pentesting, pci, red team

Linkedin Top 50 Leaked Passwords

May 19th, 2016 by admin in cracking, Life, Password Info

Earlier this week passwords that were jacked from LinkedIn from 2012 were offered for sale online. What initially thought to be a theft of 6.5 million passwords has actually turned out to be a breach of 117 million passwords. The cache of stolen accounts were hashed with the recently deprecated SHA-1 algorithm. was able to get their hands on the dump the passwords weren’t salted and easily cracked. Below are their results.

Rank Password Frequency
1 123456 753,305
2 linkedin 172,523
3 password 144,458
4 123456789 94,314
5 12345678 63,769
6 111111 57,210
7 1234567 49,652
8 sunshine 39,118
9 qwerty 37,538
10 654321 33,854
11 000000 32,490
12 password1 30,981
13 abc123 30,398
14 charlie 28,049
15 linked 25,334
16 maggie 23,892
17 michael 23,075
18 666666 22,888
19 princess 22,122
20 123123 21,826
21 iloveyou 20,251
22 1234567890 19,575
23 Linkedin1 19,441
24 daniel 19,184
25 bailey 18,805
26 welcome 18,504
27 buster 18,395
28 Passw0rd 18,208
29 baseball 17,858
30 shadow 17,781
31 121212 17,134
32 hannah 17,040
33 monkey 16,958
34 thomas 16,789
35 summer 16,652
36 george 16,620
37 harley 16,275
38 222222 16,165
39 jessica 16,088
40 ginger 16,040
41 michelle 16,024
42 abcdef 15,938
43 sophie 15,884
44 jordan 15,839
45 freedom 15,793
46 555555 15,664
47 tigger 15,658
48 joshua 15,628
49 pepper 15,610

FBI Be All Like…

February 20th, 2016 by admin in cracking, Life


25 Most Popular Passwords of 2015

January 19th, 2016 by admin in cracking, Life

Every year, SplashData complies a list of the millions of stolen passwords made public throughout the last twelve months, then sorts them in order of popularity. This year the results, based on a total of over 2 million leaked passwords, are not the list of random alpha-numeric characters you might hope for. Rather, they’re a lesson in exactly how not to choose a password.

Hashcat Now Open Source

December 4th, 2015 by admin in cracking


hashcat and oclHashcat have gone open source. Creator atom, posted on his forum earlier today, that he decided to finally open the source code to developers under the MIT license. He hopes to expand the tool to support new algorithms, native OSX support, and the ultimate reason to decide to go open source was the implementation of the bitsliced DES GPU kernels. Check out the code at:

The top 100 passwords on Ashley Madison

September 16th, 2015 by admin in cracking, Life

Accounts exposed in the hack of Ashley Madison, had passwords that were just as weak as the rest of the internet, according to research group, CynoSure Prime, that cracked the encryption on 11.7 million of them. The top three: 123456, 12345, and password.

Here are the top 100 most common passwords found:


Lastpass breached

June 16th, 2015 by admin in cracking, Password Info

Lastpass team discovered suspicious activity on their network 6/12. In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses. Although they harden your authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, you should change your password and add some multifactor authentication to be on the safe side.

Despite the rigor of the LastPass hashing regimen, the job of cracking a single hash belonging to a specific, targeted individual would be considerably less difficult and potentially within the ability of determined attackers, especially if the underlying password is weak. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse. The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash.

If you are using an easily guessed dictionary based password as described by Errata Security you should change your password. Although on a NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10,000 guesses per second for a single password hash using the password algorithm:
PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)

rounds = user_rounds || 5000 // the iteration count is user-defined. default is 5k
encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this unlocks your vault
auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // what’s stored in the auth db

85,100 Forbidden Dropbox Passwords

June 8th, 2015 by admin in cracking

Jerod Brennen was messing around with opening the dropbox mobile app and stumbled across a javascript file that checked a user’s signup password. Inside was a file called pw.html, which had a line inside the javascript that had 85100 passwords that users were forbidden to use when signing up. It was part of an old project that Dropbox had integrated into their app called zxcvbn (You can test it live ::HERE::). Apparently WordPress also has the JavaScript library into their code too.

They had based most of the passwords on a study by Mark Burnett from 2005 and 2012 that compiled the 500 and 10000 most common passwords which we covered a few years back. The handy password cracking list is available on Jerod’s site for download ::HERE::

PixieWPS – router WPS passwords in seconds

May 4th, 2015 by admin in cracking, Wireless

Pixiewps is a tool used for offline brute forcing of WPS pins. It dramatically speeds up the WPS brute force attack time from what was taking up to 12 hours to a a few seconds by exploiting the low or non-existing entropy of some wireless access points. It’s based on the pixie dust attack, discovered by Dominique Bongard (slides and video). Notes on how to install it are in the video below, if you are using Kali Linux then just apt-get update && apt-get upgrade.

NetSPI’s Top Cracked Passwords for 2014

March 2nd, 2015 by admin in cracking

NetSPI collected 90,977 domain hashes during their penetration tests this year. Of the collected hashes, 27,785 were duplicates, leaving 63,192 unique hashes. Of the total 90,977 hashes, we were able to crack 77,802 (85.52%). Out of those hashes they calculated the top 10 passwords used.

Here’s nine of the top passwords that we used for guessing during online brute-force attacks:

  • Password1 – 1,446
  • Spring2014 – 219
  • Spring14 – 135
  • Summer2014 – 474
  • Summer14 – 221
  • Fall2014 – 150
  • Autumn14 – 15*
  • Winter2014 – 87
  • Winter14 – 63

*Fall14 is too short for most complexity requirements

Researcher releases 10 million username and password combinations

February 10th, 2015 by admin in cracking, Life

Security researcher Mark Burnett has released 10,000,000 username/password combos he’s downloaded from well-publicized hacks.


You can quickly check here: (limited to first 25 results)

Next Article »