Thursday, January 12, 2012

Analysis of Leaked B-K Lightning Passwords

B-K Lightning was recently the victim of an SQL injection. The team behind the attack used an automated tool to find the SQL injection and then used another tool to gather the data. This is evident inside the data itself. I removed the injection data as it would lower the quality of this analysis.

No passwords were cracked, as the site keeps its passwords in clear text.

The Results
The leak contains a total of 3288 passwords.

Length distribution
 
Average password length: 7.132295

Character distribution
 

Unique character distribution


Contained in common wordlists
 

Top 30 most common passwords


Top 30 longest passwords
 

Notes
The data this analysis is based on is of doubtful quality, as it was extracted without any regard for data consistency. This is partly because an error-based SQL injection was used (which limits the length of the strings returned) and partly because the data was extracted from the output of the web application itself.
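
The metrics named in the section headings above can be reproduced with a short script when auditing a password store; this is an added example, not the tool used for the original post. The sample rows, the wordlist and the function names are constructed for illustration, "character distribution" is assumed to mean the mix of character classes, and "unique character distribution" is assumed to mean the number of distinct characters per password.

```python
from collections import Counter
import string

# Constructed sample rows and wordlist; none of these values come from the leak.
SAMPLE = ["lightning", "123456", "password", "Bolts2011", "123456",
          "go!bolts", "qwerty", "hockey19", "123456", "password", ""]
WORDLIST = {"password", "123456", "qwerty", "letmein"}
CLASSES = (("lower", string.ascii_lowercase), ("upper", string.ascii_uppercase),
           ("digit", string.digits))

def char_classes(pw):
    """Name the character classes present in pw, e.g. 'digit+lower'."""
    found = set()
    for ch in pw:
        found.add(next((n for n, chars in CLASSES if ch in chars), "special"))
    return "+".join(sorted(found))

def analyse(rows, wordlist, top_n=30):
    """Compute the metrics named by the page's section headings."""
    pws = [r for r in rows if r]          # drop empty rows left by extraction
    if not pws:
        raise ValueError("no passwords to analyse")
    lengths = Counter(len(p) for p in pws)
    return {
        "total": len(pws),
        "average_length": sum(map(len, pws)) / len(pws),
        "length_distribution": dict(sorted(lengths.items())),
        "character_distribution": Counter(char_classes(p) for p in pws),
        # Assumed meaning: number of distinct characters per password.
        "unique_characters": Counter(len(set(p)) for p in pws),
        "in_wordlist": sum(p.lower() in wordlist for p in pws),
        "most_common": Counter(pws).most_common(top_n),
        "longest": sorted(set(pws), key=lambda p: (-len(p), p))[:top_n],
        # Heuristic: a pile-up at the maximum length hints at truncated rows.
        "at_max_length": lengths[max(lengths)],
    }

if __name__ == "__main__":
    for name, value in analyse(SAMPLE, WORDLIST, top_n=3).items():
        print(f"{name}: {value}")
```

The `at_max_length` count relates to the caveat in the Notes: if an unusually large share of rows sits exactly at the longest observed length, the length-limited extraction has probably cut those values short and the length statistics are skewed.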
