Cross-referencing acquired credentials against publicly known, known-bad credentials, in a bid to really hit home the cultural change required, or just to fully break down a target.
Sometimes it helps to make things as obvious as possible, so you can deny wiggle room to anything counter to improvement. Pressure, pressure, pressure.
I've put together a little tool called Publicker.py. It's written in Python, and what it does is take your list of compromised / recovered passwords (cracked, stolen, whatever) and cross-reference them against either a folder and its files on your system, or the Passwords folder of the infamous SecLists, which it can download for you. The idea is that the folder on your computer, maybe it's Kali's wordlist folder, maybe it's from SecLists, either way is a folder whose subdirectories and files hold passwords that are all known, and all bad to use.
Here's what the output will look like:
Publicker.py
```text
python3 publicker.py
Choose an option:
1. Provide a path to your wordlist folder.
2. Download wordlist folder from GitHub. **< this takes some time**
2
Enter the file name for complex passwords: /Users/carroll/Desktop/Publicker/this.txt
Using /Users/carroll/Desktop/Publicker/this.txt as the list of passwords.
Processing Files...
Processed 1/42 files...
SNIP
Total matches found: 1582
Summary:
openwall.net-all.txt: 1 matches
2020-200_most_used_passwords.txt: 0 matches
dutch_common_wordlist.txt: 0 matches
xato-net-10-million-passwords-dup.txt: 181 matches
xato-net-10-million-passwords-1000.txt: 0 matches
probable-v2-top207.txt: 0 matches
xato-net-10-million-passwords.txt: 447 matches
twitter-banned.txt: 0 matches
unkown-azul.txt: 0 matches
darkweb2017-top10000.txt: 7 matches
cirt-default-passwords.txt: 0 matches
darkweb2017-top10.txt: 0 matches
darkweb2017-top1000.txt: 1 matches
german_misc.txt: 0 matches
dutch_passwordlist.txt: 508 matches
richelieu-french-top5000.txt: 2 matches
months.txt: 37 matches
probable-v2-top12000.txt: 4 matches
seasons.txt: 19 matches
common_corporate_passwords.lst: 72 matches
mssql-passwords-nansh0u-guardicore.txt: 4 matches
probable-v2-top1575.txt: 2 matches
xato-net-10-million-passwords-100000.txt: 36 matches
Most-Popular-Letter-Passes.txt: 0 matches
richelieu-french-top20000.txt: 5 matches
bt4-password.txt: 41 matches
xato-net-10-million-passwords-10.txt: 0 matches
xato-net-10-million-passwords-10000.txt: 4 matches
scraped-JWT-secrets.txt: 1 matches
xato-net-10-million-passwords-1000000.txt: 181 matches
darkc0de.txt: 0 matches
UserPassCombo-Jay.txt: 0 matches
xato-net-10-million-passwords-100.txt: 0 matches
Keyboard-Combinations.txt: 0 matches
PHP-Magic-Hashes.txt: 0 matches
clarkson-university-82.txt: 0 matches
500-worst-passwords.txt: 0 matches
stupid-ones-in-production.txt: 0 matches
citrix.txt: 0 matches
der-postillon.txt: 0 matches
days.txt: 29 matches
darkweb2017-top100.txt: 0 matches
Results saved to publickers.txt.
```
That's what you'll see in your terminal. In the Publickers.txt file you'll see one line per match, in the form `Password 'password' was found in 'Publicly-known-wordlist.txt'`, followed by a summary giving the number of matches per wordlist that was used for the cross-reference.
Snipped Example:
```text
Password 'Monday111' found in days.txt
Password 'Saturday123!' found in days.txt
Password 'Wednesday1*' found in days.txt
Password 'Friday123' found in days.txt
Password 'Saturday1' found in days.txt
Password 'Thursday12345' found in days.txt
Password 'Thursday123' found in days.txt
Password 'Friday12345!' found in days.txt
Password 'Friday123!' found in days.txt
Password 'Thursday1' found in days.txt
Password 'Friday123?' found in days.txt
Password 'Wednesday1' found in days.txt
Password 'Saturday123' found in days.txt
Password 'Thur5d4y!' found in days.txt
Password 'Thursday12345!' found in days.txt
Password 'Tuesday1' found in days.txt
Password 'Sunday123' found in days.txt
Password 'Wednesday1#' found in days.txt
Password 'Friday12345' found in days.txt
Password 'Wednesday123' found in days.txt
Password 'Tuesday123*' found in days.txt
Password 'Wednesday123!' found in days.txt
Password 'Monday123?' found in days.txt
Total matches found: 1337
Summary:
openwall.net-all.txt: 1 matches
2020-200_most_used_passwords.txt: 0 matches
dutch_common_wordlist.txt: 0 matches
xato-net-10-million-passwords-dup.txt: 181 matches
xato-net-10-million-passwords-1000.txt: 0 matches
probable-v2-top207.txt: 0 matches
xato-net-10-million-passwords.txt: 447 matches
twitter-banned.txt: 0 matches
unkown-azul.txt: 0 matches
darkweb2017-top10000.txt: 7 matches
cirt-default-passwords.txt: 0 matches
darkweb2017-top10.txt: 0 matches
darkweb2017-top1000.txt: 1 matches
german_misc.txt: 0 matches
dutch_passwordlist.txt: 508 matches
richelieu-french-top5000.txt: 2 matches
months.txt: 37 matches
probable-v2-top12000.txt: 4 matches
seasons.txt: 19 matches
common_corporate_passwords.lst: 72 matches
mssql-passwords-nansh0u-guardicore.txt: 4 matches
probable-v2-top1575.txt: 2 matches
xato-net-10-million-passwords-100000.txt: 36 matches
Most-Popular-Letter-Passes.txt: 0 matches
richelieu-french-top20000.txt: 5 matches
bt4-password.txt: 41 matches
```
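To make the mechanics concrete, here is a worked example of the cross-reference described above: a recovered-password list checked against every file under a wordlist folder, with one line per match and a per-wordlist summary. This is added example code, not Publicker's own source. It assumes containment matching (a wordlist entry found inside a password counts, which is how something like `Monday111` ends up matched against `days.txt`), case-insensitive comparison, and a minimum entry length to keep two-letter wordlist entries from matching everything; those are my design choices. The wordlists and passwords are constructed sample data so the example runs offline.

```python
"""Added example: cross-reference recovered passwords against a folder of known-bad wordlists.

Assumed behaviour (modelled on the sample report, not the tool's own code): a password is
flagged when a wordlist entry occurs inside it, compared case-insensitively.
"""
import os
import tempfile
from typing import Dict, Iterator, List, Tuple

# Constructed sample data so the example runs offline; these are not real recovered credentials.
SAMPLE_PASSWORDS = ["Monday111", "Saturday123!", "Summer2020", "correct horse battery", "Welcome1"]
SAMPLE_WORDLISTS = {
    "Common-Credentials/days.txt": ["monday", "tuesday", "wednesday", "thursday",
                                    "friday", "saturday", "sunday"],
    "Common-Credentials/seasons.txt": ["spring", "summer", "autumn", "winter"],
    "Common-Credentials/common_corporate_passwords.lst": ["Welcome1", "Password1", "Company123"],
}


def load_passwords(path: str) -> List[str]:
    """Read one password per line, keeping case and punctuation and dropping blank lines."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return [line.rstrip("\r\n") for line in fh if line.strip()]


def iter_wordlist_files(root: str) -> Iterator[str]:
    """Walk the wordlist folder and all its subdirectories in a stable (sorted) order."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort steers os.walk's traversal order
        for name in sorted(filenames):
            yield os.path.join(dirpath, name)


def cross_reference(passwords: List[str], wordlist_dir: str, min_entry_len: int = 4
                    ) -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    """Return ([(password, wordlist_name), ...], {wordlist_name: match_count}).

    Wordlists are streamed line by line, so a multi-million-line file never has to fit in
    memory. Entries shorter than min_entry_len are skipped: a one- or two-character entry
    would be a substring of almost every password and drown the report in noise.
    """
    haystacks = [(pw, pw.lower()) for pw in passwords]
    matches: List[Tuple[str, str]] = []
    summary: Dict[str, int] = {}
    for path in iter_wordlist_files(wordlist_dir):
        name = os.path.basename(path)
        hits = set()
        # Public wordlists often contain bytes that are not valid UTF-8; skip them, don't abort.
        with open(path, encoding="utf-8", errors="ignore") as fh:
            for line in fh:
                entry = line.rstrip("\r\n").lower()
                if len(entry) < min_entry_len:
                    continue
                for pw, pw_lower in haystacks:
                    if entry in pw_lower:
                        hits.add(pw)
        summary[name] = len(hits)  # zero-match files stay in the summary to show coverage
        matches.extend((pw, name) for pw in sorted(hits))
    return matches, summary


def write_report(matches: List[Tuple[str, str]], summary: Dict[str, int], out_path: str) -> int:
    """Write one line per match followed by the per-wordlist summary; return the total."""
    total = len(matches)
    with open(out_path, "w", encoding="utf-8") as out:
        for pw, name in matches:
            out.write(f"Password '{pw}' found in {name}\n")
        out.write(f"Total matches found: {total}\nSummary:\n")
        for name, count in summary.items():
            out.write(f"{name}: {count} matches\n")
    return total


def build_sample_dir(base: str) -> str:
    """Write the constructed wordlists under base/Passwords and return that folder."""
    root = os.path.join(base, "Passwords")
    for rel, entries in SAMPLE_WORDLISTS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(entries) + "\n")
    return root


def run_sample() -> Tuple[int, Dict[str, int]]:
    """End-to-end run on the constructed data; returns (total matches, summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        wordlist_dir = build_sample_dir(tmp)
        matches, summary = cross_reference(SAMPLE_PASSWORDS, wordlist_dir)
        total = write_report(matches, summary, os.path.join(tmp, "publickers.txt"))
    return total, summary


if __name__ == "__main__":
    total, summary = run_sample()
    print(f"Total matches found: {total}")
    for name, count in summary.items():
        print(f"{name}: {count} matches")
```

Swap `SAMPLE_PASSWORDS` for `load_passwords("this.txt")` and point `cross_reference` at a real wordlist folder to get the same report shape as above. The containment check is what makes day, month and season lists so productive against appended-digit passwords; if you only want exact matches, replace `entry in pw_lower` with `entry == pw_lower`.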
You can download it from here: https://gist.github.com/yosignals/ce4a23c8bf15a4efa81b5783cfb9b730
Who is this for?
Well, this was a creation of necessity from my password audit kitbag. Many don't like a password audit, but there's a time and a place for it, not a regular time or a common place, but still... If you want to understand my optics on when, why and what to expect, we can cover that [blog post isn't ready].
This is part of a set of tooling I've created to apply the pressure needed to drive cultural change within organisations that simply need to do more around credentials as an ecosystem. This isn't really a user problem, it's a control and education problem, and you can help that message whenever you have the means to parse a load of passwords.