February 26, 2020

Weak in, Weak out: Keeping Password Lists Current

Written by @nyxgeek


When performing brute-force attacks, our first instinct is to reach for the current season and year, e.g., Winter20 or Winter2020. But it's important to keep in mind that many organizations use a 90-day password change window, and 90 days can be a deceptively long time. For instance, as of today, February 25, 2020, the oldest passwords in such an organization would date from the end of November. It's possible that a user has a November19 or Fall2019 password set.

To make the task of creating weak password lists a little easier, I've created weakpasswords.net (and south.weakpasswords.net for our friends in the Southern Hemisphere). This site displays a list of candidate passwords for brute-force attacks based on the current date and is updated daily via a cron job.

The code is available on GitHub (https://github.com/nyxgeek/weakpass_generator) and is easily modified. Each month has an array of base words defined. For example, November has the following base words:

November
Fall
Autumn
Winter
Thanksgiving

There is another array defined that consists of popular suffixes. These include:

SHORTYEAR (e.g., 19)
LONGYEAR (e.g., 2019)
SHORTYEAR!
LONGYEAR!
1
123
@SHORTYEAR
@LONGYEAR

Again, this is easily modified to include your favorite endings. Happy hacking!
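The same date-driven rule can be applied defensively, as a banned-password check in a password filter or audit script. The following is an added example, my own code rather than the weakpass_generator project's: it works out which months a still-valid password could reference from a 90-day change window, expands the SHORTYEAR/LONGYEAR suffix placeholders, and flags any candidate that matches. Only November's base words come from the post; the other months' words are assumptions.

```python
from datetime import date, timedelta

# Base words per month. Only the November entry is taken from the post; the
# other months are constructed assumptions, not the weakpass_generator tables.
MONTH_WORDS = {
    1: ["January", "Winter"], 2: ["February", "Winter"], 3: ["March", "Spring"],
    4: ["April", "Spring"], 5: ["May", "Spring"], 6: ["June", "Summer"],
    7: ["July", "Summer"], 8: ["August", "Summer"],
    9: ["September", "Fall", "Autumn"], 10: ["October", "Fall", "Autumn"],
    11: ["November", "Fall", "Autumn", "Winter", "Thanksgiving"],
    12: ["December", "Winter", "Christmas"],
}

# Suffix patterns from the post; SHORTYEAR/LONGYEAR stand in for the year.
SUFFIXES = ["SHORTYEAR", "LONGYEAR", "SHORTYEAR!", "LONGYEAR!",
            "1", "123", "@SHORTYEAR", "@LONGYEAR"]

def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value

def months_in_window(as_of, window_days=90):
    """(year, month) pairs, newest first, that fall inside the change window."""
    as_of = _as_date(as_of)
    months = []
    oldest = as_of - timedelta(days=window_days)
    day = as_of
    while day >= oldest:
        if (day.year, day.month) not in months:
            months.append((day.year, day.month))
        day -= timedelta(days=1)
    return months

def expand_suffix(suffix, year):
    """Substitute the year placeholders, e.g. '@SHORTYEAR' -> '@19' for 2019."""
    return suffix.replace("LONGYEAR", str(year)).replace("SHORTYEAR", f"{year % 100:02d}")

def candidate_passwords(as_of, window_days=90):
    """Every base word + suffix combination a still-valid password could carry."""
    candidates = set()
    for year, month in months_in_window(as_of, window_days):
        for word in MONTH_WORDS[month]:
            for suffix in SUFFIXES:
                candidates.add(word + expand_suffix(suffix, year))
    return candidates

def is_seasonal_weak(password, as_of=None, window_days=90):
    """Case-insensitive banned-password check for a password filter or audit."""
    as_of = _as_date(as_of) if as_of else date.today()
    banned = {c.lower() for c in candidate_passwords(as_of, window_days)}
    return password.lower() in banned
```

Note that the year is bound to the month it belongs to, so on February 25, 2020 the check flags November19 but not November20, matching the post's reasoning about the window.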