Discover Password Patterns with Analysis Tools


There are specialized analysis tools that can detect patterns and generate new rules and schemas from password leaks or existing cracked passwords. Programs like papal or pipal analyze the passwords and compile statistics about frequencies and distributions.

This allows the cracker to draw conclusions, for example, on password specifications or the maximum password length. In further cracking runs, they then leave out candidates without special characters, for example, and can break passwords faster with less computation. Recurring strings such as the domain name are also found by the analysis tools. These recurring strings are then used in new runs to test new combinations with new candidates.

Newly decoded passphrases migrate into the cracker’s dictionaries; found patterns are stored as templates in the analysis tools.

Once the program has gone through the static dictionaries, it's time to move on: with advanced rulesets, the cracker's tools try to recreate popular word changes by:

  • Writing words backward
  • Appending strings like <3 or xD
  • Appending complete years (e.g., 1984)
  • Swapping lowercase and uppercase letters
  • Testing keyboard patterns such as asdfqwerz
  • Applying leetspeak (p455w0r7 kn4ck3n instead of password crack)
  • Using service-typical strings like FB or facebook

The password P@5$w0rD is therefore almost as insecure as the password "password".

Often, most of these passwords are already cracked with these cracking rules. But there are more cracking runs to follow.
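The same rules can be run in reverse as a defensive check when a user sets a password: undo the common changes and see whether a blocklisted word is left over. The following Python example is added here and is not code from the original article or from any cracking tool; the blocklist, the leetspeak table, and the function names are assumptions for illustration, and it covers only case swaps, appended strings, leetspeak, and reversal.

```python
import re

# Constructed sample blocklist; a real deployment would load a large
# list of leaked passwords and dictionary words instead.
BLOCKLIST = {"password", "jerry", "facebook"}

# Assumed leetspeak table (not exhaustive): maps substitutes back to letters.
LEET = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s",
                      "0": "o", "3": "e", "1": "i", "!": "i", "7": "t"})

# Appended decorations: xD, or any trailing run of digits and symbols
# (this covers years such as 1984 and emoticons such as <3).
SUFFIX = re.compile(r"(?:xd|[\d\W_]+)$")


def base_words(password):
    """Return every de-mangled form of the password that we can derive."""
    lowered = password.lower()            # undo upper/lower case swaps
    stripped = SUFFIX.sub("", lowered)    # undo appended years, digits, <3, xD
    candidates = set()
    for form in (lowered, stripped):
        for word in (form, form.translate(LEET)):  # undo leetspeak
            candidates.add(word)
            candidates.add(word[::-1])             # undo reversal
    return candidates


def matched_base(password, blocklist=BLOCKLIST):
    """Return the blocklisted word the password reduces to, or None."""
    hits = base_words(password) & blocklist
    return min(hits) if hits else None


if __name__ == "__main__":
    # Constructed sample inputs, including one random-looking password.
    for pw in ("P@5$w0rD", "Jerry1994", "facebook<3", "dr0w554P1984",
               "kV9#tq2Lw!xR"):
        base = matched_base(pw)
        print(f"{pw!r}: {'reject, based on ' + base if base else 'no match'}")
```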

Advanced Attack Techniques

Combination Attack: Two words from the dictionary are combined (example: Horse Battery). How long crackers will stop at combining only two words is questionable. Therefore, the expert also advises against the xkcd method.

Hybrid Attack: In a hybrid attack, all dictionary entries are extended by a short random string. The cracking tools then try to guess the random characters with a brute-force attack. The brute-force part of the password is limited to about four characters for performance reasons. Example: Based on the dictionary entry Jerry, the cracking tools now also try Ben & Jerry, Jerry1994, and, with a random suffix, Jerry$jN3.

Combination Attack with Pattern Search: Here, captured passwords are broken down into pieces and assembled into new combinations. Naturally, the components are also combined with passwords that have already been found.


The pattern repeats: The Levenshtein distance can be used to find repeating patterns. From the two existing passwords, OmaOpa and OmaOpa1, the programs derive a rule that simply appends the number 1 to the password. The cracking tools then use this rule to append 1 to every dictionary entry.

You see, these attack techniques can be used to find just about any human-made password. The procedures even recognize patterns that a person does not consciously perceive.

Are There Any Secure Passwords?

Yes, as long as they were not made by a human, but randomly generated. A random password with more than ten characters cannot be cracked by any of these attacks. With a password generator or the acronym method, you can generate such passwords quickly.

Why Many Crackers Are On the Good Side

Password crackers are often not criminals, but full-time penetration testers or members of the hash cracking scene. They meet in legal hacking competitions. The organizers of such competitions are often security providers who want to learn and profit from the knowledge of the password crackers. The security companies require the participants to disclose the tools and techniques used.

With the new knowledge, security companies can track down the insecure passwords of an employer's staff during penetration testing, improving password security. It is not only security service providers that benefit from the work of the hash-cracking scene, but also the general public.

When hundreds of thousands of passwords are analyzed, typical weaknesses can be identified and countermeasures developed. For example, it has been found in the past that typical requirements for length, duration, or special characters do not improve password security.
