Profiling User Passwords on Social Networks


8/13/2019 Profiling User Passwords on Social Networks

The information contained in or accompanying this document is intended only for the use of the stated recipient and may contain information that is confidential and/or privileged. If the reader is not the intended recipient or the agent thereof, you are hereby notified that any dissemination, distribution, or copying of this document is strictly prohibited and may constitute a breach of confidence and/or privilege. If you have received this document in error, please notify us immediately. Any views or opinions presented are solely those of the author and do not necessarily represent those of SecureState, LLC.

Profiling User Passwords on Social Networks

Tom Eston


Synopsis

This is a whitepaper on how to determine passwords for social network accounts through information posted on the profiles of social network users.

Author

Name       Revision   Title   Date
Tom Eston  1.3                August 31, 2010

Table of Contents

Background
Password Selection Theory
Examples of Common Passwords Found on Social Networks
Methods to Determine Passwords
Tools
How Social Networks Are Not Helping The Problem
Defenses and Prevention
About The Author
References and Related Links


Background

Social networks have recently reached a pinnacle of popularity. Facebook has reached 500 million users, and there are now an estimated 105 million users on Twitter. Social networking sites have become so popular that they have outpaced technology that most of us take for granted, such as email. For example, a recent study performed by Nielsen Online [1] showed that social networks are now the fourth most popular online activity, even ahead of personal email.

Millions of people are continuously sharing personal and sometimes private information with friends, acquaintances, and even total strangers on social networks. More than likely the information you share on a social network can be viewed and shared by more than just your friends. To compound the problem, social networks encourage the sharing of private and personal information with little regard for the user's privacy. Social networks are designed to make money from information posted by their user base.

The inadvertent disclosure of non-sensitive personal information may seem innocent, but there is a dark side to posting your interests, hobbies, and even your favorite car or movies. Studies and recent privacy breaches have shown that users of social networks choose poorly crafted passwords, and many of these passwords can be determined simply from information posted by the user. Tools and scripts beyond simple guessing techniques have been developed to help determine a user's password. These tools can be used in some cases to brute force the user's password on a social network service as well as on other websites the user might use.

This white paper will discuss the problem of inadvertent information sharing by users of social networks and how to defend against such attacks.

Password Selection Theory

Humans naturally don't like complexity. This applies to many things in life, and especially to password selection. While many theories have been offered and studies have been conducted in recent times, the reasons for poor password selection can be narrowed down to the following:

• Passwords are difficult to remember. Users will usually choose to create a password that is familiar to them with very little complexity.

• Passwords are a hindrance. Nearly every social network website requires a password. Users get frustrated with multiple requests for passwords, so they choose the same, easy to remember password for every website.

• Users select passwords based on what they are familiar with. For example, users will most likely choose a password that meets any of the following criteria:

  o Names of the user's pets, children, spouses, or significant others
  o Favorite sports teams
  o Favorite foods and drinks
  o Places where the user grew up or went to school
  o Important dates such as birthdays and anniversaries

• Users don't like to think about password complexity. Many users don't care what their password is, so they choose an easy password based on where their fingers are on the keyboard. For example:

  o 12345
  o qwerty


  o 54321
  o asdf
  o zxcvb

• Alternate methods for password selection don't work. Passphrases are time consuming for the average user to create and end up being difficult to remember. Security professionals have also recommended creating a per-site password. One example is where one appends a series or combination of numbers or other characters before or after the website name, for example facebook1234 or 1234Facebook. Attackers have been known to quickly ascertain these patterns to determine passwords on other websites.

• Social networks don't encourage strong password selection. Most major social networking websites don't enforce any complexity or very long passwords, so users naturally choose insecure ones. In addition, social networks have never expired passwords after a set period of time, mostly due to user support challenges.

Examples of Common Passwords Found on Social Networks

Recent security breaches have shown that users of social networks do in fact select poor passwords. The best example of this is the RockYou database breach [2], which exposed over 32 million users' passwords. While RockYou creates third-party applications and games for social networking websites like MySpace and Facebook, most users are known to use the same password for all of their accounts, especially for social networks.

The RockYou data breach is by far the largest sampling of passwords that has been released. It gives great insight into the passwords that users select. In addition, the RockYou database breach allowed security researchers to calculate the most common passwords out of this very large dataset. Security research firm Imperva released a white paper titled "Consumer Password Worst Practices", which calculated the most common passwords found in the RockYou database breach [3]. Figure 1 shows the top twenty passwords.

Rank  Password     Rank  Password
1     123456       11    Nicole
2     12345        12    Daniel
3     123456789    13    babygirl
4     Password     14    monkey
5     iloveyou     15    Jessica
6     princess     16    Lovely
7     rockyou      17    michael
8     1234567      18    Ashley
9     12345678     19    654321
10    abc123       20    Qwerty

Figure 1. Top twenty passwords from the RockYou database breach

By just quickly reviewing this list you can see many of the password patterns that have been discussed in the previous section. One attack to consider is to simply try the top twenty passwords when attacking a user account on a social network. This would be a simple dictionary brute force style attack. For example, just by trying the number one password "123456" you have a slightly better chance of the attack being successful than just taking a simple guess at the password.


Methods to Determine Passwords

There are several methods to attempt to determine a user's password based on information posted on the user's social network profile.

• Simply guess the password. It may seem trivial to think about, but based on the information you find on a profile, try guessing the password. For example, try the top twenty from the RockYou database, their favorite foods and drinks, names of significant others, as well as hobbies and sports teams. You may get lucky.

• Look for answers to password reset questions. Users of social networks sometimes inadvertently reveal information that could be used to reset passwords either on the social network itself or on popular webmail services such as Yahoo! Mail. For example, on a user's Facebook profile you might see a note called "25 Random Things about You". Contained in these types of notes is information like mother's maiden name, place of birth, the color of their first car, etc. These questions are similar, if not identical, to many password reset functions of popular webmail or even online banking services. If an attacker can gain access to the user's webmail account using this method, all it takes is using the password reset functionality on the social network to send a new password (or reset link) to the email account under the attacker's control.

• Create a wordlist to narrow down keywords mentioned in the profile. Several tools are available and discussed in the next section that can collect keywords from a web page and put them into a wordlist. Once you have this list you can narrow down words that you might try in a password guessing attack.

• Brute force the password. Using the wordlist, you can attempt to brute force the user's password. This attack is largely dependent on how accurate your wordlist is and on whether the social network employs any brute force prevention mechanisms such as CAPTCHAs to prevent this type of attack.

Tools

Several free and open source tools are available to create wordlists that can be used for brute force attacks to obtain passwords of social network users. Following is a list of the most useful tools and scripts that can be used to generate wordlists from social network profiles.

CeWL - Custom Wordlist Generator

CeWL [4] was created by security researcher Robin Wood as a way to create a custom wordlist based on spidering a website. This functionality is perfect for quickly determining unique words on a social network profile. CeWL is available for download from Wood's website, in the Samurai WTF [5] (Web Testing Framework), and within the popular BackTrack 4 penetration testing distribution [6].


Figure 2 shows the typical output when running CeWL targeting a Twitter profile.

Figure 2. Output of CeWL after it discovered unique words from a Twitter profile

RSMangler

RSMangler is another tool created by Robin Wood [7] which complements CeWL or any other tool that generates a wordlist. RSMangler will take a wordlist and generate mangled combinations or manipulations of those words. For example, if you have three words in your wordlist (tom, eston, social), RSMangler would output these as:

tomeston
tomsocial
estontom
socialeston
socialtom
etc.

You can also add common permutations such as 123 to the mangling rules. The RSMangler tool can be downloaded from the RandomStorm website [8].

AWLG - Associative Word List Generator

AWLG is a website [9] that will generate a wordlist based on your search terms. These terms are queried from the website using typical search engine techniques. For example, if you search for tom, eston, agent0x0, zombies, spylogic, security, justice, AWLG will search the Internet for those terms and give you back a listing of relevant keywords.


Figures 3 and 4 show a search with AWLG and its related output.

Figure 3. The AWLG front end, which searches the Internet to create a custom wordlist

Figure 4. The result of AWLG searching for keywords associated with the original search


CUPP - Common Users Password Profiler

CUPP is a wordlist generation script created by Muris Kurgas. CUPP asks a series of questions to generate a custom wordlist based on the answers given by the user. This tool can be quite handy if you have already found out significant information about the user through their social network profile. CUPP can be found pre-installed in the BackTrack 4 penetration testing distribution. Figure 5 shows an example of some of the questions CUPP asks.

Figure 5. CUPP asks relevant questions to determine a custom wordlist based on the user

Mark Baggett's userpass.py script

Mark Baggett's script userpass.py [10] takes a unique approach to generating wordlists, as they are customized automatically on a per-user basis. An explanation of how the script works follows:

• A search for publicly available LinkedIn profiles through Google based on a target company is initiated.

• Next, the script will attempt to spider any websites that the user has linked in their LinkedIn profile, such as blogs or company sites.

• The script pulls the user's profile picture and attempts to check a website called TinEye to determine if that profile picture matches up with others found on the Internet. If so, those websites are spidered for keyword information.

• Lastly, all the spidered websites are run through CeWL to generate custom wordlists.

Mark's userpass.py script is available for download from the PaulDotCom website [11].


How Social Networks Are Not Helping the Problem

Social networks are designed to allow for sharing personal information with others. Without this sharing, social networks would cease to exist. Protecting your information is not in their business model. The more information you share, the more valuable you are to them. Privacy of your information is mostly dependent on what you post as well as how privacy settings are configured for each social network.

Social networks have generally not implemented good security controls for safeguarding their users' accounts. A list of these problems follows:

• Minimum password length on social networks. All the major social networks (Facebook, MySpace, Twitter, LinkedIn) have the same minimum password length of six (6) characters. Interestingly, MySpace will only allow a user to select a password under fifty (50) characters.

• Password complexity checks are few and far between. Social networks do not enforce robust password complexity rules (if at all).

  o Facebook - No complexity check.
  o MySpace - Basic (broken) complexity check. Viewing the HTML source shows some complexity checking is enabled; however, users can enter a password of "123456".
  o Twitter - Basic complexity check (based on a static word list which is viewable through the HTML source of the login page). This is a poor way of implementing password complexity checks. For example, you can't select a password of "password1" but you can select a password of "1password".
  o LinkedIn - No complexity check.

• Brute force attack prevention. Most social networks have implemented CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) to prevent brute forcing of user accounts. However, there are some exceptions to that rule. Several social networks do not implement CAPTCHAs for the mobile versions of their websites. This is most likely because CAPTCHAs are a nuisance for mobile users. For example, Twitter accounts can be brute forced through the mobile version of their website. The following is a list of the major social networks and their CAPTCHA protections on their main website. Exceptions are noted.

  o Facebook - After three (3) failed login attempts, the user is presented with a CAPTCHA. Solve the CAPTCHA and the user is allowed three more attempts. The Facebook mobile website (m.facebook.com) has no CAPTCHA protection in place; however, after ten (10) failed logins the account is locked out for a period of time, after which the user can try a single login again. This could be scripted to create a slow brute force attack.
  o MySpace - After ten (10) failed login attempts the user is presented with a CAPTCHA. The MySpace mobile website (m.myspace.com) has an identical control with CAPTCHAs in place.
  o Twitter - After three (3) failed login attempts the user is presented with a CAPTCHA. The Twitter mobile site (mobile.twitter.com) has no CAPTCHA protection in place. User accounts are able to be brute forced.
  o LinkedIn - After one (1) failed login attempt the user is presented with a CAPTCHA. The LinkedIn mobile site (m.linkedin.com) has a CAPTCHA presented at first login.


Based on these observations, it appears that while one social network enables strict controls around preventing brute force attacks (LinkedIn), that same social network lacks in other areas such as password complexity checks. There is very little consistency among the social networks regarding these common security controls.
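One way to remove the inconsistency described above, in particular the mobile site that lets an attacker sidestep the main site's CAPTCHA, is to key the throttling decision to the account rather than to the endpoint. The following is an added example written for this page; it is not code from the whitepaper or from any social network. It models the two designs side by side: per_endpoint=True reproduces the weak pattern (a separate counter per endpoint, a CAPTCHA only on the main site, and a fixed lockout window that lets one further attempt through when it expires), and per_endpoint=False is the corrected one (one counter per account shared by every endpoint, a CAPTCHA everywhere, and a lockout window that doubles on each repeat). The thresholds of three failures for a CAPTCHA and ten for a lockout follow the paper's description of Facebook; the 15-minute window, the account names and the login event sequences are constructed.

```python
"""Login throttling keyed by account rather than by endpoint.

Added example for this page, not code from the whitepaper or from any social
network. CAPTCHA_AFTER and LOCKOUT_AFTER follow the paper's description of
Facebook (CAPTCHA after three failures, lockout after ten on the mobile site);
the lockout window and the event sequences below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

CAPTCHA_AFTER = 3        # failed attempts before a CAPTCHA is demanded
LOCKOUT_AFTER = 10       # failed attempts before the account is locked
LOCKOUT_SECONDS = 900.0  # constructed base lockout window (15 minutes)


@dataclass
class AttemptState:
    failures: int = 0          # consecutive failed logins
    locked_until: float = 0.0  # time (seconds) until which attempts are refused
    lockouts: int = 0          # how many times this key has been locked


class LoginThrottle:
    """per_endpoint=True reproduces the weak pattern the paper observed: every
    endpoint keeps its own counter, only the main site ('www') ever asks for a
    CAPTCHA, and a lockout is a fixed window that lets one more attempt through
    when it expires. per_endpoint=False is the corrected design: one counter per
    account shared by all endpoints, CAPTCHA enforced everywhere, and a lockout
    window that doubles each time the account is locked again."""

    def __init__(self, per_endpoint):
        self.per_endpoint = per_endpoint
        self.state = defaultdict(AttemptState)

    def _key(self, account, endpoint):
        return (account, endpoint) if self.per_endpoint else account

    def attempt(self, account, endpoint, password_ok, now, captcha_solved=False):
        """Process one login attempt at time `now` (seconds) and return
        'locked', 'captcha', 'success' or 'failure'. Only 'success' and
        'failure' mean the submitted password actually reached the check."""
        st = self.state[self._key(account, endpoint)]
        if now < st.locked_until:
            return "locked"
        captcha_enforced = endpoint == "www" or not self.per_endpoint
        if captcha_enforced and st.failures >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha"
        if password_ok:
            st.failures = 0
            st.lockouts = 0
            return "success"
        st.failures += 1
        if st.failures >= LOCKOUT_AFTER:
            window = LOCKOUT_SECONDS if self.per_endpoint else LOCKOUT_SECONDS * 2 ** st.lockouts
            st.locked_until = now + window
            st.lockouts += 1
        return "failure"


def run(throttle, events):
    """Apply constructed events (now, account, endpoint, password_ok) in order."""
    return [throttle.attempt(acct, ep, ok, now) for now, acct, ep, ok in events]


# Constructed: twelve wrong guesses against one account, one per second,
# all sent to the mobile endpoint with no CAPTCHA solved.
MOBILE_GUESSES = [(float(t), "alice", "mobile", False) for t in range(12)]


def guesses_checked(per_endpoint):
    """Number of the twelve guesses that reach the credential check."""
    decisions = run(LoginThrottle(per_endpoint), MOBILE_GUESSES)
    return decisions.count("failure")


def mobile_after_www_failures(per_endpoint):
    """Decision for a mobile attempt after three failures on the main site."""
    th = LoginThrottle(per_endpoint)
    run(th, [(0.0, "bob", "www", False),
             (1.0, "bob", "www", False),
             (2.0, "bob", "www", False)])
    return th.attempt("bob", "mobile", False, 3.0)


if __name__ == "__main__":
    for design in (True, False):
        label = "per-endpoint (weak)" if design else "per-account (corrected)"
        print(f"{label}: {guesses_checked(design)} of 12 mobile guesses checked; "
              f"mobile attempt after 3 www failures -> {mobile_after_www_failures(design)}")
```

Under the weak design all ten guesses up to the lockout reach the password check and the mobile endpoint never sees a CAPTCHA; under the corrected design only three do, and failures accumulated on the main site also count against the mobile site. The doubling window is what turns the "single login per lockout period" loophole into a cost that grows with every retry.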

Defenses and Prevention

Besides the social networks themselves ensuring better security controls for their users, users can mitigate many of these risks by simply following basic guidelines around password creation and management. With social networks, personal responsibility for your information and login credentials is key. Recommendations follow to help prevent password guessing and brute force attacks on social networks.

1. Choose a complex password

Choose a password that contains letters, numbers, special characters and is at least twelve (12) characters in length. In the case of passwords, longer is always better. Passwords should not be able to be guessed simply by looking at the personal information on your social network profile. A simple test is to take your password and see if it has any reference to you, your family members, pets, hobbies, etc. For example, fluffy15 is a poor password choice while X@*4!5~a6s}V is a much more secure one. This is also harder to remember; however, see #3 and #5 on passphrases and password managers.
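The "simple test" above can be automated as a policy check that an application (or a user) runs before accepting a password. The following is an added example written for this page; it is not code from the whitepaper or from CeWL, RSMangler or CUPP. Instead of generating the mangled variants of profile words that a tool like RSMangler produces (words joined, digits appended, leetspeak), it normalizes the candidate password and looks for the profile words and date fragments inside it, which covers the same variants from the defender's side: fluffy15, f1uffy and tomeston1980 are all caught. The weak-password match is position-independent, so password1 and 1password are treated alike (the gap noted for Twitter's static list above), and the twelve-character minimum is the paper's own. The sample profile words are the paper's illustrative terms and the birthday is constructed.

```python
"""Profile-aware password acceptance check.

Added example for this page, not code from the whitepaper or from any tool it
describes. A password is rejected when it is shorter than 12 characters, when a
well-known weak password appears anywhere inside it, or when it can be built
from the user's own profile (names, pets, hobbies, important dates).
"""
import re

# Figure 1 entries (RockYou top twenty as reproduced in the paper) plus the
# keyboard-walk passwords listed under 'Password Selection Theory'.
WEAK_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty", "54321", "asdf", "zxcvb",
}

MIN_LENGTH = 12  # Defense #1: at least twelve characters

# Undo the substitutions people use to dress up a word: 'f1uffy' -> 'fluffy'.
UNLEET = str.maketrans("0134578@$", "oleastbas")


def letters_only(text):
    """Lowercase and drop everything but a-z, so 'Fluffy15!' -> 'fluffy'."""
    return re.sub(r"[^a-z]", "", text.lower())


def date_fragments(iso_date):
    """Digit strings a user is likely to build from one YYYY-MM-DD date."""
    y, m, d = iso_date.split("-")
    return {y, y + m + d, m + d + y, d + m + y, m + d + y[2:], d + m + y[2:], m + d, d + m}


def check_password(password, profile):
    """Return the reasons a password is rejected (an empty list means accepted).

    profile is a dict with 'terms' (names, pets, teams, hobbies, places) and
    'dates' (birthdays, anniversaries as YYYY-MM-DD strings)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    low = password.lower()
    for weak in sorted(WEAK_PASSWORDS, key=len, reverse=True):
        if weak in low:  # position-independent: catches 'password1' and '1password'
            reasons.append(f"contains well-known weak password '{weak}'")
            break

    plain = letters_only(password)
    unleeted = letters_only(password.translate(UNLEET))
    for term in profile.get("terms", []):
        t = letters_only(term)
        # Substring match covers joined words ('tomeston') and digit suffixes
        # ('fluffy15') without generating those variants explicitly.
        if len(t) >= 3 and (t in plain or t in unleeted):
            reasons.append(f"contains profile term '{term}'")

    digits = re.sub(r"\D", "", password)
    for date in profile.get("dates", []):
        if any(frag in digits for frag in date_fragments(date)):
            reasons.append(f"contains a fragment of date {date}")
    return reasons


def is_acceptable(password, profile):
    return not check_password(password, profile)


# Constructed profile for the demonstration; the words are the paper's own
# examples (the author's name, the 'fluffy' pet, the AWLG search terms) and the
# birthday is made up.
SAMPLE_PROFILE = {
    "terms": ["Tom", "Eston", "Fluffy", "zombies", "spylogic", "security", "justice"],
    "dates": ["1980-07-04"],
}

if __name__ == "__main__":
    for candidate in ["fluffy15", "X@*4!5~a6s}V", "IlZMe@miDoat!", "tomeston1980", "Password"]:
        print(f"{candidate!r}: {check_password(candidate, SAMPLE_PROFILE) or 'accepted'}")
```

The paper's two example passwords behave as the text says: fluffy15 fails on length and on the pet's name, while X@*4!5~a6s}V passes. The first-letter passphrase from #3, IlZMe@miDoat!, also passes even though the profile lists "zombies", because the acronym no longer contains the word. The check deliberately leaves character-class composition rules out; it enforces length and non-derivability from public information, which is the point of the test.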

2. Choose a unique password for every website

Suppose your Facebook account or webmail gets hacked and you have the same password for every website. This means that you have effectively compromised all the accounts with that same password. Many users choose the same user name and password for every website. Always create a unique password for each website you use.

3. Choose passphrases over passwords if you can

Whenever possible you should choose a passphrase instead of a password. Passphrases are generally easier to remember, are much longer than passwords, harder to brute force, and can be easier to create. For example, suppose you have a favorite saying like "I like Zombie Movies especially at midnight in December on a train!" Take this phrase and you can either use the entire phrase as is, or you can break it up by taking the first letter of each word. In this case your password would be: IlZMe@miDoat!.

4. Try not to use "throw away" passwords

Throw away passwords are ones you don't care about. They are easy to remember as well as easy to guess. You may hear advice like "Only use strong, complex passwords for sites with sensitive data like online banking." This is bad advice, as all your passwords should be complex and unique. The real problem with throw away passwords is that humans are naturally lazy, and if you get into the habit of creating a throw away password, before you know it all of your passwords are the same. Get out of this habit now and see #5.

5. Use a password manager

The best recommendation of all is to use a password manager to take over the management of your passwords.


There are some very good and easy to use solutions, and many are even free of charge. While you still need a complex password to open the application storing your passwords (see #1 and #3), these programs can auto-generate complex and unique passwords and store them securely. Two popular password manager programs are KeePass [12] (free) for Windows, Linux and OSX, and 1Password [13] (commercial) for Windows and OSX systems. KeePass and 1Password can also be used on mobile devices like the iPhone. Important: a password manager is not the password manager in your web browser! These are dangerous to use, especially if your browser or computer gets compromised.

6. Review your privacy settings on your social network profiles

Lastly, review the privacy settings on your social networks to ensure they meet your expectations. Social networks in general initially set privacy settings to defaults that allow anyone to view your information. Visit SocialMediaSecurity.com [14] for guides and other information on how to properly configure these settings.

About the Author

Tom Eston is a Senior Security Consultant for SecureState. Tom is a senior member of SecureState's Profiling team, which provides attack and penetration testing services for SecureState's clients. Tom is actively involved in the security community and focuses his research on the security of social media. He is the founder of SocialMediaSecurity.com, which is an open source community dedicated to exposing the insecurities of social media. Tom is also a security blogger, co-host of the Security Justice and Social Media Security podcasts, and is a frequent speaker at security user groups and national conferences including Notacon, OWASP AppSec, Defcon, and Shmoocon.


References and Related Links

Acknowledgements of assistance with this research: Kevin Johnson, Robin Wood, Mark Baggett, Chris Clymer, Jake Garlie, and Alex Hamerstone.

[1] http://en-us.nielsen.com/content/nielsen/en_us/news/news_releases/2009/march/social_networks__.html
[2] http://techcrunch.com/2009/12/14/rockyou-hacked/
[3] http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
[4] http://www.digininja.org/projects/cewl.php
[5] http://samurai.inguardians.com/
[6] http://www.backtrack-linux.org/
[7] http://www.digininja.org/projects/rsmangler.php
[8] http://www.randomstorm.com/rsmangler-security-tool.php
[9] http://awlg.org/index.gen
[10] http://pauldotcom.com/wiki/index.php/Episode206
[11] http://pauldotcom.com/userpass.py
[12] http://keepass.info/
[13] http://agilewebsolutions.com/products/1Password
[14] http://socialmediasecurity.com
