
I have a question similar to this one:

How to create dictionary to prevent weak passwords?

What I want to do though is simply check a list of passwords that exist in a text file I have that contains over 2000 passwords against a known list of words that may appear in a dictionary and/or a list of common names, books, songs, movies, etc. Basically I want to weed out all of the weak passwords so our company can deal with these users according to a new password policy we are putting into place.

Is there a dictionary app or list I can use to accomplish this? The workflow I'm looking for would be something like this:

run app > feed it my text file > app parses through the list to find words that are in its database > output matching results to a new file

How can I accomplish this? It would be nice if I could tap into Linux's built in dictionary check that runs when you set a password with the passwd command, but I have no idea how to do that.

user53029
  • Seems like this may be a more relevant question for our friends over at stackoverflow as handling a file and parsing through are programmatic actions. –  Aug 17 '16 at 01:36
  • I don't fully disagree about the text processing, but I am asking rather directly about a security app and/or dictionary file and how this could be done in the context of password auditing, which would fall in the realm of infosec. – user53029 Aug 17 '16 at 01:44
  • 1
    Sure I half agree then, your first question is relevant. Check out this question, great references for lists on your 1st question. http://security.stackexchange.com/questions/9567/modern-high-quality-password-dictionary –  Aug 17 '16 at 01:45
  • If no one else has any ideas or there is nothing out there specifically for my use case I was going to look into running my list through Linux's useradd/passwd routine with a for loop script, and capturing the ones that were flagged as based on dictionary. That may be my best bet. – user53029 Aug 17 '16 at 01:51
  • Answer to your first question regarding a list suggestion is to pick the length of Rock You or similar that suits your needs for weak / common passwords. There are varying sizes and are well documented and well respected. –  Aug 17 '16 at 01:53
  • What do you mean "length of Rock"? – user53029 Aug 17 '16 at 02:07
  • 1
    Rock You is a password list that has varying length types. https://github.com/danielmiessler/SecLists/tree/master/Passwords –  Aug 17 '16 at 02:22
  • Gotcha. I will look into all this. – user53029 Aug 17 '16 at 02:25
  • How exactly is it irrelevant to the question? Please tell. The question belongs here because it deals with information security. Period. I love it when jerks come here thinking their opinions give them the right to cast judgement and downvote the question based solely off what they think. 3) We have plain text files because that's how the vendor chose to store passwords in the database...not my call brother. I'm just trying to build a case to my superiors to take action on these accounts at risk. And the info I got here that I COULD NOT HAVE GOTTEN from soflo means my question belongs here. – user53029 Aug 17 '16 at 18:06
  • Those steps are already in the works. But that does not negate the fact that our users should be properly educated on best practices for setting passwords and changing them if need be. As you know security is a multi-layered approach, and we want the best security model in place from the top down to the user. – user53029 Aug 17 '16 at 18:42

2 Answers


The app would be grep...or comm. Once I chose what list I wanted to compare my file to, I simply ran:

grep -wo -f mypwordfile rockyoulistfile > pwordmatches

OR if you just want a numeric count or total:

grep -wo -f mypwordfile rockyoulistfile | wc -l
user53029
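The grep one-liner above does the job, with one caveat worth knowing: without -F, grep -f treats every line of the pattern file as a regular expression, so a password containing characters such as . or * will match more wordlist entries than intended. The script below is an added example of the same audit in Python (not the original poster's code, and not part of the thread): it reads an exported password list and a wordlist, reports exact case-insensitive hits, also catches a wordlist word with trailing digits or symbols bolted on (Summer2016, Password!), and writes the matches to a report file, which is the "run app > feed it my text file > output matching results" workflow the question asks for. Both input lists are constructed sample data so it runs offline; the file names and the normalise() heuristic are this example's own choices.

```python
"""Offline audit of an exported password list against a dictionary/wordlist.

Added example for this thread, not the original poster's script. Inputs are
constructed inline so it runs without any real files; swap in the company's
exported password file and a wordlist such as rockyou.txt for real use.
"""
import re
import sys
from pathlib import Path

# Constructed sample data, one entry per line (not real credentials).
SAMPLE_PASSWORDS = """Summer2016
hunter2
Tr0ub4dor&3
dragon
princess1
x9!Qv#7pLm2
Password!
"""

SAMPLE_WORDLIST = """password
summer
dragon
princess
hunter
"""

# Trailing digits and common symbols that users append to a dictionary word.
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")


def normalise(candidate):
    """Lower-case and strip trailing digits/symbols: 'Summer2016' -> 'summer'."""
    return _TRAILING_JUNK.sub("", candidate.lower())


def load_wordlist(text):
    """Build a lower-cased set from wordlist text, ignoring blank lines."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def audit(passwords, wordlist):
    """Return {password: reason} for every entry judged weak.

    Exact (case-insensitive) hits are reported first; otherwise the entry is
    flagged if it is a wordlist word with trailing digits/symbols appended.
    Anything else passes this particular check (it may still be weak for
    other reasons, e.g. length or reuse).
    """
    findings = {}
    for pw in passwords:
        if not pw:
            continue
        if pw.lower() in wordlist:
            findings[pw] = "exact match in wordlist"
        elif normalise(pw) in wordlist:
            findings[pw] = "wordlist word plus trailing digits/symbols"
    return findings


def audit_text(password_text, wordlist_text):
    """Convenience wrapper over raw text blobs (used by the demo below)."""
    # splitlines() drops line endings but keeps interior spaces intact.
    return audit(password_text.splitlines(), load_wordlist(wordlist_text))


def audit_files(password_path, wordlist_path, report_path):
    """Read both lists from disk, write 'password<TAB>reason' lines, return the count."""
    findings = audit_text(Path(password_path).read_text(encoding="utf-8"),
                          Path(wordlist_path).read_text(encoding="utf-8"))
    with open(report_path, "w", encoding="utf-8") as out:
        for pw, reason in sorted(findings.items()):
            out.write(f"{pw}\t{reason}\n")
    return len(findings)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        n = audit_files(sys.argv[1], sys.argv[2], sys.argv[3])
        print(f"{n} weak password(s) written to {sys.argv[3]}")
    else:
        # No arguments: run against the constructed sample data.
        for pw, reason in audit_text(SAMPLE_PASSWORDS, SAMPLE_WORDLIST).items():
            print(f"{pw}\t{reason}")
```

Run it as `python audit.py passwords.txt rockyou.txt report.tsv` to produce the results file, or with no arguments to see it flag five of the seven sample entries (Tr0ub4dor&3 and the random string pass this dictionary check). Only hits are written out, so the report never duplicates the full password export; keep both the export and the report as tightly access-controlled as the original file.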

I realize you're asking for an app that does everything I'm about to describe, but in lieu of that, I would also consider the following:

  1. Look at SkullSecurity for several password dictionaries and leaked passwords here: https://wiki.skullsecurity.org/Passwords
  2. Read up on using tools like Hashcat for testing password strength using these dictionaries: http://www.makeuseof.com/tag/test-password-strength-tool-hackers-use/
  3. Implement a process tailored to your specific user base whereby you might be able to trigger alerts, generate reports, and such (i.e. routine or random password checks, email notification, etc.). Grep works too, as you've probably seen already.

I'm always an advocate for knowing how to do something 100% by hand before looking to prebuilt apps that may only accomplish 85% of what I need it to do.

Matt Borja