Observations from Key-logged Passwords

Published: 2014-05-03
Last Updated: 2014-05-03 16:23:04 UTC
by Kevin Liston (Version: 2)
8 comment(s)

I recently had the opportunity to look at a sample of key-logged passwords collected from compromised machine over a period of 4 years.  I wanted to share some of the takeaways, since I'm not comfortable sharing too many of the details.

From a collection of website credentials stolen by key-logger software I observed three common, trivially-predictable patterns.  The first was use of the term "password" slightly modified.  for example, Pa55w0rd, or PaSsW0rd, etc., etc.  The second was the use of a name followed by a 1.  For example, elizabeth1.  The surprise pattern, and the most common in the sample I got to look at involved the name of the site with 123 tacked on the end.  For example, isc123.

From a collection of remote-access passwords (shell, RPD, etc.) the usual suspects where admin/administrator (in various languages administrador, administrateur,) various permutations of "password," and the varying lengths of sequential digits (e.g. 1234, like your suitcase.)

In these samples, the source was a plain-text exposure, so it really didn't matter how complex or secure the passwords, since they were captured in the clear.  However, this gives us insight into how much effort is required to extract passwords when hashed credentials are exposed.  This also explains why brute-forcing remote access credentials is still profitable.

  • As a user, you should avoid using these quick, throwaway passwords.
  • As a website owner, you should not allow passwords ending in 1 or 123, that's a pretty simple filter to implement.
  • As a network owner, you should be brute forcing your own access credentials using a short hit-list.
  • As an ISC Handler, you should practice what you preach.
8 comment(s)
Diary Archives