Tuesday, June 17, 2014

What I want from Domino's passwords

Domino's Pizza got hacked, and the attackers are demanding money in exchange for not publishing the stolen user credentials.

Now if I could analyze those passwords, here's what I would be interested in:

1. Site specific basewords

We've been discussing this like a million times. Scrape www.dominos.com for all words, and use that as a base for cracking passwords. But why specifically an analysis for this breach?

Well, it's a "specialty" site: a narrow field of products served. It would be interesting to see how many site/service specific words we would find at the base of users' passwords. Many other services online might have a bigger custom dictionary in use. Using site/service specific association elements is one of the observations we've made before, but imho it is an area that still needs more research.

2. Use of site specific colors in passwords

Based on research from Kirsi Helkala in 2012, we discovered that blue was the most dominant color word used in the <=6 million unique LinkedIn passwords, as we show in this infographic blog post.

It could be pure coincidence, as previous research shows that blue is the dominant color used on the Internet.

Domino's uses red and something blue-ish on a white background as their logo and website colors. I would search for color words black|white|blue|red|green|yellow|pink|orange etc. where used as base words, preferably stand-alone or connected with digits or symbols, and possibly as part of sentences or longer words (passphrases without spaces).
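As an added illustration (not code from the original post, and not Pipal itself), here is a small Python tally of the two checks above: site-specific basewords and color words, each classified as stand-alone, affixed with digits/symbols, or embedded in a longer word. The site wordlist and the sample passwords are constructed for the demo; a real run would scrape the site for the wordlist and feed in the actual password list.

```python
import re
from collections import Counter

# Color words the post proposes searching for.
COLOR_WORDS = ["black", "white", "blue", "red", "green", "yellow", "pink", "orange"]
# Hypothetical site-specific basewords; a real run would use words scraped from the site.
SITE_WORDS = ["domino", "dominos", "pizza", "cheese", "pepperoni", "delivery", "crust"]
# Constructed sample passwords for demonstration, not data from any breach.
SAMPLE_PASSWORDS = [
    "blue", "Blue123", "red!", "pizza2014", "ilovepizza", "Dominos1",
    "cheesypizza", "bluesky", "correcthorse", "Red1234!", "green", "p@ssw0rd",
]

def classify(password, word):
    """Usage of `word` in `password` (case-insensitive): 'standalone', 'affixed'
    (only digits/symbols around it), 'embedded' (other letters too), or None."""
    lower = password.lower()
    if word not in lower:
        return None
    if lower == word:
        return "standalone"
    rest = lower.replace(word, "", 1)
    # Anything left is digits, symbols or underscores -> word plus a simple affix.
    if re.fullmatch(r"[\d\W_]*", rest):
        return "affixed"
    # Caveat: short words ("red") also match inside unrelated words ("covered"),
    # so the 'embedded' bucket needs a manual look before drawing conclusions.
    return "embedded"

def find_base(password, words):
    """Longest word from `words` present in the password, with its usage kind."""
    for word in sorted(words, key=len, reverse=True):
        kind = classify(password, word)
        if kind:
            return word, kind
    return None, None

def analyse(passwords, words):
    """Pipal-style tally: hits per baseword, hits per usage kind, total passwords hit."""
    per_word, per_kind, hits = Counter(), Counter(), 0
    for pw in passwords:
        word, kind = find_base(pw, words)
        if word:
            per_word[word] += 1
            per_kind[kind] += 1
            hits += 1
    return per_word, per_kind, hits

if __name__ == "__main__":
    for label, words in (("site words", SITE_WORDS), ("color words", COLOR_WORDS)):
        print(label, analyse(SAMPLE_PASSWORDS, words))
```

On the constructed sample, site words hit 4 of 12 passwords and color words 6 of 12, with "blue" the most frequent color word.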

That's it.

Oh, and Robin @digininja: consider the above as some sort of feature requests for Pipal. ;-)

Oh, and I would love to see more tools developed for target-specific wordlist creation, including for Maltego, Metasploit, Kali Linux and more.