He proved his findings on the password hashes leaked by LulzSec from MilitarySingles.com

Jun 4, 2012 11:14 GMT

Joshua Dustin, an information security expert, has run a small experiment to show how Twitter can be used to build password-cracking wordlists.

For his demonstration, Dustin relied on the John the Ripper password cracker and used the MD5 password hashes dumped by LulzSec Reborn after they had breached the MilitarySingles.com website.

First, the expert wrote a script that connected to Twitter, pulled 500 tweets matching the supplied search terms, and built a list of the words appearing in those posts. He then fed the script a few terms relevant to the site's user base.

The result: 4,400 unique words which, when run against the MilitarySingles hashes, recovered 1,978 unique passwords.

“And that's 1978 uniques. The number of accounts we actually cracked with these 1978 passwords is actually even more than 4400 accounts cause many use the same passwords as each other, and with the mangling rules John tries ~300 mutations of each word in the list (semperfi gives us semperFi, semperfi1, semperfi123, etc),” Dustin explained.
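To make the pipeline Dustin describes concrete, here is an added example that is neither his script nor John the Ripper: a handful of constructed tweets stand in for the 500 search results, a simplified approximation of John's mangling rules expands each word, and the list is then used the way a defender would use it, to audit a dump of unsalted MD5 hashes and to reject sign-up passwords that a topical wordlist would reach. The sample tweets, hashes and plaintexts are all constructed for the example.

```python
import hashlib
import re
from typing import Iterable, Optional

# Constructed sample "tweets", standing in for the 500 a search term would return.
SAMPLE_TWEETS = [
    "Semper Fi to all my brothers in the corps! #usmc #marines",
    "Hooah! Another day at Fort Bragg, airborne all the way",
    "Proud navy wife, anchors aweigh #navy #sailor",
    "semperfi and oorah, marines never quit",
]

WORD_RE = re.compile(r"[a-z]{4,}")  # lowercase runs of 4+ letters, hashtags included


def build_wordlist(tweets: Iterable[str]) -> list:
    """Unique lowercase words across all tweets, most frequent first."""
    counts: dict = {}
    for tweet in tweets:
        for word in WORD_RE.findall(tweet.lower()):
            counts[word] = counts.get(word, 0) + 1
    return sorted(counts, key=lambda w: (-counts[w], w))


def mangle(word: str) -> set:
    """Simplified stand-in for John's rules: case variants plus digit suffixes.
    'semperfi' -> 'semperFi' comes from capitalising an internal position."""
    forms = {word, word.capitalize(), word.upper()}
    forms.update(word[:i] + word[i:].capitalize() for i in range(1, len(word)))
    base = set(forms)
    forms.update(w + sfx for w in base for sfx in ("1", "12", "123", "!"))
    return forms


def audit_md5(hashes: Iterable[str], wordlist: Iterable[str]) -> dict:
    """Audit a dump of unsalted MD5 hashes: digest -> mangled word that matched."""
    targets = {h.lower() for h in hashes}
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            digest = hashlib.md5(cand.encode()).hexdigest()
            if digest in targets:
                found[digest] = cand
    return found


def guessable_from(password: str, wordlist: Iterable[str]) -> Optional[str]:
    """Sign-up check: the base word a topical list would reach this password from."""
    return next((w for w in wordlist if password in mangle(w)), None)
```

Run against a real dump, the ratio `len(found) / len(targets)` is the figure to watch: the article's 1,978 of the dumped hashes from 4,400 words shows how little search effort an unsalted fast hash leaves an attacker.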