A blog about generally interesting infosec stuff by Darren Fuller/Paul Marsh, SecQuest Information Security https://www.secquest.co.uk

Sunday, 16 February 2014

Forbes Cracked Passwords from Feb 2014

Did a really quick analysis of the Forbes password hashes leaked by the Syrian Electronic Army earlier. From the 1,071,734 password hashes that hashcat recognised as WordPress, 2713 were cracked in about 30 minutes.

There were no switches, GPUs, rules or anything used. I just used the unedited top 25 passwords taken from the top 10,000 list published by Mark Burnett (xato.net). -> blog post here

The results show that 975 people have 123456 as a password... some things never change! Top 25 cracked hashes follow:

fully@SQ:~/hc$ cat forbescracked.txt|cut -d : -f 2| sort|uniq -c|sort -r -n
    975 123456
    534 password
    159 qwerty
    147 12345678
    146 abc123
    111 111111
     75 letmein
     66 monkey
     64 baseball
     62 1234567
     50 shadow
     35 michael
     32 jordan
     31 dragon
     29 superman
     29 master
     28 mustang
     28 football
     25 harley
     23 jennifer
     22 696969
     21 12345
     18 1234
      2 2000
      1 pussy