# ChicagoVPS review of customer passwords from database dumps



## drmike (Apr 12, 2014)

ChicagoVPS' highly publicized hacks and subsequent database dumps continue to horrify customers and yield more insight into ChicagoVPS.

"CVPS Machine Passwords CVPS Email Passwords - A good friend got me a partially cracked dump of Chicago VPS data. This has been run through the new, modular, Pipal so check out the username and email address Levenshtein comparisons at the end of the report, really interesting stuff. Info on the breach from the Chicago VPS site."

This is the analysis from "CVPS Machine Passwords".  These are assumed to be credentials to individual VPS containers:

Basic Results

Total entries = 8085
Total unique entries = 6939

Top 20 passwords
qazwsxedc1 = 73 (0.9%)
shadowman10 = 33 (0.41%)
password = 23 (0.28%)
changeme = 19 (0.24%)
CVPSg36-c = 18 (0.22%)
abc123 = 15 (0.19%)
aloha123 = 13 (0.16%)
mrjain9278303545 = 13 (0.16%)
husseinn123 = 12 (0.15%)
123456 = 11 (0.14%)
Fa000019 = 10 (0.12%)
xTeg712 = 9 (0.11%)
XSeries345 = 9 (0.11%)
tree761349 = 9 (0.11%)
ViadUnRek0 = 9 (0.11%)
chicagovps = 9 (0.11%)
test123 = 9 (0.11%)
SUyan866 = 8 (0.1%)
12uzaed24 = 8 (0.1%)
ssh27net = 8 (0.1%)

Top 20 base words
qazwsxedc = 74 (0.92%)
password = 45 (0.56%)
changeme = 40 (0.49%)
shadowman = 33 (0.41%)
wsxsd = 27 (0.33%)
test = 22 (0.27%)
cvpsg36-c = 18 (0.22%)
root = 16 (0.2%)
chicagovps = 14 (0.17%)
mrjain = 13 (0.16%)
aloha = 13 (0.16%)
husseinn = 12 (0.15%)
admin = 12 (0.15%)
tree = 11 (0.14%)
abcd = 11 (0.14%)
xteg = 9 (0.11%)
hello = 9 (0.11%)
viadunrek = 9 (0.11%)
xseries = 9 (0.11%)
pass = 8 (0.1%)

Password length (length ordered)
1 = 11 (0.14%)
2 = 2 (0.02%)
3 = 2 (0.02%)
4 = 13 (0.16%)
5 = 14 (0.17%)
6 = 402 (4.97%)
7 = 493 (6.1%)
8 = 1700 (21.03%)
9 = 923 (11.42%)
10 = 1020 (12.62%)
11 = 566 (7.0%)
12 = 1648 (20.38%)
13 = 250 (3.09%)
14 = 191 (2.36%)
15 = 186 (2.3%)
16 = 150 (1.86%)
17 = 51 (0.63%)
18 = 59 (0.73%)
19 = 52 (0.64%)
20 = 143 (1.77%)
21 = 29 (0.36%)
22 = 26 (0.32%)
23 = 12 (0.15%)
24 = 26 (0.32%)
25 = 14 (0.17%)
26 = 8 (0.1%)
27 = 5 (0.06%)
28 = 5 (0.06%)
29 = 1 (0.01%)
30 = 9 (0.11%)
31 = 3 (0.04%)
32 = 30 (0.37%)
33 = 3 (0.04%)
35 = 1 (0.01%)
36 = 4 (0.05%)
37 = 1 (0.01%)
40 = 13 (0.16%)
41 = 2 (0.02%)
42 = 1 (0.01%)
43 = 1 (0.01%)
44 = 2 (0.02%)
48 = 3 (0.04%)
49 = 1 (0.01%)
50 = 4 (0.05%)
63 = 1 (0.01%)
64 = 2 (0.02%)
68 = 1 (0.01%)
69 = 1 (0.01%)

Password length (count ordered)
8 = 1700 (21.03%)
12 = 1648 (20.38%)
10 = 1020 (12.62%)
9 = 923 (11.42%)
11 = 566 (7.0%)
7 = 493 (6.1%)
6 = 402 (4.97%)
13 = 250 (3.09%)
14 = 191 (2.36%)
15 = 186 (2.3%)
16 = 150 (1.86%)
20 = 143 (1.77%)
18 = 59 (0.73%)
19 = 52 (0.64%)
17 = 51 (0.63%)
32 = 30 (0.37%)
21 = 29 (0.36%)
24 = 26 (0.32%)
22 = 26 (0.32%)
25 = 14 (0.17%)
5 = 14 (0.17%)
40 = 13 (0.16%)
4 = 13 (0.16%)
23 = 12 (0.15%)
1 = 11 (0.14%)
30 = 9 (0.11%)
26 = 8 (0.1%)
28 = 5 (0.06%)
27 = 5 (0.06%)
36 = 4 (0.05%)
50 = 4 (0.05%)
31 = 3 (0.04%)
33 = 3 (0.04%)
48 = 3 (0.04%)
41 = 2 (0.02%)
2 = 2 (0.02%)
44 = 2 (0.02%)
3 = 2 (0.02%)
64 = 2 (0.02%)
69 = 1 (0.01%)
37 = 1 (0.01%)
63 = 1 (0.01%)
42 = 1 (0.01%)
43 = 1 (0.01%)
29 = 1 (0.01%)
68 = 1 (0.01%)
49 = 1 (0.01%)
35 = 1 (0.01%)

(Pipal bar chart of the password length distribution, x-axis: length 0 to 70; the bars were lost in extraction, the counts are in the two lists above.)

One to six characters = 444 (0.0%)
One to eight characters = 2637 (32.62%)
More than eight characters = 5448 (67.38%)

Only lowercase alpha = 808 (9.99%)
Only uppercase alpha = 6 (0.07%)
Only alpha = 814 (10.07%)
Only numeric = 229 (2.83%)

First capital last symbol = 113 (1.4%)
First capital last number = 1011 (12.5%)

Single digit on the end = 1118 (13.83%)
Two digits on the end = 929 (11.49%)
Three digits on the end = 786 (9.72%)

Last number
0 = 424 (5.24%)
1 = 746 (9.23%)
2 = 509 (6.3%)
3 = 691 (8.55%)
4 = 370 (4.58%)
5 = 319 (3.95%)
6 = 308 (3.81%)
7 = 299 (3.7%)
8 = 292 (3.61%)
9 = 310 (3.83%)

(Pipal bar chart of the last-digit distribution, x-axis: digits 0 to 9; the bars were lost in extraction, the counts are in the "Last number" list above.)

Last digit
1 = 746 (9.23%)
3 = 691 (8.55%)
2 = 509 (6.3%)
0 = 424 (5.24%)
4 = 370 (4.58%)
5 = 319 (3.95%)
9 = 310 (3.83%)
6 = 308 (3.81%)
7 = 299 (3.7%)
8 = 292 (3.61%)

Last 2 digits (Top 20)
23 = 321 (3.97%)
12 = 140 (1.73%)
10 = 90 (1.11%)
34 = 88 (1.09%)
13 = 87 (1.08%)
11 = 84 (1.04%)
00 = 80 (0.99%)
45 = 72 (0.89%)
21 = 67 (0.83%)
01 = 66 (0.82%)
88 = 59 (0.73%)
22 = 45 (0.56%)
56 = 42 (0.52%)
66 = 40 (0.49%)
99 = 39 (0.48%)
02 = 37 (0.46%)
42 = 36 (0.45%)
06 = 36 (0.45%)
09 = 35 (0.43%)
77 = 34 (0.42%)

Last 3 digits (Top 20)
123 = 278 (3.44%)
234 = 66 (0.82%)
013 = 42 (0.52%)
345 = 36 (0.45%)
000 = 33 (0.41%)
456 = 28 (0.35%)
012 = 28 (0.35%)
321 = 21 (0.26%)
337 = 16 (0.2%)
545 = 15 (0.19%)
111 = 14 (0.17%)
010 = 13 (0.16%)
999 = 13 (0.16%)
987 = 13 (0.16%)
666 = 13 (0.16%)
349 = 13 (0.16%)
101 = 12 (0.15%)
007 = 12 (0.15%)
712 = 11 (0.14%)
019 = 11 (0.14%)

Last 4 digits (Top 20)
1234 = 63 (0.78%)
2013 = 39 (0.48%)
2345 = 26 (0.32%)
2012 = 26 (0.32%)
3456 = 23 (0.28%)
1337 = 15 (0.19%)
3545 = 13 (0.16%)
3123 = 12 (0.15%)
1349 = 11 (0.14%)
0019 = 10 (0.12%)
1981 = 10 (0.12%)
2000 = 10 (0.12%)
7890 = 10 (0.12%)
2010 = 9 (0.11%)
1982 = 8 (0.1%)
0000 = 8 (0.1%)
1425 = 7 (0.09%)
5678 = 7 (0.09%)
2682 = 7 (0.09%)
1111 = 7 (0.09%)

Last 5 digits (Top 20)
12345 = 25 (0.31%)
23456 = 23 (0.28%)
03545 = 13 (0.16%)
23123 = 12 (0.15%)
61349 = 11 (0.14%)
00019 = 10 (0.12%)
52682 = 7 (0.09%)
45678 = 7 (0.09%)
71425 = 7 (0.09%)
67890 = 6 (0.07%)
54321 = 6 (0.07%)
51031 = 5 (0.06%)
21213 = 5 (0.06%)
42031 = 5 (0.06%)
37465 = 5 (0.06%)
11111 = 4 (0.05%)
35297 = 4 (0.05%)
92115 = 4 (0.05%)
61266 = 4 (0.05%)
00000 = 4 (0.05%)

Character sets
loweralphanum: 3825 (47.31%)
mixedalphanum: 2341 (28.95%)
loweralpha: 808 (9.99%)
mixedalphaspecialnum: 351 (4.34%)
numeric: 229 (2.83%)
loweralphaspecialnum: 164 (2.03%)
mixedalpha: 153 (1.89%)
loweralphaspecial: 42 (0.52%)
upperalphanum: 31 (0.38%)
mixedalphaspecial: 22 (0.27%)
upperalphaspecialnum: 12 (0.15%)
upperalpha: 6 (0.07%)
specialnum: 2 (0.02%)

Character set ordering
othermask: 3186 (39.41%)
stringdigit: 2440 (30.18%)
allstring: 967 (11.96%)
stringdigitstring: 780 (9.65%)
alldigit: 229 (2.83%)
digitstring: 217 (2.68%)
digitstringdigit: 155 (1.92%)
stringspecialdigit: 66 (0.82%)
stringspecialstring: 23 (0.28%)
stringspecial: 17 (0.21%)
specialstringspecial: 4 (0.05%)
specialstring: 1 (0.01%)

Colours
red = 34 (0.42%)
blue = 10 (0.12%)
green = 7 (0.09%)
black = 6 (0.07%)
white = 1 (0.01%)
orange = 1 (0.01%)
brown = 1 (0.01%)
purple = 1 (0.01%)
indigo = 1 (0.01%)

Dates

Months
march = 1 (0.01%)
may = 11 (0.14%)
june = 2 (0.02%)
july = 1 (0.01%)
august = 1 (0.01%)
december = 2 (0.02%)

Days
wednesday = 1 (0.01%)
friday = 2 (0.02%)

Months (Abbreviated)
jan = 6 (0.07%)
feb = 5 (0.06%)
mar = 31 (0.38%)
apr = 7 (0.09%)
may = 11 (0.14%)
jun = 5 (0.06%)
jul = 5 (0.06%)
aug = 3 (0.04%)
oct = 3 (0.04%)
nov = 2 (0.02%)
dec = 7 (0.09%)

Days (Abbreviated)
mon = 29 (0.36 %)
wed = 2 (0.02 %)
thurs = 1 (0.01 %)
fri = 8 (0.1 %)
sat = 3 (0.04 %)
sun = 11 (0.14 %)

Includes years
1975 = 1 (0.01%)
1976 = 4 (0.05%)
1977 = 3 (0.04%)
1978 = 5 (0.06%)
1979 = 5 (0.06%)
1980 = 3 (0.04%)
1981 = 10 (0.12%)
1982 = 11 (0.14%)
1983 = 6 (0.07%)
1984 = 4 (0.05%)
1985 = 7 (0.09%)
1986 = 10 (0.12%)
1987 = 9 (0.11%)
1988 = 8 (0.1%)
1989 = 4 (0.05%)
1990 = 5 (0.06%)
1991 = 3 (0.04%)
1992 = 4 (0.05%)
1993 = 4 (0.05%)
1994 = 12 (0.15%)
1995 = 3 (0.04%)
1998 = 1 (0.01%)
1999 = 2 (0.02%)
2000 = 13 (0.16%)
2001 = 2 (0.02%)
2002 = 4 (0.05%)
2003 = 7 (0.09%)
2004 = 6 (0.07%)
2005 = 5 (0.06%)
2006 = 7 (0.09%)
2007 = 14 (0.17%)
2008 = 8 (0.1%)
2009 = 5 (0.06%)
2010 = 10 (0.12%)
2011 = 8 (0.1%)
2012 = 32 (0.4%)
2013 = 48 (0.59%)
2014 = 4 (0.05%)
2016 = 1 (0.01%)
2018 = 5 (0.06%)
2020 = 2 (0.02%)

Years (Top 20)
2013 = 48 (0.59%)
2012 = 32 (0.4%)
2007 = 14 (0.17%)
2000 = 13 (0.16%)
1994 = 12 (0.15%)
1982 = 11 (0.14%)
1981 = 10 (0.12%)
1986 = 10 (0.12%)
2010 = 10 (0.12%)
1987 = 9 (0.11%)
2011 = 8 (0.1%)
2008 = 8 (0.1%)
1988 = 8 (0.1%)
2003 = 7 (0.09%)
1985 = 7 (0.09%)
2006 = 7 (0.09%)
1983 = 6 (0.07%)
2004 = 6 (0.07%)
1990 = 5 (0.06%)
2005 = 5 (0.06%)

Hashcat masks (Top 20)

?l?l?l?l?l?l?l?l: 221 (2.73%)
?l?l?l?l?l?l: 117 (1.45%)
?l?l?l?l?l?d?d?d: 113 (1.4%)
?l?l?l?l?l?l?d?d: 113 (1.4%)
?l?l?l?l?l?l?l: 100 (1.24%)
?l?l?l?l?d?d?d?d: 98 (1.21%)
?l?l?l?l?l?l?l?l?l: 93 (1.15%)
?l?l?l?l?l?l?l?l?l?d: 85 (1.05%)
?d?d?d?d?d?d: 84 (1.04%)
?l?l?l?l?l?l?l?l?l?l: 79 (0.98%)
?l?l?l?l?l?l?l?d: 66 (0.82%)
?l?l?l?l?l?l?d?d?d: 60 (0.74%)
?u?l?l?l?l?l?d?d: 57 (0.71%)
?l?l?l?l?l?l?l?l?d?d?d: 57 (0.71%)
?d?d?d?d?d?d?d?d: 55 (0.68%)
?l?l?l?l?l?l?l?l?l?d?d: 54 (0.67%)
?l?l?l?l?l?l?l?l?d: 50 (0.62%)
?l?l?l?l?d?d?d: 49 (0.61%)
?l?l?l?l?l?l?l?l?l?l?l: 48 (0.59%)
?l?l?l?l?l?d?d?d?d: 48 (0.59%)

Windows AD Default Complexity
Number of matches = 2836 (35.08%)

Machine Name Test
Exact Matches
wsxsd029
wsxsd038
asdf
yelloh
wsxsd032
wsxsd021
wsxsd039
wsxsd027
wsxsd015
wsxsd022
wsxsd004
wsxsd002
wsxsd028
wsxsd024
wsxsd025
dylanteoh
wsxsd040
wsxsd035
wsxsd041
wsxsd042
wsxsd043

Levenshtein Results
Average distance 14.96

Close Matches
D: 1 U: minecraft P: minecraft!
D: 1 U: wsxsd014 P: wsxsd013
D: 2 U: server1 P: dwserver1
D: 2 U: vp14.ezyhostr.com P: vp14ezyhostrcom
D: 2 U: perak2 P: perak123
D: 3 U: lichc P: lichipx
D: 3 U: john P: wzxjohn
D: 3 U: john P: wzxjohn
D: 3 U: puntun2 P: PuntuN
D: 3 U: alpha1 P: alpha224
D: 3 U: chicago P: chicagovps
D: 3 U: driftchicken P: [email protected]
D: 3 U: clanexo P: 6clan6exo6
D: 3 U: jendoel P: jendoel212
D: 3 U: jakkk123 P: jakkk123123
D: 3 U: shadowfarm10 P: shadowman10
D: 3 U: poppy P: poppy1C!
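A defender's way to reproduce this kind of report against your own credential store before someone else does it for you, as an added example (this is not Pipal's code, and it runs over a constructed sample rather than the ChicagoVPS dump): it computes the top passwords, the length histogram, Pipal-style character-set labels, hashcat masks, an approximate Windows AD complexity count, and the username-vs-password Levenshtein closeness the report ends with. The `meets_complexity` rule (8 or more characters, 3 of 4 character classes, username not embedded) is this example's own approximation, not Pipal's exact test, and the `SAMPLE` pairs are invented.

```python
"""Pipal-style password audit over a constructed credential list.

Added example for this thread; it is not Pipal's code and not ChicagoVPS
data. The (username, password) pairs below are constructed for illustration.
"""
from collections import Counter

# Constructed sample; not from any real dump.
SAMPLE = [
    ("minecraft", "minecraft!"),
    ("wsxsd014", "wsxsd013"),
    ("alice", "changeme"),
    ("bob", "changeme"),
    ("server1", "dwserver1"),
    ("carol", "Summer2013"),
    ("dave", "123456"),
    ("erin", "qazwsxedc1"),
    ("frank", "xK9#pQ2vL!mz"),
    ("grace", "password"),
]


def top_passwords(pairs, n=5):
    """Most common passwords as (password, count, percent of all entries)."""
    total = len(pairs)
    counts = Counter(pw for _, pw in pairs)
    return [(pw, c, round(100.0 * c / total, 2)) for pw, c in counts.most_common(n)]


def length_histogram(pairs):
    """Password length -> count, length ordered."""
    return dict(sorted(Counter(len(pw) for _, pw in pairs).items()))


def hashcat_mask(pw):
    """Map each character to a hashcat charset token (?l ?u ?d ?s)."""
    tokens = []
    for ch in pw:
        if ch.islower():
            tokens.append("?l")
        elif ch.isupper():
            tokens.append("?u")
        elif ch.isdigit():
            tokens.append("?d")
        else:
            tokens.append("?s")
    return "".join(tokens)


def charset_class(pw):
    """Pipal-style character-set label such as 'loweralphanum' or 'numeric'."""
    has_l = any(c.islower() for c in pw)
    has_u = any(c.isupper() for c in pw)
    has_d = any(c.isdigit() for c in pw)
    has_s = any(not c.isalnum() for c in pw)
    alpha = "mixedalpha" if has_l and has_u else "loweralpha" if has_l else "upperalpha" if has_u else ""
    if not alpha and has_d and not has_s:
        return "numeric"
    return alpha + ("special" if has_s else "") + ("num" if has_d else "")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def close_matches(pairs, max_distance=3):
    """(distance, username, password) where the password nearly equals the username."""
    hits = []
    for user, pw in pairs:
        d = levenshtein(user, pw)
        if d <= max_distance:
            hits.append((d, user, pw))
    return sorted(hits)


def meets_complexity(user, pw):
    """This example's approximation of the Windows AD default rule (assumption):
    at least 8 characters, 3 of 4 character classes, username not embedded."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) >= 8 and classes >= 3 and user.lower() not in pw.lower()


def audit(pairs):
    """Summary dictionary in the spirit of a Pipal report."""
    return {
        "total": len(pairs),
        "unique": len({pw for _, pw in pairs}),
        "top": top_passwords(pairs),
        "lengths": length_histogram(pairs),
        "charsets": dict(Counter(charset_class(pw) for _, pw in pairs)),
        "masks": dict(Counter(hashcat_mask(pw) for _, pw in pairs)),
        "complexity_ok": sum(meets_complexity(u, p) for u, p in pairs),
        "close_matches": close_matches(pairs),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a plaintext export of (username, password) pairs from a test or staging panel only; on the constructed sample the username-closeness check flags three of the ten accounts, which is the same pattern as the report's "Close Matches" list, where the customer's login name or hostname is the password with a character or two added.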


----------



## lbft (Apr 12, 2014)

Mind if I ask why you're dragging this up again?


----------



## blergh (Apr 12, 2014)

But.. why?


----------



## Wintereise (Apr 12, 2014)

Dude, stop.


----------



## mikho (Apr 12, 2014)

How is this relevant to my interests?


----------



## DomainBop (Apr 12, 2014)

> Password length (length ordered)
> 1 = 11 (0.14%)
> 
> 
> ...


I take it SolusVM doesn't have a password strength or password length setting?


----------



## blergh (Apr 12, 2014)

DomainBop said:


> I take it SolusVM doesn't have a password strength or password length setting?


Both yes and no. I don't think solus has it, but whmcs can force you to a certain password length upon sign-up.


----------



## texteditor (Apr 12, 2014)

If anything this should drive everyone to review and rethink their password policies, given the stunning amount of overlap from a small customer base


----------



## nunim (Apr 12, 2014)

texteditor said:


> If anything this should drive everyone to review and rethink their password policies, given the stunning amount of overlap from a small customer base


It's very likely that people had multiple VMs and set the same root password on signup.  It's also important to remember this is only what Solus THINKS that the password is, not the actual passwords.  I frequently use a weak password on signup/reset only to change it via SSH as I do not want my host to have my password.

I believe that randomly generating the password on creation of the VPS is the best idea from the provider's point of view.


----------



## iWF-Jacob (Apr 12, 2014)

nunim said:


> I believe that randomly generating the password on creation of the VPS is the best idea from the provider's point of view.


100% agreed. Though I don't believe I've found a way to force a password change on initial login for SolusVM/VPS accounts, I highly recommend implementing such a policy with shared/reseller.


----------



## MartinD (Apr 12, 2014)

iWF-Jacob said:


> 100% agreed. Though I don't believe I've found a way to force a password change on initial login for SolusVM/VPS accounts, I highly recommend implementing such a policy with shared/reseller.


Don't provision VMs with a password, use a random string and have customers reinstall with a new password at first login. Or, have the default install image block logins with a message telling customers to reinstall with a new password. It's what we do with another brand and works well.


----------



## Lanarchy (Apr 12, 2014)

Can confirm, my password was set to

CVPSsecuritysuckslol1!


----------



## Magiobiwan (Apr 14, 2014)

MartinD said:


> Don't provision VM's with a password, use a random string and have customers reinstall with a new password at first login. Or, have the default install image block logins with a message telling customers to reinstall with a new password. It's what we do with another brand and works well.


Precisely how Feathur does it. The root password box in WHMCS does nothing. You have to use the activation link to set your Feathur account password, then you have to set your VPS root password in Feathur (for OpenVZ). This confuses some new users despite being stated in the welcome email...


----------



## MannDude (Apr 14, 2014)

To be fair, the whole CVPS debacle taught a lot of people a couple things:

How passwords are stored in Solus, and why it's a good idea to change your password via SSH on first login to your VPS.
If you run a company, you learned how _not_ to respond to such an unfortunate event. So, there's that.

Weak passwords are everywhere, it's unfortunate. The thing is, most people who operate a VPS would ideally have... y'know, more secure passwords. I wonder how that list would compare to say a list from less tech-savvy people.

Also, the top 20 password list has to be impacted by customers with multiple VPSes... like, there must have been one person with "shadowman10" as all of his root passwords for a handful of machines or something. The 'qazwsxedc' password seemed odd until I looked at my keyboard... just a slightly more secure 'qwerty'.


----------



## drmike (Apr 14, 2014)

Lots wrong with the passwords.   Short ones, idiotic ones...  You see all sorts of funnies...

There is a whole other file analyzed of other CVPS data... Ho hum... But I'll resist.


----------



## iWF-Jacob (Apr 14, 2014)

drmike said:


> There is a whole other file analyzed of other CVPS data... Ho hum... But I'll resist.


Aww, come now. You know you can't resist the temptation...


----------

