Password Analysis and Reporting

Pwdlyser (pronounced ‘password ly-ser’ for ‘password analyser’) is the password analysis and reporting tool that can be used for a wide variety of environments. The tool itself was originally built as a Python script for the purposes of automating Microsoft Active Directory domain user account passwords, with an aim of providing consistent results for security consultants and penetration testers.

However, the tool can also be used for any other cracked password lists, such as databases for example. Organisations can also use these tools for internal audits, security awareness, and other purposes.

Pwdlyser CLI

The original Pwdlyser tool can be found on my GitHub page and can be quickly used to provide password analysis results in a terminal window. An example of the basic output (table view) can be seen below:

Password analysis for Linux

Pwdlyser GUI

The newest version of Pwdlyser was built for Windows and offers end-users to be able to audit and perform password auditing. The GUI provides a number of controllable settings for performing password analysis. As for the output, this comes in three distinct display options for the resulting analysis;

  • Automated Executive Summary
  • Automated Technical Summary
  • Individual Analysis Results (Tabled View)

Password analysis for Windows

Password Analysis

The full list of password analysis features are as follows:

  • Administrative user accounts and their associated passwords (requires an input for a list of administrative account names through the ‘–admin’ input).
  • List passwords within a list that are a variation (e.g. substituted alpha characters for numeric or numeric for alpha, upper or lower case changes, or substitutions for alpha characters from special or the reverse) .
  • Provide character-level analysis, outputting the most common characters (alpha, numeric, or special).
  • Display a list of passwords that are a variation or use the date (e.g. March, Mar, 1949, DD MM, etc).
  • Output the estimated entropy of the password or password mask. Please note, this does not take in to consideration the variation of the common passwords or dictionary-based words.
  • Search for usernames, either a variation or the exact username.
  • Search for passwords, either exact (using –exact) or variation (-S or –search).
  • Provide frequency analysis output in terms of the most common passwords. The amount of most frequent passwords can be specified via the ‘-f X’ argument, where ‘X’ is the integer.
  • Provide frequency analysis output in terms of the most common password lengths. Again, this can be specified with ‘-fl X’.
  • Perform keyboard pattern analysis. This is performed by looking at the most common keyboard patterns (such as 12345, qwert, z1x2c3, q1w2e3r4t5) and checking for slight variations.
  • Output a list of passwords that do not meet a certain length. For example, if an organisation’s password policy is 9 characters, a list of passwords less than 9 characters will be displayed.
  • Hashcat mask analysis (argument -m), which outputs the most common (the default amount can be changed via the ‘–mask-count’ argument) password lengths in the output of Hashcat input masks. An example of this would be if a password list has a majority of passwords within the list that use ‘Passw0rd1’, which would resolve to the Hashcat mask of ‘?u?l?l?l?l?d?l?l?d’. This has been shown to be very effective for internal Domain password cracking, and also highlights weaknesses within the user-base awareness of strong passwords.
  • Organisations can use this tool to review the usage of the organisation name (or a variation/abbreviation of the organisation name) within staff passwords. The output will highlight passwords that use the exact organisation name or a variation of the organisation name. For example, ‘exampleorg’ as the organisation name and ‘ex4mpl¬£0rg’ as the password.
  • Check for password reuse within accounts that are similarly named. This could highlight potential escalation routes within an organisation, which may include low privileged accounts reusing the same password between high privileged user accounts. This could be ‘bobm’ reusing the same password as ‘bobm_da’.
  • Analysis can also be performed for all user accounts that share a password with other accounts. An example use of this output would be to review where the same password configured for administrative or service accounts.
  • Additionally, organisations often have user accounts (such as service accounts) that have their password using a variation of the username itself. An example of this would be ”svc_voiporgprovider” as the username and “0rgProv!der” as the password.
  • Finally, the last analysis feature is the ability to be able to output a ‘cleaned’ password wordlist. This is based upon substitution and the removal of numeric suffixes. An example output from a password would be ‘Ex4mplePa$$2017’ being output to the wordlist as ‘ExamplePass’.

Password Analysis Output

In terms of the formats for the analysis output, there are three output formats:

  • Firstly, Pwdlyser can display a non-masked output of passwords (plaintext) alongside their associated usernames. This of course varies depending upon the analysis; e.g., most common password lengths, length and the total amount/percentage will be displayed.
  • A more technical output, which provides the list of each user account or individual password analysis feature. An example would be the most common password lengths or common passwords as a top 10 output. Any passwords shown within this output will be masked for at least 3 characters. The total ¬†masked characters depends upon the length of the password being displayed.
  • Provide a summary output that is high level and aimed at an executive or management level. Can be easily included within security testing reports or internal audits.

Additional options can be set that include other features within the above outputs. Such as using the organisation name search, which would also feature within the technical or summary outputs.