For a case I am looking at the Apple keychain pass keys of one of my clients....and I cannot help notice how extremely non-random the few passkeys are that I have looked at.
To give some clarifications,
Pass keys appear in most cases to fit these 6 masks (a few exceptionss, sometimes a number is move one block to the left or right, creating a block of 5):
-1 ?l?u ?d?1?1?1?1?1-?1?1?1?1?1?1-?1?1?1?1?1?1
-1 ?l?u ?1?1?1?1?1?d-?1?1?1?1?1?1-?1?1?1?1?1?1
-1 ?l?u ?1?1?1?1?1?1-?d?1?1?1?1?1-?1?1?1?1?1?1
-1 ?l?u ?1?1?1?1?1?1-?1?1?1?1?1?d-?1?1?1?1?1?1
-1 ?l?u ?1?1?1?1?1?1-?1?1?1?1?1?1-?d?1?1?1?1?1
-1 ?l?u ?1?1?1?1?1?1-?1?1?1?1?1?1-?1?1?1?1?1?d
As you can see one of these blocks having a number either at the beginning or end instead of letter.
Better observation shows that these 6 letter blocks are always pronounceable, using the format
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?d?2?3?3?2?3- ?3?2?3?3?2?3 - ?3?2?3?3?2?3
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?3?2?3?3?2?d- ?3?2?3?3?2?3 - ?3?2?3?3?2?3
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?3?2?3?3?2?3- ?d?2?3?3?2?3 - ?3?2?3?3?2?3
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?3?2?3?3?2?3- ?3?2?3?3?2?d - ?3?2?3?3?2?3
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?3?2?3?3?2?3- ?3?2?3?3?2?3 - ?d?2?3?3?2?3
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?3?2?3?3?2?3- ?3?2?3?3?2?3 - ?3?2?3?3?2?d
An even better look and you see a lot of strange reoccurring patterns, like mirror or duplicate use of consonant, e.g. blocks that look like these.
'roppiz' 'xepxap. Their frequency shows there is a high chance to reuse consonants in a block of 6 which leads me to believe there are some extra rules or a limited set of consonants per block used.
A quick search did not lead me to anyone explaining how these passkeys are generated, but clearly they are not random and very likely not as secure and random as we are made to believe.
Does anyone have more information about this, custom masks or knows of a dataset of passkeys so I can investigate this non randomness further?
I apologize if this is a bit of general topic and not very specific for hashcat but I do think it is rather interesting to discuss and investigate further. If this better fits another category, please move it appropriately.
To give some clarifications,
Pass keys appear in most cases to fit these 6 masks (a few exceptionss, sometimes a number is move one block to the left or right, creating a block of 5):
-1 ?l?u ?d?1?1?1?1?1-?1?1?1?1?1?1-?1?1?1?1?1?1
-1 ?l?u ?1?1?1?1?1?d-?1?1?1?1?1?1-?1?1?1?1?1?1
-1 ?l?u ?1?1?1?1?1?1-?d?1?1?1?1?1-?1?1?1?1?1?1
-1 ?l?u ?1?1?1?1?1?1-?1?1?1?1?1?d-?1?1?1?1?1?1
-1 ?l?u ?1?1?1?1?1?1-?1?1?1?1?1?1-?d?1?1?1?1?1
-1 ?l?u ?1?1?1?1?1?1-?1?1?1?1?1?1-?1?1?1?1?1?d
As you can see one of these blocks having a number either at the beginning or end instead of letter.
Better observation shows that these 6 letter blocks are always pronounceable, using the format
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?d?2?3?3?2?3- ?3?2?3?3?2?3 - ?3?2?3?3?2?3
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?3?2?3?3?2?d- ?3?2?3?3?2?3 - ?3?2?3?3?2?3
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?3?2?3?3?2?3- ?d?2?3?3?2?3 - ?3?2?3?3?2?3
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?3?2?3?3?2?3- ?3?2?3?3?2?d - ?3?2?3?3?2?3
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?3?2?3?3?2?3- ?3?2?3?3?2?3 - ?d?2?3?3?2?3
-2 aouiye -3 bcdfghjklmnpqrstvwxz ?3?2?3?3?2?3- ?3?2?3?3?2?3 - ?3?2?3?3?2?d
An even better look and you see a lot of strange reoccurring patterns, like mirror or duplicate use of consonant, e.g. blocks that look like these.
'roppiz' 'xepxap. Their frequency shows there is a high chance to reuse consonants in a block of 6 which leads me to believe there are some extra rules or a limited set of consonants per block used.
A quick search did not lead me to anyone explaining how these passkeys are generated, but clearly they are not random and very likely not as secure and random as we are made to believe.
Does anyone have more information about this, custom masks or knows of a dataset of passkeys so I can investigate this non randomness further?
I apologize if this is a bit of general topic and not very specific for hashcat but I do think it is rather interesting to discuss and investigate further. If this better fits another category, please move it appropriately.