Last updated at Sat, 09 Dec 2023 23:06:32 GMT

*In previous posts, we’ve looked at the three most common passwords people use in a company environment and the common default passwords set for new employees.

Humans are predictable. As unique as we like to think we all are, our actions tend to be similar—and our choices when creating a password are no different. While this isn’t absolute and variations do happen, penetration testers and malicious actors don’t necessarily need the edge cases when trying to access a network. We need at least a single set of working credentials (i.e., a username and password) to gain a foothold. Since we know that people are predictable, we can make better-educated guesses at their passwords.

This doesn’t only apply to individual employees—this predictability also goes a step higher to include the predictable passwords that are set by the IT staff. Though standard policies may come from vendor recommendations, the requirements are also quite common. The majority of password requirements we have observed require at least three of the following:

  • Uppercase character
  • Lowercase character
  • Number
  • Special character

The minimum length is usually eight characters, though some companies may go higher. Because people must create passwords to match this policy, we’ve found those they create have predictable patterns that can be used to guess passwords or more easily crack password hashes that are obtained during a penetration test.

The password-cracking process

We use the free and open-source penetration testing tools such as Hashcat to crack passwords and Pipal (a tool created by Robin “Digininja” Wood) to analyze the resulting cracked passwords. Hashcat generates password “candidates” from a wordlist or pattern, then compares its hash with those in the list it’s trying to crack. If they match, the password is cracked. We usually generate these candidates from known password dumps and common password lists, then apply other changes to them—such as adding a “1” or exclamation point to the end. These changes are referred to as “rules.”

After we crack some of the password hashes, we analyze what we’ve cracked, looking for any type of patterns. For example, we had one penetration testing service engagement recently where the initial default password was the employee’s initials, the “@” symbol, then the month and year when it was set. Using that system, if I were to get my password today, I would be given PL@82018.

We saw many passwords matching this pattern, indicating that employees likely were not changing their default passwords. This allows us to target this pattern and crack more hashes. We told Hashcat to try to crack passwords in the format of “uppercase-uppercase-@-digit-digit-digit-digit-digit.” There are two big benefits to this. For one, it’s a pattern that was observed, so it was very likely that there would be more (which proved to be true). Second, we could really reduce the keyspace, which is defined as the possible characters in each position.

In our example, we wanted Hashcat to only try uppercase characters in the first position. There are 95 characters on a typical U.S.-based keyboard, but when we tell Hashcat to only check for 26 characters, the cracking goes much faster. The same goes for the rest of the positions. In the third position, we told Hashcat to only use the “@” symbol, and for the last five positions, to only try digits, of which there are only 10.

DIY password cracking

For those who might want to do some of this yourself with Hashcat, what we did was create a “mask” to tell Hashcat exactly which character sets to use. Other password-cracking tools such as John the Ripper have masks as well. The Hashcat wiki shows all the details for using a mask, but here’s an overview.

Using the mask described earlier, we would tell Hashcat to try to crack hashes with the following pattern: “?u?u@?d?d?d?d?d.” The question mark indicates that the next character defines a character set. The lowercase u says to only use uppercase letters in that position. We have two of the ?u, which tell Hashcat to only check for uppercase letters in the first two positions. Next, we have the @ all by itself. That tells Hashcat to only check for that character in that position.

Next, we have five instances of ?d, where the “d” is for “digit.” Hashcat will only check digits in those next five positions. If we wanted to check for a special character, such as @ or &, we would use ?s. Again, a benefit of using a mask is speed.

Bringing in Pipal

With our large volume of data and knowledge of the value of masks, we ran every checked password in our database through Pipal, which generates the mask that matches each password. When we ran the analysis, we ended up with more than 137,000 masks.

Next up was consolidating and finding the most common tasks. The top 20 we found included:

Instances Mask
953 ?u?l?l?l?l?l?d?d?s
859 ?u?l?l?l?l?l?l?l?d?d?d?d
803 ?u?l?l?l?l?l?l?l?d?l
769 ?u?l?l?l?l?l?l?l?d?d?d
721 ?u?l?l?l?l?l?l?d?d?d
700 ?l?l?l?l?l?l?d?d
640 ?u?l?l?l?l?d?l?l
620 ?u?l?l?l?l?l?l?d?d?s
615 ?l?l?l?l?l?l?l?l?l
601 ?l?l?l?d?d?d?d
595 ?u?l?l?l?l?l?l?d?s
575 ?u?l?l?l?l?l?d?d?d?d?s
565 ?u?l?l?l?l?l?l?l?d?u?u
562 ?u?l?l?l?l?l?l?l?l?l?d?d
547 ?u?l?l?l?l?l?l?l?d?s
534 ?l?l?l?l?l?l?l?d
456 ?u?l?l?l?l?d?d?d?d?s
428 ?u?l?l?l?d?d?d?d?s
421 ?u?l?l?l?d?l?l?l?s
415 ?u?l?l?l?l?l?l?d?u?u

The most common mask that we found uses an uppercase character, five lowercase characters, two digits, and a special character. Examples of passwords that match this mask could be Summer18! Or Winter17!.

Another thing to note in the patterns is that the first character is always a letter. In the top 20 masks, there are none with a digit or special character in the first position. By digging deeper, we see that 16 of the 20 start with an uppercase character. This is also what most penetration testers see in the field, and will usually make the first character an uppercase letter when guessing passwords.

In our research, the first mask that begins with something other than a letter is the 29th most common (?d?d?u?u?u?l?l?l) and appeared 323 times in our sample. The first mask that begins with a special character is in 60th place (?s?u?l?l?l?s?u?l?l?l?d), and appeared 197 times.

The takeaway

So, what can be learned from this information? Even when people try to create less common passwords, they still fall into guessable patterns. The best advice on how to break these patterns is using a password manager that can create more random values. Also, whenever possible, employ a multi-factor authentication mechanism so that even if a password is cracked, there is another hurdle that needs to be bypassed.