At this point it feels a little like beating a dead horse, but I wanted to follow up my previous post with an idea that occurred to me this weekend. I've been told that you shouldn't pose a problem without at least outlining a few possible solutions, and I think that's a good rule for information security too. So with that in mind I want to show how the tree walk data structure I presented previously can be used to detect users trying to set a keyboard walk as a password. This technique is only presented as a proof of concept, but the same methodology could be implemented domain-wide as part of a password policy that rejects keyboard walks. There are no doubt other ways to enforce this as well.
I've seen a wide range of password policies, and some of them are rather draconian. For example, one system I worked on required a password that didn't use any adjacent letters. That policy mostly just annoyed users, and it still didn't prevent every keyboard walk: z1x2c3v4 passes it because the two walks zxcv and 1234 are interleaved, so no two consecutive characters are adjacent. I've added a script here that uses the tree data structure to detect whether a keyboard walk is present in a string. The script isn't perfect: it flags strings that are walks in a technical sense but maybe not what you're used to seeing. Running it on the rockyou word list gives some interesting results. Here's some sample output:
... 123456 654321 qwerty 121212 987654 456789 asdfgh 232323 212121 zxcvbn 098765 1q2w3e 234567 090909 454545 898989 565656 redred qwaszx 567890 lololo 909090 ...
You'll notice that obvious walks like qwerty and 123456 are detected, but also strings like 232323, which some may not consider a valid result. I would say 232323 is a true positive, but what constitutes a keyboard walk is in the eye of the cracker, I guess (e.g. redred is questionable). Using the WalkCheck.py script I came up with a quick analysis of the rockyou word list.
Passwords containing a walk of at least length L / total possible:

| L | Total Walks | Total Possible* | Percentage |

*Total possible means candidates of at least length L.
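To make the check and the tally above concrete, here is an added example that is not the author's WalkCheck.py or tree structure. It models the same idea with a plain adjacency test derived from a US QWERTY layout in which each row is offset by about half a key (the row offsets are an assumption), so diagonal neighbours such as d and r count as adjacent, a repeated key does not, and case or shift state is folded away. It goes one step beyond the post: an optional stride lets it see interleaved walks like z1x2c3v4 as zxcv and 1234, the case the no-adjacent-letters policy missed. The candidate list is a constructed stand-in for rockyou, and walk_stats reproduces the shape of the table above, with "total possible" meaning candidates of at least length L.

```python
"""Keyboard-walk detector with a rockyou-style tally (added example)."""
from typing import Dict, Iterable, List, Sequence, Tuple

# Unshifted keys of a US QWERTY keyboard, one string per physical row.
_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
# Horizontal offset of each row in key widths (assumed; typical stagger).
_ROW_SHIFT = [0.0, 1.5, 1.75, 2.25]
# Shifted symbols share a physical key with their unshifted partner.
_SHIFTED = dict(zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./"))


def _key_positions() -> Dict[str, Tuple[float, int]]:
    """Map every unshifted key to an (x, y) position on the keyboard."""
    pos = {}
    for y, row in enumerate(_ROWS):
        for x, key in enumerate(row):
            pos[key] = (x + _ROW_SHIFT[y], y)
    return pos


_POS = _key_positions()


def _normalise(ch: str) -> str:
    """Fold case and shifted symbols onto the physical key they live on."""
    ch = ch.lower()
    return _SHIFTED.get(ch, ch)


def adjacent(a: str, b: str) -> bool:
    """True if a and b are different keys that touch (diagonals included)."""
    a, b = _normalise(a), _normalise(b)
    if a == b or a not in _POS or b not in _POS:
        return False
    (ax, ay), (bx, by) = _POS[a], _POS[b]
    return abs(ax - bx) <= 1.0 and abs(ay - by) <= 1


def longest_walk(s: str, stride: int = 1) -> int:
    """Length of the longest run of pairwise-adjacent keys in s.

    With stride > 1 the string is split into interleaved subsequences
    (s[0::stride], s[1::stride], ...), so z1x2c3v4 is seen as the two
    walks zxcv and 1234 that a consecutive-only check cannot see.
    """
    best = 0
    for start in range(min(stride, len(s))):
        sub = s[start::stride]
        run = 1
        for prev, cur in zip(sub, sub[1:]):
            run = run + 1 if adjacent(prev, cur) else 1
            best = max(best, run)
        best = max(best, run)
    return best


def contains_walk(s: str, min_len: int = 4, strides: Sequence[int] = (1, 2)) -> bool:
    """Policy check: reject if any stride exposes a walk of min_len keys."""
    return any(longest_walk(s, k) >= min_len for k in strides)


def find_walks(candidates: Iterable[str], min_len: int = 6) -> List[str]:
    """Candidates containing a plain (stride 1) walk of at least min_len keys."""
    return [c for c in candidates if longest_walk(c) >= min_len]


def walk_stats(candidates: Sequence[str], lengths: Iterable[int]) -> List[Tuple[int, int, int, float]]:
    """Rows of (L, total walks, total possible, percentage); 'total possible'
    is the number of candidates of at least length L, as in the post's table."""
    rows = []
    for L in lengths:
        possible = [c for c in candidates if len(c) >= L]
        walks = sum(1 for c in possible if longest_walk(c) >= L)
        pct = round(100.0 * walks / len(possible), 1) if possible else 0.0
        rows.append((L, walks, len(possible), pct))
    return rows


# Constructed sample standing in for the rockyou list.
SAMPLE = ["123456", "qwerty", "232323", "redred", "password", "z1x2c3v4",
          "iloveyou", "1q2w3e4r", "letmein", "qwaszx"]

if __name__ == "__main__":
    print("walks of >= 6 keys:", " ".join(find_walks(SAMPLE)))
    print("z1x2c3v4 rejected by policy:", contains_walk("z1x2c3v4"))
    print("L  walks  possible  %")
    for L, walks, possible, pct in walk_stats(SAMPLE, range(6, 9)):
        print(f"{L:<2} {walks:<6} {possible:<9} {pct}")
```

Two design points worth noting for anyone turning this into a policy hook: the minimum walk length and the strides are the knobs that decide whether 232323 or redred count as walks, and lowering min_len or adding strides raises false positives on ordinary words (as, sw and rd in "password" are all adjacent pairs, which is why a run of two is ignored). Feed the same function the whole candidate list and the per-length tally drops straight out.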