Norman Rockwell, 4 March 1944       
~ Passwords lore ~
Version 1.27 ~ June 2007
(how to find working passwords when you forget your own)

This is a 'living' workshop on passwords searching and database accessing, you will find elsewhere on my site other "broad" site protection (and de-protection :-) lore. There are many approaches that will open us the "dragon lairs" where our targets have been hidden.Anyway we will find more knowledge only if we create it ourself at the same time. Your own contributes and work are necessary. The material presented here should be more than enough to "get you started". Awaiting your own contributions. Check the passwords ad hoc tools.


Jeff: " so what happens if we remove the domain-name/member and use ONLY the logpass??...:)    We get huge lists of userpasses and who knows... maybe with the right combo we might stumble upon ALL the other places/domaines/ Google has indexed for a single person/people/repeatedly_used_userpass they use to log into even at other different type sites :)    Would be great to find a library or two :)    So I asked myself does a bob:bob really exist? "

loki: " Now, it's time to fish lists of access, and range them for each DB known, and then build combolist. Each DB's Login Url can be used to see what are the sites POINTING to it, and filter the result to grab the passwords "
 An introduction - explanation for those that do not know...

What we would like to obtain with this lore is nothing less than restaurate, in part, the "web of old", the web of sharing knowledge, versus hoarding it, the web where information flow freely, before the invasion of the commercial zombies. "Scusate se poco"
Seekers will be confronted more than once, on the web, with useful knowledge that has been "hidden": complete texts of books you may need; complete newspapers collections; music; images; university thesis; statistical data; all sort of documents you may need to check or use in order to gain a better understanding of the world, that have been locked behind databases' gates.

Most of these gates can be opened finding the right "combo": a combination of username:password, asked on the web with a form that is similar to the one you are probably using when you turn your computer on at your office.
Exactly as, in the office, many colleagues will write their passwords somewhere not too far away from their PC, many people -as strange it may appear to you- write their own passwords somewhere on the web. And since we know how to search we will find them.
It is as simple as that, and almost banal (after it has been explained).
Alternatively you may try to guess a combo or a subdirectory structure.
Alternatively you may try to bruteforce it using one of the many ad hoc bruteforcers, like Ares, Access diver, wwwhack and Goldeneye (see the tools section). Then you will have to learn the differences between basic authentication reversing, HTML-forms reversing (get/post) and "single pass" reversing.
Yet we will always prefer "seekers"' methods to bruteforcing. It seems easier and quicker :-)

Note that, of course, accessing databases using passwords that do not belong to you may be illegal in some countries. A thorough knowledge of basic anonymity techniques and proxy usage is required.
This said I do believe that if you are just seeking knowledge for your own use, and you work both in a ethically correct manner and without any commercial intent, your misdemeanour will be very relative even if you happen to live in a copyright obsessed commercial dictature. Anyway always remember that if they want they CAN catch you, so do not ever do stupid things. In fact our seekers' knowledge is so powerful that we will never need to "hack" anything in order to gain something as trivially simple as unlimited access to any database.

The first 'methodological' question one could ask is "where am I going to find, on the web, the best experts on password finding and on-line database accessing?"
For reasons that -as always- appear obvious afterwards, the best experts appear to be porn sites busters whose aim and pleasure is to break into paying sites that have various authentication systems. Some of these systems are quite complex, with rotating passwords and IP-related verification routines. Luckyly the main use of this lore, for seekers, will be to access libraries' and newspapers' databases. These "institutional" databases have not only -mostly- simpler verification routines, but also a more relaxed attitude towards allowing users even silly passwords choices.
Whereas a "found" password will keep its validity on a pron site only for a couple of days (in some cases merely a couple of hours), username/passwords combinations will keep their validity for months (in some cases years) on our targets: bibliographical / university databases.

So, how do we find the places and the dark hidden alleys of the web where porn site busters (our first target when combing the web) hide and exchange their information?
A quick and dirty, simple "synecdochical" approach would be a query like this one.
Personally I discovered (and became interested in) this kind of techniques and targets through klebing, when, looking at my referrals loggings, I noticed people visiting my site from many web-forums where these techniques were discussed in extenso :-)

Password lore should begin with a thorough knowledge of the weakness intrinsic in passwords that humans have to remember "in their head" (theoretically, in the praxis, one out of three will write it somewhere not all too far away from where it is used :-)
This will be added in due time, for now just enjoy the following and the "unabridged discussion" as well.
There is much to learn, as you will see.

 Our essays

 Strata gems by ~S~ loki

I've datamined the unabridged discussion, to collapse our ideas into something easier to follow and update. An attempt to make a framework to support our future essays. I've called this framework 'strata gems', after having seen this picture in an article from the seeker's message board. It talked to me ;) and it somehow fits to the searchlores's metaphore. I've read somewhere in searchlores (or maybe was it the old fortress) a +hcuker saying that analogy was a powerfull tool for the reverser. Analogy, metaphors, isomorphism ... And something to run these tools: imagination. Curious George also note the importance of metaphors in his essay : "An Essay Attempting to Justify the Relationship Between Code Cracking and Reality Cracking"

"back to cracking as a metaphor. Every exercise that is published, every essay written, and every strainer is a metaphorical exercise for cracking a Paradigm. You have to search through the various programs until you find a new protection method. Then you use the skills and intuition that you've developed thus far to crack this new method. The mentality required to solve these types of problems is EASILY mapable onto the real world."
(Curious George)

Not only the real world, if i might add :) but that's another discussion ..

Using a Fantasy metaphor here on our workshop, we could say that we are wizards, thieves, warriors, living in the L-Space, listening to rumours of holy treasures in far place, with some protected by dragons sitting before the gate to reach their lair. (if you prefer, you can be a dragon attacking a fortress, depends on your idea of fun ;) ).
So what we are providing here is a list of Stratagems, to check whenever a 'locked door' is found somewhere. Each stratagem is linked to details on it, essays, ressources, links to relevant part of searchlores. Order them the way you prefer (and mail if you see any addition).

Our targets can be those invisible and closed databases, invisible because spiders can't enter inside the database, and closed for obvious reason ($$). We're also keeping here a list of targets for this workshop. This way you'll be able to pick a database of your choice and share your findings with an essay or on the board. But feel free to share your thoughts on any database you prefer!

The stratagems to follow when facing a closed gate

Following all these strategems, you should be able to break inside any password protected database.
This framework is still in fieri, any comments/additions are welcomed (and strongely suggested)

 Combing approach

"Combing" = (simplified) gathering results that others have collected

You can go to the appropriate section on searchlores to learn more about that approach.
In our discussion, we've noticed that the librairies often publish their passwords in a (so called) private web page. This way, client inside the building can use the computer to access to some internet databases. The approach here is to find those bookmarks by using search engines and appropriates queries. Simply :) It's as simple as forgetting to deny spiders from indexing your page...

And i can assure you there are thousands of them in the indexed web, just waiting to be fished.

The nice thing for our workshop is that full-text database passwords are often easier to fish than p0rn ones. And they stay valid for month or years ! For those who think it's really a counter-intuitive finding, use some search spies, you'll quickly understand.

Fravia+ (18/01/02 09:17:43):
Dunnow how long this cutting road will remain open for us once published, maybe for ever, maybe just for some months. Would be worth having a look at regional search engines.If they perform the same tricks we'll be able to reopen all dragon caves whenever they close them.

We're listing next a list of methods and tricks to try while using this approach. The dates are those of the posts in the unabridged discussion. Refer to them to see the whole context/post/essay

loki (18/01/02 07:00:37) :

let's try to resume what i posted, into a simple combing 'trick' for accessing databases.

This way you'll fish mostly bookmarks where someone has written in PLAIN TEXT his login information. It is frequently the case for libraries, has we have seen earlier. They write all the identification informations on a web page, and thinks it'll be seen only by users of their internal computers. But they forgot the spiders ... :)

Jeff (17/01/02 22:52:19):

Searching entries 'around the web', no specific target, using 'common' passwords:

For instance: bob:bob

Jeff :

most of the images that can be had without user/pass can be loaded and found in open indexes also:
using an example keyword search such as :
inurl:images index +of/ hentai... movies too...

Jeff :

Searching entries to a specific site using google's wildcard (not necessarily pr0n :-):
For instance: "http://*:*@www" supermodeltits

loki (18/01/02 05:54:51) :

Using weakness generated by bad password protection.
The Proquest case :

Proquest :
Fished combos :
username: 07SNXJX2C9
password: WELCOME
username: BRV3G3S8V6
password: WELCOME
username: 0039KJK4DB
password: WELCOME
password: 87TFK6VCPC
Password: WELCOME

obvious no ? :) Knowing that, we can fish more passwords by querying, for instance : welcome proquest password
ahahaha, this one always make me laugh ;)

Jeff (18/01/02 20:49:28):

Same trick here, but for SIRS database :

Notice in your sirs returns that the USER begins "NY#####" well while looking at this page (at googles above url at the 5th link): +%2Blibrary+%2Busername+%2Bpassword+sirs&hl=en

(more userpasses :) however my point (sorry) the very last link at CERF it says...New York State standards
N Y......New York? a new York User-Number? would that then mean that california would have CA#####...?

yep! :)


 Guessing and using backdoors

jeff Re:it's not pretty -- actually its even uglier (30/04/02 23:24:52) :

did a search for: search harpers weekly EBSCO password=
read a few pages and came too: +search+harpers+weekly+EBSCO++password%3D&hl=en
clicked on the page link for harp week and lookee here:
...I won't even try to tell you how shocked I was ... I typed in "smith" (a very common name used quite extensively so chances are their may be at least one teacher somewhere named smith or jones... and then typed in the 40years... whoapp! page comes asking me to change my password... u won't believe what happens next ...

fravia+ :

Should you need a false name, here they are in order of frequency (Taken from, Thanks Nemo :-)

Study Material (for the above approach, duh :-)

50 Most Common American Surnames (US Census 1990)
 1. Smith  11. Anderson  21. Clark  31. Wright  41. Mitchell
 2. Johnson  12. Thomas  22. Rodriguez  32. Lopez  42. Perez
 3. Williams  13. Jackson  23. Lewis  33. Hill  43. Roberts
 4. Jones  14. White  24. Lee  34. Scott  44. Turner
 5. Brown  15. Harris  25. Walker  35. Green  45. Phillips
 6. Davis  16. Martin  26. Hall  36. Adams  46. Campbell
 7. Miller  17. Thompson  27. Allen  37. Baker  47. Parker
 8. Wilson  18. Garcia  28. Young  38. Gonzalez  48. Evans
 9. Moore  19. Martinez  29. Hernandez  39. Nelson  49. Edwards
 10. Taylor  20. Robinson  30. King  40. Carter  50. Collins

25 Most Popular American Male Names ---------25 Most Popular American Female Names
 1. James  11 Christopher  21. Ronald    1. Mary  11. Lisa  21. Michelle
 2. John  12. Daniel  22. Anthony    2. Patricia  12. Nancy  22. Laura
 3. Robert  13. Paul  23. Kevin    3. Linda  13. Karen  23. Sarah
 4. Michael  14. Mark  24. Jason    4. Barbara  14. Betty  24. Kimberly
 5.William  15. Donald  25. Jeff    5. Elizabeth  15. Helen  25. Deborah
 6. David  16. George      6. Jennifer  16. Sandra  
 7. Richard  17. Kenneth    7. Maria  17. Donna
 8. Charles  18. Steven    8. Susan  18. Carol
 9. Joseph  19. Edward    9. Margaret  19. Ruth
 10. Thomas  20. Brian    10. Dorothy  20. Sharon

loki (20/01/02 14:45:20):

Here is the jump station :
Select your library from this list, then click on the GO button. If your library is not on the list to the left, you cannot access the remote database resources through The Library Network. These resources are available to participating members of TLN's Shared System Libraries.

Once on the library gate, you can choose to access some DBs, the SIRS one for example :
Access to the SIRS DiscovererDatabases is limited to valid library card holders at The Library Network(TLN) Shared System Libraries.
In order to enter inside the DB, you need an ID which's on the library card.
I don't remember how exactly i went to find/guess that, but there is a hole in one of the library, where the cgi-bin directory can be listed : http://

As always, remember to use a proxy, and do not abuse of this hole to let it be open the more we can. The interesting gem is here :


and so on ... 13370 ID numbers :) I think these are the ID of the northville library card, it worked for me on the DBs.
They won't be able to change the whole list, and i've dumped it on my HD, so we have now permanent access to the library network, enjoy ! ;)
There is much to explore, i don't really know what's accessible from this. The /cgi-bin/ dir needs also an exploration.
How about reading the logs ?


 Reversing protection schemes

fravia+ : An example of human stupidity (January 2003) :

Ws_ftp, a known Malware, allows zombies to store their passwords on-line.

a list
The method:
Function decif(cifrat)
    y = 0
    For X = 1 To Len(cifrat) Step 2
        decif = decif & Chr(CInt("&H" & Mid(cifrat, X, 2)) - y)
        y = y + 1
    Next X
End Function
So if password
      a o q q }r {z H
then it is anonymous

Note also that CuteFtp is even more stupid and GetRight stores passwords in the register.


 Exploiting server weakness

Skybound :

dear fravia,
while reading the essay about web-proxy logs, the following occurred to me:

universities, or exactly speaking: their libraries, often subscribe to knowledge sites and need to give these password(s) to a certain number of people.
one easy (and I bet often used way) is creating a html page and limiting access to ~local~ subnet. universities also tend to have proxy server, many of these are open to anyone... and most have a ~local~ ip ;-} he he...

i choose a university at random (innsbruck), made sure they had a proxy, endured a few mouse clicks till i found the online resources page, got 403 and retried through their proxy (which denies fetching external pages to ~foreign~ users)... qed quod erat demonstrandum

though not having investigated any further, this problem should imho appear quite often and imho something like*uni*+zeitschriften+passwort+lokal
(note the '' in this language related fishing rod :-)
might be a starting point (i lack the exact english terms ;-(
could be url:*edu* review password local? :-)

farewell, skybound


 Bruteforcing & "Bruteforcing resistant" passwords


How I found tons of usernames to try on a specific .edu server.

I just got done exploring a great .edu server that only had telnet access.
I used brutus to get in and just guess what kind of information I found :)

I also wanted to create a specific username list for my target.
So I went and downloaded a program called fast email spider (fesweb.exe v1.09).
You could find the serial number on the web, but you should buy it.
You can use the spider on Google.I used the spider to gather all email addresses of the specific university ie. ""
Voila! a list of targeted usernames.

Best simple bruteforcing-hard password for your own use? A poem:
For instance in german (german has a lot of uppercases and hence gives nice case-sensitive strings):

Schon haengen die Lampions wie bunte Trauben    
An langen Schnueren ueber kleinen Beeten
Den gruenen Zaeunen, und von den Staketen
Der hohen Bohnen leuchtend in die Lauben
Password_1: ShdLwbT
Password_2: AlSukB
Password_3 (1+2): ShdLwbTAlSukB
SuperPassword_4 (all_together_now): ShdLwbTAlSukBDgZuvdSdhBlidL
StraSuperPassword_5 (all_together_now plus numbers): ShdLwbTA1SukBDgZuvdSdhB1idL (notice the two "1")
(Georg Heym)

You get the idea... Repeat at leasure for any language... Sihapnna: Siquis in hoc artem populo non novit amandi... (Ovid) (Latin is good security on the web :-)

Remember the three rules:
1) Never create a password that contains a word that someone could find in a dictionary. It's as simple as that.
2) Never... write down somewhere / tell someone / use elsewhere ...your password. It's as simple as that.
1) ALWAYS use upper case and lower case letters. And for good measure some numbers. It's as simple as that.

MORE about secure passwords
(Password guessing and password cracking)
(Pass phrases and passwords)

First of all, the "number substitution" described above adds very little strength to your password: any decent password crackers knows that 0 = O, 1 = l, 5 = S and so on, and knows how to look for those substitutions.
A more promising alternative is (where possible) to use a pass phrase.
There are pass phrases and passwords. A pass phrase, like "After dinner James Stuart bathed from a sandy beach" contains spaces and at the same time cannot be easily guessed. A password, like trautSsemaJ will be guessed or bruteforced easily (especially if your name is James Stuart :-)
Passwords are not 'automatically' guessable, but they are crackable. Using the 76 most common symbols, for instance, we obtain 1.11 x 10^15 different possible 8-character passwords. If the guesser guesses 600 passwords per second, it would still take him around 30,000 years to guess the correct password. Keep in mind that a guesser, on line, will unlikely be able to try 600 gueeses per second, he'll more likely be able to guess only half a dozen passwords per second. Hence, if well chosen, a 8 character password should be pretty secure against guessing.

But this is valid for password guessing, which is different from password cracking (bruteforcing).

Password cracking is performed after the attacker has obtained the raw hashes. (A hash is a mathematical representation used to store passwords)
The attacker generates test passwords, hashes them, and then compares the result to the stored hash. Cracking is far faster than guessing. With any current PC, an attacker can generate and test 3,000,000 passwords a second. Bruteforcing all possible 8-character passwords above that use the 76-character set will take 6 years. Of course, many of the passwords will be found in much less time, and any given password will statistically be found in half that time. If the passwords are only 7 characters cracking the full set will take only about 28 days.

The point, most of teh time, is just to obtain the hash.
Among the 76 characters, letters, numbers and !@#$%^&*()-_+= symbols, the 32 most common symbols are, in order of occurrence: ea1oirn0st2lud!m3hcyg94kSbpM758B. You can rest assured that a 10-20% of all passwords are composed only from these 32 symbols.
Hence pass phrases (instead of passwords) would be more sure because they could be composed, instead than from 76 different symbols, from the average 20.000-40.000 different words any human knows. Even if you take account of the fact that most of those words only make sense when strung together in a particular way, significantly decreasing the randomness of the pass phrase, it still makes a big difference if you have a -say- 500 elements count or a 76 element count.


 Social engineering


  • Searchlores' trolling lore
  • Searchlores' stalking lore
  • An example of social engineering by _A&T


    Seliman(17/01/02 23:40:43) :

    You need proxies in order to buster? NO! There's another way :)

    OK, maybe better use a proxy nevertheless...



    We'll try to keep here a list of potential target for your work :

     Password webbits

    Moonman(17/01/02 23:40:43) :

    The following speaks for itself :)


    We'll try to keep here a list of potential target for your work :

     And next ?

    Restore the web of the old ...

    Helping hands needed!

    Enjoy! Just take your time, there is no hurry whatsoever, use some of the tricks described above, understand the approaches, try some slightly different 'cuts'... implement your own ideas... and finally write some (good) essays on this stuff yourself!

    "please" and "thank you" will open any door... hehe

    Petit image

    (c) 1952-2032: [fravia+], all rights reserved