INSIGHTS Hamburg1! and other terrible password habits

It’s not big news that password breaches happen all the time. Just recently we’ve seen one of the biggest password dumps posted online. According to [1] the two most common passwords in 2018 were 123456 and password . It makes you think “Are people that bad at coming up with passwords?”. I decided to check it myself and I would like to share the results with you.

A while ago, I was involved in an internal phishing campaign for a company during which my team managed to successfully steal around 150 valid credentials. After this, every affected user was forced to change his/her password and, frankly, after being phished you’d expect everyone to come up with a unique and strong password. Fast forward to now, I had an idea to try to mutate every stolen password a little and see if any of 150 users changed their old leaked password just a little by, for example, adding a ! symbol at the end, changing case of characters, etc.

After getting a permission from the company to do such a test, I started searching for tools that could help me with this task. In the end my choice fell on two programs:

  1. John the Ripper, specifically the —-rules flag.
  2. badtouch — a scriptable credential confirmation tool.

So, let’s begin. John the Ripper (JTR) is capable of applying predefined rules on every password to simulate common changes users make when they are forced to change passwords. JTR can add numbers to a password, change case of letters, reverse the password, append a year and more. For example, look at the command below. The single_password.lst is a file with the word “password” in it (no quotes).

john --wordlist=single_password.lst --rules -stdout

The output of the command above will be the following (around 900 mutations):


Now if we try all these variations of the word “password” on someone who was known to use this as his password, we might have a chance of exploiting their lack of creativity.

I applied this principle to all 150 accounts and was stunned by the results: 55 out of 150 credentials were guessed. Thats more than 35% people!

Let me show you an example of someone who used to have a password hamburg1 .

Gotcha! As you can see the new password is Hamburg1! . And there is no reason to blame this user, the password is 9 characters long, has uppercase and lowercase letters, a number and a special character. Strong password, right? This technique can be applied during your penetration testing assessments or security awareness campaigns, just remember to be ethical in your actions.

Call for action

I do not exaggerate when I say that there are hundreds of articles on the internet about password security and general recommendations on protecting your online privacy. To summarise, here are few tips:

  1. Use a password manager to generate unique and strong passwords.
  2. Use multi-factor authentication everywhere you can.
  3. Read about phishing attacks and how to recognise them.

I recommend reading this post to get more information on online safety. And, of course, don’t think that you have nothing to hide or nothing to fear, it’s just a matter of time before your bad online security habits are used against you.

It’s in your hands to make small changes in your internet habits TODAY in order not to become a victim of an attack TOMORROW