8/13/2019 Profiling User Passwords on Social Networks
The information contained in or accompanying this document is intended only for the use of the stated recipient and may contain
information that is confidential and/or privileged. If the reader is not the intended recipient or the agent thereof, you are hereby
notified that any dissemination, distribution, or copying of this document is strictly prohibited and may constitute a breach of
confidence and/or privilege. If you have received this document in error, please notify us immediately. Any views or opinions
presented are solely those of the author and do not necessarily represent those of SecureState, LLC.
Profiling User Passwords on Social Networks
Tom Eston
Synopsis
This is a whitepaper on how to determine passwords for social network accounts through information posted
on the profiles of social network users.
Author
Name        Revision   Title   Date
Tom Eston   1.3                August 31, 2010
Table of Contents
Background .......................................................... 3
Password Selection Theory .......................................... 3
Examples of Common Passwords Found on Social Networks .............. 4
Methods to Determine Passwords ..................................... 5
Tools .............................................................. 5
How Social Networks Are Not Helping The Problem .................... 9
Defenses and Prevention ............................................ 10
About The Author ................................................... 11
References and Related Links ....................................... 12
Background
Social networks have recently reached a pinnacle of popularity. Facebook has reached 500 million users, and there are
now an estimated 105 million users on Twitter. Social networking sites have become so popular that they have
outpaced technology that most of us take for granted such as email. For example, a recent study performed by Nielsen
Online [1] showed that social networks are now the fourth most popular online activity, even ahead of personal email.
Millions of people are continuously sharing personal and sometimes private information with friends, acquaintances,
and even total strangers on social networks. More than likely the information you share on a social network can be
viewed and shared by more than just your friends. To compound the problem, social networks encourage the sharing of
private and personal information with little regard for the users' privacy. Social networks are designed to make money
from information posted by their user base.
The inadvertent disclosure of non-sensitive personal information may seem innocent, but there is a dark side to posting
your interests, hobbies, and even your favorite car or movies. Studies and recent privacy breaches have shown that
users of social networks choose poorly crafted passwords and that many of these passwords can be determined simply from
information posted by the user. Tools and scripts beyond simple guessing techniques have been developed to help
determine a user's password. These tools can be used in some cases to brute force the user's password on a social
network service as well as other websites the user might use.
This white paper will discuss the problem of inadvertent information sharing by users of social networks and how to
defend against such attacks.
Password Selection Theory
Humans naturally don't like complexity. This applies to many things in life, and especially to password selection. While
many theories have been offered and studies have been conducted in recent times, the reasons for poor password
selection can be narrowed down to the following:
- Passwords are difficult to remember. Users will usually choose to create a password that is familiar to them
  with very little complexity.
- Passwords are a hindrance. Nearly every social network website requires a password. Users get frustrated with
  multiple requests for passwords so they choose the same, easy to remember password for every website.
- Users select passwords based on what they are familiar with. For example, users will most likely choose a
  password that meets any of the following criteria:
  o Names of the user's pets, children, spouses, or significant others
  o Favorite sports teams
  o Favorite foods and drinks
  o Places where the user grew up or went to school
  o Important dates such as birthdays and anniversaries
- Users don't like to think about password complexity. Many users don't care what their password is so they
  choose an easy password based on where their fingers are on the keyboard. For example:
  o 12345
  o qwerty
  o 54321
  o asdf
  o zxcvb
- Alternate methods for password selection don't work. Passphrases are time consuming for the average user to
  create and end up being difficult to remember. Security professionals have also recommended creating a per-site
  password. One example is where one appends a series or combination of numbers or other characters before or
  after the website name, for example facebook1234 or 1234Facebook. Attackers have been known to quickly
  ascertain these patterns to determine passwords on other websites.
- Social networks don't encourage strong password selection. Most major social networking websites don't
  enforce any complexity or very long passwords, so users naturally choose insecure ones. In addition, social
  networks have never expired passwords after a set period of time, mostly due to user support challenges.
Examples of Common Passwords Found on Social Networks
Recent security breaches have shown that users of social networks do in fact select poor passwords. The best example
of this is the RockYou database breach [2], which exposed over 32 million users' passwords. While RockYou creates third-
party applications and games for social networking websites like MySpace and Facebook, most users are known to use
the same password for all of their accounts, especially for social networks.
The RockYou data breach is by far the largest sampling of passwords that has been released. It gives great insight into
the passwords that users select. In addition, the RockYou database breach allowed security researchers to calculate the
most common passwords out of this very large dataset. Security research firm Imperva released a white paper titled
"Consumer Password Worst Practices", which calculated the most common passwords found in the RockYou
database breach [3]. Figure 1 shows the top twenty passwords.
Rank  Password    Rank  Password
1     123456      11    Nicole
2     12345       12    Daniel
3     123456789   13    babygirl
4     Password    14    monkey
5     iloveyou    15    Jessica
6     princess    16    Lovely
7     rockyou     17    michael
8     1234567     18    Ashley
9     12345678    19    654321
10    abc123      20    Qwerty
Figure 1. Top twenty passwords from the RockYou database breach
By just quickly reviewing this list you can see many of the password patterns that have been discussed in the previous
section. One attack to consider is to simply try the top twenty passwords when attacking a user account on a social
network. This would be a simple dictionary brute force style attack. For example, just by trying the number one
password, 123456, you have a slightly better chance of the attack being successful than just taking a simple guess at the
password.
Methods to Determine Passwords
There are several methods to attempt to determine a user's password based on information posted on the user's social
network profile.
- Simply guess the password. It may seem trivial to think about, but based on the information you find on a
  profile try guessing the password. For example, try the top twenty from the RockYou database, their favorite
  foods and drinks, names of significant others, as well as hobbies and sports teams. You may get lucky.
- Look for answers to password reset questions. Users of social networks sometimes inadvertently reveal
  information that could be used to reset passwords either on the social network itself or on popular webmail
  services such as Yahoo! Mail. For example, on a user's Facebook profile you might see a note called "25 Random
  Things about You". Contained in these types of notes is information like mother's maiden name, place of birth,
  the color of their first car, etc. These questions are similar, if not identical, to many password reset functions of
  popular webmail or even online banking services. If an attacker can gain access to the user's webmail account
  using this method, all it takes is using the password reset functionality on the social network to send a new
  password (or reset link) to the email account under the attacker's control.
- Create a wordlist to narrow down keywords mentioned in the profile. Several tools are available and
  discussed in the next section that can collect keywords from a web page and put them into a wordlist. Once you
  have this list you can narrow down words that you might try in a password guessing attack.
- Brute force the password. Using the wordlist, you can attempt to brute force the user's password. This attack
  is largely dependent on how accurate your wordlist is and whether the social network employs any brute force
  prevention mechanisms such as CAPTCHAs to prevent this type of attack.
Tools
Several free and open source tools are available to create wordlists that can be used for brute force attacks to obtain
passwords of social network users. Following is a list of the most useful tools and scripts that can be used to generate
wordlists from social network profiles.
CeWL - Custom Wordlist Generator
CeWL [4] was created by security researcher Robin Wood as a way to create a custom wordlist based on spidering a
website. This functionality is perfect for quickly determining unique words on a social network profile. CeWL is available
for download from Wood's website, in the Samurai WTF [5] (Web Testing Framework), and within the popular BackTrack 4
penetration testing distribution [6].
Figure 2 shows the typical output when running CeWL targeting a Twitter profile.
Figure 2. Output of CeWL after it discovered unique words from a Twitter profile
RSMangler
RSMangler is another tool created by Robin Wood [7] which complements CeWL or any other tool that generates a
wordlist. RSMangler will take a wordlist and generate mangled combinations or manipulations of those words. For
example, if you have three words in your wordlist (tom, eston, social), RSMangler would output these as:
  tomeston
  tomsocial
  estontom
  socialeston
  socialtom
  etc.
You also can add common permutations such as 123 to the mangling rules. The RSMangler tool can be downloaded
from the RandomStorm [8] website.
AWLG - Associative Word List Generator
AWLG is a website [9] that will generate a wordlist based on your search terms. These terms are queried from the website
using typical search engine techniques. For example, if you search for tom, eston, agent0x0, zombies, spylogic, security,
justice; AWLG will search the Internet for those terms and give you back a listing of relevant keywords.
Figures 3 and 4 show a search with AWLG and its related output.
Figure 3. The AWLG front end which searches the Internet to create a custom wordlist
Figure 4. The result of AWLG searching for keywords associated with the original search
CUPP - Common User Passwords Profiler
CUPP is a wordlist generation script created by Muris Kurgas. CUPP asks a series of questions to generate a custom
wordlist based on the answers given by the user. This tool can be quite handy if you have already found out significant
information about the user through their social network profile. CUPP can be found pre-installed in the BackTrack 4
penetration testing distribution. Figure 5 shows an example of some of the questions CUPP asks.
Figure 5. CUPP asks relevant questions to determine a custom wordlist based on the user
Mark Baggett's userpass.py script
Mark Baggett's script userpass.py [10] takes a unique approach to generating wordlists, as they are customized
automatically on a per-user basis. An explanation of how the script works follows:
- A search for publicly available LinkedIn profiles through Google based on a target company is initiated.
- Next, the script will attempt to spider any websites that the user has linked in their LinkedIn profile such as blogs
  or company sites.
- The script pulls the user's profile picture and attempts to check a website called TinEye to determine if that
  profile picture matches up with others found on the Internet. If so, those websites are spidered for keyword
  information.
- Lastly, all the spidered websites are run through CeWL to generate custom wordlists.
Mark's userpass.py script is available for download from the PaulDotCom website [11].
How Social Networks Are Not Helping the Problem
Social networks are designed to allow for sharing personal information with others. Without this sharing, social
networks would cease to exist. Protecting your information is not in their business model. The more information you
share the more valuable you are to them. Privacy of your information is mostly dependent on what you post as well as
how privacy settings are configured for each social network.
Social networks have generally not implemented good security controls for safeguarding their users' accounts. A list of
these problems follows:
- Minimum password length on social networks. All the major social networks (Facebook, MySpace, Twitter,
  LinkedIn) have the same minimum password length of six (6) characters. Interestingly, MySpace will only allow a
  user to select a password under fifty (50) characters.
- Password complexity checks are few and far between. Social networks do not enforce robust password
  complexity rules (if at all).
  o Facebook - No complexity check.
  o MySpace - Basic (broken) complexity check. Viewing the HTML source shows some complexity checking
    is enabled; however, users can enter a password of "123456".
  o Twitter - Basic complexity check (based on a static word list which is viewable through the HTML source of
    the login page). This is a poor way of implementing password complexity checks. For example, you
    can't select a password of "password1" but you can select a password of "1password".
  o LinkedIn - No complexity check.
- Brute force attack prevention. Most social networks have implemented CAPTCHAs (Completely Automated
  Public Turing test to tell Computers and Humans Apart) to prevent brute forcing of user accounts. However,
  there are some exceptions to that rule. Several social networks do not implement CAPTCHAs for the mobile
  versions of their websites. This is most likely because CAPTCHAs are a nuisance for mobile users. For example,
  Twitter accounts can be brute forced through the mobile version of their website. The following is a list of the
  major social networks and their CAPTCHA protections on their main website. Exceptions are noted.
  o Facebook - After three (3) failed login attempts, the user is presented with a CAPTCHA. Solve the
    CAPTCHA and the user is allowed three more attempts. The Facebook mobile website
    (m.facebook.com) has no CAPTCHA protection in place; however, after ten (10) failed logins the account
    is locked out for a period of time, after which the user can try a single login again. This could be scripted
    to create a slow brute force attack.
  o MySpace - After ten (10) failed login attempts the user is presented with a CAPTCHA. The MySpace
    mobile website (m.myspace.com) has an identical control with CAPTCHAs in place.
  o Twitter - After three (3) failed login attempts the user is presented with a CAPTCHA. The Twitter mobile
    site (mobile.twitter.com) has no CAPTCHA protection in place. User accounts are able to be brute
    forced.
  o LinkedIn - After one (1) failed login attempt the user is presented with a CAPTCHA. The LinkedIn mobile
    site (m.linkedin.com) has a CAPTCHA presented at first login.
Based on these observations, it appears that while one social network enables strict controls around preventing brute
force attacks (LinkedIn), that same social network lacks in other areas such as password complexity checks. There is very
little consistency among the social networks regarding these common security controls.
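The inconsistency just described (a CAPTCHA on the main site but none on the mobile site, and a lockout that hands back a single attempt once it expires) comes down to where the failure counters live. The following is an added example, not code from the whitepaper or from any of the networks it surveys: it keeps one failure counter per account behind every login channel, demands a CAPTCHA after three failures and locks the account after ten (the figures the paper quotes for Facebook and Twitter), and does not reset the counter when a lockout expires, so the one-try-per-lockout pattern still meets a CAPTCHA and eventually raises an alert. The 15-minute base lockout, its doubling, the alert threshold of 20 and the account name are this example's own assumptions.

```python
"""Login throttling that gives every channel (web, mobile, API) the same
answer, with a failure counter that survives lockouts.

Added example, not code from the whitepaper or from any social network.
CAPTCHA_AFTER and LOCK_AFTER follow the figures the paper quotes; the
lockout length, its doubling and the alert threshold are assumptions.
"""
from dataclasses import dataclass, field

CAPTCHA_AFTER = 3        # failures before a CAPTCHA is demanded (paper: Facebook, Twitter)
LOCK_AFTER = 10          # failures before a temporary lockout (paper: Facebook mobile)
LOCK_SECONDS = 900.0     # assumed base lockout; doubles on every further lockout
ALERT_AFTER = 20         # assumed: consecutive failures that raise an alert for the SOC


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures, deliberately NOT reset by a lockout
    lockouts: int = 0          # lockouts since the last successful login
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    channels: set = field(default_factory=set)  # endpoints the failures arrived through


class LoginGuard:
    """One instance serves every login endpoint, so the mobile site cannot
    end up with a weaker control than the main site."""

    def __init__(self):
        self.accounts = {}
        self.alerts = []

    def _state(self, account):
        return self.accounts.setdefault(account, AccountState())

    def precheck(self, account, now, captcha_solved=False):
        """Decision to take before the password is even compared:
        'locked', 'captcha_required' or 'allow'."""
        st = self._state(account)
        if now < st.locked_until:
            return "locked"
        # Because failures persist across lockouts, an account that was
        # locked once keeps needing a CAPTCHA after the lockout expires.
        if st.failures >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        return "allow"

    def record(self, account, channel, success, now):
        """Update the counters after a password comparison and return the
        outcome ('ok', 'failed' or 'locked')."""
        if success:
            self.accounts[account] = AccountState()  # clean slate
            return "ok"
        st = self._state(account)
        st.failures += 1
        st.channels.add(channel)
        if st.failures % LOCK_AFTER == 0:
            st.lockouts += 1
            st.locked_until = now + LOCK_SECONDS * 2 ** (st.lockouts - 1)
        if st.failures == ALERT_AFTER:
            self.alerts.append(
                f"{account}: {st.failures} consecutive failures across "
                f"{sorted(st.channels)}, {st.lockouts} lockouts")
        return "locked" if now < st.locked_until else "failed"


if __name__ == "__main__":
    # Constructed scenario: twelve failed attempts one second apart on the
    # mobile channel; the CAPTCHA is treated as solved from the fourth on.
    guard = LoginGuard()
    t = 0.0
    for attempt in range(1, 13):
        decision = guard.precheck("alice", t, captcha_solved=attempt > CAPTCHA_AFTER)
        outcome = guard.record("alice", "mobile", False, t) if decision == "allow" else "-"
        print(f"t={t:5.0f}s attempt {attempt:2d}: precheck={decision:16s} outcome={outcome}")
        t += 1.0
```

Running the block prints the simulated attempts: three plain failures, six more behind a CAPTCHA, the tenth triggering the lockout, and the rest refused. The `channels` set carried into the alert tells a defender which endpoints the failures arrived through, which is exactly the visibility the paper says the mobile sites lacked.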
Defenses and Prevention
Besides the social networks themselves ensuring better security controls for their users, users can mitigate many of
these risks by simply following basic guidelines around password creation and management. With social networks,
personal responsibility of your information and login credentials is key. Recommendations follow to help prevent
password guessing and brute force attacks on social networks.
1. Choose a complex password
Choose a password that contains letters, numbers, special characters and is at least twelve (12) characters in
length. In the case of passwords, longer is always better. Passwords should not be able to be guessed simply by
looking at the personal information on your social network profile. A simple test is to take your password and
see if it has any reference to you, your family members, pets, hobbies, etc. For example, fluffy15 is a poor
password choice while X@*4!5~a6s}V is a much more secure one. This is also harder to remember; however,
see #3 and #5 on passphrases and password managers.
2. Choose a unique password for every website
Suppose your Facebook account or webmail gets hacked and you have the same password for every website.
This means that you have effectively compromised all the accounts with that same password. Many users
choose the same user name and password for every website. Always create a unique password for each website
you use.
3. Choose passphrases over passwords if you can
Whenever possible you should choose a passphrase instead of a password. Passphrases are generally easier to
remember, are much longer than passwords, harder to brute force, and can be easier to create. For example,
suppose you have a favorite saying like "I like Zombie Movies especially at midnight in December on a train!"
Take this phrase and you can either use the entire phrase as is, or you can break this up by taking the first letter
of each word. In this case your password would be: IlZMe@miDoat!.
4. Try not to use "throw away" passwords
Throw away passwords are ones you don't care about. They are easy to remember as well as guess. You may
hear advice like "Only use strong, complex passwords for sites with sensitive data like online banking." This is
bad advice, as all your passwords should be complex and unique. The real problem with throw away passwords
is that humans are naturally lazy and if you get into the habit of creating a throw away password, before you
know it all of your passwords are the same. Get out of this habit now and see #5.
5. Use a password manager
The best recommendation of all is to use a password manager to take over the management of your passwords.
There are some very good and easy to use solutions, and many are even free of charge. While you still need a
complex password to open the application storing your passwords (see #1 and #3), these programs can auto-
generate complex and unique passwords and store them securely. Two popular password manager programs
are KeePass [12] (free) for Windows, Linux, OSX and 1Password [13] (commercial) for Windows and OSX systems.
KeePass and 1Password also can be used on mobile devices like the iPhone. Important: a password manager is
not the password manager in your web browser! These are dangerous to use, especially if your browser or
computer gets compromised.
6. Review your privacy settings on your social network profiles
Lastly, review the privacy settings on your social networks to ensure they meet your expectations. Social
networks in general initially set privacy settings to many defaults that allow anyone to view your information.
Visit SocialMediaSecurity.com [14] for guides and other information on how to properly configure these settings.
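Recommendations 1 and 3 above, together with the earlier observation that Twitter's static wordlist check rejects "password1" but accepts "1password", can be turned into one server-side acceptance check. The following is an added example, not code from the whitepaper or from any social network: it enforces the 12-character minimum, rejects the RockYou top twenty from Figure 1 by substring match on a normalised form (so both "password1" and "1password" fail), applies the paper's "does it reference you?" test against a list of profile keywords, and reproduces the first-letter passphrase trick from recommendation 3. The leet-substitution table, the keyword reversal rule, the three-character keyword floor and the sample profile words (Fluffy, Tom, Cleveland, Browns, 1998) are this example's own constructed assumptions.

```python
"""Password acceptance check for a sign-up or password-change form.

Added example, not code from the whitepaper or from any social network.
ROCKYOU_TOP20 is Figure 1 of the paper; the leet table, reversal rule,
keyword floor and sample profile keywords are constructed assumptions.
"""
import string

MIN_LENGTH = 12          # recommendation 1
MIN_KEYWORD_LENGTH = 3   # assumed: ignore profile words too short to matter

# Figure 1: RockYou top twenty
ROCKYOU_TOP20 = [
    "123456", "12345", "123456789", "Password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "Nicole", "Daniel",
    "babygirl", "monkey", "Jessica", "Lovely", "michael", "Ashley",
    "654321", "Qwerty",
]

# Undo common digit/symbol-for-letter swaps so that p4$$w0rd and Pa55word
# both normalise to "password" (constructed table, not exhaustive).
LEET_TO_LETTERS = str.maketrans("4301$57@", "aeolssta")


def normalise(text):
    """Lower-case, undo leet swaps, drop separators and punctuation.
    Both the candidate and the banned words go through this, so the
    substring test below compares like with like."""
    lowered = text.lower().translate(LEET_TO_LETTERS)
    return "".join(ch for ch in lowered if ch.isalnum())


def derived_forms(keywords):
    """Normalised profile keywords plus their reversals. Joined words such
    as tomfluffy or suffixes such as fluffy15 need no extra rule because
    the caller tests each form as a substring of the candidate."""
    forms = set()
    for word in keywords:
        n = normalise(word)
        if len(n) >= MIN_KEYWORD_LENGTH:
            forms.add(n)
            forms.add(n[::-1])
    return forms


def check_password(candidate, profile_keywords=()):
    """Return the reasons the candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalise(candidate)
    # Substring match, so "1password" is caught as well as "password1"
    # (the gap the paper notes in a static-wordlist check).
    for common in ROCKYOU_TOP20:
        if normalise(common) in norm:
            reasons.append(f"contains common password '{common}'")
            break
    for form in sorted(derived_forms(profile_keywords)):
        if form in norm:
            reasons.append(f"contains profile-derived word '{form}'")
            break
    return reasons


def acronym_passphrase(phrase):
    """First letter of each word, the word 'at' written as '@', trailing
    punctuation kept: the passphrase trick in recommendation 3."""
    out = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)
        tail = word[len(core):]
        out.append("@" if core.lower() == "at" else core[:1])
        out.append(tail)
    return "".join(out)


if __name__ == "__main__":
    # Constructed profile keywords of the kind a public profile gives away.
    profile = ["Fluffy", "Tom", "Cleveland", "Browns", "1998"]
    phrase = "I like Zombie Movies especially at midnight in December on a train!"
    for pw in ["fluffy15", "1password", "X@*4!5~a6s}V", acronym_passphrase(phrase)]:
        verdict = check_password(pw, profile)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Running the block shows fluffy15 rejected on both length and the profile match, 1password rejected by the substring test, and both X@*4!5~a6s}V and the acronym of the sample passphrase accepted. In a real deployment the profile keywords would be read from the account's own profile fields at password-change time, which is the same data the tools described in this paper harvest from the outside.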
About the Author
Tom Eston is a Senior Security Consultant for SecureState. Tom is a senior member of SecureState's Profiling team
which provides attack and penetration testing services for SecureState's clients. Tom is actively involved in the security
community and focuses his research on the security of social media. He is the founder of SocialMediaSecurity.com which
is an open source community dedicated to exposing the insecurities of social media. Tom is also a security blogger, co-
host of the Security Justice and Social Media Security podcasts, and is a frequent speaker at security user groups and
national conferences including Notacon, OWASP AppSec, Defcon, and Shmoocon.
References and Related Links
Acknowledgements of assistance with this research:
Kevin Johnson, Robin Wood, Mark Baggett, Chris Clymer, Jake Garlie, and Alex Hamerstone.
[1] http://en-us.nielsen.com/content/nielsen/en_us/news/news_releases/2009/march/social_networks__.html
[2] http://techcrunch.com/2009/12/14/rockyou-hacked/
[3] http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
[4] http://www.digininja.org/projects/cewl.php
[5] http://samurai.inguardians.com/
[6] http://www.backtrack-linux.org/
[7] http://www.digininja.org/projects/rsmangler.php
[8] http://www.randomstorm.com/rsmangler-security-tool.php
[9] http://awlg.org/index.gen
[10] http://pauldotcom.com/wiki/index.php/Episode206
[11] http://pauldotcom.com/userpass.py
[12] http://keepass.info/
[13] http://agilewebsolutions.com/products/1Password
[14] http://socialmediasecurity.com