Cracking Forgotten Passwords

Expandpass is a string expansion program. It's "useful for cracking passwords you kinda-remember." You tell the program what you remember about the password and it tries related passwords.

I learned about it in this article about Phil Dougherty, who helps people recover lost cryptocurrency passwords (mostly Ethereum) for a cut of the recovered value.
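What "tell the program what you remember" amounts to, as an added Python example: this is not Expandpass's code and does not use its grammar, and the slot notation, sample pattern and function names are constructed here. It also shows how few guesses remain once the structure of a password is known.

```python
import itertools
import math

# Constructed notation for this example (not Expandpass's own grammar):
# a pattern is a list of slots; each slot lists the alternatives remembered
# for that position. An empty string marks a slot that may be absent.
PATTERN = [
    ["correct", "Correct"],          # first word, unsure about the capital
    ["horse", "Horse", "h0rse"],     # second word, maybe with a digit swap
    ["", "-", "_"],                  # optional separator
    ["2017", "2018", "2019"],        # a year, one of three
    ["", "!", "!!"],                 # optional trailing punctuation
]

def expand(pattern):
    """Yield every string the pattern describes, without duplicates."""
    seen = set()
    for parts in itertools.product(*pattern):
        candidate = "".join(parts)
        if candidate not in seen:
            seen.add(candidate)
            yield candidate

def upper_bound(pattern):
    """Number of slot combinations (an upper bound on distinct candidates)."""
    return math.prod(len(slot) for slot in pattern)

def effective_bits(pattern):
    """Guessing entropy in bits for someone who knows the same pattern."""
    return math.log2(sum(1 for _ in expand(pattern)))

def blind_bits(length, alphabet=95):
    """Bits for an exhaustive search over printable ASCII of that length."""
    return length * math.log2(alphabet)

if __name__ == "__main__":
    candidates = list(expand(PATTERN))
    longest = max(len(c) for c in candidates)
    print(len(candidates), "candidates, e.g.", candidates[:3])
    print(f"with the pattern: {effective_bits(PATTERN):.1f} bits")
    print(f"blind search at length {longest}: {blind_bits(longest):.1f} bits")
```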

Posted on September 18, 2019 at 7:42 AM • 17 Comments

Comments

Joe • September 18, 2019 9:46 AM

For those low-value passwords that I don't have in a password manager, it would be so incredibly helpful if sites would just tell me upfront what their complexity requirements are. Then, at least 90% of the time, I would be able to remember what it was.

Commenter • September 18, 2019 1:07 PM

Please note that Lepton's Crack (https://github.com/reinob/lcrack) can also enumerate regex-like expressions (option "-g") to crack (hashes of) passwords.

Humdee • September 18, 2019 4:24 PM

Honestly, I just reuse passwords. I've never understood the requirement to make passwords unique because it assumes that everything that is password protected is of equal value. This assumption is false.

So this comes across to me as a solution to a fake problem.

RealFakeNews • September 18, 2019 5:57 PM

Wasn't there a discussion here on this blog a few years back that concluded that writing a long, complex password in notepad was a better option than short, easily guessable passwords?

There is really no excuse for forgetting passwords, and no reason to need these password-guessers.

Password managers should have pretty much eliminated the problem by now; if you're using cryptocurrency, surely you're smart enough to use one?

Clive Robinson • September 18, 2019 8:36 PM

Cracking "forgotten passwords" is a similar exercise to cracking "Survivor passwords".

For those not used to the otherwise unclear term "survivor passwords" these are passwords that have withstood previous mass password cracking attempts on encrypted password files that have been stolen and publicly posted.

Though survivor passwords might be harder to crack than forgotten passwords it is being done,

https://www.netmux.com/blog/survivor-password-hashes

Wael • September 18, 2019 11:57 PM

The username needs to be as secret as the password. It also needs to be unrelated to your real name. And if you like wearing a straitjacket, then you might as well change your username periodically, preferably at a different period than the password (which some believe needs to be static, sigh).

@Clive Robinson,

> For those not used to the otherwise unclear term "survivor passwords"

My password is trivial; my username... is a "survivor username". It looks something like this: ༼ʘ̚ل͜ʘ̚༽

Or better yet, to bring the constant vs. changing password debate: use two password fields; one static and one dynamic!

username: cbcdxgh
password: 'this one changes every x days'
pass phrase: if xxxx spits on you, he'll make you an instant security guru, chief!

Clive Robinson • September 19, 2019 4:23 AM

@ Wael,

What I need is someone to help me recover lost money.

When it comes to financial crime, it's been my experience that when technology or corporations are involved as financial vehicles your chances are such that it will cost you more than you will ever get back to pursue it (banks being a case in point).

It's why "finger snapper / bone breaker", "Shark" or "Money Shop" lenders work the way they do to ensure they get not just their money back but interest as well. The fact that the law in quite a number of jurisdictions actually protects the majority of them, should ring alarm bells in most people's heads as to the way their political system works. As you probably know it's why some religions have prohibitions against "money lenders" and their practices.

We are encouraged on one side to save for our futures with risky financial instruments in a rigged but legally protected market, but on the other to spend what we have for a comfortable life and to also have vulgar displays of wealth for status reasons.

The reality though, is that, whatever you acquire there will be a law somewhere in just about every legislative canon to strip you bare at any time of any assets you own, either directly or indirectly including your liberty or life. Such is "The King Game" of "Might is Right" giving "Divine Right" thus "Eminent Domain".

It was because of this that the British financiers set up the notion of "tax havens" and "Off shore trusts" and in more recent times more interesting financial vehicles such as "Limited Liability Partnerships". To prevent even Kings from being thieves.

Part of this has been over the years various people deciding to offer alternative financial systems. Such as stocks and shares and more recently crypto currencies. When you analyse them you will find they can all be abused in at least two primary ways you as an investor/user have no control over,

1, Compulsory "rent seeking".
2, Institutional "theft".

These "rights of the market" are usually "protected in law" or by some other mechanism to prevent you from getting your initial investment back. Failing that there will be long trails often across many jurisdictional borders to make any pursuit and capture at best a Pyrrhic victory. Which is no doubt why Mark Zuckerberg is so interested in setting up yet another financial system that he would control.

As has once been observed "we live in a world of thieves and villains"...

Which if you know your history is somewhat ironic and true. Because the word villain has changed its meaning over the years but is derived from the Latin word "villanus" which referred to those bound to the soil of the "Villa" and who also were bound life and soul to the land owner as a serf. The villain who was only marginally better off than a slave could at one time become a freeman by going on the run, however their ability to stay alive without land was minimal at best until trades became established. Villain came as many English words do via the "Courtly" or "Old" French word "Vilain", and over time changed to villein. Which under the "Courtly system" referred to a person of a less than knightly status, implying a lack of chivalry and politeness, or more simply one of the "peasants". Thus by logic if there are only "thieves and villains" in the world and the villains are the peasants, then the remaining courtly lords, ladies, monarchs, legislators and churchmen must be "thieves", which about sums it up.

Easy • September 19, 2019 7:32 AM

@Joe

"low-value passwords that I don't have in a password manager"

Password managers nowadays can auto-fill-in the password for you, without you doing anything at all... using such systems is actually easier than physically typing in the simplest possible of all easiest-to-guess passwords you could possibly think of...

And since having a password manager auto-fill-in a complex hard-to-guess password is just as easy as a simple easy-to-guess password, I just don't understand why people still cling to the fallacy of "but my data is special: it's soooo unimportant that I refuse to use good password practices on it"... look, if it's that unimportant, why don't you delete those accounts? or not register them in the first place... if it's important enough to register, it's important enough to use the password manager on, especially since that's actually by far the easiest thing to do!!!

Here's what's probably going on: either a) ignorance/inexperience of how modern password managers work... or b) clinging to hard-to-use password managers, under the belief that they must be more secure than easier-to-use ones. The problem with the latter one is that the most insecure password manager is the one that's being used but not fully because it's too hard to use. In other words you'll increase your security by using something that's easy enough for you to use that you use it everywhere. Such things exist. Check them out.

Greg • September 19, 2019 8:07 AM

@Easy

Yeah, honestly the really high-value passwords are the ones I remember myself, because they're the ones I can least afford to lose if I lose access to my password manager for some reason. Every other account I set up literally requires two clicks to generate and save a unique password for, and then requires zero further clicks to access later from a browser connected to the manager. Why on Earth would I try to memorize those passwords in my own brain instead?

Wael • September 19, 2019 11:15 AM

@Clive Robinson,

> It's why "finger snapper / bone breaker", "Shark" or "Money Shop" lenders work the way they do...

No, thanks. Don't need that kind of help :)

humdee • September 19, 2019 1:07 PM

@easy writes, "look, if it's that unimportant, why don't you delete those accounts? or not register them in the first place... if it's important enough to register, it's important enough to use the password manager on..."

LOL. You don't understand anything about human psychology, do you? It is like telling an alcoholic that if the alcohol is causing a problem he should just stop drinking.

https://www.youtube.com/watch?v=1nw-V5eEeAk

@Easy • September 19, 2019 4:17 PM

@humdee

Or like telling people who keep shoving their hands in the fire, "if it hurts don't do that"... :)

Nameless Cow • September 19, 2019 4:27 PM

@humdee

> I've never understood the requirement to make passwords unique because it assumes that everything that is password protected is of equal value.

I've never heard of that assumption being the justification for using different passwords for different accounts. Say you have a number of accounts all sharing the same password. Let's further assume that only one of them is of high value -- the rest are unimportant enough that you don't care if they get compromised. By having the same password, your high-valued account is at the mercy of the security of the other ones, some of which may have your password stored in plaintext on a vulnerable server. If the password of your vulnerable account is leaked, someone may just try the same password on every account that's known to be yours. Now your high-value account is at risk.

It might be OK if you only use the same password for multiple low-value accounts, but then just because you don't care if your account gets compromised doesn't mean that the system owners feel the same way. A system owner may trust you enough to allow you to have an account on their system, but they may not want random, untrusted people to have access to their system through your account.

Easy • September 19, 2019 4:29 PM

Or like telling people who refuse to secure their stuff in a crime-ridden area, "if you really don't want your stuff, why do you keep buying it in the first place?"

Or like telling people who keep smearing meat all over their tents before camping in them in bear country, "if you don't want to keep getting mauled by bears, why do you keep doing that"

Easy • September 19, 2019 4:47 PM

Criminals don't evaluate the value before trying to steal each account... they just try to get them all... high value ones, low value ones, medium value ones... it's like stealing packages: they have no idea of the value, they're just hoping one of the dozen they picked up today is valuable.. the more they grab the more likely one is valuable... they're playing the odds by cranking up the number...

So all your online stuff is equally being tried to get broken into by every single criminal worldwide... if you don't value it enough to protect it, with the simplest-to-use things known to modern man: password managers full of auto-filled-in strong passwords, THEN DO NOT HAVE IT IN THE FIRST PLACE... All you're doing is feeding the criminals with more accounts... It's just like feeding the bears your toes (didn't need them to walk anyway), so they get a taste of human meat... You are harming society...
