Default, weak & Leaked Passwords
Theory
In the realm of cybersecurity, default, weak, and leaked passwords are the Achilles' heel of digital defenses. For red teamers, understanding these vulnerabilities is key to breaking through security barriers. On this page, we're taking a look at default, weak, and leaked passwords.
Practice
Default Passwords
Before performing password attacks, it is worth trying a couple of default passwords against the targeted service. Manufacturers set default passwords with products and equipment such as switches, firewalls, routers. There are scenarios where customers don't change the default password, which makes the system vulnerable. Here are some websites that provides default passwords for various products :
Leaked Passwords
Sensitive data such as passwords or hashes may be publicly disclosed or sold as a result of a breach. These public or privately available leaks are often referred to as 'dumps'. Depending on the contents of the dump, an attacker may need to extract the passwords out of the data. In some cases, the dump may only contain hashes of the passwords and require cracking in order to gain the plain-text passwords. Here are some websites and tools that provides resources about leaked passwords :
BreachCheck is a Python tool that use the BreachDirectory API for finding passwords in known data breaches and leaks of compromised email addresses or usernames.
Weak Passwords
Professionals collect and generate weak password lists over time and often combine them into one large wordlist. Lists are generated based on their experience and what they see in pentesting engagements. These lists may also contain leaked passwords that have been published publically. Here are some of the common weak passwords lists :
https://wiki.skullsecurity.org/index.php?title=Passwords - This includes the most well-known collections of passwords.
SecLists - A huge collection of all kinds of lists, not only for password cracking.
Resources
Last updated
