Credera is a full-service management and
technology consulting firm. Our clients range
from Fortune 1,000 companies to emerging
industry leaders. We provide expert, objective
advice to help solve complex business and
technology challenges.
Dallas Office
15303 Dallas Parkway
Suite 300
Addison, TX 75001
972.692.0010 Phone
972.692.0019 Fax
Denver Office
5445 DTC Parkway
Suite 1040
Greenwood Village, CO 80111
303.623.1344 Phone
303.484.4577 Fax
Houston Office
800 Town & Country Blvd
Suite 300
Houston, TX 77024
713.496.0711 Phone
713.401.9650 Fax
Austin Office
9020 N Capital of Texas Hwy
Suite 345
Austin, TX 78759
512.327.1112 Phone
512.233.0844 Fax
Discussion document – Strictly Confidential & Proprietary
correcthorsebatterystaple:
hacking passwords by example
Dallas, TX
July 9, 2013
Dallas Web Security Group
Dustin Talk
Agenda …
P@ssw0rdZ
• Expectations and Objectives
• What makes a good password?
• Demo: Cracking a user list of ~1.5 million users
– What a leak looks like
– Using rainbow tables (or google)
– Using the leaked information from others
– Using common passwords
– Lists created by experts
– Lists created by l33t h4x0r
– Brute Force on the GPU
– Hybrid Attacks & Key Sequences
• What can be done?
• Q&A
7/19/2013
Dallas Web Security Group
3
Dustin Talk (not Anonymous)
Dustin Talk
Dustin Talk is an Architect with Credera in the eCommerce practice. He holds a B.S. and a Master's
degree in Computer Science from Texas A&M University. Dustin has several years' experience in
custom web application development with a focus on security, emerging technologies, and the
Spring/JPA frameworks. During his tenure with Credera, he has led and worked on various teams
building applications in Java, including supply chain optimization, large-scale eCommerce
implementations utilizing Broadleaf Commerce, and eCommerce conversion efforts.
Past Presentations:
• Addressing Top Security Threats in Web Applications
• OWASP Top 10 - Live Exploits by Example
• Stripe’s Capture The Flag #2
• OAuth 1.0 / 2.0
• OpenID
Introductions…
The Organizational Goal is to equip you with knowledge that you may
incorporate in your job, your next project, or just to have fun (not lulz)
Participant Expectations
• Provide Education to Seed Investigation
• Learn how to secure yourself and those around you
Expectations and Objectives …
How strong are your passwords? Let’s ask Microsoft…
Microsoft has provided a free tool to ensure that your password is strong:
https://www.microsoft.com/security/pc-security/password-checker.aspx
How would these rate:
• password12345678790
• Luvnme4aChange@$
Let’s see if they are actually strong, using two simple tools: hash each one with unsalted MD5, then search the web for the hash (an unsalted hash of a common password has already been cracked and indexed somewhere):
• Online MD5 creator: http://md5-hash-online.waraxe.us/
• Elite Google Password Decoder: http://www.google.com/
What makes a good password? …
* Figure and statistics from the June 2012 WhiteHat Security Statistics Report
Perhaps we should ask someone else? Intel…
Intel has provided a free tool to ensure that your password is strong:
https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html
How would these rate:
• AdMos185auj;
• Wt4e-79P-B13^qS
Let’s see if they are strong using some simple tools:
• Online MD5 creator: http://md5-hash-online.waraxe.us/
• Elite Google Password Decoder: http://www.google.com/
What makes a good password? …
http://xkcd.com/936/
What makes a good password?
Simple tips for a better password
Creating a stronger password
• The more random the better*
• The longer the better*
• A mix of numbers, letters (upper and lower), symbols
• NO words! or anything L!K3 a word (the h4x0r knows)
• No personal info (pin code, home address, etc.)
• No keyboard tricks (!@#,123,QWE)
Use some helpful tools:
• https://lastpass.com/passwordhelp.php?a=1
• https://lastpass.com/generatepassword.php
What makes a good password? …
DEMO:
Cracking 1.5 million users
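The demo itself is not in the transcript. As an added example (not the slides' own code), the following Python manufactures a small "leak" of unsalted MD5 hashes from constructed accounts and cracks it the way the agenda describes: a precomputed lookup table built from a common-password list (the offline equivalent of a rainbow table, or of pasting the hash into Google) extended with hybrid rules (capitalisation, leetspeak, appended digits and years). The account names, passwords and wordlist are constructed for illustration; a real run would use a multi-million-entry list and John the Ripper or oclHashcat-plus.

```python
import hashlib
import re

# Constructed victim accounts, used only to manufacture the sample dump below;
# a real attacker sees nothing but the hashes. (Added example, not from the slides.)
VICTIM_ACCOUNTS = {
    "alice": "password",
    "bob": "Letmein123",
    "carol": "P4$$w0rd1!",
    "dave": "correcthorsebatterystaple",
    "eve": "password",
    "frank": "Wt4e-79P-B13^qS",
}

# Tiny stand-in for a real common-password list (rockyou.txt and friends).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "monkey", "dragon"]

# Leetspeak substitutions a "h4x0r" rule file would try, plus common suffixes.
LEET = str.maketrans("aeios", "4310$")
SUFFIXES = ("", "1", "123", "!", "1!", "2013")


def md5_hex(text: str) -> str:
    """Unsalted MD5 as many breached sites stored it: same password -> same hash."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_leak(accounts: dict) -> str:
    """Render accounts as the 'user:hash' lines a dump typically contains."""
    return "\n".join(f"{user}:{md5_hex(pw)}" for user, pw in accounts.items())


def parse_leak(dump: str) -> list:
    """Pull (user, hash) pairs out of a dump, skipping malformed lines."""
    entries = []
    for line in dump.splitlines():
        user, _, digest = line.partition(":")
        digest = digest.strip().lower()
        if re.fullmatch(r"[0-9a-f]{32}", digest):
            entries.append((user.strip(), digest))
    return entries


def mutate(word: str) -> set:
    """Hybrid rules: case variants, leetspeak, and common suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in bases}
    return {b + s for b in bases for s in SUFFIXES}


def build_lookup(wordlist) -> dict:
    """Precompute hash -> plaintext. For unsalted hashes this is built once and
    reused against every user, which is what rainbow tables and Google amount to."""
    table = {}
    for word in wordlist:
        for candidate in mutate(word):
            table.setdefault(md5_hex(candidate), candidate)
    return table


def crack(dump: str, wordlist=COMMON_PASSWORDS) -> dict:
    """Return {user: plaintext or None} for every entry in the dump."""
    table = build_lookup(wordlist)
    return {user: table.get(digest) for user, digest in parse_leak(dump)}


def shared_hashes(dump: str) -> dict:
    """Group users by identical hash: cracking one of them cracks all of them."""
    groups = {}
    for user, digest in parse_leak(dump):
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    dump = make_leak(VICTIM_ACCOUNTS)
    print(dump)
    for user, plain in crack(dump).items():
        print(f"{user:6} -> {plain if plain else '<not in table>'}")
    print("reused:", shared_hashes(dump))
```

Four of the six constructed accounts fall immediately; "alice" and "eve" share a hash because unsalted MD5 maps equal passwords to equal hashes, so one lookup cracks both. The passphrase and the random 15-character string survive only because they are not in the table, not because MD5 is hard to compute: a GPU-driven brute force simply grows the table.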
What can be done? …
Attend More Meetings…
What To Do Now
• Don’t store passwords as plain, fast hashes (MD5, SHA-1, SHA-256): a GPU running oclHashcat-plus tries billions of guesses per second: http://hashcat.net/wiki/doku.php?id=oclhashcat_plus
• Don’t rely on salts alone: a per-user salt defeats precomputed tables and stops one lookup from cracking every user with the same password, but it does nothing to slow a dictionary or brute-force run against a single fast hash
• Use bcrypt (an adaptive hashing algorithm whose work factor can be raised as hardware gets faster): http://en.wikipedia.org/wiki/Bcrypt
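The storage side of the advice above, as an added example that is not part of the slides: a salted, iterated password hash kept in a self-describing record, with a transparent upgrade path so the work factor can be raised later. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the bcrypt the slide recommends (same idea: per-user random salt plus a tunable cost; bcrypt itself needs a third-party package). The iteration counts, the record format and the sample passwords are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

# Adaptive work factor; raise it as hardware gets faster. bcrypt's "cost"
# parameter plays the same role. (Assumed value for this example.)
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt: bytes = None) -> str:
    """Salted, iterated hash stored as algorithm$iterations$salt$digest.
    Keeping the parameters in the record lets old hashes verify after the policy changes."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(("pbkdf2-sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def _parse(record: str):
    """Split a stored record back into (iterations, salt, digest)."""
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported hash record")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; constant-time compare."""
    iterations, salt, expected = _parse(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored record uses fewer iterations than current policy."""
    return _parse(record)[0] < iterations


def login(password: str, record: str, iterations: int = DEFAULT_ITERATIONS):
    """Verify and, on success, transparently upgrade weak records (the 'adaptive' part).
    Returns (ok, record_to_store); the plaintext is only available at login time."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, iterations):
        record = hash_password(password, iterations)
    return True, record


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Rough cost of one guess on this CPU; every guess costs the attacker at least this much."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    rec = hash_password("correcthorsebatterystaple", iterations=50_000)
    print(rec)
    print("same password, fresh salt differs:",
          hash_password("correcthorsebatterystaple", iterations=50_000) != rec)
    ok, rec2 = login("correcthorsebatterystaple", rec)
    print("login ok:", ok, "| upgraded:", rec2 != rec, "| now", _parse(rec2)[0], "iterations")
    print(f"one guess costs ~{seconds_per_guess(DEFAULT_ITERATIONS):.4f}s on this CPU;"
          " an unsalted MD5 guess is a small fraction of a microsecond")
```

Two things to notice when running it: the same password yields a different record every time because of the fresh salt, so the lookup table from the cracking example is useless across users; and the per-guess cost is a policy knob rather than a property of the hash, which is exactly what "adaptive" buys you and what plain MD5 or SHA-x with a salt does not.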
What to Do Now For Fun
• Download John the Ripper
• Download oclHashcat-plus (and get a decent GPU)
Reference Materials
• http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
• http://hashcat.net/oclhashcat-plus/
• http://www.openwall.com/john/
Q&A