Rootkit.com Password Analysis
| Length | Occurences | Percentage |
| 1 | 16 | 0.04% |
| 2 | 20 | 0.05% |
| 3 | 270 | 0.64% |
| 4 | 1444 | 3.41% |
| 5 | 2646 | 6.24% |
| 6 | 16424 | 38.76% |
| 7 | 8258 | 19.49% |
| 8 | 9786 | 23.09% |
| 9 | 2029 | 4.79% |
| 10 | 971 | 2.29% |
| 11 | 250 | 0.59% |
| 12 | 157 | 0.37% |
| 13 | 62 | 0.15% |
| 14 | 23 | 0.05% |
| 15 | 8 | 0.02% |
| 16 | 3 | 0.01% |
| 17 | 1 | 0.00% |
| 18 | 0 | 0.00% |
| 19 | 2 | 0.00% |
| 20 | 4 | 0.01% |
Password Entropy:
Entropy of various cracked passwords was calculated using Eric Monti’s rbkb‘s entropy function that performs chi-square calculation. Clearly, higher the entropy, lesser chances that your password will be guessed or cracked. Having said that, how easy is to remember and key in the passwords that are extremely random and are more than 16 characters in length?
| Entropy | Count |
| 0 to <1 | 1620 |
| 1 to <2 | 7388 |
| 2 to <3 | 32071 |
| 3 to <4 | 1292 |
| 4 to <5 | 3 |
| 5 to <6 | 0 |
| 6 to <7 | 0 |
Cracked Passwords with Highest Entropy:
Certain cracked passwords had entropy in excess of 4 bits. Table below lists down the cracked passwords with highest entropy. A good dictionary allowed JTR to crack most of the passwords.
| # | Entropy | Password |
| 1 | 4.321928095 | q1w2e3r4t5y6u7i8o9p0 |
| 2 | 4.321928095 | 1234567890qwertyuiop |
| 3 | 4.321928095 | 1q2w3e4r5t6y7u8i9o0p |
| 4 | 4 | 1234qwerasdfzxcv |
| 5 | 3.807354922 | abcdefg1234567 |
| 6 | 3.700439718 | qwertyuiop123 |
| 7 | 3.700439718 | superman12345 |
| 8 | 3.700439718 | 1qazxcvbnm,./ |
| 9 | 3.664497779 | kingoftheworld |
| 10 | 3.664497779 | qwertyuiop[]\\ |
| 11 | 3.584962501 | !@#$%^&*()_+ |
| 12 | 3.584962501 | fucktheworld |
| 13 | 3.584962501 | 1q2w3e!Q@W#E |
| 14 | 3.584962501 | qazxswedcvfr |
| 15 | 3.584962501 | 123qweasdzxc |
| 16 | 3.584962501 | 1qazxsw23edc |
| 17 | 3.584962501 | q1w2e3r4t5y6 |
| 18 | 3.584962501 | asdfghjkl;\’ |
| 19 | 3.584962501 | qwerty123456 |
| 20 | 3.584962501 | 4rfv5tgb6yhn |
| 21 | 3.584962501 | qwe123rty456 |
| 22 | 3.584962501 | 1qaz2wsx3edc |
| 23 | 3.584962501 | 1a2b3c4d5e6f |
| 24 | 3.584962501 | 123456qwerty |
| 25 | 3.584962501 | 1q2w3e4r5t6y |
Password Distribution:
Finally, I looked at password distribution. An overwhelming 51% of cracked passwords were only in lowercase, this was followed by only numeric passwords close to 24%. Passwords using uppercase alphabets along with numerics were least favorite.
| Password Type | Percentage Share |
| Only Lowercase | 51.81 |
| Lowercase AND Numerals | 23.92 |
| Only Numeric | 19.9 |
| Alphabets (Uppercase AND Lowercase) | 1.32 |
| Alphanumeric | 1.25 |
| Passwords With Special Characters | 1.11 |
| Only Uppercase | 0.45 |
| Uppercase AND Numerals | 0.24 |
*** This is a Security Bloggers Network syndicated blog from Random Security authored by Gursev Singh Kalra. Read the original post at: http://gursevkalra.blogspot.com/2011/02/rootkitcom-password-analysis.html
