Your SlideShare is downloading. ×
  • Like
Passwords & security
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Passwords & security


This is my presentation from Finse 2011, a 3.5 hour presentation on passwords. The audience is PhD students & professors, mostly within crypto, access control, biometrics and similar areas.

This is my presentation from Finse 2011, a 3.5 hour presentation on passwords. The audience is PhD students & professors, mostly within crypto, access control, biometrics and similar areas.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Passwords & Security#Finse2011
    Per Thorsheim
  • 2. Disclaimer
    My presentation, as well as anything I say, do, show, demonstrate, give away or try to sell you is my personal stuff & opinions.
    My employer have chosen not to be a part of this in any way, as such my employer cannot and will not be held liable. My opinions does not necessarily reflect that of my employer, our customers or partners.
    Etc etc.
  • 3.
  • 4. About me
    Valid certifications:
    Certified Information Systems Auditor
    Certified Information Security Manager
    Certified Information Systems Security Professional
    Information Systems Security Architecture Professional
    ITIL v3 Foundations
    Passwords^10 conference in December 2010
  • 5. Passwords^11, June 7-8, Bergen
    Prof. Frank Stajano (Cambridge)
    Prof. KirsiHelkala (Gjøvik)
    Simon Josefsson(Head of R&D, Yubico)
    Bendik Mjaaland (Accenture)
    John Arild M. Johansen (CSO, Buypass)
    Erlend Dyrnes(CSO, Nextgentel)
    Chris Lyon(Mozilla)
    James Nobis(
  • 6. Examples
  • 7. Sony Playstation Network
    70+ million accountscompromised
    #PSNunavailable for 3 weeks
    Playstation store unavailable for 4 weeks
    New firmware: v3.61
    All passwords must be changed
  • 8. #PSNPassword Reset
    Online (web)
  • 9. PS3 Policy #1 Revealed
    Online (web)
  • 10. PS3 Policy #2 Revealed
    Online (web)
  • 11. Web Password Reset CAPTCHA
    Online (web)
  • 12. #PSNPartial CC Data Stored
    Online (web)
  • 13. PS3 vs Web – Policy Comparison
    Online (web)
  • 14. #PSNPassword Reset
    Online (web)
  • 15. #PSN – There’s more!
  • 16. Sony BGM Greece
  • 17. Bergen Bompengeselskap AS
  • 18. Login (https)
  • 19. I Forgot My Password!
  • 20. Which Language Sir?
  • 21. E-mail received:
  • 22. Or: License Number + Tag ID…
  • 23. Breaking in – online attacks
  • 24. Todo List
    Usernames and/or usernamealgorithm at targetcorp
    Windows domain (if applicable)
    Account lockout policy
    FQDN to webmail service
    Online passwordcracker
    (Google is yourfriend…)
    And patience… 
  • 25. Online Password Attacks
    THC Hydra
  • 26. Possible targets found:
    Potential targets:
  • 27. Offline Password Attacks
  • 28. Got Hash?
    SQL Injection Attacks:
    SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
    Source: Wikipedia 
  • 29.
  • 30. Cracking Passwords
  • 31. Offline password cracking
    A widenumberoftools& techniquesavailable:
    Dictionary attacks
    Various hybrid/logicalattacks
    Time is on your side!
  • 32. RainbowTables (wikipedia)
    A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters. It is a form of time-memory tradeoff, using less CPU at the cost of more storage. Proper key derivation functions employ salt to make this attack infeasible. Rainbow tables are a refinement of an earlier, simpler algorithm by Martin Hellman that used the inversion of hashes by looking up precomputed hash chains.
  • 33. RainbowTablesavailable: (99.9% hitrate)
    CPU/GPU generation, CPU cracking (for now)
    MD5, NTLM
    (Full US charset, chainlength 200k, GPU only!)
  • 34. lm_lm-frt-cp437-850#1-7_20000
    Windows LM passwordslength 1-14
    566Gb (1400+ files) tableset;charsetcoverage:
  • 35. ntlm_mixalpha-numeric#1-8_40000
    Windows NTLM Mixalpha_numeric_1-8
    453Gb, covers A-Z,a-z,0-9
  • 36. Hybrid Rainbowtables
    is currently being finished by
    With more to come!
  • 37. Hybrid attacks
    John the Ripper (JtR)
    Hashcat family (lite, plus, ocl)
    Cain & Abel

    And many, many more!
  • 38. Bruteforce
    Bruteforcing is increasingly hard to do;
    Graphics Processing Units (GPUs) to therescue!
  • 39. PasswordStatistics
    Time to show some cool/interesting/boring numbers!
  • 40. Password Resets
  • 41. Storing passwords
    «I’musing MD5, so I’m safe.»
    Response from web applicationdeveloperafter I talkedabout storing passwords in cleartextbeing a bad idea.
  • 42. Thomas Ptacek
    Enough With The RainbowTables: WhatYouNeed To KnowAboutSecurePasswordSchemes
  • 43.
  • 44. Chris Lyon
    “SHA-512 w/ per User Salts is Not Enough”
  • 45. BypassingPassword Security
  • 46. BypassingPassword Security
    Microsoft Windows Pass-the-Hashattacks
    Microsoft Windows Pass-the-Ticketattacks
    Passware – «bypassing» Microsoft Bitlocker
    Smartphone (in)security
  • 47. Pass-the-Hash / Pass-the-Ticket
    Windows Credentials Editor v1.2:
    Scenario description:
    Eve just started in Alices company. Bob, thedomainadminguy, givesyouyour brand newlaptop, ready to use. You have localadminrights. Bob’slogincredentialsarecached on your computer. Extract, send credentials (username + hashvalue), getaccess.
  • 48. Passware Kit Forensic
    vs Microsoft Bitlocker:
    Live memory dump from target system usingFirewire, utilizingDirect Memory Access. Search dump, getdecryption keys, getaccess
    Remove disk from hibernated computer. Physicalmemory is written to disk, parts of it unencrypted. Searchand finddecryption keys, mount volume, getaccess.
    Video demonstration:
  • 49. CorporateAndroid Security
    Android devices: no hardware encryption
    Nitro software – softwareencryption
    Butonly for Microsoft Activesync data
    (Mail, Calendar, Contacts)
    Samsung Galaxy S II
    Hardware deviceencryption
    90% of all MS Activesyncpoliciessupported
    Not even Microsoft doesthat!
  • 50. CorporateiOS Security
  • 51.
  • 52.
  • 53. CorporateiOS Security
    AES hardware deviceencryption is good, but..
    iTunes configurationissues
    Frequentupdates(Quicktime + Safari + iTunes)
    Hardware Device has «passwordprotect» flag
    Device-specificencryption key is used to protectkeychain
    Almost all other data availableunencrypted in backup
  • 54. Elcomsoft, Tuesday, May 24th:
  • 55. PasswordUsability
  • 56. NorSIS / (Norway)
  • 57. PasswordUsability
    Minimum/Maximum Length
    Lost Password (Password Reset)
    Reauthentication (BankID)
    Single Sign-On
  • 58. Usabilityvs Security
    Minimum/Maximum Length
    Lost Password (Password Reset)
    Reauthentication (BankID)
    Single Sign-On
    Usepassphrases / implement support for it!
    Length = complexity
    VERY hard to do in real-life environments!
    Goodidea, but…
  • 59. Recommendations
  • 60. My User Recommendation:
    Use a normal sentence as yourpassword.
    Change it whenyouthink it is necessary.
  • 61. My Policy Recommendation:
    Use a normal sentence as yourpassword.
    It must be changedevery 13 months.
  • 62. Technical Recommendation
    Has to be a little more complexthentheprevious slides, but;
    Do NOT tell your end-users or othersabouttheactualrulesimplemented!
    Provideuseful feedback whenpasswordsarerejected
    Do 100% technicalimplementationofwritten policy
    SSO: store passwordhashes at thestrongest system
  • 63. DynamicPreventionofCommonPasswords
    Somewebsites have static lists of «forbidden» (common) passwords
    Can be found & documented (Twitter…)
    Does not providebettersecurity
    Easilycircumvented (blocking bad passwords is hard!)
  • 64. DynamicPreventionofCommonPasswords
    My suggestion:
    A custom DLL for Windows. It receives a usersrequestedpassword. Checkagainstrules (length, complexity, historyetc).
    If OK, thenhash and store hashwithcounter= 1
    DLL config has a thresholdvalue
    Any given passwordcanonlyexist on X accounts at the same time
  • 65. Thankyou!
    And do not forget: Passwords^11, June 7-8, UiB, Bergen.
    2 days, onlyaboutpasswords.