Hackers use weak passwords just like the rest of us.
Nearly two thousand passwords used by hackers were leaked this week, when I tried to decode a PHP shell without knowing the key. Because I did not know the exact content of the encoded file and searching for the key could take me years, I chose a different approach. I decided to find out how strong the passwords used by hackers are and create a dictionary. :)
Over the years of fighting malware, the avast! Virus Lab has gathered many samples of various back-doors, bots and shells. Some of them are protected with a password stored as an MD5 hash, a SHA1 hash or in plain text, so it was a good way to start. I looked at 40,000 samples of hackers' passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 uncracked hashes. I created statistics from those words, and here are my findings.
Passwords that nobody will guess
About 10% of the passwords were beyond normal capabilities of guessing or cracking. Among those, I found words as long as 75 characters, probably generated by a computer. Some of them were long sentences mixed with special characters, such as "lol dont try cracking 12 char+". Too bad it was stored in plain text. ;)
There were also passwords that don't use characters from an English keyboard. But there was still a 90% chance it could be a normal word, maybe with some number in it. No less than 9% of the passwords could be found in an English dictionary.
The table on the right shows which characters are used in hackers' passwords. The first row means that 58% of passwords contained only lower-case alphabet characters a-z.
One password is not included in this table because I found this hash: d41d8cd98f00b204e9800998ecf8427e. It is the MD5 hash of the empty string, i.e. an empty password.
Most used password and characters
The table on the right shows how long hackers' passwords are. The average password length is 6 characters. There were only 52 passwords longer than 12 characters.
Generally, there are many variations of words from the IT field and English words, including names and whole sentences, but almost none of them contain uppercase letters. Some of the passwords are English words written in leet speak. This is a way of writing where numbers stand in for the letters they resemble. For example, A looks like 4 and I looks like 1. In leet speak the letters "o, i, e, a, s, t" are replaced with their equivalents 0, 1, 3, 4, 5, 7.
The table below shows the occurrence of lower-case alphabetic characters in passwords. The most used character is the letter a, and the letters f, j, v, w, y, z are used very seldom. This is the largest character set, so even the 38 occurrences of lower-case q are more than the most frequent upper-case letter, S, with 28 occurrences. Compared with the special character set, lower-case q is used almost as often as the most frequent special character, ".", which has a count of 42.
Upper-case letters and their occurrence are displayed in the next table. They are all very rarely used, and when they are, it is either the first letter of the password or the entire word is written in upper case. Only a few passwords actually use a combination of both upper and lower case.
The next table shows which special characters are preferred by hackers and how much they use them to improve passwords. The first character in this table is a space, and it revealed one interesting thing: one or five spaces could be a pretty clever password, but it is not very secure, as it gets tested right from the beginning. Not all special characters are listed below, because " , = ~ | [ ] " were not used at all.
The last table on the right displays the occurrence of numerals. Numerals were used in almost 30% of passwords, so the table goes to quite large numbers. The most used numeral is 1, with 356 occurrences.
By now, you may be wondering which password hackers use the most. There were many variations of the words pass and root, and hax was also used many times, but if I omit one common 4-letter word, the most frequently used word in this dictionary is hack. It is worth mentioning that many PHP shells I analysed had only default passwords like r57, c99, password or yourpass.
When I compare all the findings from the graphs above, I can tell that the average hacker's password is at most six characters long, contains lower-case letters and numbers, and is derived from the English language. That was not as hard as I expected, and most hackers' passwords are even weaker than those that normal people use, as you can find in this article for example. But what if I stumble on a hacker who actually uses a strong password and cares about security? Then I need a character set that includes special characters, but one as small as possible, so that a brute force attack takes only days instead of months.
Best character set for cracking hackers' passwords
If I use only the previous statistics, I can make up two character sets that should hit most passwords used in various shells and bots. When the dictionary fails, there are not many ways to continue, but there is always brute force.
1) acdehiklmnorstu01234579!-.@_ (28 characters)
2) acdehiklmnorstubgpxyw0123456789!-.@_#$+*{space} (41 characters)
They are not as small as I want them to be, but that is not so important, since every time I needed to brute-force a shell password it had only 6 or 7 characters and it was quick.
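The statistics described above (character classes, average length, the empty-string hash, leet-speak variants, and the frequency-ranked character set) can be reproduced over any password corpus. The following is an added example and not the Virus Lab's own tooling; the SAMPLE corpus is constructed for illustration, and the `coverage` threshold for the character set is an assumption.

```python
# Added example (not the avast! Virus Lab's tooling): audit statistics over a
# password corpus in the style of the article. SAMPLE is a constructed corpus.
import hashlib
import string
from collections import Counter

SAMPLE = ["hack", "root", "pass123", "h4ck3r", "r57", "c99",
          "password", "Admin", "p@ss", "hax"]  # constructed, not real data

# Leet substitutions the article names: o,i,e,a,s,t are written 0,1,3,4,5,7
_UNLEET = str.maketrans("013457", "oieast")

def unleet(pw):
    """Undo leet digits so 'h4ck3r' can be matched against a wordlist."""
    return pw.translate(_UNLEET)

def char_classes(pw):
    """Character classes present in pw: lower, upper, digit, special."""
    out = set()
    for ch in pw:
        if ch in string.ascii_lowercase:   out.add("lower")
        elif ch in string.ascii_uppercase: out.add("upper")
        elif ch in string.digits:          out.add("digit")
        else:                              out.add("special")
    return out

def is_empty_string_hash(hexdigest):
    """True if a stored MD5/SHA1 is the hash of "" (an empty password)."""
    h = hexdigest.lower()
    return h in (hashlib.md5(b"").hexdigest(), hashlib.sha1(b"").hexdigest())

def corpus_stats(pws):
    """Percent lower-case-only, percent containing digits, mean length, count > 12."""
    n = len(pws)
    return {
        "lower_only_pct": 100 * sum(char_classes(p) == {"lower"} for p in pws) / n,
        "digit_pct": 100 * sum("digit" in char_classes(p) for p in pws) / n,
        "avg_len": sum(len(p) for p in pws) / n,
        "longer_than_12": sum(len(p) > 12 for p in pws),
    }

def minimal_charset(pws, coverage=0.95):
    """Smallest frequency-ranked set of characters that fully spells `coverage`
    of the passwords; its size shows how small the effective key space is."""
    ranked = [c for c, _ in Counter("".join(pws)).most_common()]
    for k in range(1, len(ranked) + 1):
        if sum(set(p) <= set(ranked[:k]) for p in pws) >= coverage * len(pws):
            return "".join(sorted(ranked[:k]))
    return "".join(sorted(ranked))
```

Running `corpus_stats(SAMPLE)` on the constructed corpus reports 40% lower-case-only passwords and a mean length of 4.7, and `minimal_charset` returns the alphabet the corpus actually needs, which is the same measurement behind the two character sets listed above.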
For malware researchers interested in the dictionary described in this article, please write me from a trusted email address to hyza at avast dot com and get your free copy today.