I know what your password was last summer…

We've spent the last six months studying passwords cracked over the past two years and have built several tools to better understand how people create them. Here is what we found.

As security professionals, we regularly run into the age-old problem of passwords across environments, systems, implementations and assorted chaos. One aspect that stands out whenever an organization is compromised is the psychology behind people's password choices. This article reveals patterns and trends in password creation in Windows environments, shedding light on common weaknesses and the human factors that affect password security.

Understanding these psychological elements is critical to developing more effective security strategies and to educating users on secure password practices. It is no less important when developing the testing techniques used to assess an organization's security posture and find the keys to its estate.

This article examines trends identified over the past two years and compares strong and weak password policies. It also examines the user behavior that is shaped by these policies.

We use hashcat in a systematic, iterative way across our engagements, particularly for cracking password hashes. This approach has proven effective at recovering the plaintext of a wide variety of interesting passwords, providing valuable insight into how organizations think about and build their password policies.

This approach also underpins our password guessing and password spraying strategies, improving our understanding of industry-specific thinking and of how certain security controls can be bypassed.

Key data

All analysis in this article comes from cracking Windows NTLM hashes over a period of two years. The total number of hashes was 186,149, of which 99,918 were unique, and 31,200 were cracked, which means many identical passwords shared across different users and companies.

Analysis of this vast array of data allows us to draw valuable conclusions:

  1. Password reuse: A large number of identical passwords indicates a widespread problem of password reuse among different users and companies, which significantly reduces security.

  2. Common weak passwords: Success in cracking a significant portion of hashes indicates that many users continue to use weak passwords that are vulnerable to cracking tools and techniques.

  3. Industry models: Data can reveal patterns in password creation and policy enforcement across companies, providing insight into industry-specific security.

Our Hashcat rules and settings

The hash type determines how we approach cracking it on our hardware. For fast hashes such as NTLM, we typically start with a wordlist attack, then apply rules, then add terms related to the company name and other relevant words or phrases.

Our NTLM cracking speed is roughly 600 GH/s, from a rig that combines several RTX 4090s, RTX 3090s and other GPUs.

We use a selection of custom and standard word lists when targeting specific organizations. Here are the standard public lists we use with various rules:

As for rulesets, we also use public and private sets, and here are the public ones we use:

Finally, in addition to word lists and rules, there are several custom masks that we often use when working with specific organizations, but there is also a standard list of hashcat masks and commands:

CompanyName?a?a?a?a?a?a
Colour?a?a?a?a?a?a

A common trend seen in various companies is the use of situational or time-structured passwords. Users often create passwords that include elements such as the current season, month, day, company or department name, usually followed by a date. This predictable pattern makes it easier to crack such passwords using hashcat rules and masks, providing efficient and fast password guessing.

Andy Gill, one of our consultants, wrote a set of tools for analyzing pot files, which we used to build our base wordlists and standard rules:

The cracking process typically involves targeting a company with a custom wordlist and rule sets, brute-forcing up to a nine-character keyspace against the optimized keyspace, profiling the results, and then running the cracked list back through the rule sets to identify patterns.

What was your password last summer?

As companies mature, so do their password policies. Gone are the days when, at many of our clients, a simple Summer2024! put you straight through the front door. But we still see SeasonYYYY or variations of it from time to time in less mature organizations. Here are some examples of seasons used and references:

We wrote our own password analysis tool. Given the cracked hashes as input, it analyzes common words, phrases and other attributes. Its output is shown in the following screenshots: most common passwords, top passwords, days of the week, months of the year, seasons, and colors.

The average length of 11 characters is a good improvement over last year and a sign of more mature password policies across organizations. There are still outliers, but overall, organizations appear to be on an improving trajectory.

Even though people are big fans of summer, it turns out that the winter months are more common in passwords.

The title of this article gives it away: people really love summer, and it shows in their password choices.

Many people's favorite color is blue, followed by red and green.

Among the year's top passwords, 108 were forward-looking ones already set for 2025; attackers would never think of that!
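The season/month/company-plus-year shape described above, and the kind of statistics our analysis tool reports (months, seasons, colors, average length), can be reproduced with a small audit script. The following is an added example, not the tool from the article: the password sample, category word lists and the hypothetical company name "Acme" are all constructed for illustration.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample of plaintexts standing in for a cracked pot file (not real data).
SAMPLE_PASSWORDS = [
    "Summer2024!", "Winter2023", "Autumn2024", "Monday123", "January2025",
    "Blue1234", "Acme2024!", "Password1", "Cloudy-Envelope-Rainbow-Dinosaur",
    "Winter2024!", "Red2025",
]

SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
COLOURS = ["red", "blue", "green", "yellow", "black", "white", "purple", "orange"]
YEAR_RE = re.compile(r"(?:19|20)\d{2}")

def classify(password, company_names=()):
    """Return the predictable building blocks found in one password.
    Plain substring matching, like a coarse wordlist check, so short words
    such as 'may' or 'red' will also match inside other words."""
    lower = password.lower()
    groups = (("season", SEASONS), ("month", MONTHS), ("day", DAYS),
              ("colour", COLOURS), ("company", [c.lower() for c in company_names]))
    tags = {label for label, words in groups if any(w in lower for w in words)}
    if YEAR_RE.search(password):
        tags.add("year")
    return tags

def violates_policy(password, company_names=()):
    """Policy hook: reject the 'Season/Month/Day/Company + year' shape."""
    tags = classify(password, company_names)
    return "year" in tags and bool(tags & {"season", "month", "day", "company"})

def summarise(passwords, company_names=()):
    """Tag counts, average length and share of predictable passwords for an audit."""
    tag_counts = Counter()
    predictable = 0
    for pw in passwords:
        tags = classify(pw, company_names)
        tag_counts.update(tags)
        predictable += bool(tags)
    return {
        "average_length": round(mean(len(p) for p in passwords), 1),
        "tags": dict(tag_counts),
        "predictable_share": round(predictable / len(passwords), 2),
    }
```

`violates_policy` is the piece you would wire into a password filter or a periodic audit, while `summarise` gives the report-style view; note that a colour plus a year ("Red2025") is flagged in the statistics but does not trip the policy check.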

Interesting passwords

We come across many interesting passwords; here are some of our favorites from the past couple of years, both strong and fun.

<Passw0rd1><Passw0rd2>
#1PeppermintPatty
Grits&Gravy4u
HelloSummertime2023!
Security4You
Sec9re_NobodyWillGuessMe
Gustavo12345678901234567890
Green eggs and ham!
Why $o Serious?

These passwords were cracked using a combination of mask, wordlist, and rule-based attacks. In addition, the base password lists were fed back in iteratively to crack further passwords. Remember that complexity and length can make cracking time-consuming and resource-intensive, especially for high-entropy passwords.

Subsequent analysis of duplicates

Our analysis revealed a significant number of duplicates and unique users with common passwords. A recurring pattern was observed where accounts created by an organization for specific purposes had the same passwords, often as a result of mass reset procedures.

In addition, there were cases where users with multiple accounts, especially those with privileged access, reused passwords across different organizations. The study also shed light on users who, after moving to a new organization, carried the same weak passwords with them to their new place of work.

  • Total number of hashes: 186,149

  • Total number of duplicate hashes: 56,648

  • Total users with duplicate passwords: 11,359

Successfully cracked passwords were analyzed against publicly available lists from SecLists (https://github.com/danielmiessler/SecLists/tree/master/Passwords/) to identify matches in public wordlists.

2020-200_most_used_passwords.txt: 19 matches
2023-200_most_used_passwords.txt: 20 matches
500-worst-passwords.txt: 39 matches
bt4-password.txt: 212 matches
cirt-default-passwords.txt: 7 matches
clarkson-university-82.txt: 7 matches
common_corporate_passwords.lst: 118 matches
darkc0de.txt: 135 matches
darkweb2017-top10.txt: 5 matches
darkweb2017-top100.txt: 9 matches
darkweb2017-top1000.txt: 54 matches
darkweb2017-top10000.txt: 161 matches
days.txt: 17 matches
dutch_common_wordlist.txt: 105 matches
dutch_passwordlist.txt: 724 matches
months.txt: 48 matches
Most-Popular-Letter-Passes.txt: 94 matches
mssql-passwords-nansh0u-guardicore.txt: 118 matches
openwall.net-all.txt: 143 matches
probable-v2-top12000.txt: 148 matches
probable-v2-top1575.txt: 65 matches
probable-v2-top207.txt: 26 matches
richelieu-french-top20000.txt: 104 matches
richelieu-french-top5000.txt: 67 matches
scraped-JWT-secrets.txt: 8 matches
seasons.txt: 40 matches
twitter-banned.txt: 34 matches
unkown-azul.txt: 9 matches
UserPassCombo-Jay.txt: 23 matches
xato-net-10-million-passwords-10.txt: 4 matches
xato-net-10-million-passwords-100.txt: 16 matches
xato-net-10-million-passwords-1000.txt: 53 matches
xato-net-10-million-passwords-10000.txt: 121 matches
xato-net-10-million-passwords-100000.txt: 284 matches
xato-net-10-million-passwords-1000000.txt: 525 matches
xato-net-10-million-passwords-dup.txt: 523 matches
xato-net-10-million-passwords.txt: 755 matches

The results show that all identified passwords are already known and present in standard wordlists, which makes successful compromise by attackers more likely.

Tips for creating passwords

When choosing a password, the traditional recommendation is a mix of special characters, numbers, uppercase and lowercase letters, with a length of at least 8 characters. These recommendations are changing, however. Observations from our more mature customers indicate that prioritizing length over complexity, and changing passwords less frequently, encourages passphrase adoption. Passphrases are easier to remember yet remain difficult to crack, striking a balance between security and usability.

Both UK and US government security agencies give excellent advice on creating passwords, so here's their advice to help you create strong passwords:

  1. Length matters a lot; when creating an Active Directory policy, aim for at least 16 characters.

To help users create long passwords, suggest taking four random words and joining them with a special character such as - or $. This increases length and complexity at the same time. For example:

  • Sunset$Guitar$Puzzle$Journey or Cloudy-Envelope-Rainbow-Dinosaur (don't use these two examples, as they are now in our wordlist 😉)

Both phrases reach a decent length: “Cloudy-Envelope-Rainbow-Dinosaur” is 32 characters including the hyphens, and “Sunset$Guitar$Puzzle$Journey” is 28 characters including the dollar signs.

  2. When setting default or initial passwords for an organization, it is recommended that you use an algorithm to generate unique per-user passwords rather than relying on a static value. If such an algorithm is not feasible, an alternative is to require users to change their password the first time they log in. This practice helps minimize security risks.

  3. To ensure that users maintain unique passwords, it is useful to encourage and roll out password managers. These tools not only help generate strong passwords but also keep separate, unique passwords for different accounts. This allows users to avoid easily cracked passwords such as basic phrases, common words (such as “welcome” or “password”), seasons, months, years, and places. Instead, users can adopt the recommended method of combining four random words, which can then be stored securely in a password manager. This strategy improves overall password security and management.
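To make the four-random-words advice concrete, here is an added example (not code from the article or its authors) that generates such a passphrase with a CSPRNG, checks it against the 16-character minimum suggested above, and quantifies why the size of the word list, not just the resulting length, decides the strength. The word list is constructed for illustration and far too small for real use.

```python
import math
import secrets

# Constructed word list standing in for a real one (not the article's list). A
# production list needs thousands of words; the entropy figures below show why.
WORDS = ["sunset", "guitar", "puzzle", "journey", "cloudy", "envelope", "rainbow",
         "dinosaur", "harbour", "lantern", "meadow", "compass", "velvet", "orbit",
         "thunder", "pebble"]
MIN_LENGTH = 16  # the Active Directory minimum suggested in the article

def generate_passphrase(words=WORDS, count=4, separator="-"):
    """Join `count` words chosen with a CSPRNG, capitalised, using `separator`.
    Retries until the result meets MIN_LENGTH (four words nearly always do)."""
    while True:
        phrase = separator.join(secrets.choice(words).capitalize() for _ in range(count))
        if len(phrase) >= MIN_LENGTH:
            return phrase

def meets_length_policy(password):
    """Length-first policy check: at least MIN_LENGTH characters."""
    return len(password) >= MIN_LENGTH

def passphrase_entropy_bits(wordlist_size, count=4):
    """Guessing entropy of `count` independent picks from `wordlist_size` words.
    Four picks from this 16-word list give only 16 bits despite a 20+ character
    result; four picks from a 7776-word diceware list give about 51.7 bits."""
    return round(count * math.log2(wordlist_size), 1)
```

Using `secrets` rather than `random` matters here: the strength argument assumes the words are chosen uniformly by a generator an attacker cannot predict.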

Conclusion

This article focuses on password security in Windows environments, especially from the perspective of internal use of data collected across many information systems. However, it is important to emphasize that a strong password policy should not be an organization's only line of defense. In addition to strong passwords, additional security measures must be taken.

Key among them is the implementation of multi-factor authentication (MFA), which provides an additional layer of security beyond the password. MFA requires users to provide two or more verification factors to gain access to a resource, such as an application, online account, or VPN. This significantly reduces the risk of unauthorized access. Where possible, some customers are implementing MFA for access to internal resources, using existing single sign-on providers and similar identity and access management technologies to limit the possibility of lateral movement.

In addition, organizations should adhere to the principle of “defense in depth”. This is a comprehensive approach to cybersecurity that involves the use of several protective mechanisms. If one mechanism fails, the other immediately takes over to prevent the attack. This approach includes technology solutions, as well as policies, procedures and staff training to close all possible security gaps.

Using these techniques along with a strong password policy creates a more resilient and secure environment, reducing the likelihood of successful cyberattacks and increasing the overall security of the organization.
