Quick Links:
Repo: https://github.com/Rich5/Keyboard-Walk-Generators/tree/master/Analysis%20Tools
At this point it feels a little like beating a dead horse, but I wanted to follow up my previous post with an idea that occurred to me this weekend. I’ve been told that you shouldn’t pose a problem without at least outlining a few possible solutions, and I think this is a good rule for information security too. So with that in mind I wanted to show how you can use the tree walk data structure I previously presented to detect whether users are trying to set a keyboard walk as a password. I’d like to point out that this technique is only presented as a proof of concept, but the methodology could probably be implemented on a domain-wide scale to set a password policy preventing keyboard walks. I’m sure there are other ways to enforce this as well.
I’ve seen a wide range of password policies, and some of them are rather draconian. For example, one system I worked on required a password that didn’t use any adjacent letters. This policy mostly had the effect of annoying the users, and still didn’t prevent all keyboard walks (e.g. z1x2c3v4). I’ve added a script here that uses the tree data structure to detect whether a keyboard walk is present in a string. This script isn’t perfect: it detects strings that are walks in a technical sense, but maybe not exactly what you’re used to seeing. For example, running this script on the rockyou word list gives some interesting results. Here’s some sample output:
...
123456
654321
qwerty
121212
987654
456789
asdfgh
232323
212121
zxcvbn
098765
1q2w3e
234567
090909
454545
898989
565656
redred
qwaszx
567890
lololo
909090
...
You’ll notice that obvious walks like qwerty and 123456 are detected, but also strings like 232323 which some may not consider a valid result. I would say that 232323 is a true positive, but what constitutes a keyboard walk is all in the eyes of the cracker, I guess (i.e. redred is questionable). Using the WalkCheck.py script I came up with a quick analysis of the rockyou word list.
Passwords containing walks of length L / total possible:

| L | Total Walks | Total Possible* | Percentage |
|---|-------------|-----------------|------------|
| 4 | 201345 | 14344005 | 1.4 |
| 5 | 72048 | 14341544 | .5 |
| 6 | 34579 | 14323645 | .2 |
| 7 | 16260 | 14064476 | .1 |
| 8 | 10904 | 12116679 | .1 |

*Total possible means candidates of at least length L
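To make the idea above concrete, here is an added example of a minimal keyboard-walk check in the spirit of WalkCheck.py, followed by a routine that tallies results the way the table above does. This is my own illustration, not the script from the repo: instead of the author's tree structure it assumes a US QWERTY layout in which each row sits half a key to the right of the row above, and it treats a walk as a run of consecutive, physically adjacent keys (so 232323, redred and lololo all count, as in the sample output, while interleaved strings like z1x2c3v4 do not). The word list at the bottom is constructed for the demonstration.

```python
"""Keyboard-walk detection and tallying (added example, not the repo's WalkCheck.py)."""

# Assumed US QWERTY layout: each row is shifted half a key right of the one above.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Shifted symbols fold back onto the digit key they share (e.g. '!' -> '1').
SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))


def build_adjacency(rows=QWERTY_ROWS):
    """Map each key to the set of keys that physically touch it.

    With the half-key row offset, the key at column c touches columns c and c+1
    of the row above, and columns c-1 and c of the row below, plus its
    left/right neighbours in its own row.
    """
    pos = {ch: (r, c) for r, row in enumerate(rows) for c, ch in enumerate(row)}
    grid = {rc: ch for ch, rc in pos.items()}
    adj = {ch: set() for ch in pos}
    for ch, (r, c) in pos.items():
        for dr, dc in ((0, -1), (0, 1), (-1, 0), (-1, 1), (1, -1), (1, 0)):
            neighbour = grid.get((r + dr, c + dc))
            if neighbour is not None:
                adj[ch].add(neighbour)
    return adj


ADJ = build_adjacency()


def normalise(ch):
    """Lower-case a character and map shifted symbols onto their digit key."""
    ch = ch.lower()
    return SHIFTED.get(ch, ch)


def longest_walk(candidate):
    """Length of the longest run of consecutive, physically adjacent keys.

    Repeating the same key ('aa') is not a step, and any character outside the
    modelled layout breaks the run. Interleaved walks such as z1x2c3v4 score
    low here: no two consecutive keys touch, which is a limitation of this model.
    """
    best = run = 0
    prev = None
    for raw in candidate:
        ch = normalise(raw)
        if ch not in ADJ:
            prev, run = None, 0
            continue
        run = run + 1 if (prev is not None and prev in ADJ[ch]) else 1
        best = max(best, run)
        prev = ch
    return best


def contains_walk(candidate, min_len=4):
    """Policy check: reject candidates containing a walk of at least min_len keys."""
    return longest_walk(candidate) >= min_len


def walk_stats(wordlist, lengths=(4, 5, 6, 7, 8)):
    """Tally, per length L, how many candidates of at least length L contain a
    walk of at least L keys: the same shape as the table in the post."""
    stats = {}
    for L in lengths:
        possible = [w for w in wordlist if len(w) >= L]
        walks = [w for w in possible if longest_walk(w) >= L]
        pct = round(100.0 * len(walks) / len(possible), 1) if possible else 0.0
        stats[L] = (len(walks), len(possible), pct)
    return stats


# Constructed sample word list standing in for rockyou.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "iloveyou", "1q2w3e",
                   "abc", "asdfgh", "232323", "z1x2c3v4"]

if __name__ == "__main__":
    for word in SAMPLE_WORDLIST:
        print(f"{word:10} longest walk = {longest_walk(word)}  "
              f"rejected = {contains_walk(word)}")
    print("L | walks | possible | pct")
    for L, (walks, possible, pct) in walk_stats(SAMPLE_WORDLIST).items():
        print(f"{L} | {walks} | {possible} | {pct}")
```

A policy hook would only need contains_walk with a minimum length chosen from a table like the one above; the min_len of 4 reflects the author's observation that walks of 4 already account for the largest slice of the word list.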