Password statistics

Discussion and support for the CUDA Multiforcers (Windows and Linux)

Password statistics

Postby mrCracker » Wed Jun 03, 2009 6:29 am

Analyzing 17689 passwords from a single Windows domain, all "current" passwords, mixed user and service accounts:
Average password length 9.12
Average number of unique characters in LM passwords 7.76
Average number of unique characters in NT passwords 7.89
Average number of character groups in LM passwords 2.26
Average number of character groups in NT passwords 3.04
Accounts where password matches username 1
Accounts where password starts with username 26
Accounts where password contains username 13

Passwords consisting of numbers only 1
Passwords consisting of mixed case letters only 4
Passwords consisting of upper case letters only 4
Passwords consisting of lower case letters only 47
Passwords consisting of special characters only 0
Passwords consisting of mixed case letters and numbers 12297
Passwords consisting of upper case letters and numbers 44
Passwords consisting of lower case letters and numbers 4531
Passwords consisting of mixed case letters and special characters 47
Passwords consisting of upper case letters and special characters 0
Passwords consisting of lower case letters and special characters 34
Passwords consisting of mixed case letters, numbers and special characters 553
Passwords consisting of upper case letters, numbers and special characters 21
Passwords consisting of lower case letters, numbers and special characters 107
Passwords consisting of numbers and special characters 0

Based on per-position charset support (Thx Bitweasil!), here's a small preview of the 4 most popular characters per position:

Pos 1      Pos 2      Pos 3
B 2703     r 3223     u 2682
A  902     a 2503     n 1555
M  693     e 1559     r 1434
L  669     o 1520     l 1230
T  656     i 1155     e  990

Password length statistics (policy is minimum length 8):

Length  Count
0       0
1       0
2       0
3       0
4       0
5       0
6       1
7       1
8       8194
9       2893
10      4568
11      979
12      589
13      300
14      164

And that was just a very tiny preview of things to come. :-)
mrCracker
 
Posts: 28
Joined: Sun Feb 15, 2009 2:09 pm
Location: Bergen, Norway

Re: Password statistics

Postby Bitweasil » Wed Jun 03, 2009 1:05 pm

Interesting...

Do you have a script that generates this out of a list of passwords?
Bitweasil
Site Admin
 
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Password statistics

Postby mrCracker » Wed Jun 03, 2009 4:09 pm

Yup. Or to be completely honest: a friend/colleague does this for me using Perl. What you see here though is just a fraction of what we've got, as an example there's nothing here linking the passwords to the real users (are they using parts of their name as whole/part of their password as an example..)
mrCracker
 
Posts: 28
Joined: Sun Feb 15, 2009 2:09 pm
Location: Bergen, Norway

Re: Password statistics

Postby Bitweasil » Wed Jun 03, 2009 4:30 pm

Any chance of getting that perl script published? It would be interesting to run it through what Cryptohaze finds (to generate statistics).
Bitweasil
Site Admin
 
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Password statistics

Postby Sc00bz » Wed Jun 03, 2009 7:55 pm

mrCracker wrote:
Average number of unique characters in LM passwords 7.76
...
Accounts where password starts with username 26
Accounts where password contains username 13

You should probably do "average number of unique characters in first half of LM passwords" and "average number of unique characters in second half of LM passwords."

Also "accounts where password contains username" should be 39 (13+26) or be called "accounts where password contains username (not including passwords that start with username)." Since it would be impossible to tell what it actually meant if "password contains username" is greater than "password starts with username."
Sc00bz
 
Posts: 93
Joined: Thu Jan 22, 2009 9:31 pm
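The figures in the opening post, and the two corrections Sc00bz raises (count the username buckets disjointly so they add up, and count unique characters per 7-character LM half), are straightforward to compute from a list of username/password pairs. The script below is an added example written for this page; it is not the Perl script mrCracker mentions and makes no claim about how that script works. It assumes passwords are plain ASCII (LM upper-casing is done with Python's `upper()`, which matches the OEM code page only for ASCII) and that username comparison is case-insensitive, which the post does not state. The sample data is constructed for illustration and is not real credentials.

```python
"""Password-composition statistics for a password-audit report (added example)."""
from collections import Counter

# Constructed sample data, not real credentials.
SAMPLE = [
    ("alice", "Alice2009"),
    ("bob", "bob"),
    ("carol", "xcarolx1"),
    ("dave", "Summer2009!"),
    ("erin", "password"),
    ("frank", "12345678"),
    ("grace", "Password1"),
    ("heidi", "Pa55word"),
]


def char_classes(pw):
    """Return the set of character classes ('lower', 'upper', 'digit', 'special') present in pw."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def composition_label(pw):
    """Map a password to one of the 'consisting of ...' buckets used in the post."""
    cl = char_classes(pw)
    parts = []
    if {"lower", "upper"} <= cl:
        parts.append("mixed case letters")
    elif "upper" in cl:
        parts.append("upper case letters")
    elif "lower" in cl:
        parts.append("lower case letters")
    if "digit" in cl:
        parts.append("numbers")
    if "special" in cl:
        parts.append("special characters")
    if not parts:
        return "empty"
    if len(parts) == 1:
        return parts[0]
    return ", ".join(parts[:-1]) + " and " + parts[-1]


def username_relation(user, pw):
    """Disjoint buckets so the three counts add up (Sc00bz's point).
    Case-insensitive comparison is an assumption; the post does not say."""
    u, p = user.lower(), pw.lower()
    if p == u:
        return "matches username"
    if p.startswith(u):
        return "starts with username"
    if u in p:
        return "contains username (elsewhere)"
    return None


def lm_half_unique(pw):
    """Unique characters in each 7-character half of the LM input.
    LM upper-cases the password and pads it to 14 bytes; a password longer
    than 14 characters has no LM hash, so None is returned for it."""
    if len(pw) > 14:
        return None
    up = pw.upper()
    return len(set(up[:7])), len(set(up[7:14]))


def position_top(passwords, positions=3, top=5):
    """Most frequent characters at each of the first `positions` positions."""
    counters = [Counter() for _ in range(positions)]
    for pw in passwords:
        for i, c in enumerate(pw[:positions]):
            counters[i][c] += 1
    return [ctr.most_common(top) for ctr in counters]


def analyze(pairs):
    """Compute the headline figures from the post for a list of (user, password) pairs."""
    pws = [pw for _, pw in pairs]
    n = len(pws)
    return {
        "count": n,
        "avg_length": sum(map(len, pws)) / n,
        "avg_char_groups": sum(len(char_classes(p)) for p in pws) / n,
        "length_histogram": dict(sorted(Counter(map(len, pws)).items())),
        "composition": Counter(composition_label(p) for p in pws),
        "username": Counter(username_relation(u, p) or "no overlap" for u, p in pairs),
        "position_top": position_top(pws),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Because `username_relation` returns one bucket per account, "matches", "starts with" and "contains (elsewhere)" never overlap, which is exactly the ambiguity Sc00bz points out in the original 26/13 figures. Real audit data would be loaded from a cracked-password file instead of `SAMPLE`; the per-position counts are the input for the per-position charset feature referred to in the thread.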

Re: Password statistics

Postby mrCracker » Wed Jun 03, 2009 9:02 pm

Already in the process, along with several other features.
mrCracker
 
Posts: 28
Joined: Sun Feb 15, 2009 2:09 pm
Location: Bergen, Norway

Re: Password statistics

Postby mrCracker » Fri Jun 05, 2009 7:49 am

budden wrote:
mrCracker
How did you dump passwords from domain server?


I used Cain (www.oxid.it).

Cain "secret": At least for password dumping you don't actually need to install Cain in order to make it run, just copy the main executable and a few other files to your server (disable AV - otherwise you'll probably kill Cain....), and run it as Domain Admin (yep, *crazy*, isn't it?). I usually dump all hashes along with history hashes, since I'm looking for users violating the password history parameter by changing their password XX times in batch every time they are required to change their password, thus keeping the same password all the time.

I've had (and still have) problems with pwdump/fgdump from Fizzgig (foofus.net), and other command-line dumpers like gsecdump etc. don't give me the features I want and/or are not stable enough for my scripted production environments. Until some of those issues are resolved, Cain's my best tool.
mrCracker
 
Posts: 28
Joined: Sun Feb 15, 2009 2:09 pm
Location: Bergen, Norway

Re: Password statistics

Postby mrCracker » Fri Jun 05, 2009 4:21 pm

I probably have tested Cain on x64, but can't say for sure at the moment (gotta check). All I can tell you is that I've run it on a whole bunch of servers, so far without problems.
mrCracker
 
Posts: 28
Joined: Sun Feb 15, 2009 2:09 pm
Location: Bergen, Norway

Re: Password statistics

Postby mrCracker » Sat Jun 06, 2009 3:59 pm

Bitweasil wrote:Any chance of getting that perl script published? It would be interesting to run it through what Cryptohaze finds (to generate statistics).


Currently discussing a possible release as open source, I'll get back to you as soon as I have obtained a decision. Company decisions take time. :-)
mrCracker
 
Posts: 28
Joined: Sun Feb 15, 2009 2:09 pm
Location: Bergen, Norway
