Sunday, December 22, 2013

How I Keep Track of My Passwords

We all know that you shouldn't re-use the same password on different websites, but this is extremely difficult in practice considering the number of sites people use today.  Password managers were developed to help solve the problem of remembering passwords.  Some examples are KeePass, Password Safe, and LastPass.  They work fine for many people.  However, I personally don't like the idea of depending on a password manager.  I want the ability to pull the correct password out of my brain in case I'm ever in a situation where I don't have access to the password manager.  There's also a risk that your passwords could be compromised (this is true about any data that is stored, encrypted or not).

I have over 100 different passwords, but I don't have any problem remembering them.  I don't write them down or use any sort of password manager.  I came up with a system that enables me to remember my passwords.  It works for me, so I'm sharing the technique in case anyone else thinks it might be helpful.

With my system, you only have to remember two things.
  1. A core password.
  2. Your scheme.

First, come up with a strong core password of about 8 or 9 characters.  This core piece should be random gibberish and needs to have a lowercase letter, an uppercase letter, a number, and a special character.  An example is kM92ax4!. Whatever you decide upon, memorize it.

Second, pick a scheme based on the website's domain name.  The scheme is used to supplement your core password.  As a simple example, your scheme could use the last 3 characters of the site's domain, add one letter to each (this is actually an encryption technique called "ROT1"), and append this to your core password.  

So for the site "www.verizonwireless.com", we see the last 3 characters of the domain are "ess".  Therefore the 3 additional characters would be "ftt" and your final password is kM92ax4!ftt.

For sprint.com, your final password is kM92ax4!jou.

For att.com, your final password is kM92ax4!buu.

Come up with a any scheme you want as long as it's based on the website domain.  Here are some other possibilities:

  • Prepend the first character to your core password/append the last two 
  • Capitalize one or two of the letters
  • Subtract two letters ("ROT24" encryption) instead of adding one
  • Look at the first two chars + last char of the domain, instead of the last three
You get the idea. The scheme remains constant, but your password changes.  Whatever you decide, never tell anyone your core password or your scheme.

My system isn't perfect.  It doesn't work on sites that have a short maximum password length (like 10) or onerous password requirements (like requiring you to change it every 90 days).  But overall it has worked great for me.

Sunday, December 8, 2013

Wordlists for Common Usernames

I made some wordlists a while ago containing common usernames.  They have proven very useful to me when doing application penetration testing, specifically they are great to use as the payload for Burp Intruder.

I created the lists by taking the 10,000 most common last names in the United States and prepending a single letter (for example "dferguson" appears in the usernames-d.txt wordlist).  There are wordlists for all letters except "i", "q", "x", and "z" (frankly, there aren't many first names that begin with those letters so it's a waste of time to try them).

 Click here to get the username wordlists (zip)

One scenario where you might leverage these wordlists is a web application where the login page returns a different error message depending if a valid username is received versus and invalid username.  Run Intruder on the login request and you can probably reap a nice set of valid accounts.

You'll also find a special wordlist called usernames-top100-each-letter.txt.  This is perfect when you have limited time and want to maximize your potential to find a valid account.  And there's another list called usernames-generic.txt, which could help you discover some test accounts.  Of course you can combine these wordlists any way you want (even concatenate them together and try the whole darn thing).

Things get a little more complex if the web app requires an email address for login.  You could certainly append "@gmail.com", "@yahoo.com", "@aol.com", etc. to the usernames.  Separate wordlists could be created for each email domain, or you could just leverage the power of Burp Intruder to append the domain on the fly.