It was a run on John the Ripper that sparked off this exercise, we were checking the quality of Osirium generated passwords and were surprised at some of the human passwords it cracked. Since we’re a security company many of our passwords are quite obtuse!
We think that the main issue is that a human’s have to use their brain to recall a password whereas Osirium has it’s secure database. The brain wants some sort of pattern it can lock onto, and it would appear that these patterns translate into rainbow lists very well.
Here’s the two heat maps that we generated, bear in mind that Osirium will create the longest password that a device or system will allow and a human often goes for the minimum a system policy will allow, therefore there are more characters in the Osirium sample set. The human passwords were taken from one of the recent breaches of a social media site.
Obviously we were pleased to find that John the Ripper didn’t crack any of the Osirium Generated Passwords. We can infer from the heat maps that
- Humans invent short passwords that contain dictionary words.
- Many human passwords start with a lowercase ‘a’.
- For humans, vowels are popular, particularly as the first character. ‘2’ is their most popular digit.
- Human passwords rarely exceed 10 characters