The old database hashed its passwords with SHA-1, but did not salt them. Looking at the old users table, I wondered how well the rainbow table approach would work, using Google as a big rainbow table: just feed the hash into the search field and see what comes up.
Here are the results:
| SHA-1 hash (unsalted) | Clear text | Count |
|---|---|---|
| 7C4A8D09CA3762AF61E59520943DC26494F8941B | 123456 | 36 |
| 9C2028963DC9F7FBB4CB30140428A210C61DBB2C | wachtwoord | 24 |
| 9CF95DACD226DCF43DA376CDB6CBBA7035218921 | azerty | 22 |
| 62E839476B23E579EFB96B47391599FFCA4CFA94 | ? | 18 |
| 7110EDA4D09E062AA5E4A390B0A572AC0D2C0220 | 1234 | 18 |
| F001F2E438738807D3079BFFAF66519B9D0F26C7 | azqswx | 16 |
| F7C3BC1D808E04732ADF679965CCC34CA7AE3441 | 123456789 | 16 |
| D18C9E9DCCE902D6A3E21E72BADA443AC294CB5F | Paswoord | 15 |
| FDA48D6A63F351DC46D411336DE4BA33F77B66F5 | voetbal | 14 |
| D22BC6BAD61129B636AFFA2511B3CE522CD74BB3 | brecht | 13 |
| EE8D8728F435FD550F83852AABAB5234CE1DA528 | iloveyou | 12 |
| 48F285F9A1E15CB6240506182A3C08AEDD639F26 | dansen | 11 |
The count is the number of users who chose that password. The users spoke Dutch and used AZERTY keyboards. Of the top 12, I found all but one with a Google search. This is why you salt your passwords.
Mind you, it's also a reason to implement a decent password policy. One that does not allow '1234'.
I really wonder about that one I wasn't able to find, though. Must be some Dutch word.
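To make the point concrete, here is an added example (my own code, not from the original post) that reproduces the lookup the table above relies on and contrasts it with per-user salting. It recomputes unsalted SHA-1 over a constructed subset of the rows to show that identical passwords yield one identical, searchable digest, then stores the same password for several users with a random salt and PBKDF2 (assumed as a stand-in for bcrypt/scrypt/Argon2) so that no two stored values match.

```python
import hashlib
import hmac
import os

# Constructed subset of the post's table: (SHA-1 hex digest, clear text, user count).
# The row whose clear text was never found is left out.
OLD_TABLE = [
    ("7C4A8D09CA3762AF61E59520943DC26494F8941B", "123456", 36),
    ("7110EDA4D09E062AA5E4A390B0A572AC0D2C0220", "1234", 18),
    ("F7C3BC1D808E04732ADF679965CCC34CA7AE3441", "123456789", 16),
    ("EE8D8728F435FD550F83852AABAB5234CE1DA528", "iloveyou", 12),
]

PBKDF2_ITERATIONS = 200_000  # demo value; follow your platform's current guidance

def unsalted_sha1(password: str) -> str:
    """The old scheme: one deterministic digest per password, identical for every user and site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def audit_unsalted(rows):
    """Clear texts whose plain SHA-1 reproduces the stored digest.

    Each match is a digest that a search engine or wordlist maps straight back to the
    password. The count column shows the second problem: 36 users with the same
    password share one stored value, so recovering it once recovers all of them.
    """
    return [clear for digest, clear, _ in rows if unsalted_sha1(clear) == digest]

def salted_hash(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns (salt, digest) to store together."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored)

def distinct_stored_values(password: str, users: int) -> tuple:
    """Distinct stored values that `users` accounts sharing one password produce under each
    scheme: unsalted SHA-1 always gives 1, salted hashing gives one per user."""
    unsalted = {unsalted_sha1(password) for _ in range(users)}
    salted = {salted_hash(password)[1] for _ in range(users)}
    return len(unsalted), len(salted)

if __name__ == "__main__":
    print("rows reproducible from plain SHA-1:", audit_unsalted(OLD_TABLE))
    print("distinct stored values, 5 users of '123456':", distinct_stored_values("123456", 5))
```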