Currently I am focusing on password security and password guessing. For this work I started analysing the well-known rockyou password list, which was leaked in December 2009 [wikipedia]. The list can be found from various sources, for example at SkullSecurity, which hosts a lot of other lists as well.

Taking a closer look at the passwords gives the following results:

  • 12.2% are 6-character passwords consisting only of lower-case letters
  • 8.4% are 7-character passwords consisting only of lower-case letters
  • 7.5% are 8-character passwords consisting only of lower-case letters
  • 7% are 6-character passwords consisting only of digits
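As an added example (not code from the original post), here is a small Python script that reproduces the kind of breakdown above: it classifies each password by character class and length and reports the share of each bucket. The sample list is constructed for illustration and is not taken from the rockyou leak; a real wordlist is read as latin-1 because rockyou.txt contains bytes that are not valid UTF-8.

```python
import re
import sys
from collections import Counter

# Constructed sample standing in for rockyou.txt; these entries are made up
# for illustration and are not taken from the leaked list.
SAMPLE = [
    "monkey", "shadow", "sunshine", "iloveyou", "abc123", "123456",
    "654321", "letmein", "princess", "qwerty", "Password1", "p@ssw0rd",
    "football", "dragon", "trustno1", "111111", "baseball", "master",
    "000000", "whatever",
]

# Mutually exclusive character classes, checked in order: a password that
# matches an earlier pattern is not counted again by a later one.
CLASSES = [
    ("lower",  re.compile(r"[a-z]+")),          # a-z only
    ("digits", re.compile(r"[0-9]+")),          # 0-9 only
    ("alnum",  re.compile(r"[A-Za-z0-9]+")),    # letters and digits, any case
]


def classify(pw):
    """Return (character class, length) for one password; 'other' covers
    anything containing a character outside [A-Za-z0-9]."""
    for name, pattern in CLASSES:
        if pattern.fullmatch(pw):
            return name, len(pw)
    return "other", len(pw)


def distribution(passwords):
    """Share of every (class, length) bucket as a fraction of all passwords."""
    passwords = list(passwords)
    counts = Counter(classify(pw) for pw in passwords)
    total = len(passwords)
    return {bucket: n / total for bucket, n in counts.items()}


def share(passwords, cls, length):
    """Fraction of passwords in one bucket, e.g. share(pws, 'lower', 6)."""
    return distribution(passwords).get((cls, length), 0.0)


def load_wordlist(path):
    """Read one password per line. rockyou.txt contains bytes that are not
    valid UTF-8, so decode as latin-1 (every byte maps to a code point)
    instead of letting a UnicodeDecodeError abort the run; skip empty lines."""
    with open(path, encoding="latin-1") as fh:
        return [line.rstrip("\r\n") for line in fh if line.strip()]


def report(passwords, top=5):
    """Print the largest buckets, most common first, as the post does."""
    dist = distribution(passwords)
    ranked = sorted(dist.items(), key=lambda kv: -kv[1])[:top]
    for (cls, length), frac in ranked:
        print(f"{frac * 100:5.1f}% are {cls} passwords of length {length}")


if __name__ == "__main__":
    # Pass a wordlist path to analyse a real file; with no argument the
    # constructed sample is used.
    words = load_wordlist(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    report(words)
```

Run it as `python3 analyse.py rockyou.txt` to get the real figures; note that the buckets are exclusive, so "lower-case, 6 letters" does not include mixed entries like abc123, which is how the percentages above should be read.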

As a small performance test I took a list of raw MD5 hashes and asked John the Ripper to brute-force all lower-case words of up to 8 letters, i.e. from a to zzzzzzzz. John finished after around 5 hours, hashing roughly 2.4 million candidates per second. The test ran on a Compaq nx9420 running Gentoo Linux. Testing the digits from 0 to 99999999 took an additional 42 seconds.

These numbers bring us to the point:

  • use long passwords (10+ characters)
  • use lower-case and upper-case letters
  • use digits
  • use special characters!

Each of these measures enlarges the keyspace an attacker has to search, which makes your password harder to guess and helps protect your data.
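As an added example, not code from the original post, the following Python works out the keyspaces behind the timing test above and behind each of the four recommendations, at the post's rate of 2.4 million candidates per second. At that rate the 10^8 eight-digit strings take about 42 seconds, matching the measurement, while the 26^8 strings of exactly eight lower-case letters take about 24 hours. The set of 32 special characters (printable ASCII punctuation) and the round figure of 10^10 candidates/s for a single current GPU on raw MD5 are assumptions, not numbers from the post.

```python
# Alphabet sizes for the character classes in the post. The count of 32
# special characters is an assumption (printable ASCII punctuation);
# password policies differ on what they allow.
LOWER = 26
UPPER = 26
DIGITS = 10
SPECIAL = 32

# Candidate rate reported in the post for raw MD5 with John on the nx9420.
RATE_NX9420 = 2.4e6
# Assumed round figure for one current GPU on raw MD5 (not from the post).
RATE_GPU = 1e10


def keyspace(alphabet_size, max_len, min_len=1):
    """Number of candidates of length min_len..max_len over the alphabet.
    keyspace(26, 8) is the 'a' to 'zzzzzzzz' run from the post;
    keyspace(10, 8, 8) is exactly the 10**8 eight-digit strings."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space, rate):
    """Worst-case time to try every candidate at `rate` hashes per second."""
    return space / rate


def fmt_duration(seconds):
    """Human-readable duration, rounded, for the table below."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare(rate, max_len=8):
    """Exhaust time for the two runs the post measured and for the post's
    recommendations applied one at a time. Returns (label, keyspace,
    seconds) tuples in the order listed."""
    all_four = LOWER + UPPER + DIGITS + SPECIAL
    rows = [
        ("digits, exactly 8",            keyspace(DIGITS, 8, 8)),
        ("lower-case, up to 8",          keyspace(LOWER, max_len)),
        ("upper+lower, up to 8",         keyspace(LOWER + UPPER, max_len)),
        ("upper+lower+digits, up to 8",  keyspace(LOWER + UPPER + DIGITS, max_len)),
        ("all four classes, up to 8",    keyspace(all_four, max_len)),
        ("all four classes, up to 10",   keyspace(all_four, 10)),
    ]
    return [(label, space, seconds_to_exhaust(space, rate)) for label, space in rows]


if __name__ == "__main__":
    for rate in (RATE_NX9420, RATE_GPU):
        print(f"--- {rate:,.0f} candidates/s ---")
        for label, space, secs in compare(rate):
            print(f"{label:32s} {space:24,d}  {fmt_duration(secs)}")
```

Two caveats when reading the table: exhausting the keyspace is the worst case, and a randomly chosen password falls on average halfway through it; and an attacker rarely starts with brute force at all. The percentages at the top of this post are exactly why: a wordlist plus a few mangling rules recovers the short lower-case and all-digit entries long before any exhaustive search would, so a longer password drawn from all four classes only helps if it is not itself a dictionary word with predictable substitutions.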