As part of regular password audits, I often need to analyze (or, if you prefer the term, "reverse engineer") cracked password hashes to understand the password patterns in an organization.
Today, I want to share a simple PowerShell approach that can help you quickly identify both long passwords and duplicates in your hash dumps.
The Core Concept
When you have a "pot file" (the file in which password-cracking tools record each cracked hash together with its password), you'll want to extract meaningful security insights from it. This process is surprisingly straightforward with PowerShell.
Here's the essence of how it works:
# Read the hash:password file
$fileContent = Get-Content -Path "output.txt"

# Extract and analyze passwords
$allPasswords = @()
# Use a case-sensitive hashtable: the default @{} literal compares keys
# case-insensitively and would count "Password1" and "password1" as one password
$passwordCounts = [System.Collections.Hashtable]::new()

foreach ($line in $fileContent) {
    if ($line -match ":") {
        # Split on the first colon only, so passwords that contain ':' stay intact
        $parts = $line -split ":", 2
        $hash = $parts[0]
        $password = $parts[1]

        # Store password information
        $allPasswords += [PSCustomObject]@{
            Password = $password
            Length   = $password.Length
        }

        # Count occurrences for duplicate detection
        if ($passwordCounts.ContainsKey($password)) {
            $passwordCounts[$password]++
        } else {
            $passwordCounts[$password] = 1
        }
    }
}

# Find passwords with 15+ characters
$longPasswords = $allPasswords | Where-Object { $_.Length -ge 15 }

# Find duplicate passwords
$duplicatePasswords = $passwordCounts.GetEnumerator() |
    Where-Object { $_.Value -gt 1 } |
    ForEach-Object { $_.Key }
This gives you the essential information you need: which passwords meet your length requirements and which ones are being reused.
Beyond the Code: Security Insights
When analyzing passwords, I've discovered some important counter-intuitive patterns:
Don't ignore shorter passwords during your analysis! Even if they're from disabled accounts, they reveal valuable pattern insights. I've noticed that when organizations increase password complexity requirements, users often respond predictably.
For example, if someone uses "lavender" and then is required to create a longer password, they'll commonly just duplicate it to "lavenderlavender". Similarly, when special characters are required, users typically add "1" or "!" at the end.
The lesson? Simply making passwords longer or adding complexity requirements doesn't necessarily improve security in practice.
Output Files
The script writes its results to a folder, turning each result into a valid file name for later processing, as you can see below:
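The following script is an added example that is not part of the original post. It ties the two observations above together: it relates longer passwords back to shorter ones that are already in the dump (a doubled word such as "lavenderlavender", or a "1"/"!" suffix added to a known base word) instead of discarding the short ones, and it writes each finding to a folder whose file names are sanitized so that characters taken from the passwords themselves cannot break the file system. The sample pot lines, the placeholder hashes, the output directory and every function name are assumptions made for this example.

```powershell
# Added example, not code from the original post. It parses a pot file
# ("hash:password" per line), relates longer passwords back to shorter ones that
# are already in the dump (doubled words, "1"/"!" suffixes), and writes each
# finding to a folder of sanitized file names. $SamplePotLines, $OutputDir and
# every function name below are assumptions made for this example.

# Constructed sample pot file; the hashes are placeholders, not real digests.
$SamplePotLines = @(
    'hash-0001:lavender'
    'hash-0002:lavenderlavender'
    'hash-0003:Welcome'
    'hash-0004:Welcome1'
    'hash-0005:Welcome!'
    'hash-0006:Welcome1'
    'hash-0007:correct:horse:battery:staple'
    'hash-0008:'
)

function ConvertFrom-PotLine {
    param([string]$Line)
    # Split on the first colon only, so a password that contains ':' stays intact
    $parts = $Line -split ':', 2
    if ($parts.Count -lt 2 -or $parts[1].Length -eq 0) { return $null }
    [PSCustomObject]@{ Hash = $parts[0]; Password = $parts[1] }
}

function Get-PasswordDerivations {
    # Returns (Pattern, Base) pairs for each predictable transformation the
    # password looks built from, but only when the base word is itself in the dump
    param([string]$Password, [System.Collections.Generic.HashSet[string]]$Known)
    $result = @()
    if ($Password.Length -ge 4 -and $Password.Length % 2 -eq 0) {
        $half = [int]($Password.Length / 2)
        $left = $Password.Substring(0, $half)
        if ($left -ceq $Password.Substring($half) -and $Known.Contains($left)) {
            $result += [PSCustomObject]@{ Pattern = 'doubled'; Base = $left }
        }
    }
    if ($Password.Length -ge 2 -and $Password -cmatch '[1!]$') {
        $base = $Password.Substring(0, $Password.Length - 1)
        if ($Known.Contains($base)) {
            $result += [PSCustomObject]@{ Pattern = 'suffix'; Base = $base }
        }
    }
    return $result
}

function Get-SafeFileName {
    # Replace characters that are invalid in file names on Windows or Linux
    param([string]$Name)
    $safe = $Name -replace '[\\/:*?"<>|\x00-\x1f]', '_'
    if ($safe.Length -eq 0) { $safe = '_' }
    return $safe
}

function Invoke-PotFileAudit {
    param([string[]]$Lines, [string]$OutputDir, [int]$MinLength = 15)

    $entries = @($Lines | ForEach-Object { ConvertFrom-PotLine $_ } | Where-Object { $null -ne $_ })

    # Ordinal comparers keep "Welcome1" and "welcome1" apart; a @{} literal would merge them
    $known  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::Ordinal)
    $counts = [System.Collections.Generic.Dictionary[string, int]]::new([System.StringComparer]::Ordinal)
    foreach ($entry in $entries) {
        [void]$known.Add($entry.Password)
        $n = 0
        [void]$counts.TryGetValue($entry.Password, [ref]$n)
        $counts[$entry.Password] = $n + 1
    }

    # One output file per finding; a password may appear in several of them
    $files = [System.Collections.Generic.Dictionary[string, object]]::new([System.StringComparer]::Ordinal)
    $add = {
        param($Name, $Value)
        if (-not $files.ContainsKey($Name)) { $files[$Name] = [System.Collections.Generic.List[string]]::new() }
        $files[$Name].Add($Value)
    }
    foreach ($pw in $counts.Keys) {
        if ($pw.Length -ge $MinLength) { & $add 'long-passwords' $pw }
        if ($counts[$pw] -gt 1)        { & $add 'duplicates' "$($counts[$pw])x $pw" }
        foreach ($d in Get-PasswordDerivations -Password $pw -Known $known) {
            & $add "base-$($d.Base)" "$($d.Pattern): $pw"
        }
    }

    # Write each finding list to <OutputDir>\<sanitized name>.txt
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    foreach ($name in $files.Keys) {
        $path = Join-Path $OutputDir ((Get-SafeFileName $name) + '.txt')
        $files[$name] | Set-Content -Path $path
    }
    return $files
}

$OutputDir = Join-Path $PWD 'password-audit'
$report = Invoke-PotFileAudit -Lines $SamplePotLines -OutputDir $OutputDir
foreach ($name in $report.Keys) { '{0}: {1}' -f $name, ($report[$name] -join ', ') }
```

With the constructed sample, the run produces long-passwords.txt (the doubled word and the 28-character passphrase containing colons), duplicates.txt (Welcome1 seen twice), base-lavender.txt (its doubled form) and base-Welcome.txt (the "1" and "!" variants). Pointing it at a real pot file is a matter of replacing $SamplePotLines with Get-Content on that file; the base-word files are the ones that show how users responded to a policy change.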
Better Authentication Recommendations
After conducting password audits, I strongly recommend:
- Consider passwordless authentication or passkeys
- Implement hardware security keys such as FIDO2 authenticators
- Add biometric factors for sensitive accounts
Phishing-resistant authentication factors are vastly superior to traditional passwords, no matter how complex your password policy is.
While I have more detailed scripts for comprehensive password analysis, this snippet gives you the core functionality to get started analyzing your organization's password hygiene today.