)
acuario = 5 (0.06%)
junio = 5 (0.06%)
daniel = 5 (0.06%)
alex = 5 (0.06%)
beatriz = 5 (0.06%)

This is obviously a dump from a Spanish speaking country, but you will notice the prefix “angel” was used 10 times, and a lot of users’ passwords started with a name or a month.

How long was the average password?

Password length (count ordered)
6 = 1823 (20.41%)
8 = 1769 (19.81%)
7 = 1306 (14.62%)
9 = 1098 (12.3%)
10 = 773 (8.66%)
11 = 565 (6.33%)
12 = 406 (4.55%)
13 = 285 (3.19%)
14 = 216 (2.42%)
16 = 178 (1.99%)
5 = 175 (1.96%)
15 = 158 (1.77%)
17 = 59 (0.66%)
4 = 37 (0.41%)
18 = 19 (0.21%)
20 = 16 (0.18%)
21 = 13 (0.15%)
22 = 9 (0.1%)
2 = 9 (0.1%)
19 = 8 (0.09%)
3 = 7 (0.08%)
1 = 5 (0.06%)
24 = 5 (0.06%)
23 = 4 (0.04%)
27 = 4 (0.04%)

Looks like 6 characters is the winner, followed closely by 8. I am actually surprised by the number of people who used 20+ character passwords. But as this is from a website password dump, it apparently didn’t do them any good…

Okay, how about complexity – how strong were the passwords:

Password Strength:
Only lowercase alpha = 3716 (41.61%)
Only uppercase alpha = 197 (2.21%)
Only alpha = 3913 (43.82%)
Only numeric = 1654 (18.52%)

First capital last symbol = 23 (0.26%)
First capital last number = 240 (2.69%)

Ouch, looks like a good chunk of them were simple passwords.

Okay, what about dates, did any of the passwords have a date in them?

Months
march = 2 (0.02%)
may = 18 (0.2%)
june = 1 (0.01%)
july = 1 (0.01%)
august = 1 (0.01%)
october = 1 (0.01%)

Days
None found

Months (Abreviated)
jan = 15 (0.17%)
feb = 8 (0.09%)
mar = 184 (2.06%)
apr = 8 (0.09%)
may = 18 (0.2%)
jun = 17 (0.19%)
jul = 19 (0.21%)
aug = 2 (0.02%)
sept = 4 (0.04%)
oct = 14 (0.16%)
nov = 21 (0.24%)
dec = 7 (0.08%)

Days (Abreviated)
mon = 61 (0.68%)
wed = 1 (0.01%)
fri = 14 (0.16%)
sat = 11 (0.12%)
sun = 13 (0.15%)

Years (Top 10)
2008 = 38 (0.43%)
1985 = 30 (0.34%)
2006 = 27 (0.3%)
1983 = 26 (0.29%)
1980 = 26 (0.29%)
2007 = 25 (0.28%)
1987 = 24 (0.27%)
1984 = 23 (0.26%)
1979 = 22 (0.25%)
1981 = 21 (0.24%)

Pipal provides a lot more information than what was provided here, but I think this gives you a good idea of what it can do.
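To show what the four kinds of statistics above actually involve, here is a small Ruby script (added for this write-up; it is not Pipal’s own code and not from the post’s author) that computes top base words, the length distribution, the character-class “strength” buckets and month/day/year hits over a constructed sample list. The base-word rule used here, the leading alphabetic run lowercased, is an assumption about how Pipal defines it; the real tool’s heuristics are more elaborate. The file name `passwords.txt` in the usage note is also just a placeholder.

```ruby
# Pipal-style password list analysis (added example, not Pipal's code).
# Input: one password per line. The sample below is constructed for the demo.

SAMPLE_PASSWORDS = %w[
  angel123 Angel2008 beto beto1985 diciembre abril07 123456
  password PASSWORD Amor! mar2008 monday1 Daniel1983
  alex alex alex junio12 qwerty 1979
].freeze

MONTHS = %w[january february march april may june july august
            september october november december].freeze
MONTHS_ABBR = %w[jan feb mar apr may jun jul aug sept oct nov dec].freeze
DAYS_ABBR = %w[mon tue wed thu fri sat sun].freeze

# Read a password list from disk, one entry per line, skipping blanks.
def load_passwords(path)
  File.readlines(path, chomp: true).reject(&:empty?)
end

# "Base word": leading alphabetic run, lowercased (assumed definition).
# Returns nil for passwords that do not start with a letter, e.g. "123456".
def base_word(password)
  m = password.match(/\A[a-zA-Z]+/)
  m ? m[0].downcase : nil
end

# Count each distinct value; return [value, count] pairs, highest count first,
# ties broken by the value's string form so the order is deterministic.
def top_counts(values, limit = 10)
  counts = Hash.new(0)
  values.each { |v| counts[v] += 1 unless v.nil? }
  counts.sort_by { |v, c| [-c, v.to_s] }.first(limit)
end

def top_base_words(passwords, limit = 10)
  top_counts(passwords.map { |p| base_word(p) }, limit)
end

# Length histogram, count ordered like Pipal's "Password length" block.
def length_distribution(passwords)
  top_counts(passwords.map(&:length), passwords.size)
end

# Character-class buckets matching the labels in Pipal's "Password Strength" block.
# "Only alpha" deliberately overlaps the lowercase and uppercase buckets.
def strength_categories(passwords)
  {
    "Only lowercase alpha"      => passwords.count { |p| p.match?(/\A[a-z]+\z/) },
    "Only uppercase alpha"      => passwords.count { |p| p.match?(/\A[A-Z]+\z/) },
    "Only alpha"                => passwords.count { |p| p.match?(/\A[a-zA-Z]+\z/) },
    "Only numeric"              => passwords.count { |p| p.match?(/\A[0-9]+\z/) },
    "First capital last symbol" => passwords.count { |p| p.match?(/\A[A-Z].*[^a-zA-Z0-9]\z/) },
    "First capital last number" => passwords.count { |p| p.match?(/\A[A-Z].*[0-9]\z/) },
  }
end

# Month/day/year hits. Month and day names are matched as case-insensitive
# substrings; years are any 19xx/20xx run of four digits.
def date_hits(passwords)
  lower = passwords.map(&:downcase)
  hits = ->(words) { words.map { |w| [w, lower.count { |p| p.include?(w) }] }.reject { |_, c| c.zero? } }
  {
    months:      hits.call(MONTHS),
    months_abbr: hits.call(MONTHS_ABBR),
    days_abbr:   hits.call(DAYS_ABBR),
    years:       top_counts(passwords.flat_map { |p| p.scan(/(?:19|20)\d\d/) }),
  }
end

def percent(count, total)
  format("%.2f%%", 100.0 * count / total)
end

# Render the statistics in the same "value = count (percent)" layout Pipal uses.
def report(passwords)
  total = passwords.size
  lines = ["Top 10 base words"]
  top_base_words(passwords).each { |w, c| lines << "#{w} = #{c} (#{percent(c, total)})" }
  lines << "" << "Password length (count ordered)"
  length_distribution(passwords).each { |l, c| lines << "#{l} = #{c} (#{percent(c, total)})" }
  lines << "" << "Password Strength:"
  strength_categories(passwords).each { |k, c| lines << "#{k} = #{c} (#{percent(c, total)})" }
  dates = date_hits(passwords)
  lines << "" << "Months (Abbreviated)"
  dates[:months_abbr].each { |m, c| lines << "#{m} = #{c} (#{percent(c, total)})" }
  lines << "" << "Years (Top 10)"
  dates[:years].each { |y, c| lines << "#{y} = #{c} (#{percent(c, total)})" }
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  list = ARGV[0] ? load_passwords(ARGV[0]) : SAMPLE_PASSWORDS
  puts report(list)
end
```

Run it as `ruby pipal_like.rb passwords.txt` against a sanitized list, or with no argument to see the output for the built-in sample. Two caveats apply equally to this script and to Pipal: the substring match for month and day names is cheap but counts names such as “maria” under “mar”, which is likely part of why the dump above shows mar = 184, and the strength buckets only describe character classes, so a long all-lowercase dictionary word still lands in “Only lowercase alpha”, which is exactly why that bucket is the one to watch when checking a password policy.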

I think this is a great tool to see the trends and patterns in password security. After so many years of users being warned about password security, it is very disheartening to see that the majority of users are still using short, simple passwords.

But what is more alarming is the number of password dumps that are available from compromised websites.

~ by D. Dieterle on December 13, 2011.

2 Responses to “Analyzing Passwords for Patterns and Complexity”

  1. […] were publicly released. He then analyzed the cracked passwords with the password analysis program Pipal, which searches password lists and returns several statistics, like most used passwords and […]

  2. […] https://cyberarms.wordpress.com/2011/12/13/analyzing-passwords-for-patterns-and-complexity/ […]
