The Attacker’s Dictionary
rapid7-research-the-attackers-dictionary
rapid7-research-the-attackers-dictionary
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Figure 14: Password Complexity<br />
Complexity: 0 (20.2% of Heisenberg passwords)<br />
Complexity: 1 (38.1% of Heisenberg passwords)<br />
Complexity: 2 (18.5% of Heisenberg passwords)<br />
Crackstation 90.4% Crackstation 59.4%<br />
Crackstation<br />
11.8%<br />
Burnett<br />
70.2%<br />
Burnett<br />
41.9%<br />
Burnett<br />
50.3%<br />
Any<br />
90.7%<br />
Any<br />
62.1%<br />
Any<br />
12.8%<br />
All<br />
70.0%<br />
All<br />
39.2%<br />
All<br />
4.1%<br />
Complexity: 3 (14.3% of Heisenberg passwords)<br />
Complexity: 4 (8.9% of Heisenberg passwords)<br />
Crackstation 2.3%<br />
Crackstation 2.0%<br />
Burnett<br />
0.9%<br />
Burnett<br />
2.0%<br />
Any<br />
2.3%<br />
Any<br />
2.3%<br />
All<br />
0.9%<br />
All<br />
0.8%<br />
Ranked Password Complexity<br />
Figure 14 illustrates how complex the collected passwords are, as a body.<br />
For each complexity rating, it shows whether they appear in the CrackStation<br />
or Burnett password lists.<br />
For instance, there were 352 passwords classified as being complexity<br />
level 4, 7 of which were found in the crackstation dump, and 4 of which<br />
were found in the Burnett sample. Futhermore, 8 of the passwords were<br />
found in at least one of the password dumps, meaning that if we were to<br />
use all the available leaked passwords, we would only find 2.27% classified<br />
with a complexity value of 4. Similarly, we would find 3 (0.85%) passwords<br />
in each of the dumps.<br />
| Rapid7.com <strong>The</strong> <strong>Attacker’s</strong> <strong>Dictionary</strong>: Auditing Criminal Credential Attacks 22