Breaking all the Password Managers?

August 13th, 2017 by admin in cracking, Life, News, Password Info

“Elcomsoft Distributed Password Recovery 3.40 now supports four major password manager apps including 1Password, KeePass, LastPass and Dashlane. The tool allows experts attacking a single master password and gaining access to the content of the encrypted vault, exposing any passwords, authentication credentials and other sensitive information (identity documents, credit card data etc.)”

The debate is on going about the legitimacy of the article many saying ElmcomSoft is spreading FUD and cheesy marketing. Open source project, Hashcat, has supported cracking of all the those password managers listed except Dashlane for a while now. The length of time to crack said password managers, if you are using a long enough password or passphrase, would make cracking not feasible. Especially a program such KeePass, the key transformation iteration count would greatly effect the speed of brute force attack.

In the comments of their article one of the developers of 1Password had this to say:

It would still take a number of months/days/years to crack most password managers, the use of password managers can increase overall security by relieving users from having to memorize a number of passwords. So keep on using yours as long as you have a good password/passphrase, keep your computer updated, and dont click shit, you shouldn’t be too worried anytime soon.

Cracking OpenBSD FDE

August 31st, 2016 by admin in Password Info, Privilege Escalation

Filippo lost his OpenBSD Full Disk Encryption password and is taking the time to figure out a way to extract and bruteforce the password, it’s currently a work in progress but a great way to learn.



427 Milllion Stolen MySpace Passwords Selling For $2,800

May 27th, 2016 by admin in Life, News, Password Info

The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever.
The passwords were originally hashed with the SHA1 algorithm, which is known to be weak and easy to crack, and they were not salted. “Salting” makes decrypting passwords exponentially harder when dealing with large numbers of passwords such as these.
Below are the top 55 passwords that LeakedSource cracked so far.

Rank Password Frequency
1 homelesspa 855,478
2 password1 585,503
3 abc123 569,825
4 123456 487,945
5 myspace1 276,915
6 123456a 244,641
7 123456789 191,016
8 a123456 165,132
9 123abc 159,700
11 qwerty1 141,110
12 passer2009 130,740
13 fuckyou1 125,302
14 iloveyou1 123,668
15 princess1 114,107
16 12345a 111,818
17 monkey1 106,424
18 football1 101,149
19 babygirl1 90,685
20 love123 88,756
21 a12345 85,874
22 iloveyou 85,001
23 jordan23 81,028
24 hello1 80,218
25 jesus1 78,075
26 bitch1 78,015
27 password 77,913
28 iloveyou2 76,970
29 michael1 75,878
30 soccer1 74,926
31 blink182 73,145
32 29rsavoy 71,551
33 123qwe 70,476
34 angel1 70,271
35 myspace 69,019
36 fuckyou2 68,995
37 jessica1 67,644
38 number1 65,976
39 baseball1 65,400
40 asshole1 63,078
41 1234567890 62,855
42 ashley1 62,611
43 anthony1 62,295
44 money1 61,639
45 asdasd5 60,810
46 123456789a 60,441
47 superman1 59,565
48 sunshine1 57,522
49 nicole1 56,039
50 password2 55,754
51 charlie1 54,432
52 shadow1 54,398
53 jordan1 54,004
54 1234567 51,131
55 50cent 50,719

Linkedin Top 50 Leaked Passwords

May 19th, 2016 by admin in cracking, Life, Password Info

Earlier this week passwords that were jacked from LinkedIn from 2012 were offered for sale online. What initially thought to be a theft of 6.5 million passwords has actually turned out to be a breach of 117 million passwords. The cache of stolen accounts were hashed with the recently deprecated SHA-1 algorithm. was able to get their hands on the dump the passwords weren’t salted and easily cracked. Below are their results.

Rank Password Frequency
1 123456 753,305
2 linkedin 172,523
3 password 144,458
4 123456789 94,314
5 12345678 63,769
6 111111 57,210
7 1234567 49,652
8 sunshine 39,118
9 qwerty 37,538
10 654321 33,854
11 000000 32,490
12 password1 30,981
13 abc123 30,398
14 charlie 28,049
15 linked 25,334
16 maggie 23,892
17 michael 23,075
18 666666 22,888
19 princess 22,122
20 123123 21,826
21 iloveyou 20,251
22 1234567890 19,575
23 Linkedin1 19,441
24 daniel 19,184
25 bailey 18,805
26 welcome 18,504
27 buster 18,395
28 Passw0rd 18,208
29 baseball 17,858
30 shadow 17,781
31 121212 17,134
32 hannah 17,040
33 monkey 16,958
34 thomas 16,789
35 summer 16,652
36 george 16,620
37 harley 16,275
38 222222 16,165
39 jessica 16,088
40 ginger 16,040
41 michelle 16,024
42 abcdef 15,938
43 sophie 15,884
44 jordan 15,839
45 freedom 15,793
46 555555 15,664
47 tigger 15,658
48 joshua 15,628
49 pepper 15,610

Lastpass breached

June 16th, 2015 by admin in cracking, Password Info

Lastpass team discovered suspicious activity on their network 6/12. In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses. Although they harden your authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, you should change your password and add some multifactor authentication to be on the safe side.

Despite the rigor of the LastPass hashing regimen, the job of cracking a single hash belonging to a specific, targeted individual would be considerably less difficult and potentially within the ability of determined attackers, especially if the underlying password is weak. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse. The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash.

If you are using an easily guessed dictionary based password as described by Errata Security you should change your password. Although on a NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10,000 guesses per second for a single password hash using the password algorithm:
PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)

rounds = user_rounds || 5000 // the iteration count is user-defined. default is 5k
encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this unlocks your vault
auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // what’s stored in the auth db

Statistics Will Crack Your Password

April 28th, 2015 by admin in Password Info

Security firm Praetorian analyzed 34 million passwords that were jacked from the LinkedIn, eHarmony and Rockyou breaches, and found that 50% of all the passwords followed 13 basic structures. Over 20 million passwords in the sample have a structure within the top 13 masks. This lack of entropy makes it possible to use statistical analysis to make cracking faster and more effective. Part of the problem is with the websites themselves, as they just require one upper case letter or number. The result is that many sites falsely mark passwords as “strong” that could be cracked in a matter of minutes.



October 15th, 2014 by admin in Password Info, Uncategorized

DPAPIck is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API). The tool was updated to support Windows versions all the way to 8.1.

list of recoverable secrets are :

  • EFS certificates
  • MSN Messenger credentials
  • Internet Explorer form passwords
  • Outlook passwords
  • Google Talk credentials
  • Google Chrome form passwords
  • Wireless network keys (WEP key and WPA-PMK)
  • Skype credentials


Comprehensive list of Password dumping tools for windows

February 5th, 2013 by admin in cracking, News, Password Info, Privilege Escalation

Bernardo Damele compiled a list of password dumping tool into a google spreadsheet:

Top 25 passwords of 2012

November 9th, 2012 by admin in cracking, Life, Password Info

The rankings were created by SplashData who compiled from files containing millions of stolen passwords posted online by hackers in 2012 and ranked them in order of popularity. It’s all similar to year’s past but we’ve got some new additions at the end of the list in Jesus and password1. The company advises consumers or businesses using any of the passwords on the list to change them immediately.

“Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets,” Slain said. “Just a little bit more effort in choosing better passwords will go a long way toward making you safer online.”


Here’s the full list: (more…)

Reveal Saved Browser Passwords without special software

May 22nd, 2012 by admin in Browsers, Password Info

When you type a password into your webbrowsers, they are often hidden behind bullets or asterisks, which is fine when you know the password, but if you can’t remember and it’s being filled in automatically, you have to look in the browser options or use a 3rd party utility to reveal it. We covered a way to use it using a simple javascript back in 2008. Here’s a simple way to reveal the password using built-in functionality of the browser developer tools. We’re going to show you how to do it on Firefox 12 and Internet Explorer 9. This is also tested and working in Google Chrome 18 and Opera 11.

Next Article »