An investigation of the security of passwords derived from African languages

BSidesLV 2019

Presented by: Sibusiso Sishi
Date: Wednesday August 07, 2019
Time: 11:00 - 11:55
Location: Ground1234!

There have been several studies on country-based passwords by various authors, but there has been a lack of focused study on the type of passwords that are being created in Africa and whether there are benefits in creating passwords in an African language. For this research, password databases containing LAN Manager and NT LAN Manager hashes extracted from South African organisations were obtained to gain an understanding of user behaviour in creating passwords. Analysis of the passwords obtained from these hashes showed that many organisational passwords are based on the English language. This is understandable considering that the business language in South Africa is English, even though South Africa has 11 official languages. African language-based passwords were derived from known weak English passwords, and some of the passwords were appended with numbers and special characters. The African language-based passwords were then uploaded to the Internet to test the security around using passwords based on African languages. Most of the passwords were able to be cracked by third-party researchers. We conclude that a password written in an African language showed no improvement in security when it was derived from known weak English words, especially in the more widely spoken languages.

Sibusiso Sishi

Sibusiso is a former professional athlete who has represented his country at the highest sporting level, the Olympic Games. After retiring from athletics he transitioned into cyber security and has been doing penetration testing for the past five years. Sibusiso co-founded a majority black-owned cyber security company called Ironsky Pty Ltd in South Africa, where he serves as a technical director and penetration tester. Sibusiso has always had an interest in passwords and how users create and use passwords within the organisation.

