International Password Awareness Day

September 16th, 2015 by admin in Life


Today is now International Password Awareness Day!! If you share passwords, don’t have unique passwords between services/sites, use words that can be found in a dictionary, or have passwords that are less than at least 10 characters (extra points for the longer and more complex) GO CHANGE YOUR PASSWORDS. There are so many pieces of software out there like keepass, lastpass, passwordsafe that will allow you to store your passwords. Not being able to remember your passwords is not a good enough excuse anymore.


We can fix this problem if we hold each other to higher standards!

Android 5.x Lockscreen Long Password Bypass

September 16th, 2015 by admin in Android, Privilege Escalation

If you’ve got an Android 5 smartphone with anything but the very latest version of Lollipop on it, it’s best to use a PIN or pattern to secure your lock-screen.

“By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen,” University of Texas researchers said. They published their findings at

Below is a demonstration of the attack:

The top 100 passwords on Ashley Madison

September 16th, 2015 by admin in cracking, Life

Accounts exposed in the hack of Ashley Madison, had passwords that were just as weak as the rest of the internet, according to research group, CynoSure Prime, that cracked the encryption on 11.7 million of them. The top three: 123456, 12345, and password.

Here are the top 100 most common passwords found:


Lastpass breached

June 16th, 2015 by admin in cracking, Password Info

Lastpass team discovered suspicious activity on their network 6/12. In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses. Although they harden your authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, you should change your password and add some multifactor authentication to be on the safe side.

Despite the rigor of the LastPass hashing regimen, the job of cracking a single hash belonging to a specific, targeted individual would be considerably less difficult and potentially within the ability of determined attackers, especially if the underlying password is weak. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse. The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash.

If you are using an easily guessed dictionary based password as described by Errata Security you should change your password. Although on a NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10,000 guesses per second for a single password hash using the password algorithm:
PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)

rounds = user_rounds || 5000 // the iteration count is user-defined. default is 5k
encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this unlocks your vault
auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // what’s stored in the auth db

85,100 Forbidden Dropbox Passwords

June 8th, 2015 by admin in cracking

Jerod Brennen was messing around with opening the dropbox mobile app and stumbled across a javascript file that checked a user’s signup password. Inside was a file called pw.html, which had a line inside the javascript that had 85100 passwords that users were forbidden to use when signing up. It was part of an old project that Dropbox had integrated into their app called zxcvbn (You can test it live ::HERE::). Apparently WordPress also has the JavaScript library into their code too.

They had based most of the passwords on a study by Mark Burnett from 2005 and 2012 that compiled the 500 and 10000 most common passwords which we covered a few years back. The handy password cracking list is available on Jerod’s site for download ::HERE:: hacked

May 22nd, 2015 by admin in Life, News

Adult Friend Finder, the no-strings sex solicitation service that’s familiar to anyone who’s ever visited a porn site, was apparently just the victim of an enormous data breach, exposing millions of people who clicked banner ads hoping to get laid.

The person behind the leak, who goes by ROR[RG], claims he hacked Adult Friend Finder because they owed a friend of his money:

ADULTFRIENDFINDER.COM > this is for owing my guy $247,938.28 BITCH!!!!!!!!!!!

You have been ROOTED ;D

Cuz Itz Pay yo DUEZ or we COMIN 4 U!!!!!!

shout outz to Hell for the bandwidth:

Word to the wise, don’t use your work email address for kinky sex sites. .gov accounts anyone?

UPDATE: now you can check if your email was in the dump

PixieWPS – router WPS passwords in seconds

May 4th, 2015 by admin in cracking, Wireless

Pixiewps is a tool used for offline brute forcing of WPS pins. It dramatically speeds up the WPS brute force attack time from what was taking up to 12 hours to a a few seconds by exploiting the low or non-existing entropy of some wireless access points. It’s based on the pixie dust attack, discovered by Dominique Bongard (slides and video). Notes on how to install it are in the video below, if you are using Kali Linux then just apt-get update && apt-get upgrade.

Break open any Master Combo Lock in 8 tries or less

April 28th, 2015 by admin in Life

Crack open any Master combination lock in 8 combinations or less! This online tool and new technique will allow you to learn the combination of any Master combo lock with only eight attempts.

Statistics Will Crack Your Password

April 28th, 2015 by admin in Password Info

Security firm Praetorian analyzed 34 million passwords that were jacked from the LinkedIn, eHarmony and Rockyou breaches, and found that 50% of all the passwords followed 13 basic structures. Over 20 million passwords in the sample have a structure within the top 13 masks. This lack of entropy makes it possible to use statistical analysis to make cracking faster and more effective. Part of the problem is with the websites themselves, as they just require one upper case letter or number. The result is that many sites falsely mark passwords as “strong” that could be cracked in a matter of minutes.


NetSPI’s Top Cracked Passwords for 2014

March 2nd, 2015 by admin in cracking

NetSPI collected 90,977 domain hashes during their penetration tests this year. Of the collected hashes, 27,785 were duplicates, leaving 63,192 unique hashes. Of the total 90,977 hashes, we were able to crack 77,802 (85.52%). Out of those hashes they calculated the top 10 passwords used.

Here’s nine of the top passwords that we used for guessing during online brute-force attacks:

  • Password1 – 1,446
  • Spring2014 – 219
  • Spring14 – 135
  • Summer2014 – 474
  • Summer14 – 221
  • Fall2014 – 150
  • Autumn14 – 15*
  • Winter2014 – 87
  • Winter14 – 63

*Fall14 is too short for most complexity requirements

Next Article »