IO-Chat Hashbot Prototype
Tonight I challenged myself to a bit of penetration testing on the accounts of my own site, IO-Chat.com. In a couple of hours with some Red Bull, I've developed a bot that attempts to bruteforce accounts with a number of methods to determine the vulnerability of that account. This is in regard to the next update's Security Initiative, which will be elaborated on at a later point.
At the moment, the bot's abilities are fairly minimal. It does the following:
Compares each user’s name to their own password.
Compares each user’s password to everyone else’s name.
Compares each user’s password with 10,000 popular passwords.
As a result of this scan, which took the bot 3.2 seconds to perform, the results showed me that 139 accounts were matched by one (or more) of these commands. 24 accounts were considered high-risk, and I will force them to change their password in 1.1.7.
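The three checks listed above can be run against a stored-hash user table without ever seeing a plaintext password: hash each candidate (the user's own name, every other user's name, each entry of the popular-password list) the same way the site does and look the stored hash up. The script below is an added example, not the IO-Chat bot or any of its code; it assumes unsalted SHA-256 hashes and a constructed five-user table and a six-entry stand-in for the 10,000-password list, none of which come from the post.

```python
import hashlib


def hash_pw(password: str) -> str:
    """Hash a candidate the same way the (assumed) user table does.

    Assumption: unsalted SHA-256 hex digests. The post does not say how
    IO-Chat stores passwords; any scheme without a per-user salt allows the
    one-pass lookup used below.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the 10,000 popular passwords list
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "abc123", "iloveyou"]

# Constructed sample user table (username -> stored hash); not real accounts
USERS = {
    "alice":  hash_pw("alice"),    # password equals own username
    "bob":    hash_pw("hunter2"),  # nothing flags this one
    "carol":  hash_pw("bob"),      # password equals another user's name
    "dave":   hash_pw("123456"),   # in the common-password list
    "qwerty": hash_pw("qwerty"),   # own username AND in the common list
}


def audit(users, common_passwords):
    """Return {username: [reasons]} for every account whose stored hash matches
    a weak candidate. Accounts with no findings are omitted."""
    # Build the reverse lookups once so the scan is a single pass over the table
    hash_to_username = {hash_pw(name): name for name in users}
    common_hashes = {hash_pw(pw) for pw in common_passwords}

    findings = {}
    for name, stored_hash in users.items():
        reasons = []
        owner = hash_to_username.get(stored_hash)
        if owner == name:
            reasons.append("password equals own username")
        elif owner is not None:
            reasons.append(f"password equals another user's name ({owner})")
        if stored_hash in common_hashes:
            reasons.append("password is in the common-password list")
        if reasons:
            findings[name] = reasons
    return findings


def summarize(findings):
    """Count flagged accounts and those matched by more than one check."""
    multi = sum(1 for reasons in findings.values() if len(reasons) > 1)
    return {"flagged": len(findings), "multiple_matches": multi}


if __name__ == "__main__":
    result = audit(USERS, COMMON_PASSWORDS)
    for user, reasons in sorted(result.items()):
        print(f"{user}: {'; '.join(reasons)}")
    print(summarize(result))
```

The reverse lookups are what make the scan cheap: with the whole username list and the popular-password list hashed once, each account costs two dictionary lookups. If the table used a per-user salt, every candidate would have to be re-hashed for every user, which is exactly the cost salting is meant to impose on this kind of scan. The same three checks are also cheap to apply at registration or password-change time, where a rejected password never reaches storage at all.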
This has been an eye-opening night; I've sort of slacked on making users realize how unsafe their account can be with a weak password, but thanks to 1.1.7, this won't be a concern any longer.
In the future, I hope to program this bot to also do the following:
Compare user’s password to everyone else’s password.
Compare user’s password with variants of their date of birth.
Compare user’s password with variants of their email address.
Compare password to words in dictionary.
Compare password to words and phrases in urban dictionary.
Compare passwords with 10,000,000 popular passwords.