2012 03 The Death of Passwords

2012 03 The Death of Passwords by Artëm Kazantsev, Duke IT Security

  • 1. The Death of Passwords
  • 2. Dangers to Passwords
    ● Passwords are “phished”
    ● Passwords are shared
    ● Users use dictionary words or “lazy” passwords
    ● Users reuse the same password for different sites
    ● Users recycle passwords or add numbers at the end (BlueDevil#9)
    ● Passwords can be cracked using: brute force of the hashes and/or rainbow tables and/or GPU cracking ...
  • 3. Demo of the GPU cracking
    ● 5 characters of mixed case, special characters and numbers: ~2.5 min brute force on an NVidia NVS 3100M (16 cores, 512 MB)
    ● For comparison, an NVidia PCI Express card (eVGA): memory clock 4212 MHz effective, shader clock 1800 MHz, 512 CUDA cores, 3072 MB GDDR5 memory, ~$600
  • 4. Cracking Passwords
    ● Diagram: Password Guess → HASH → compared against the Password File (the slide shows the same digest, d131dd02c5e6eec4693d9a0698aff95c, on both sides)
    ● Time to crack by password type:
        Password type           | Using the CPU      | Using the GPU
        6 char (no spec chars)  | 1 hour 30 sec      | 4 seconds
        7 char (no spec chars)  | 4 days 17 minutes  | 30 seconds
        7 char (spec chars)     | 75 days            | 7 hours
        9 char (spec chars)     | 43 years           | 48 days
  • 5. 12345 anyone?
    ● “I'm so clever” passwords: Q1W2E3R4, A!S@D#F$, zxcv/.,m, Aq1Sw2De3Fr4, L33tSp3@K (th3y w1ll n3v3r gu3$$)
  • 6. Dictionary lists, hybrid attacks and mangle rules
      #define RULE_OP_MANGLE_LREST          l  // lower case all chars
      #define RULE_OP_MANGLE_UREST          u  // upper case all chars
      #define RULE_OP_MANGLE_LREST_UFIRST   c  // lower case all chars, upper case 1st
      #define RULE_OP_MANGLE_UREST_LFIRST   C  // upper case all chars, lower case 1st
      #define RULE_OP_MANGLE_TREST          t  // switch the case of each char
      #define RULE_OP_MANGLE_TOGGLE_AT      T  // switch the case of each char on pos N
      #define RULE_OP_MANGLE_REVERSE        r  // reverse word
      #define RULE_OP_MANGLE_DUPEWORD       d  // append word to itself
      #define RULE_OP_MANGLE_DUPEWORD_TIMES p  // append word to itself N times
      #define RULE_OP_MANGLE_REFLECT        f  // reflect word (append reversed word)
      #define RULE_OP_MANGLE_ROTATE_LEFT    {  // rotate the word left. ex: hello -> elloh
      #define RULE_OP_MANGLE_ROTATE_RIGHT   }  // rotate the word right. ex: hello -> ohell
      #define RULE_OP_MANGLE_APPEND         $  // append char X
      #define RULE_OP_MANGLE_PREPEND        ^  // prepend char X
      #define RULE_OP_MANGLE_DELETE_FIRST   [  // delete first char of word
      #define RULE_OP_MANGLE_DELETE_LAST    ]  // delete last char of word
      #define RULE_OP_MANGLE_DELETE_AT      D  // delete char of word at pos N
      #define RULE_OP_MANGLE_EXTRACT        x  // delete X chars of word at pos N
      #define RULE_OP_MANGLE_INSERT         i  // insert char X at pos N
      #define RULE_OP_MANGLE_OVERSTRIKE     o  // overwrite with char X at pos N
      #define RULE_OP_MANGLE_TRUNCATE_AT       // cut the word at pos N
      #define RULE_OP_MANGLE_REPLACE        s  // replace all chars X with char Y
      #define RULE_OP_MANGLE_PURGECHAR      @  // -- not implemented --
      #define RULE_OP_MANGLE_DUPECHAR_FIRST z  // prepend first char of word to itself. ex: hello -> hhello
      #define RULE_OP_MANGLE_DUPECHAR_LAST  Z  // append last char of word to itself. ex: hello -> helloo
      #define RULE_OP_MANGLE_DUPECHAR_ALL   q  // duplicate all chars. ex: hello -> hheelllloo
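The rule operators listed above, implemented as a small engine and turned to defensive use as a password-policy check that rejects anything a wordlist plus rules would produce (so BlueDevil#9 from slide 2 and P@ssw0rd-style substitutions are caught). This is an added example, not code from the presentation or from hashcat/John; WORDLIST and RULES are constructed sample data, and only a subset of the operators is implemented.

```python
# Added example: a subset of the hashcat-style rule operators on the slide,
# used defensively to reject passwords that rule-based cracking would derive.
# WORDLIST and RULES below are constructed sample data, not a real policy.

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule string (a sequence of operators) to a word.
    Positions use hashcat notation: 0-9, then A-Z for 10-35."""
    w, i = word, 0
    while i < len(rule):
        op, i = rule[i], i + 1
        if op == "l":   w = w.lower()                      # lowercase all
        elif op == "u": w = w.upper()                      # uppercase all
        elif op == "c": w = w[:1].upper() + w[1:].lower()  # lower all, upper 1st
        elif op == "t": w = w.swapcase()                   # toggle case of all
        elif op == "r": w = w[::-1]                        # reverse
        elif op == "d": w = w * 2                          # append word to itself
        elif op == "f": w = w + w[::-1]                    # reflect
        elif op == "{": w = w[1:] + w[:1]                  # rotate left
        elif op == "}": w = w[-1:] + w[:-1]                # rotate right
        elif op == "[": w = w[1:]                          # delete first char
        elif op == "]": w = w[:-1]                         # delete last char
        elif op == "z": w = w[:1] + w                      # duplicate first char
        elif op == "Z": w = w + w[-1:]                     # duplicate last char
        elif op == "q": w = "".join(ch * 2 for ch in w)    # duplicate all chars
        elif op == "$": w, i = w + rule[i], i + 1          # append char X
        elif op == "^": w, i = rule[i] + w, i + 1          # prepend char X
        elif op == "s": w, i = w.replace(rule[i], rule[i + 1]), i + 2  # sXY
        elif op in "TD'":                                  # positional: N follows
            n, i = int(rule[i], 36), i + 1
            if op == "T":   w = w[:n] + w[n:n + 1].swapcase() + w[n + 1:]
            elif op == "D": w = w[:n] + w[n + 1:]
            else:           w = w[:n]                      # ' truncate at N
        elif op != " ":
            raise ValueError(f"unsupported rule operator {op!r}")
    return w

# Constructed sample wordlist and rules of the kind shown on the slide.
WORDLIST = ["bluedevil", "BlueDevil", "password", "duke", "summer"]
RULES = ["", "c", "u", "r", "d", "$1", "$1$2$3", "$#$9", "c$!", "^1",
         "sa@so0", "csa@se3si1so0", "c$2$0$1$2", "T0T4"]

def mangled_candidates(wordlist, rules):
    """Every candidate the wordlist combined with the rules produces."""
    return {apply_rule(w, r) for w in wordlist for r in rules}

def is_weak(password: str, wordlist=WORDLIST, rules=RULES) -> bool:
    """Policy check: reject a password a rule-based attack would derive."""
    return password in mangled_candidates(wordlist, rules)
```

For a production check the candidate set should be built once from the site's real wordlist and compared as a hash of the password, never by keeping plaintext candidates around.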
  • 7. Rainbow Tables
    ● http://www.freerainbowtables.com/ (using BOINC distributed computing for calculation) (5271 GB as of 02/20/2012)
    ● RainbowCrack: your local friendly rainbow table generator / converter (between the different RT formats) / cracker
  • 8. RainbowCrack Project example: ntlm_mixalpha-numeric#1-9
    ● Hash Algorithm: NTLM
    ● Charset: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
    ● Plaintext Length: 1 to 9
    ● Key Space: 13,759,005,997,841,642 (about 2^53.6)
    ● Table Pre-computation Effort: 59,476,604,035,792,896 (about 2^55.7) hash computations
    ● Table Size: 864 GB
    ● That pretty much means the game is over for NTLM passwords of fewer than 10 alphanumeric characters!
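The key-space and pre-computation figures on this slide, reproduced from first principles so the "about 2^53.6" and "2^55.7" values can be checked and the effect of one more character seen. Added example, not part of the presentation or the RainbowCrack project; the 62-symbol charset is the slide's mixalpha-numeric set.

```python
import math

# Added example (not from the presentation): reproduce the RainbowCrack
# ntlm_mixalpha-numeric#1-9 figures quoted on the slide from first principles.

MIXALPHA_NUMERIC = 26 + 26 + 10          # a-z, A-Z, 0-9 = 62 symbols

def key_space(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of plaintexts with lengths min_len..max_len over the charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def bits(count: int) -> float:
    """The 'about 2^x' form the slide uses, rounded to one decimal."""
    return round(math.log2(count), 1)

def precompute_overhead(effort: int, space: int) -> float:
    """Hash computations spent per key-space element when building the table.
    The slide's two figures give about 4.3x: rainbow chains collide and
    overlap, so building the table costs more than one pass over the space."""
    return round(effort / space, 2)

def growth_factor(charset_size: int, from_len: int, to_len: int) -> float:
    """How much larger the 1..to_len space is than the 1..from_len space."""
    return key_space(charset_size, 1, to_len) / key_space(charset_size, 1, from_len)
```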
  • 9. Methods to Compromise Accounts/Passwords vs. Defenses
    ● Defenses (columns): longer passwords (passphrases); regular password changes; education; account lockouts; multi-factor; network encryption; host-based security
    ● Attacks (rows), with ✔ for each defense the slide marks as effective:
      – Password cracking (dictionary attack, brute force, rainbow tables, GPU cracking): ✔ ✔ ✔ ✔
      – Password sharing: ✔ ✔
      – Phishing / social engineering: ✔ ✔
      – Man-in-the-middle attack: ✔ ✔ ✔
      – Network sniffing: ✔ ✔ ✔ ✔ ✔
      – Keylogger: ✔ ✔ * * (* unless digital cert)
  • 10. What is Multi-Factor
    ● Authentication involves:
      – Something you know (e.g. password)
      – Something you have (e.g. digital cert, “token”)
      – Something you are (e.g. fingerprint, voice pattern)
      – Somewhere you are (e.g. GPS or network IP)
    ● Passwords provide 1 of these items. What if we supported the use of a second? Or a third?
    ● Depending on a user's role AND the application they are trying to access, we could provide a second factor for authentication
  • 11. Multifactor Options: Pros and Cons
    ● Tokens
      – Pros: industry standard; can be implemented into current authentication services; can run on top of the existing password policy
      – Cons: token replacement costs; if lost, stolen, or not available, cannot log in; may not be able to log in from a guest machine; the ‘seed’ server must be protected at all costs
    ● Digital Certificates
      – Pros: cheapest option (via InCommon); least impact on users; can run on top of the existing password policy
      – Cons: only ½ of a factor in some cases; cert must be installed on all user devices; cannot log in from a guest machine; depends on user key protection
    ● Phone (SMS/QR tech)
      – Pros: similar to tokens; low-cost/open source options; works well for those that have smart phones; can
      – Cons: user has to have a phone that can take pictures or SMS; if the phone is lost, stolen, or not available, cannot log in
  • 12. Passwords Alone Are No Longer Effective