Sunday, March 17, 2019

Password Requirements Evaluation

I am often asked to evaluate a list of passwords. The evaluation sometimes goes like this: how many passwords have only upper-case, lower-case, and numeric characters and no special characters? Below is a script to evaluate a list of passwords for this and for the length of the passwords. This script does not handle Unicode characters in the passwords.




#!/usr/bin/python3


# Script to Evaluate the Strength of Passwords and Length

import re

f = open("temp.txt", encoding="utf-8", errors="ignore")
countNumeric = 0
countLowerCase = 0
countLowerCaseNumber = 0
countUpperCase = 0
countUpperCaseNumber = 0
countUpperLowerCase = 0
countUpperLowerCaseNumber = 0
countUpperLowerCaseNumberSpecial = 0
countTotal = 0
lengthLess8 = 0
length8to12 = 0
length13to16 = 0
length17to20 = 0
length21to32 = 0
length33up = 0

for line in f:
    line = line.strip()
    strLength = len(line)
    # Each expression below matches only when every character of the line is in the given class.
    # All numeric password
    numericExpression = '^[0-9]{' + str(strLength) + '}$'
    if re.match(numericExpression, line): countNumeric += 1
    lowerCaseExpression = '^[a-z]{' + str(strLength) + '}$'
    if re.match(lowerCaseExpression, line): countLowerCase += 1
    lowerCaseNumericExpression = '^[a-z0-9]{' + str(strLength) + '}$'
    if re.match(lowerCaseNumericExpression, line): countLowerCaseNumber += 1
    upperCaseExpression = '^[A-Z]{' + str(strLength) + '}$'
    if re.match(upperCaseExpression, line): countUpperCase += 1
    upperCaseNumberExpression = '^[A-Z0-9]{' + str(strLength) + '}$'
    if re.match(upperCaseNumberExpression, line): countUpperCaseNumber += 1
    upperLowerCaseExpression = '^[A-Za-z]{' + str(strLength) + '}$'
    if re.match(upperLowerCaseExpression, line): countUpperLowerCase += 1
    upperLowerCaseNumericExpression = '^[A-Za-z0-9]{' + str(strLength) + '}$'
    if re.match(upperLowerCaseNumericExpression, line): countUpperLowerCaseNumber += 1
    upperLowerCaseNumericSpecialExpression = r'''^[A-Za-z0-9,.!@#$%^&?\[\]<>*_\-=+ '"()`\.,;:/\x5c~|]{''' + str(strLength) + '}$'   # raw string avoids invalid-escape warnings; \x5c = \
    if re.match(upperLowerCaseNumericSpecialExpression, line): 
        countUpperLowerCaseNumberSpecial += 1
    #else:
    #    print(line)
    if len(line) < 8: lengthLess8 += 1
    if len(line) >= 8 and len(line) <= 12: length8to12 += 1
    if len(line) >= 13 and len(line) <= 16: length13to16 += 1
    if len(line) >= 17 and len(line) <= 20: length17to20 += 1
    if len(line) >= 21 and len(line) <= 32: length21to32 += 1
    if len(line) >= 33: length33up += 1
    countTotal += 1
    #print(line)

f.close()

print("Total Passwords in List: " + str(countTotal))
print("All numeric only passwords: " + str(countNumeric))
print("All lower-case only passwords: " + str(countLowerCase))
print("All lower-case and numeric only passwords: " + str(countLowerCaseNumber - countNumeric - countLowerCase))
print("All upper-case only passwords: " + str(countUpperCase))
print("All upper-case and numeric only passwords: " + str(countUpperCaseNumber - countUpperCase - countNumeric))
print("All upper-case and lower-case only passwords: " + str(countUpperLowerCase - countUpperCase - countLowerCase))
print("All upper-case, lower-case and numeric only passwords: " + str(countUpperLowerCaseNumber - (countUpperLowerCase - countUpperCase - countLowerCase) - (countLowerCaseNumber - countLowerCase - countNumeric) - (countUpperCaseNumber - countUpperCase - countNumeric) - countUpperCase - countLowerCase - countNumeric))
print("All upper-case, lower-case, numeric and special chars only passwords: " + str(countUpperLowerCaseNumberSpecial - (countUpperLowerCaseNumber - countUpperCase - countLowerCase - countNumeric) - countUpperCase - countLowerCase - countNumeric))
print("Unaccounted for Passwords with RegEx's: " + str(countTotal - countUpperLowerCaseNumberSpecial))
print()
print("Password Length < 8: " + str(lengthLess8))
print("Password Length 8 to 12: " + str(length8to12))
print("Password Length 13 to 16: " + str(length13to16))
print("Password Length 17 to 20: " + str(length17to20))
print("Password Length 21 to 32: " + str(length21to32))
print("Password Length 33 and up: " + str(length33up))



I ran the above script against the rockyou list and received the following statistics (I put in the commas):

Total Passwords in List: 14,344,391
All numeric only passwords: 2,346,874
All lower-case only passwords: 3,726,802
All lower-case and numeric only passwords: 6,075,066
All upper-case only passwords: 229,917
All upper-case and numeric only passwords: 407,421
All upper-case and lower-case only passwords: 159,318
All upper-case, lower-case and numeric only passwords: 382,270
All upper-case, lower-case, numeric and special chars only passwords: 1,001,182
Unaccounted for Passwords with RegEx's: 15,541

Password Length < 8: 4,737,460
Password Length 8 to 12: 8,593,633
Password Length 13 to 16: 891,426
Password Length 17 to 20: 88,173
Password Length 21 to 32: 31,576
Password Length 33 and up: 2,123
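
An added example, not part of the original post: a single-pass variant that puts each password in exactly one composition bucket, so no subtraction between overlapping regex counts is needed, and that classifies non-ASCII characters by Unicode category instead of leaving them unaccounted for. The function names and the sample list are constructed for illustration.

```python
import unicodedata
from collections import Counter

# Length ranges as (label, inclusive upper bound), matching the post's buckets.
LENGTH_BUCKETS = [("< 8", 7), ("8 to 12", 12), ("13 to 16", 16),
                  ("17 to 20", 20), ("21 to 32", 32)]

def char_class(ch):
    """Map one character to upper / lower / numeric / special by Unicode category."""
    cat = unicodedata.category(ch)
    if cat == "Lu":
        return "upper"
    if cat == "Ll":
        return "lower"
    if cat == "Nd":
        return "numeric"
    return "special"  # punctuation, symbols, spaces, caseless letters, marks

def composition(password):
    """Return the exact set of classes present, e.g. 'lower+numeric'."""
    order = ("upper", "lower", "numeric", "special")
    present = {char_class(ch) for ch in password}
    return "+".join(c for c in order if c in present) or "empty"

def length_bucket(n):
    for label, upper in LENGTH_BUCKETS:
        if n <= upper:
            return label
    return "33 and up"

def evaluate(passwords):
    """Count composition and length buckets; every password lands in one of each."""
    comp, lengths = Counter(), Counter()
    for pw in passwords:
        pw = pw.strip()  # same end-of-line trimming as the post's script
        comp[composition(pw)] += 1
        lengths[length_bucket(len(pw))] += 1
    return comp, lengths

# Constructed sample input (not taken from any real list); \u00f1 is a lower-case n with tilde.
SAMPLE = ["123456", "password", "abc123", "QWERTY", "Passw0rd",
          "P@ssw0rd!2019", "contrase\u00f1a", ""]

if __name__ == "__main__":
    comp, lengths = evaluate(SAMPLE)
    for name, n in comp.most_common():
        print(f"{name}: {n}")
    for label, n in lengths.items():
        print(f"Password Length {label}: {n}")
```

Blank lines are reported in their own "empty" bucket here; in the regex script an empty line satisfies every `{0}` pattern and is counted in each class.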

