Sunday, December 22, 2013

How I Keep Track of My Passwords

We all know that you shouldn't re-use the same password on different websites, but this is extremely difficult in practice considering the number of sites people use today.  Password managers were developed to help solve the problem of remembering passwords.  Some examples are KeePass, Password Safe, and LastPass.  They work fine for many people.  However, I personally don't like the idea of depending on a password manager.  I want the ability to pull the correct password out of my brain in case I'm ever in a situation where I don't have access to the password manager.  There's also a risk that your passwords could be compromised (this is true about any data that is stored, encrypted or not).

I have over 100 different passwords, but I don't have any problem remembering them.  I don't write them down or use any sort of password manager.  I came up with a system that enables me to remember my passwords.  It works for me, so I'm sharing the technique in case anyone else thinks it might be helpful.

With my system, you only have to remember two things.

  1. Your "core" password.
  2. Your scheme.
First, come up with a strong core password of about 8 or 9 characters.  This core piece should be gibberish and needs to have a combination of lowercase letters, uppercase letters, and numbers.  An example is kM92ax43. Whatever you decide upon, memorize it.

Second, pick a scheme based on the website's domain name.  The scheme will be used to supplement your core password.  As a simple example, you could look at the last 3 characters of the site's domain, add one letter to each (this is actually an encryption technique called "ROT1"), and append this to your core password.  So, for the site "", we see the last 3 characters of the domain are "ess".  Therefore the 3 additional characters would be "ftt" and your final password becomes kM92ax43ftt.

For, your final password is kM92ax43jou.

For, your final password is kM92ax43buu.

Tweak your scheme however you want before finalizing it.  Some possibilities:
  • Prepend the first character to your core password/append the last two 
  • Capitalize one or two of the letters
  • Subtract two letters ("ROT24" encryption) instead of adding one
  • Look at the first two chars + last char of the domain, instead of the last three
You get the idea. The scheme remains constant, but your password changes.  Whatever you decide, never tell anyone your core password or your scheme.

P.S.  My system isn't perfect.  It doesn't work on sites that have a short maximum password length (like 10) or have onerous password requirements (like requiring a special character).  It also doesn't work for my Windows domain account or my home router where I'm not actually logging into a website.  I treat these as exceptions and remember them separately.  I do keep notes about exceptions as well, but I rarely need to refer to them.


Sunday, December 8, 2013

Wordlists for Common Usernames

I made some wordlists a while ago containing common usernames.  They have proven very useful to me when doing application penetration testing, specifically they are great to use as the payload for Burp Intruder.

I created the lists by taking the 10,000 most common last names in the United States and prepending a single letter (for example "dferguson" appears in the usernames-d.txt wordlist).  There are wordlists for all letters except "i", "q", "x", and "z" (frankly, there aren't many first names that begin with those letters so it's a waste of time to try them).

 Click here to get the username wordlists (zip)

One scenario where you might leverage these wordlists is a web application where the login page returns a different error message depending if a valid username is received versus and invalid username.  Run Intruder on the login request and you can probably reap a nice set of valid accounts.

You'll also find a special wordlist called usernames-top100-each-letter.txt.  This is perfect when you have limited time and want to maximize your potential to find a valid account.  And there's another list called usernames-generic.txt, which could help you discover some test accounts.  Of course you can combine these wordlists any way you want (even concatenate them together and try the whole darn thing).

Things get a little more complex if the web app requires an email address for login.  You could certainly append "", "", "", etc. to the usernames.  Separate wordlists could be created for each email domain, or you could just leverage the power of Burp Intruder to append the domain on the fly.


  © Blogger templates The Professional Template by 2008

Back to TOP