
Ooooh... figured out a way to pull LOCAL user account hashes from a specific type of multifunction printer.
They're only hashed as Raw-MD5... so that's fast to crack.
I'm going to sleep on this and talk about it more tomorrow.
Friends don't let friends use password "systems".
If someone tells you they don't use password managers, but it's "OK" because they can remember them all because "they have a system", show them this.
Shown here are real (obfuscated) runs of cracked passwords, for which the "base word" was discovered, and then combined with other wordlists and brute force on the right-hand side to get the rest.
The right-hand side usually has a clear trend of abbreviated names of the site, which means that the attacker can guess your password on that other site in just a few tries without even having to break into the server.
It doesn't matter how long or random-looking their "base word" is. All it takes is for the weakest site they use to get compromised, or for an infostealer infection to intercept and leak one variant ... and the attacker (or me, emulating one) can see the pattern and get the rest.
Lose one ... lose them all.