|
Hacking passwords
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
The phollowing is another phine phile of phacts from the Phixer.
--- A Presentation of The Free Press ---
The Fixer Presents...
This episode: Password Hacking, a Scientific Breakdown.
First off, I would like to point out that the info in this file
is -=> not <=- to be used to crash a BBS. If I may quote a well known file,
only real idiots crash boards, except when they are run by other real idiots.
The info used to compile this file originally came from a Rodent's efforts at
crashing a popular and well-respected local BBS, for which he (a) was kicked
off all the BBS's in town, and (b) lost pretty much all his friends. For these
reasons I will notname the board that this file is based upon, nor will I
mention any specific usernames. OK, Here is a scientific breakdown of the
types of passwords thatpeople generally choose. It is scientific because there
were (at the time) 185 users of the BBS that these figures are drawn from, and
therefore a fair deal of accuracy can be obtained. Male first names: 5.4%
Female first names: 4.3% It is interesting to note that these generally are
not the names of boyfriends or girlfriends, as I encountered many male first
names being used as passes by several males, and these were not the users' real
names. These guys aren't queer, they just know that you won't likely think of a
male name for their pass when hacking. 4 to 8 letter English words: 47.6% If
you put a dictionary hacker program to a given users account, about half the
time you will (eventually) get access. Trouble is, there are around 50 thousand
such words in the language, and the diversity of words I encountered shows that
most of these passes could be anything in the dictionary. Also,the BBS that
this info came from only allows 8-char passwords. I only encountered a few
words that were truncated or abbreviated from longer than 8 letters. Words of
3 letters or less: 8.6% These are the easiest to hack, because there are fewer
3 letter words. This security laxness shows up in the figures: only 16 of the
185 users used this kind of PW. Still, if you pick 2 or 3 accounts and hit 'em
with a dictionary hacker of 1 to 3 characters, odds are you will get 2 or 3
accounts. Pseudo-Random sequences: 13.0% These included randomly picked
letters and/or numbers and/or punctuation. These are nearly impossible to hack
at because of the manymillions of possible combinations. Also included in this
category are acronyms, foreign words, and keyboard sequences, e.g. ZXCVBNM
et al. Statistically, you are best off not bothering to write/use a hacking
program for this type of password, although I should note that it is valid to
try some keyboard sequences manually. Special Characters: 3.8% These usually
consisted of punctuated words, passes with control characters, passes with
up/down/left/right arrows inserted in them, compound words separated by a
special character (e.g.pass*word) etc. These are also very difficult and
unworthwhile to hack at. Contains Users Name: 5.4% Ten of the 185 users of
the BBS that our rodent buddy krashed used either their pseudo, part of their
pseudo, their real name, or a part of their real name, as a password. When you
are manually hacking passwords, this is not statistically the best thing to
hope for, but it isan obvious giveaway, so it should be one of the first passes
you try. It is such an obvious slipup that if you come across such an account,
then the user is an idiot and deserves to have his account hacked. Name of
computer equipment: 0.5% Only one user used the name of part of his system (a
radio shack dmp series printer) as a password. This was surprising to me
because this sort of password would be difficult to hack at because computer
peripheral names usually look like the above mentioned pseudo-random sequences,
and yet would be easy for the user to remember (after all, his pass would be
right there embossed into his computer's case, and no-one would suspect that as
a password if they visited his system). This scheme may grow in popularity;
until it does don'tbother hacking this type of pass. (if, say, 5-10% of users
did this sort of thing, then it would be easy to hack a pass of this type; just
find out what computer and peripherals the guy has). A Number: 3.8% Seven
users used a 3 to8 digit number as a password. The most common number of digits
was 4, and many of these started with 19 (i.e. the name of a year). If you know
a bit about the person whose account you are hacking, try the year he got
married, the year he was born, the year his kid was born, the year he graduated
high-school, the year of his car or "hog". You may even try this year. 2 Or
More Words: 7.6% Ifthe system you are hacking only allows 8 character
passwords, you may still encounter a lot of 2-word passes (7.6% as above) but
these are somewhat hard to hack. Sometimes the user puts a space between the
words, sometimes he doesn't. You would need a specialized dictionary hacker
program to have any success at this type of pass. Well, I hope that helps
you find a few accounts. There are two points I would like to re-inforce: (1)
again, never try crashing a BBS, even though the info in this file came
directly from a BBS's userlog. (2) Repeated hacking at a password is very
visible to a sysop; only do it late at nite when he is home asleep. Also, this
is the most basic form of password theft there is. It is the most difficult and
slowest way to get a password in the hacking world, and generally only
beginning hackers use this kind of technique. But at least those who hack this
way are out getting their own accounts, rather than rodentially leaching off of
boards......... Somecommon passes before I go: love, sex, secret, password,
kill, death, mega, alpha, beta, gamma, delta, number 1, drugs, beer, god, fuck,
shit, <first names>, <music groups>, <clubs>, <own first name>, <same as
account number>, <sysop's name> ad nausaeum.
|
|
