
Cracking Passwords Based on Song Lyrics

There’s been a lot of news in the media lately about using tools like encryption and password managers. Both of these can leverage a single password to unlock a ton of vital information. Because of this, people are looking to create longer, more complex “master keys”. This blog demonstrates a method of guessing some of those keys.

These “master keys” are for things like:

  • Unlocking their password manager
  • Decrypting their OS when booting
  • Decrypting volumes with sensitive files
  • WiFi encryption using WPA
  • etc.

I’ve noticed a trend when people are discussing new strategies here – using a string of words together, including spaces, that is easy to remember. Song lyrics come readily to mind, and it seems that a good deal of people assume these will be difficult to crack.

So What?

I wanted to create a short program to show that this type of password is also insecure. Using Python with a few simple libraries, I created this script that generates a password list based on a given artist. Discovering someone’s favorite band is pretty easy… that sort of thing is plastered all over social media, and it’s usually something people will provide when asked by anyone.

$ python ./lyricpass.py -h
usage: lyricpass.py [-h] [--lower] [--punctuation] artist output

positional arguments:
  artist         Define a specific artist for song lyric inclusion. Please
                 place the artist name in quotes.
  output         Output to file name in current directory.

optional arguments:
  -h, --help     show this help message and exit
  --lower        Switches all letters to lower case.
  --punctuation  Preserves punctuation, which is removed by default.

The script currently accepts a few inputs to tailor the password file, which is plain text and can be used for brute force password attacks. It will chug away and output a nice deduplicated file when it is done.


Are you using any lyric-based passwords today? Try out this script and see if it can crack yours.
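The same question can be asked from the defender's side, for example in a passphrase-policy check. The following is an added example, not part of lyricpass or the original post: it folds a candidate passphrase the way the --lower and --punctuation options shape the list, then looks it up in a lyric corpus. The sample lines are constructed placeholders, and the function names and the three-word minimum are assumptions made for this illustration.

```python
import string

# Constructed sample lines standing in for a lyric corpus (not real lyrics).
SAMPLE_LYRICS = """\
Walking home beneath the silver rain,
I'll keep the porch light on for you
Walking home beneath the silver rain,
Oh!
"""

# ASCII punctuation plus the curly quotes common in scraped lyric text.
_PUNCT = str.maketrans("", "", string.punctuation + "\u2018\u2019\u201c\u201d")


def canonical(text):
    """Fold case, drop punctuation and collapse whitespace, so every
    combination of the --lower and --punctuation options maps to one key."""
    return " ".join(text.translate(_PUNCT).lower().split())


def build_index(lyrics, min_words=3):
    """Map canonical key -> first original line. Lines shorter than
    min_words are skipped (assumed threshold) so single words are not flagged."""
    index = {}
    for line in lyrics.splitlines():
        key = canonical(line)
        if len(key.split()) >= min_words:
            index.setdefault(key, line.strip())
    return index


def lyric_match(candidate, index):
    """Return the lyric line a candidate passphrase reduces to, or None.
    Also catches the same line typed with its spaces removed."""
    key = canonical(candidate)
    if key in index:
        return index[key]
    squeezed = key.replace(" ", "")
    for k, line in index.items():
        if k.replace(" ", "") == squeezed:
            return line
    return None


if __name__ == "__main__":
    idx = build_index(SAMPLE_LYRICS)
    samples = ["walking home beneath the silver rain",
               "Ill keep the porch light on for you", "correct horse battery staple"]
    for pw in samples:
        print(repr(pw), "->", lyric_match(pw, idx))
```

A match means the passphrase is one normalisation step away from a line in the corpus, regardless of the capitalisation, punctuation or spacing the user chose.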

Update

This script is now linked to on WeakPass! :)