The THC Hack/Phreak Archives: PASSHACK.FXR (157 lines)

Note: I did not write any of these textfiles. They are being posted from
the archive as a public service only - any copyrights belong to the
authors. See the footer for important information.

==========================================================================

----------====================((((((#######))))))====================----------

*********** **** **** **********
*** *** ***
*********** *** **********
*** *** *** *** ***
*** **** **** *** ***

The phollowing is another phine phile oph phacts phrom the Phixer.

--- A Presentation of The Free Press ---

----------====================((((((#######))))))====================----------

The Fixer Presents...

This episode: Password Hacking, a Scientific Breakdown.

First off, I would like to point out that the info in this file is -=> not <=-
to be used to crash a BBS. If I may quote a well known file, only real idiots
crash boards, except when they are run by other real idiots. The info used to
compile this file originally came from a R0dent's efforts at crashing a
popular and well-respected local BBS, for which he (a) was kicked off all
the BBS's in town, and (b) lost pretty much all his friends. For these reasons
I will not name the board that this file is based upon, nor will I mention any
specific usernames.

OK, Here is a scientific breakdown of the types of passwords that people
generally choose. It is scientific because there were (at the time) 185 users
of the BBS that these figures are drawn from, and therefore a fair deal of
accuracy can be obtained.

Male first names: 5.4%
Female first names: 4.3%

It is interesting to note that these generally are not the names of boyfriends
or girlfriends, as I encountered many male first names being used as passes
by several males, and these were not the users' real names. These guys aren't
queer, they just know that you won't likely think of a male name for their
pass when hacking.

4 to 8 letter English words: 47.6%

If you put a dictionary hacker program to a given user's account, about half
the time you will (eventually) get access. Trouble is, there are around
50 thousand such words in the language, and the diversity of words I
encountered shows that most of these passes could be anything in the
dictionary. Also, the BBS that this info came from only allows 8-char passwords.
I only encountered a few words that were truncated or abbreviated from longer
than 8 letters.

Words of 3 letters or less: 8.6%

These are the easiest to hack, because there are fewer 3 letter words. This
security laxness shows up in the figures: only 16 of the 185 users used this
kind of PW. Still, if you pick 2 or 3 accounts and hit 'em with a dictionary
hacker of 1 to 3 characters, odds are you will get 2 or 3 accounts.

Pseudo-Random sequences: 13.0%

These included randomly picked letters and/or numbers and/or punctuation. These
are nearly impossible to hack at because of the many millions of possible
combinations. Also included in this category are acronyms, foreign words, and
keyboard sequences, e.g. ZXCVBNM et al.
Statistically, you are best off not bothering to write/use a hacking program
for this type of password, although I should note that it is valid to try some
keyboard sequences manually.

Special Characters: 3.8%

These usually consisted of punctuated words, passes with control characters,
passes with up/down/left/right arrows inserted in them, compound words
separated by a special character (e.g. pass*word) etc. These are also very
difficult and unworthwhile to hack at.

Contains Users Name: 5.4%

Ten of the 185 users of the BBS that our r0dent buddy krashed used either
their pseudo, part of their pseudo, their real name, or a part of their real
name, as a password. When you are manually hacking passwords, this is not
statistically the best thing to hope for, but it is an obvious giveaway, so
it should be one of the first passes you try. It is such an obvious slipup that
if you come across such an account, then the user is an idiot and deserves to
have his account hacked.

Name of computer equipment: 0.5%

Only one user used the name of part of his system (a Radio Shack DMP series
printer) as a password. This was surprising to me because this sort of password
would be difficult to hack at because computer peripheral names usually look
like the above mentioned pseudo-random sequences, and yet would be easy for the
user to remember (after all, his pass would be right there embossed into his
computer's case, and no-one would suspect that as a password if they visited
his system). This scheme may grow in popularity; until it does don't bother
hacking this type of pass. (If, say, 5-10% of users did this sort of thing,
then it would be easy to hack a pass of this type; just find out what
computer and peripherals the guy has.)

A Number: 3.8%

Seven users used a 3 to 8 digit number as a password. The most common number
of digits was 4, and many of these started with 19 (i.e. the name of a year).
If you know a bit about the person whose account you are hacking, try the
year he got married, the year he was born, the year his kid was born, the
year he graduated high-school, the year of his car or "hog". You may even try
this year.

2 Or More Words: 7.6%

If the system you are hacking only allows 8 character passwords, you may still
encounter a lot of 2-word passes (7.6% as above) but these are somewhat hard
to hack. Sometimes the user puts a space between the words, sometimes he
doesn't. You would need a specialized dictionary hacker program to have any
success at this type of pass.

Well, I hope that helps you find a few accounts. There are two points I would
like to reinforce: (1) again, never try crashing a BBS, even though the info
in this file came directly from a BBS's userlog. (2) Repeated hacking at a
password is very visible to a sysop; only do it late at nite when he is home
asleep. Also, this is the most basic form of password theft there is. It is
the most difficult and slowest way to get a password in the hacking world, and
generally only beginning hackers use this kind of technique. But at least those
who hack this way are out getting their own accounts, rather than r0dentially
leeching off of boards.........

Some common passes before I go:

love, sex, secret, password, kill, death, mega, alpha, beta, gamma, delta,
number 1, drugs, beer, god, fuck, shit, <first names>, <music groups>, <clubs>,
<own first name>, <same as account number>, <sysop's name> ad nauseam.
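
As an added example from the sysop's side (not part of the original file), the following Python turns the weak categories above and the common-passes list into a registration-time check that rejects such passwords before they reach the userlog. The thresholds, the tiny WORDLIST stand-in for a real 4-8 letter dictionary, MIN_LEN and the function names are my own assumptions.

```python
import re

# Weak-password categories from the file above, turned into a registration-time
# check a sysop could run.  COMMON_PASSES mirrors the file's list; WORDLIST is a
# constructed stand-in for a real 4-8 letter dictionary; MIN_LEN is an assumed
# policy (the file's BBS capped passwords at 8 characters).
COMMON_PASSES = {"love", "sex", "secret", "password", "kill", "death", "mega",
                 "alpha", "beta", "gamma", "delta", "number1", "drugs", "beer",
                 "god"}
WORDLIST = {"dragon", "summer", "monkey", "shadow"}   # constructed sample
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LEN = 8

def is_keyboard_sequence(p):
    """True if p is a run of four or more adjacent keys on one keyboard row,
    typed in either direction (the file's ZXCVBNM case)."""
    return len(p) >= 4 and any(p in row or p in row[::-1]
                               for row in KEYBOARD_ROWS)

def classify(password, username="", real_name="", account_number=""):
    """Map a candidate password onto the weak categories the file describes.
    Returns the category label, or 'ok' when no weak pattern matched."""
    p = password.lower().replace(" ", "")
    if p in COMMON_PASSES:
        return "common pass"
    # Handle, real name or account number (any word of them) inside the pass.
    for hint in (username, real_name, account_number):
        for part in hint.lower().split():
            if len(part) >= 3 and part in p:
                return "contains user's name"
    if p.isdigit():
        return "a number (year)" if re.fullmatch(r"19\d\d", p) else "a number"
    if is_keyboard_sequence(p):
        return "keyboard sequence"
    if p.isalpha() and len(p) <= 3:
        return "word of 3 letters or less"
    if p in WORDLIST:
        return "dictionary word"
    if len(password) < MIN_LEN:
        return "too short"
    return "ok"

def check_policy(password, **identity):
    """Return (accepted, category) so the caller can tell the user why."""
    category = classify(password, **identity)
    return category == "ok", category
```

Pass the user's handle, real name and account number as keyword arguments so the name check covers the "contains user's name" and "same as account number" cases.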

-------------------------------------------------------------------------------
Call: Heart of Gold (604) 658-1581...10 mg Online, AE, BBS.....................
-------------------------------------------------------------------------------