500 worst passwords

Author: Martin Voelk
January 7, 2016

Some pentesters think far too complicated. At security conferences, when the talk turns to passwords, I often hear other security experts describe gigabytes of rainbow tables in all sorts of languages, mixed with special characters, and how to brute force with them. Let’s take a step back here.

Why not try the low-hanging fruit first in a pentest? It sounds basic, but it holds true: so many users simply use the most basic passwords and maybe, just maybe, start with a capital letter or append 123.

Whenever we do a pentest for a client that involves password brute forcing, we always start with the 500 worst passwords. Here are some statistics. Of all the pentests we ran against WordPress admin panels in 2015, one of those 500 worst passwords combined with the admin user succeeded on more than 40% of the tested sites. Yes, for the other 60% you often need more sophisticated wordlists and permutations, but even then another 35% opened their doors. That means only around 25% have genuinely sophisticated passwords, where brute forcing does not lead to success in a reasonable timeframe.
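The defensive counterpart to this finding is a registration or password-change hook that rejects any password on the worst-500 list, including the trivial dressing-up mentioned above (a leading capital, an appended 123). The example below is added here and is not the author's code; the short list inside it is a constructed sample standing in for the full gist.

```python
import re

# Constructed sample standing in for the 500-worst list; in practice load the
# full list (one password per line, lower-cased) into this set.
WORST_PASSWORDS_SAMPLE = {
    "password", "123456", "qwerty", "letmein", "admin", "welcome", "monkey",
}

# Trailing digit run such as "123" or "2016" that users append to a base word.
_TRAILING_DIGITS = re.compile(r"\d+$")


def base_forms(candidate: str) -> set[str]:
    """Return the candidate plus the forms left after undoing trivial
    variations: lower-casing (undoes a leading capital) and dropping a
    trailing digit run. All forms are compared against the blocklist."""
    forms = {candidate, candidate.lower()}
    stripped = _TRAILING_DIGITS.sub("", candidate)
    if stripped:  # an all-digit password like "123456" strips to nothing
        forms.add(stripped)
        forms.add(stripped.lower())
    return forms


def is_blocklisted(candidate: str, blocklist=WORST_PASSWORDS_SAMPLE) -> bool:
    """True if the candidate is a blocklisted password or a trivial variant
    of one (e.g. "Password123" or "Welcome1" for "password" / "welcome")."""
    return any(form in blocklist for form in base_forms(candidate))


def check_password(candidate: str, blocklist=WORST_PASSWORDS_SAMPLE) -> str:
    """Verdict string for a password-policy hook: "ok" or a rejection reason."""
    if is_blocklisted(candidate, blocklist):
        return "reject: matches a known-worst password or a trivial variant"
    return "ok"


if __name__ == "__main__":
    for pw in ["Password123", "123456", "Welcome1", "tr0ub4dor&3"]:
        print(f"{pw!r}: {check_password(pw)}")
```

The same function doubles as an audit helper: run it over exported user passwords at reset time to find the accounts a worst-500 attempt would have opened.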

For those interested in the 500 worst passwords, take a look here: https://gist.github.com/djaiss/4033452

Maybe you’ll find a password you use? 😉