Password mutations
Last updated
Last updated
Many people create their passwords according to simplicity instead of security. To eliminate this human weakness that often compromises security measures, password policies can be created on all systems that determine how a password should look.
many employees often select passwords that can have the company's name in the passwords. A person's preferences and interests also play a significant role. These can be pets, friends, sports, hobbies, and many other elements of life. OSINT information gathering can be very helpful for finding out more about a user's preferences and may assist with password guessing.
Commonly, users use the following additions for their password to fit the most common password policies:
Based on statistics provided by WPengine, most password lengths are not longer than ten characters. So what we can do is to pick specific terms that are at least five characters long and seem to be the most familiar to the users, such as the names of their pets, hobbies, preferences, and other interests. If the user chooses a single word (such as the current month), adds the current year, followed by a special character, at the end of their password, we would reach the ten-character password requirement.
We can use a very powerful tool called Hashcat to combine lists of potential names and labels with specific mutation rules to create custom wordlists.
Hashcat mutation syntax
Hashcat will apply the rules of custom.rule for each word in password.list and store the mutated version in our mut_password.list accordingly. Thus, one word will result in fifteen mutated words in this case.
Hashcat and John come with pre-built rule lists that we can use for our password generating and cracking purposes. One of the most used rules is best64.rule, which can often lead to good results.
Existing rules examples:
-d depth to spider
-m minimum length of the word
--lowercase storage of the found words in lowercase
-w output
11 chars min, alphanumeric and punctuation:
Description
Password Syntax
First letter is uppercase.
Password
Adding numbers.
Password123
Adding year.
Password2022
Adding month.
Password02
Last character is an exclamation mark.
Password2022!
Adding special characters.
P@ssw0rd2022!
Function
Description
:
Do nothing.
l
Lowercase all letters.
u
Uppercase all letters.
c
Capitalize the first letter and lowercase others.
sXY
Replace all instances of X with Y.
$!
Add the exclamation character at the end.