ASCII Art in Password Cracking

By -
Just a quick warning but almost all the links presented here are NSFW, (more from an embarrassment factor due to ascii representations of male and female genitalia).

As pointed out in the comments of this post not all passwords are created from dictionary words or pass-phrases. One other way of creating a password is to use ascii art instead. For example:

/><{{{{">     --fish

///\oo/\\\  --spider

d[ o_0 ]b    --robot

You get the idea. Of course the most common ascii art used is that of the male genitalia. I'll spare you the examples of that on the front page of this blog ;)

The question then is what is the best way to attack these passwords? My gut feeling is that a standard dictionary based approach is the way to go, but instead of input words you can use a wordlist full of ascii art instead. To test this I googled various terms such as "ascii penis", "ascii porn", "one line ascii art", along with some actual pictures of said ascii art to collect as many examples as possible. One a side note, I hate to envision what Google thinks of me based on my browsing history...

What I found is that most people used variations of common "construction" techniques of their ascii pictures. For example the shaft is usually either '=' or '-'. There are common heads, bases, depictions of sperm, and depictions of what said ejaculation is landing on. I then threw all of this into a script and had it output all the possible different combinations. The end result is a little over 3 million examples of NSFW ascii art for use in password cracking. You can get a copy of the wordlist here. In all likelihood it's the largest collection of ascii porn on the internet. That's exactly what I thought I would be creating when I decided to go for my PhD. Sigh, at least it's better than frog fluffing, (a reference to the movie beerfest). 

The list is rather large since I included a lot of options that probably won't be used in real life, such as 'p' to represent someone with only one ball, (people on the internet are inventive, what can I say). Also spacing added quite a bit to it since in password cracking the spaces used/not used do make a difference. If you have any examples I missed please post them in the comments of the site where I'm hosting the wordlist as I'd rather avoid getting my inbox filled with depictions of ascii penises and vaginas.

The next step is to create another wordlist containing "normal" ascii art such as hearts, frogs, etc. Once I have that done I'll post that as well.

One final note. Despite all the joking, I seriously considered not writing this post or making this wordlist available since I do like to maintain a shred of dignity, professionalism, etc. The thing is, people actually create passwords this way so something like this wordlist is needed by the community. I'd really appreciate it though if you kept this post off of digg, slashdot, don't submit it for an ignobel award, etc so it stays "in-house".

Comments

Brian said…
Thanks, believe it or not I have seen ASCII art used for passwords both years ago when I worked for an ISP and more recently (when an admin typed his password in the visible username box by mistake). As "funny" as ASCII art/porn may be- much of it does meet the requirements of a strong password and is easy to remember.

I'd also venture that the majority of users familiar with ASCII art who would use it for a password are also probably more "involved" in IT and therefore cracking their accounts may subsequently yield greater "reward". In short- my original comment was no joke.
June 3, 2009 at 4:07 PM
Anonymous said…
<°-°> (')^(') ¿~ )
October 7, 2016 at 9:38 PM
Post a Comment

Popular posts from this blog

Tool Deep Dive: PRINCE

By -
Image
Tool Name: PRINCE (PRobability INfinite Chained Elements) Version Reviewed: 0.12 Author: Jens Steube, (Atom from Hashcat) OS Supported: Linux, Mac, and Windows Password Crackers Supported:  It is a command line tool so it will work with any cracker that accepts input from stdin Blog Change History: 1/4/2015: Fixed some terminology after talking to Atom 1/4/2015: Removed a part in the Algorithm Design section that talked about a bug that has since been fixed in version 0.13 1/4/2015: Added an additional test with PRINCE and JtR Incremental after a dictionary attack 1/4/2015: Added a section for using PRINCE with oclHashcat Brief Description:   PRINCE is a password guess generator and can be thought of as an advanced Combinator attack . Rather than taking as input two different dictionaries and then outputting all the possible two word combinations though, PRINCE only has one input dictionary and builds "chains" of combined words. These chains can have 1 to N wo
Read more

The RockYou 32 Million Password List Top 100

By -
But first, a quick responses to one of the previous comments, (since it really did merit a front-page post). Tfcx posted: The initial vulnerability was posted 29th November on a hacking forum called darkc0de here: http://forum.darkc0de.com/index.php?action=vthread&forum=11&topic=13082 Thanks, as that really helps narrow down the timeframe, (and reading that post and related posts was interesting if a bit depressing). The hack itself appears pretty straightforward once you see it, (like most things once the solution is presented to you it's easy, but finding it in the first place is hard). I'm still interested in the hacker Igigi, and have been tossing about all sorts of theories; but I'll refrain from posting them here since they are all pure WAGs right now. Now on to the main topic: Per Thorsheim wrote: I would like to see a comparison of Twitters 370 banned passwords against the top 370 or so passwords stolen from rockyou (http://www.techcrunch.com/2009/12/27/twi
Read more

Cracking the MySpace List - First Impressions

By -
Image
Alt Title: An Embarrassment of Riches Backstory: Sometime around 2008, a hacker or disgruntled employee managed to break into MySpace and steal all the usernames, e-mails, and passwords from the social networking site. This included information covering more than 360 million accounts. Who knows what else they stole or did, but for the purposes of this post I'll be focusing only on the account info. For excellent coverage of why the dataset appears to be from 2008 let me refer you to the always superb Troy Hunt's blog post on the subject . Side note, most of my information about this leak also comes from Troy's coverage. This dataset has been floating around the underground crime markets since then, but didn't gain widespread notoriety until May 2016 when an advertisement offering it for sale was posted to the "Real Deal" dark market website. Then on July 1st, 2016, another researcher managed to obtain a copy and then posted a public torrent of then entir
Read more