IT Baseline Protection Manual T 5.18 Systematic trying-out of passwords
Passwords which are too simple can be discovered by systematically trying out candidate passwords.
Example:
A study by Klein (Klein, Daniel V., USENIX Security Workshop Proceedings, Portland, August 1990) of 15,000 accounts yielded a success rate of 24.2 per cent; the following candidate passwords were tried out:
About 130 variations of the login name (first and last names) and of other personal data taken from the /etc/passwd file; common first names, names of well-known persons, names and places from films, sporting events and the Bible; common swear-words and words from foreign languages; various transformations of these words, e.g. changes between upper and lower case, insertion of special or control characters, reversal of the letter sequence, repeated letters (e.g. aaabbb), common abbreviations (e.g. rygbv for the colours of the rainbow), and pairs made up of two short words.
All of these combinations, and more, can be tried out by any user of a Unix system on which the password file is freely readable, using the public-domain program Crack. Moreover, if a password is too short, it is highly probable that it can be found by systematically trying out all possible combinations.
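As an added illustration, not part of the manual, the following Python check applies the variations listed above from the defender's side: it reports a password as weak if it is too short, or if a guessing program would derive it from the user's /etc/passwd data or a word list by case changes, inserted symbols, reversal, repeated letters, doubling or joining two short words. The login names, GECOS strings and the small dictionary are constructed sample values.

```python
import re

MIN_LENGTH = 8

# Constructed sample word list; a real check would load a full dictionary
# (assumption: any newline-separated word list works as input).
SAMPLE_DICTIONARY = {"secret", "rainbow", "hello", "world", "password"}


def seed_words(login: str, gecos: str) -> set[str]:
    """Seed words from the user's /etc/passwd entry: the login name and each
    part of the GECOS field (first and last names, office, phone)."""
    parts = [login] + re.split(r"[ ,]+", gecos)
    return {p.lower() for p in parts if len(p) >= 3}


def normal_forms(password: str) -> set[str]:
    """Undo the cheap disguises Klein's study tried: case changes, inserted
    special characters or digits, repeated letters and reversed spelling."""
    lower = password.lower()
    letters = re.sub(r"[^a-z]", "", lower)          # drop inserted symbols
    collapsed = re.sub(r"(.)\1+", r"\1", letters)   # aaabbb -> ab
    forms = {lower, letters, collapsed}
    forms |= {f[::-1] for f in forms}                # reversed spelling
    return {f for f in forms if f}


def password_weaknesses(password, login, gecos, dictionary=SAMPLE_DICTIONARY):
    """Return the reasons a password would fall to systematic trying-out;
    an empty list means none of the checks here fired."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    seeds = seed_words(login, gecos) | {w.lower() for w in dictionary}
    forms = normal_forms(password)
    for seed in sorted(seeds):
        if forms & {seed, seed + seed}:              # the word itself or doubled
            reasons.append(f"derived from '{seed}'")
    # pairs of two short words, e.g. "helloworld"
    for form in forms:
        for i in range(3, len(form) - 2):
            if form[:i] in seeds and form[i:] in seeds:
                reason = f"two words '{form[:i]}'+'{form[i:]}'"
                if reason not in reasons:
                    reasons.append(reason)
                break
    return reasons
```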