TUCoPS :: Dialup BBSes :: passhack.txt

Misc: A statistical analysis of password types on a now-defunct BBS

----------====================((((((#######))))))====================----------


                      *********** ****     **** **********
                                     *** ***             ***
                      ***********      ***      **********
                      ***            *** ***    ***      ***
                      ***         ****     **** ***      ***


       The phollowing is another phine phile oph phacts phrom the Phixer.


                    --- A Presentation of The Free Press ---


----------====================((((((#######))))))====================----------

                              The Fixer Presents...


             This episode: Password Hacking, a Scientific Breakdown.


First off, I would like to point out that the info in this file is -=> not <=-
to be used to crash a BBS. If I may quote a well known file, only real idiots
crash boards, except when they are run by other real idiots. The info used to
compile this file originally came from a R0dent's efforts at crashing a
popular and well-respected local BBS, for which he (a) was kicked off all
the BBS's in town, and (b) lost pretty much all his friends. For these reasons
I will not name the board that this file is based upon, nor will I mention any
specific usernames.


OK, Here is a scientific breakdown of the types of passwords that people
generally choose. It is scientific because there were (at the time) 185 users
of the BBS that these figures are drawn from, and therefore a fair deal of
accuracy can be obtained.


Male first names: 5.4%
Female first names: 4.3%

It is interesting to note that these generally are not the names of boyfriends
or girlfriends, as I encountered many male first names being used as passes
by several males, and these were not the users' real names. These guys aren't
queer, they just know that you won't likely think of a male name for their
pass when hacking.


4 to 8 letter English words: 47.6%

If you put a dictionary hacker program to a given users account, about half
the time you will (eventually) get access. Trouble is, there are around
50 thousand such words in the language, and the diversity of words I
encountered shows that most of these passes could be anything in the
dictionary. Also,the BBS that this info came from only allows 8-char passwords.
I only encountered a few words that were truncated or abbreviated from longer
than 8 letters.


Words of 3 letters or less: 8.6%

These are the easiest to hack, because there are fewer 3 letter words. This
security laxness shows up in the figures: only 16 of the 185 users used this
kind of PW. Still, if you pick 2 or 3 accounts and hit 'em with a dictionary
hacker of 1 to 3 characters, odds are you will get 2 or 3 accounts.


Pseudo-Random sequences: 13.0%

These included randomly picked letters and/or numbers and/or punctuation. These
are nearly impossible to hack at because of the many millions of possible
combinations. Also included in this category are acronyms, foreign words, and
keyboard sequences, e.g. ZXCVBNM et al.
Statistically, you are best off not bothering to write/use a hacking program
for this type of password, although I should note that it is valid to try some
keyboard sequences manually.


Special Characters: 3.8%

These usually consisted of punctuated words, passes with control characters,
passes with up/down/left/right arrows inserted in them, compound words
separated by a special character (e.g. pass*word) etc. These are also very
difficult and unworthwhile to hack at.


Contains Users Name: 5.4%

Ten of the 185 users of the BBS that our r0dent buddy krashed used either
their pseudo, part of their pseudo, their real name, or a part of their real
name, as a password. When you are manually hacking passwords, this is not
statistically the best thing to hope for, but it is an obvious giveaway, so
it should be one of the first passes you try. It is such an obvious slipup that
if you come across such an account, then the user is an idiot and deserves to
have his account hacked.


Name of computer equipment: 0.5%

Only one user used the name of part of his system (a radio shack dmp series
printer) as a password. This was surprising to me because this sort of password
would be difficult to hack at because computer peripheral names usually look
like the above mentioned pseudo-random sequences, and yet would be easy for the
user to remember (after all, his pass would be right there embossed into his
computer's case, and no-one would suspect that as a password if they visited
his system). This scheme may grow in popularity; until it does don't bother
hacking this type of pass. (if, say, 5-10% of users did this sort of thing,
then it would be easy to hack a pass of this type; just find out what
computer and peripherals the guy has).


A Number: 3.8%

Seven users used a 3 to 8 digit number as a password. The most common number
of digits was 4, and many of these started with 19 (i.e. the name of a year).
If you know a bit about the person whose account you are hacking, try the
year he got married, the year he was born, the year his kid was born, the
year he graduated high-school, the year of his car or "hog". You may even try
this year.


2 Or More Words: 7.6%

If the system you are hacking only allows 8 character passwords, you may still
encounter a lot of 2-word passes (7.6% as above) but these are somewhat hard
to hack. Sometimes the user puts a space between the words, sometimes he
doesn't. You would need a specialized dictionary hacker program to have any
success at this type of pass.




Well, I hope that helps you find a few accounts. There are two points I would
like to re-inforce: (1) again, never try crashing a BBS, even though the info
in this file came directly from a BBS's userlog. (2) Repeated hacking at a
password is very visible to a sysop; only do it late at nite when he is home
asleep. Also, this is the most basic form of password theft there is. It is
the most difficult and slowest way to get a password in the hacking world, and
generally only beginning hackers use this kind of technique. But at least those
who hack this way are out getting their own accounts, rather than r0dentially
leaching off of boards.........


Some common passes before I go:

love, sex, secret, password, kill, death, mega, alpha, beta, gamma, delta,
number 1, drugs, beer, god, fuck, shit, <first names>, <music groups>, <clubs>,
<own first name>, <same as account number>, <sysop's name> ad nausaeum.


-------------------------------------------------------------------------------
Call: Heart of Gold (604) 658-1581...10 mg Online, AE, BBS.....................
-------------------------------------------------------------------------------

 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH