Testing for default auto generation of credentials

Over the years, some of the applications we pentested auto-generated their users' credentials. In the worst cases, those applications never enforced password expiration: an auto-generated password stayed valid for the lifetime of the account unless the user chose to change it.

When we analysed a large number of samples, we found the following common patterns:

Common username patterns:

1. Derived from a small number of digits, such as 6, 7 or 8 digits
2. Derived from the user's first name and last name


Useful tool:
https://github.com/urbanadventurer/username-anarchy


Common password patterns:

1. Derived from a small number of digits, such as 6, 7 or 8 digits
2. A small number of letters followed by a small number of digits (e.g. xwuc7482), or the reverse order
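As an added example (not code from the original post), the following Python audits a batch of generated credentials against the weak patterns listed above and shows a CSPRNG-based generator as the corrected alternative; the sample credentials are constructed and the 64-bit threshold is an assumed review policy.

```python
import math
import re
import secrets
import string

# Patterns described above: all-digit credentials of 6-8 digits, and a short
# block of lowercase letters followed by digits (or digits followed by letters).
DIGITS_ONLY = re.compile(r"^\d{6,8}$")
ALNUM_SHORT = re.compile(r"^(?:[a-z]{2,5}\d{2,5}|\d{2,5}[a-z]{2,5})$")
MIN_BITS = 64  # assumed policy threshold for an initial credential

def keyspace_bits(credential: str) -> float:
    """Upper bound on entropy (bits) if the credential were drawn uniformly
    from the character classes it uses; a real generator is often worse."""
    classes = 0
    if any(c.islower() for c in credential): classes += 26
    if any(c.isupper() for c in credential): classes += 26
    if any(c.isdigit() for c in credential): classes += 10
    if any(c in string.punctuation for c in credential): classes += len(string.punctuation)
    return len(credential) * math.log2(classes) if classes else 0.0

def classify(credential: str) -> str:
    """Label one credential: a named weak pattern, a low keyspace, or ok."""
    if DIGITS_ONLY.match(credential):
        return "weak:digits-only"
    if ALNUM_SHORT.match(credential):
        return "weak:short-alnum-block"
    if keyspace_bits(credential) < MIN_BITS:
        return "weak:low-entropy"
    return "ok"

def audit(samples):
    """Count labels over a batch, e.g. an export of initial credentials."""
    counts = {}
    for s in samples:
        label = classify(s)
        counts[label] = counts.get(label, 0) + 1
    return counts

def generate_initial_password(length: int = 16) -> str:
    """Hardened generator: CSPRNG choice over letters, digits and punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample batch, not data from any real application.
SAMPLES = ["7482916", "xwuc7482", "4821xk", "Tq9#vL2m!sR8pZ1w", "123456"]

if __name__ == "__main__":
    print(audit(SAMPLES))
    print(classify(generate_initial_password()))
```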

