Richelieu is a free list of the most common French passwords

In my experience as a pentester, I have often had to run brute-force and dictionary attacks against exposed websites and services. The easiest way to do so is to take an existing list of common passwords and load it into a dedicated tool such as hydra.

However, the best lists of common passwords (such as danielmiessler's SecLists) do not work well against French assets. The reason is simple: these password lists are built from a frequency analysis of huge data leaks (like Collection #1), with mixed sources from different countries and cultures. As a result, these lists say that the most common passwords are « qwerty », « password », « letmein », etc. But French people do not use a QWERTY keyboard, nor do they say « let me in » to log in. We prefer « azerty », « motdepasse », or even « bonjour ».

QWERTY keyboard, by Pixabay
AZERTY keyboard, by Nemossos, CC BY 2.0

This cultural difference reveals a real limitation of such brute-force attacks.

In order to build a better dictionary to pentest French targets, I analyzed public data leaks and filtered the results to keep only « .fr » email addresses. The hypothesis here is that a « .fr » email address belongs to a French user. Even if this approach is imperfect, the results are really interesting and accurate. This new dictionary, named « Richelieu » after the founder of the Académie française, has the following top 50:

  • 123456
  • 123456789
  • azerty
  • 1234561
  • qwerty
  • marseille
  • 000000
  • 1234567891
  • doudou
  • 12345
  • loulou
  • 123
  • password
  • azertyuiop
  • 12345678
  • soleil
  • chouchou
  • 1234
  • 1234567
  • 123123
  • 123451
  • bonjour
  • 111111
  • nicolas
  • jetaime
  • coucou
  • motdepasse
  • Status
  • julien
  • thomas
  • camille
  • 010203
  • chocolat
  • iloveyou
  • iloveyou1
  • portugal
  • 1234567890
  • alexandre
  • 654321
  • maxime
  • 00000
  • wxcvbn
  • oceane
  • pompier
  • 12345671
  • marine
  • 0000
  • maison
  • isabelle
  • celine

Cultural analysis of this dictionary

An analysis of the full dictionary unsurprisingly shows that the most common French passwords are based on:

  • a spatial sequence on an AZERTY keyboard (123456, azerty, 1a2z3e, wxcvbn…);
  • a logical sequence (1a2b3c4d, 010203040506…);
  • a proper noun, such as a first name, a town or a country (nicolas, marseille, algerie…);
  • a phrase (motdepasse, auboulot, vivelafrance…);
  • or a cultural item (france98, warcraft, carapuce…).
A moment that inspired our passwords! REUTERS/Vincent Kessler, CC BY-NC 2.0
Marseille, one of the biggest cities in France and a source of inspiration for our passwords. F. Laffont-Feraud, CC BY-SA 3.0
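The first two categories above can be caught by a password-policy check without any wordlist, provided the check knows the AZERTY layout rather than QWERTY. The following is an added example written for this post, not code from the Richelieu project: it flags AZERTY keyboard walks (including zig-zags like 1a2z3e) and incrementing "counter" sequences (123456, 010203, 1a2b3c4d), and runs over a constructed sample taken from the top 50 printed above. The AZERTY_ROWS layout (unshifted keys of a standard French keyboard) is an assumption.

```python
# Added example (not from the Richelieu project): classify passwords into the
# pattern families the post describes. AZERTY_ROWS is an assumed layout of the
# unshifted keys on a standard French keyboard, top row to bottom row.
from collections import Counter

AZERTY_ROWS = ["1234567890", "azertyuiop", "qsdfghjklm", "wxcvbn"]
# key -> (row, column) on the AZERTY layout
POS = {ch: (r, c) for r, row in enumerate(AZERTY_ROWS) for c, ch in enumerate(row)}


def is_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True when every consecutive pair of keys is physically adjacent on AZERTY
    (same or neighbouring row AND column), so row walks like 'azerty' and
    zig-zags like '1a2z3e' match while 'bonjour' or 'password' do not."""
    pw = pw.lower()
    if len(pw) < min_len or any(ch not in POS for ch in pw):
        return False
    return all(abs(POS[b][0] - POS[a][0]) <= 1 and abs(POS[b][1] - POS[a][1]) <= 1
               for a, b in zip(pw, pw[1:]))


def is_counter_sequence(pw: str, min_chunks: int = 3) -> bool:
    """True when pw splits into equal chunks where each character position
    stays constant or rises by one code point from chunk to chunk, e.g.
    '123456' (chunk size 1), '010203' and '1a2b3c4d' (chunk size 2)."""
    for k in range(1, len(pw) // min_chunks + 1):
        if len(pw) % k:
            continue
        chunks = [pw[i:i + k] for i in range(0, len(pw), k)]
        deltas = {tuple(ord(y) - ord(x) for x, y in zip(a, b))
                  for a, b in zip(chunks, chunks[1:])}
        if len(deltas) == 1:
            d = deltas.pop()
            if set(d) <= {0, 1} and 1 in d:
                return True
    return False


def classify(pw: str) -> str:
    if len(set(pw)) == 1:
        return "repeated key"
    if is_counter_sequence(pw):
        return "counter sequence"
    if is_keyboard_walk(pw):
        return "keyboard walk"
    return "word or phrase"  # needs a wordlist such as Richelieu to catch


# Constructed sample: entries from the top 50 above plus two patterns from the analysis.
SAMPLE = ["123456", "azerty", "wxcvbn", "1a2z3e", "010203", "1a2b3c4d",
          "000000", "bonjour", "marseille", "motdepasse"]


def category_counts(passwords=SAMPLE) -> Counter:
    return Counter(classify(p) for p in passwords)


if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw:12} {classify(pw)}")
    print(dict(category_counts()))
```

Note that « qwerty » is not a walk on this layout (w sits two rows below e on AZERTY), which is exactly the mismatch the post describes in the other direction.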

Get the dictionary

DISCLAIMER: THIS DICTIONARY IS PUBLISHED FOR LEGAL PURPOSES ONLY. PLEASE DO NOT USE IN MILITARY OR SECRET SERVICE ORGANIZATIONS OR FOR ILLEGAL PURPOSES.

The full dictionary is available for free here: https://github.com/tarraschk/richelieu.

Published by Maxime

IT security consultant — Co-founder of @cyberwatch — #ARCSI #Infosec #FrenchTech #CivicTech
