There’s been a lot of news in the media lately about using tools like encryption and password managers. Both of these can leverage a single password to unlock a ton of vital information. Because of this, people are looking to create longer, more complex “master keys”. This blog demonstrates a method of guessing some of those keys.
These “master keys” are for things like:
- Unlocking their password manager
- Decrypting their OS when booting
- Decrypting volumes with sensitive files
- WiFi encryption using WPA
I’ve noticed a trend when people are discussing new strategies here – using a string of words together, including spaces, that is easy to remember. Song lyrics come readily to mind, and it seems that a good deal of people assume these will be difficult to crack.
I wanted to create a short program to show that this type of password is also insecure. Using Python with a few simple libraries, I created this script that generates a password list based on a given artist. Discovering someone’s favorite band is pretty easy… that sort of thing is plastered all over social media, and it’s usually something people will provide when asked by anyone.
$ python ./lyricpass.py -h usage: lyricpass.py [-h] [--lower] [--punctuation] artist output positional arguments: artist Define a specific artist for song lyric inclusion. Please place the artist name in quotes. output Output to file name in current directory. optional arguments: -h, --help show this help message and exit --lower Switches all letters to lower case. --punctuation Preserves punctuation, which is removed by default.
The script currently allows a few inputs to tailor the password file, which is pure text and can be used for brute force password attacks. It will chug away and output a nice deduplicted file when it is done.
Are you using any lyric-based passwords today? Try out this script and see if it can crack yours.
This script is now linked to on WeakPass! :)