Linked-“Be great at what you do”-In, bringing you modern social networking with less than modern password protection – worse, in fact, than 1970s UNIX. The passwords in this dump were not only hashed without a slow, well-known password hashing scheme like PBKDF2, they weren’t even salted. As a historical reference, salted password hashes go back to the crypt(3) of Seventh Edition UNIX in 1979; FreeBSD’s MD5-crypt added longer salts and iteration around 1994. Unsalted SHA-1 means one hash per guess checks every account in the dump at once.
It also appears some users are confused as to what constitutes a good password. Length? Characters? Punctuation? Phrases? An unfortunate number of users went for length, but couldn’t be bothered hitting the shift key, space bar, or one of those numbers above qwerty.
I sat down for 20 minutes with shasum and grep – and my bookshelf for inspiration – to guess some possible passwords without resorting to a brute-force dictionary crack.
grep `echo -n myownpassword | shasum | cut -c6-40` SHA1.txt
The grep/shasum trick works on any Unix-like command line. The cut -c6-40 keeps only characters 6 through 40 of the SHA-1 hex digest because the dump had the first five hex characters zeroed out on hashes that had already been cracked, so only the tail of the digest is reliable for matching (it also means a hit only tells you the password is in the dump, not whose it is). John the Ripper is the usual tool for password cracking if you’d rather not get into GPU-accelerated rigs.
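The same check as a script, added here as an example rather than code from the original post: it builds a constructed stand-in dump (one SHA-1 hex digest per line, every other entry masked with 00000 the way cracked hashes were in the real dump), matches a list of guesses on the 35-character digest tail exactly as cut -c6-40 does, and then contrasts that with a salted PBKDF2 store where the same password gives two users two different records and a precomputed guess buys the attacker nothing. The plaintexts used to build the sample dump, the guess list, and the iteration count are all assumptions for the demonstration.

```python
"""Check candidate passwords against an unsalted SHA-1 dump the way the
grep/shasum one-liner does, then contrast it with a salted PBKDF2 store.

Added example, not code from the original post. The dump below is
constructed for the demonstration and is not taken from any real leak."""
import hashlib
import hmac
import os

# Constructed stand-in for a leaked dump; these plaintexts exist only to build it.
_LEAKED_PLAINTEXTS = ["tardis", "doctorwho", "itsatrap", "myprecious", "onering"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password as lowercase hex, which is what the dump stores."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_sample_dump() -> str:
    """One hex digest per line. Every other entry has its first five hex
    characters overwritten with '00000', mimicking dumps where already
    cracked hashes are masked; that is why the post's one-liner uses
    cut -c6-40 instead of matching the whole digest."""
    lines = []
    for i, pw in enumerate(_LEAKED_PLAINTEXTS):
        digest = sha1_hex(pw)
        if i % 2 == 0:
            digest = "00000" + digest[5:]
        lines.append(digest)
    return "\n".join(lines) + "\n"


def parse_dump(text: str) -> set:
    """Return the set of 35-character digest tails (hex characters 6..40),
    skipping blank or malformed lines."""
    tails = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if len(line) == 40 and all(c in "0123456789abcdef" for c in line):
            tails.add(line[5:])
    return tails


def find_matches(guesses, tails: set) -> set:
    """Guesses whose SHA-1 tail appears in the dump. One hash per guess is
    enough to test every account at once because nothing is salted."""
    return {g for g in guesses if sha1_hex(g)[5:] in tails}


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash as a password store should use (iteration count assumed)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations).hex()


def salted_store(passwords, salt_len: int = 16) -> list:
    """Per-user random salt plus PBKDF2 digest: same password, different records."""
    records = []
    for pw in passwords:
        salt = os.urandom(salt_len)
        records.append((salt, pbkdf2_hex(pw, salt)))
    return records


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(pbkdf2_hex(password, salt), stored)


if __name__ == "__main__":
    tails = parse_dump(build_sample_dump())
    guesses = ["tardis", "badwolf", "itsatrap", "fearisthemindkiller", "onering"]
    print("guesses found in the unsalted dump:", sorted(find_matches(guesses, tails)))
    store = salted_store(["tardis", "tardis"])
    print("same password, distinct salted records:", store[0][1] != store[1][1])
    print("verify tardis / badwolf against user 0:",
          verify_salted("tardis", store[0]), verify_salted("badwolf", store[0]))
```

The unsalted path hashes each guess exactly once and compares against every row; with the salted store the attacker would have to redo the PBKDF2 work per user, per guess, which is the whole point of salting and iterating.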
I love sci-fi and fantasy. I still run an RPG on a weekly basis; there’s no dust on my polyhedrals. Speaking of RPGs, I started the guesswork with 1st Edition AD&D terms only to strike out after a dozen tries, but the 2nd Edition references fared better:
waterdeep – Undermountain was awesome, unlike your password.
menzoberranzan – Yeah, mister dual-scimitars shows up in the list, too. This single-handedly killed the Ranger class for me. (Er, not before I had about three Rangers with dual longswords; ‘cause that was totally different…)
No one seems to have taken “1stEditionAD&D”. Maybe that’ll be my new password – 14 characters, a number, a symbol, what’s not to love? Aside from this retroactive revelation?
tardis – Come on, that’s not even eight characters. Would tombaker or jonpertwee approve? I don’t think so. But no williamhartnell? Have you no sense of history? Even for a Time Lord?
doctorwho – Longer, but…um…we just covered this.
badwolf – Cool, some Jack Harkness fans out there, but still not eight characters.
torchwood – Love the show, but your anagram improves nothing.
kar120c – I’m glad there’s a Prisoner fan out there. It was a cool series with a mind-blowingly bizarre, pontificating, intriguing ending that demands discussion. However, not only is that password short, it even shows up in my book. I should find out who it was and send them a signed copy.
itsatrap – Seriously? You chose a clichéd, meme-laden movie quote that short? And you couldn’t be bothered with an exclamation point at the end? At least you chose a line from the best of the three movies.
myprecious – Not anymore.
onering – Onering? While you were out onering your oner a password cracker was cracking your comprehension of LotR. By the way, hackers have also read earthsea, theshining and darktower. Hey, they’ve got good taste.
I adore the Dune books. Dune is near the top of my favorites. Seems I’m not the only fan:
benegesserit – Don’t they have some other quotes? Something about fear?
fearisthemindkiller – Heh, even the hackers hadn’t cracked that one yet. Referencing The Litany Against Fear would have been a nice move except that if “fear is the mind killer” then “obvious is the password.”
entersandman, blackened, dyerseve – What are you going to do when you run out of Metallica tracks? Use megadeath? It’s almost sadbuttrue. And jethrotull beat them at the Grammys. So, there.
loveiskind – Love is patient, love is kind, hackers aren’t stupid, passwords they find.
h4xx0r – No, probably not.
notmypassword – Actually, it is. At least you didn’t choose a 14-character secretpassword. That would just be dumb.
stevejobs – Now how is he going to change his password?