Hacking Tutorials

Guessing 25% of the PIN, Pattern and String Based Passwords

Hi! This piece of writing is based on my research and personal experiences so correct me if I am wrong at some point.
So today I am gonna talk about how to guess passwords! PIN based, Pattern based and our regular string based passwords.
This article has two sections, in the first one will talk about the most commonly used PINs, patterns and passwords. In the second one, we will take the guessing to a next level and that section is really interesting.

How to crack PIN code?

Do you know what’s common between people around the world? Stupidity and unfortu.. *coughs* fortunately there’s no patch for it.

Many people tend to use simple and easy to remember passwords and here are the most commonly used PINs organized according to their frequencies:

CodeFrequency
123410.71%
11116.016%
00001.881%
12121.197%
77770.745%
10040.616%
20000.613%
44440.526%
22220.516%
69690.512%
99990.451%
33330.419%
55550.395%
66660.391%
11220.366%
13130.304%
88880.303%
43210.293%
20010.290%
10100.285%

So now whenever you encounter a PIN based authentication system you know what to try first.

Tell me who you are and I will crack your lock pattern

Many android users tend to use pattern based locks on their smartphone for the sake of comfort and security. But are they really secure? We will get on that later but take a look at these most common patterns first:

most common pattern passwords

Our favorite string based passwords

String based passwords are used in most of the authentication systems and many users are stupid enough to use these common passwords:

most commonly used passwords

Source: Reddit

We have a word cloud here, larger the word, larger is the frequency.

Guessing passwords ain’t shit, Social Engineering and Tricks

I was watching Marte Loge’s Defcon presentation where he talks about his analysis of pattern locks based on gender, age and other factors and he disclosed the results of his survey which are pretty interesting.

As you know length of string based passwords is measured by the number of characters they have, length of pattern based passwords is measured by the number of dots used. You can see the graph of length of common patterns based on Marte loge’s research:

crack pattern lock android

He also pointed out that women tend to use weaker patterns than men and younger people tend to use stronger patterns than older people. The thing that I loved the most about his research is that he was able to identify the most commonly used dots.

android pattern lock unlock

It implies that 76.3 % patterns start from the corners where the bottom right corner is the least used corner and top left corner is most used. When people are using pattern based passwords, they tend to connect dots in form of their initials like P, N or S.

Lets stop talking about statistics and focus on real world techniques.

One thing you can do is to use your cheek to guess the pattern. Yeah that sounds weird but let me tell you how its done.

  1. Reach out to victim’s phone when he/she is away
  2. Press it against your cheek so the oil from your cheek would stick to it.
  3. Leave and take position at a distance
  4. Now the victim will draw his pattern to unlock the phone which will leave a trace on the oily screen which will be clearly visible if you tilt the phone.
  5. Regain access to the phone when victim is away and tilt the phone to figure out the path of the pattern.

Now take a look at this image and try to guess the password

most common used digit passwords

Its very easy to figure out that the keys 1, 5 and 8 rubbed off due to continuous use and the password should be 158, 185, 518, 581, 815 or 851. You won’t find worn keypads everywhere but you may be able distinguish the commonly used keys by changing light and angle of view.

My adventures with string based passwords

About an year ago when I was in initial phase of my hacking journey I was very fond of breaking into websites using SQL injection, and I learned a lot about passwords in that phase.
The second most common password I used to encounter was admin while ‘or’ ‘=’ was at the first place. Yeah I know thats a lame SQLi joke.

So I encountered a lot of hashes during my journey that would resolve to admin, 12345 or admin’s name like ahmed.
I clearly remember that one particular incident when I broke into database of a college where email addresses and passwords of the students were stored. At least 20% of the passwords were from most commonly used password list that we discussed above and rest of them were either their phone numbers or names written like this, somdev123, somdev1, somdev! or [email protected].
I took a guy’s email address and got his facebook account with and that and yeah you guessed it right, he was using the same password on facebook as well. *facepalm*

Passwords also depends on the type the service in use.
For example, when the data of adobe users was leaked the most common password was adobe123.
But what if pornhub’s data gets leaked? What would be the most common password? pussyslayer maybe. *another lame joke*

So next time you encounter an authentication system try making educated guesses before trying to bruteforce it and that would work 25% of the times if you are doing that right.

Thats all I had in mind while writing this article.
Thanks for reading and I hope you learned something new today. Have a nice day.

Also Read: Getting A Girlfriend : The Hacker’s Way


About the author

D3V

I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.

1 Comment

Click here to post a comment

Subscribe Now

Subscribe for free and get latest articles delivered right into your inbox.

Thank you for subscribing.

Something went wrong.

Categories

>-----ADVERTISEMENT-----<