
Hi everybody. My name is Lucy Saucy; Saucy is just my surname, it's just easier for people to pronounce. A little bit about me: I'm co-owner of a company called Iron Sky, a South African based penetration testing company, and my main function is basically just being a penetration tester. Before I did security, or anything security related, I used to be a professional athlete and went as far as the Olympic Games and World Championships, so I've basically brought that fear and excitement into security as well. My talk is about the effectiveness of passwords, and basically sort of everything about passwords, from my own perspective as an African from South Africa.

In South Africa the business language is English, and what we found is that most of the password policies written by organizations are based in English, with English examples, and the systems they use are also in English. User awareness around passwords is very, very low in South Africa, and user education about just general cyber risks is also very, very low in my country. For most people, just looking at the default Windows password policy, it's like: OK, we've checked the box, we've set this up, everything should be done, all passwords should be of a high standard. And most of the time, once an organization has that status, they really don't look at passwords anywhere else after that.

So what I did is I collected, from seven organizations in South Africa that I could collect from, the users' passwords. The companies I picked are in different sectors: government, pharmaceutical, and a number of other different industries. I collected 72,614 LM hashes and 170,433 NTLM hashes. All these hashes are user based, so there are no computer accounts in this; these are passwords that somebody has created.

Basically what I found was that I was able to crack 2,242 of the LM hashes, because the problem with LM hashes is that it takes the word, breaks it up into seven-character chunks and uppercases them. What I found was that most people in the organizations created the password ABC123, and Fish Eagle, as the main passwords. Just looking at these passwords you can see that they look like generic passwords that an administrator may have created and then just forgot about. On the NTLM hash side, I was able to crack 76,588 of these passwords, and most of the passwords I found were Password1, then PASSWORD in all capital letters, and the company name. A lot of people use the company name as one of their passwords in South Africa as a way to cope.

This is just a breakdown of the passwords that were found; I just grouped them together, so you can see that Fisheagle123 was found 179 times, then Fisheagle, and ABC, which is a redacted company: Redacted123 is basically the company name. We found that a lot of organizations love using their company name and then adding 123 or some special character at the end to create their passwords. As you can see as well, "password" is very, very popular as a coping mechanism for making passwords.

Other interesting information about the passwords that weren't on this list is that users created passwords according to what the company makes as a product. For example, there was one company that makes fertilizers, so people made passwords around fertilizer as well. People also used the cities and towns they were in for passwords: I'm from Johannesburg, so some of the passwords I was able to crack were where people would use Johannesburg1 or Johannesburg followed by a full stop as one of their passwords. Some of the service account passwords I found were that people, or IT administrators, would create a password called, for example, SQL, SQL30 or SQL2, depending on whatever service they're using; for example for SharePoint, the SharePoint installer will have SH installer as a password, or something generic like that.

South Africa is a very religious country, mostly following Christian ideology, so people will use Bible verses to make passwords: you'll find Genesis-something, or Romans, and there were quite a few people who used the literal phrase of a Bible verse or story as one of their passwords. A lot of people also use months, so they'll make, for example, June, or August19, as a password. And keyboard walking: people will go QWERTY, or qazwsx, as passwords, which are very easy to crack once you have a nice wordlist.

These are the passwords that I was able to crack, most of them. The passwords I was able to crack the most were eight characters in length, and the reason for eight characters is that, for most organizations I have tested, when I looked at their password policies as well, eight characters was the minimum password length that they wanted the users to have. Then obviously it starts to go up: nine, ten, eleven, twelve, thirteen, and then back down to six. There was one organization which said the users could create five-character passwords as well.

This is just the breakdown of what the passwords were like, using hashcat. You see they were mixed alphanumeric, 33,496 of them, which accounts for nearly 50% of all the passwords I was able to crack. There were some passwords that actually had a special character and a number, and then the lowercase passwords were from some organizations that really did not care how users entered passwords, just as long as the user had a password. Then there were some passwords which were just numbers, and most of those were literally 123456.

So this got me thinking. Basically, in Zimbabwe, I was doing a review for a company, and I was struggling to crack passwords in the organization. I captured the hashes and I'm sitting there trying to crack them using my normal wordlists, and none of them were working, until I decided: OK, let me just dump the whole domain controller, take all the usernames and take all the surnames as well, and start doing plays on those. Only then did I start getting hits. For example, one account I was able to get was "Charlie Norma": there was a user whose account was Charlie Norma, and when I used his name and his surname I actually got a hit. That got me thinking: if we converted known weak English passwords into another language, how effective would it be? Would people be able to crack them?

So this is South Africa. In South Africa we have 11 official languages, and the languages are based on regions. I am from KwaZulu-Natal, so I speak isiZulu; KwaZulu-Natal is over here. Most of the regions have a very dominant language. The region just below is the Eastern Cape, and most of the people that reside there speak isiXhosa. In the Western Cape and Northern Cape, most of the people that reside there speak Afrikaans. So South Africa is very, very regional. And the last one, right there at the top, is Venda, and I'll speak about that a bit more as well.

So South Africa has 11 official languages, but for the purpose of this talk and my research I only decided to pick eight of the most spoken languages in South Africa. I picked English, isiZulu, siSwati (siSwati is a very unique language in that a significant number of South Africans speak it, but at the same time people in Swaziland also speak the language; it's actually mostly their language), Sepedi, Tshivenda, isiNdebele, Setswana, Xitsonga, and isiXhosa. Another very important thing about African languages, especially in southern Africa, is that they are very much grouped. For example, I speak isiZulu, but I could speak to people who speak siSwati and isiXhosa, because we share a common part; they're part of the core of the Nguni languages. If you speak Sesotho, for example, you can speak to Northern Sotho, as far as Setswana. And if you speak Zulu, you can speak as far up as the Congo; I was up in the Congo before and I've listened to them talk and could actually pick up words from their languages, just because they share some words with us.

For the experiment, I basically collected known weak English passwords, converted them into the eight African languages that I selected, and then sent them to various password-cracking sites and people. The whole process was: I collected the top 19 weak passwords from the top 500 list, but one thing I made sure of was that the words were translatable. For example, the numbers: I disregarded the numbers, since most numbers are just numbers. Another very important thing is that some of the languages have their own unique special characters that do not appear in some of the dictionaries and on some of the keyboards, so I had to remove those special characters, otherwise people were really going to struggle to crack them.

Another very important thing I did is that I made all the words lowercase. The reason I made them all lowercase is that in isiZulu, for example, we sometimes capitalize the third letter of the word. In English you generally capitalize the first letter, but in my language we sometimes capitalize the third letter, or sometimes even the second letter. For example, in isiZulu, if you look at this word here, we capitalized the third letter. In the example, if we're saying soccer, we'd say iBhola, which means we only capitalize the second letter of the word. To basically keep it standard and the same for everything, I lowercased everything and then capitalized the first letter for every language, whatever language it was.

Another important thing is that I used the special characters from all the password cracking that I did for the seven organizations: I used the special characters that they used for making passwords. I didn't want to introduce any new special characters; I wanted to see if people could figure out and crack the same passwords. Then I made the words and converted them into NTLM and MD5 hashes as well.

So these are the weak passwords that were selected for each language. English is in yellow, and for each language I converted the word into that language. For example, in English it's called "password", but in Zulu it's "iphasiwedi". For each of the other languages as well, you'll see that in some languages we share some words: in Zulu you say iphasiwedi, in siSwati we say iphasiwedi, and in Xitsonga they also say iphasiwedi. So there's a lot of sharing of words. If a word was shared between two languages, I only used it once in the research. What I also did is that I represented the months as well: I converted all the months into the various languages, because as you saw with how the users cope with passwords, they also use months to cope.

These are just examples of how the passwords got created. You'll see in English, for example, "let me in". In South Africa, in Zulu for example, we can take a whole sentence and make it into one word. "Let me in" is three words in English, but in my language we can just make it one word. So some of the words people created, like "letmein", I converted into one word as well, and then there's "welcome" in Zulu. Another very important thing is that there are two ways we say things: traditional Zulu, and the more modern way of saying it. I used the very traditional way of talking, what we call deep Zulu, which is very, very hard even for me to understand; the words are insanely deep and insanely long as well.

To keep them all the same, the hashcat mask that I used was: uppercase the first letter, lowercase everything else, add random digits, and then a special character at the end. For the months I did the same, but the two digits I added were the year that we're in: we're in 2019, so I added 19 at the end.

So this is the breakdown of the words that got generated. These are all the keys at the bottom, the character lengths, and then obviously it's a count of the words. Most of the words generated from English into the African languages were eleven characters in length, 58 of them, followed by ten at 58, eight-character words at 47, nine at 47 as well, twelve at 37, then thirteen, and it sort of goes down from there. The reason you'll see I only generated very few short ones is that I tried to stick as much as I could to the passwords that I was able to crack; for example, most of them are eight-character passwords, but my languages are just, in general, longer: some of the words will just be long. For example, hello: hello is h-e-l-l-o, five letters, but in my language we say sawubona, s-a-w-u-b-o-n-a. Same word, same meaning, but in my language it's longer. Hence the generated words were sometimes a bit longer.

So I basically uploaded some of the passwords to, for example, Hashkiller, hashes.org and OnlineHashCrack, and I also asked some people that I know: hey, I've created these words, can you try to guess them? The reason I uploaded them to these services is that I wanted as many people as possible to see if they could crack some of these passwords. Then I regularly checked the websites to see if they appeared: I knew what the hash was, so I'd just paste the hash onto the service, and if the password got cracked, cool, I'd see it; if it didn't, I'd wait a few more weeks. The password hashes were uploaded last year, on the 30th of July, and I stopped checking in August last year.

I found that 48 percent, or 159, of the 330 passwords that I created were successfully cracked between the online services: 100 NTLM hashes and only 55 MD5 hashes. Hashkiller accounted for nearly 90 of the 100 hashes, and most of the MD5 hashes as well. This was basically the breakdown of the passwords that people were able to guess: eight-character passwords accounted for the most, followed by nine at 28, ten at 22, seven at 16, and eleven-character passwords at 15. When you put them together you'll see that, of the eleven-character passwords we generated, 15 out of 58 were successfully cracked. In the eight-character passwords, for example, nearly all of them got cracked, followed by nine at just slightly less. All seven-character passwords were cracked, and for eight-character passwords 37 out of 47 were successfully cracked. None of the 21- and 22-character and higher-length passwords were successfully cracked.

These are basically the passwords that were found, in green. These are the English passwords, and these are the passwords that got generated; the ones in green are the ones people were successfully able to crack. For the months you'll notice it's basically the same: people actually struggled to crack the isiXhosa months, while these months people were able to crack successfully. There's a comeback: you'll find that for isiZulu only four words were ones people struggled to find, but in isiXhosa, for example, they were not able to crack a lot of them; only three isiXhosa words were found. So basically the word "password" was successfully cracked in two languages, isiZulu and isiXhosa. The word "hello" was the only word successfully cracked in all the languages; it's a greeting and it's said so many times that people must have it in a dictionary; it's universal. isiZulu was the southern African language that was cracked most successfully out of all the other languages, while isiXhosa was the least cracked language when it came to the months, and Setswana was one of the most cracked languages when it came to the months.

So, in conclusion: corporate South Africa uses English-based passwords, even though we have 11 official languages. South African users use readily available objects to create their passwords, because there's a lot of bias towards English-based passwords: your computer is in English, the system's asking you to please enter your password in English, so obviously the user, even though you speak Zulu at home like me, will still create an English-based password. "Password" is very popular in South Africa and it's got a very, very high hit number within corporate South Africa. Converting English-based passwords into Zulu did not offer any additional protection, and the reason for this is that Zulu is so widely spoken in South Africa: Zulu is sort of the language where, if I meet another black person in southern Africa, I expect them to understand my language even if they don't speak it. We're very proud of ourselves and we want to tell everybody else around us. Tshivenda might actually be the better language to create passwords in, if you use the special characters, because to get the special characters onto the keyboard there's essentially only one person I've found who has created a file that you have to put onto your Windows system to be able to get those special characters; so I had to remove them, just to make it a bit easier, but I'm sure that adding the special characters back would make them really, really hard to crack. Using months, isiXhosa was obviously the least cracked, and I've got no reason as to why, because isiXhosa and Zulu are part of the same Nguni group, so it should have been a lot easier to sort of guess and get right. Thank you very much. [Applause]
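The candidate-generation and hashing step the talk describes (first letter uppercased, the rest lowercased, digits plus a trailing special character; months with the two-digit year; NTLM and MD5 hashes, then checking whether a collected hash matches), as an added Python example that is not the speaker's code. The word list apart from "sawubona", the digit and special-character sets, and the account hashes are constructed for illustration; MD4 is implemented inline because hashlib often lacks it on OpenSSL 3 builds.

```python
import hashlib
import struct

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NTLM is MD4 over the UTF-16LE password, and
    hashlib.new("md4") is unavailable on many OpenSSL 3 builds, hence this."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                t = (a + fn(b, c, d) + x[k] + const) & mask
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & mask, b, c
        state = [(v + w) & mask for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntlm_hex(password: str) -> str:
    """NTLM hash as lowercase hex (the format the talk pasted into the sites)."""
    return _md4(password.encode("utf-16-le")).hex()

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def mangle(word: str, digits, specials) -> list:
    """The talk's mask: first letter upper, rest lower, then digits and one
    trailing special character. The digit/special sets come from the caller
    (the talk reused the ones seen in the audited organizations)."""
    base = word[:1].upper() + word[1:].lower()
    return [base + dg + sp for dg in digits for sp in specials]

def month_candidates(months, year_suffix: str = "19") -> list:
    """Month words get the two-digit year instead of random digits, as in the talk."""
    return [m[:1].upper() + m[1:].lower() + year_suffix for m in months]

def audit_ntlm(account_hashes: dict, candidates) -> dict:
    """Return {account: matched_candidate} for every account whose NTLM hash
    equals the hash of a candidate: the lookup the talk did by hand per hash."""
    table = {ntlm_hex(c): c for c in candidates}
    return {acct: table[h.lower()] for acct, h in account_hashes.items()
            if h.lower() in table}

# Constructed sample: "sawubona" (Zulu "hello", from the talk) and "password";
# digits/specials are illustrative choices, not the talk's actual lists.
WORDS = ["sawubona", "password"]
DIGITS = ("1", "123")
SPECIALS = ("!", "@")
MONTHS = ["june", "august"]
CANDIDATES = [c for w in WORDS for c in mangle(w, DIGITS, SPECIALS)] + month_candidates(MONTHS)

# Constructed account hashes (not from any real organization).
SAMPLE_ACCOUNTS = {
    "user1": ntlm_hex("Sawubona123!"),
    "user2": ntlm_hex("August19"),
    "user3": ntlm_hex("correct-horse-battery-staple"),
}

if __name__ == "__main__":
    for acct, plain in audit_ntlm(SAMPLE_ACCOUNTS, CANDIDATES).items():
        print(f"{acct}: matches candidate {plain!r} (md5 {md5_hex(plain)})")
```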
Q: On your first slide, Fish Eagle was the third most common. What is the significance of Fish Eagle?

A: Fish Eagle: there's actually a company in South Africa, a banking company, and they use that word as one of their passwords, so it's very easy to put together. That's the reason they use Fish Eagle a lot. Thank you very much guys; if there are any more questions, please come up to me and talk to me.

Q: Oh no, it is... Zulu is the most cracked, yes, but you said Setswana was also so highly cracked; I'd like to know if Zulu was the most cracked.

A: If you look at the passwords converted from English into the languages, not the months, Zulu was the most cracked one for those, and Setswana followed; it was a close second as well. But when it came to the months, Setswana was the most cracked for the months. So taking the months and putting 19 at the end, people were actually able to crack the Setswana words much more readily. I don't know why; for Zulu, people were able to find Zulu words so easily, just using hello, welcome, freedom, hello. It was really different to see that they didn't crack as much when it came to the months, but they were able to crack them in Setswana.

Q: So is Setswana also a ubiquitous language like Zulu, like more people would actually speak it in those regions?

A: Yes. Setswana is spoken mostly in the northern side of South Africa. Zulu is spoken more in KwaZulu-Natal, which is more coastal, so Setswana is spoken more up north, and I think also in Botswana, if I'm not mistaken. The two languages may share a little bit of words, but they don't really share all that much between each other. Thank you. OK.
Q: I'm just curious how you managed to get all the hashes from all seven companies. Did you face any resistance from them, and what was the context? Did you get them in an audit?

A: It is very hard. Basically we also do password checking, password auditing, for organizations, so I have to get the passwords somewhere, somehow, to be able to do the password audits. Most of the time that I've got the passwords, you could just talk to the people: hey, I'm doing this. But what I did is that after the research everything gets scrapped, everything goes away, and I don't share those passwords. I will share the passwords I created for the research, the converted ones, but I would never share the ones that I cracked from the organizations.

Q: One more question: will you be looking into breached credentials? Now that you have seven companies, maybe you can look them up in breached credentials, pull out all the breached passwords and do an analysis on them.

A: Yes, those passwords that I cracked actually come from using the Have I Been Pwned databases and a whole bunch of other databases around it. It's just that there's always going to be some new breach. Also, what I did for a lot of these words, for the passwords for the corporations, is that I used a lot of hashcat rules as well, so the whole process of cracking them took about two to three months of just pure cracking.

Alright, thank you, Norris. Thank you very much guys. [Applause]