
Introduction to LavaPasswordFactory


Christopher Grayson discusses authentication, passwords, how to break password-based authentication schemes, and lastly introduces LavaPasswordFactory.

LavaPasswordFactory is a password list generation tool that also contains functionality for cleaning password lists based on password policies.

Published in: Technology

  1. LAVA.PASSWORD.FACTORY: PASSWORDS ARE BAD AND YOU CAN TOO!!
  2. A BRIEF INTRODUCTION
  3. AGENDA
     1. What is authentication?
     2. Why do passwords exist?
     3. Why attack authentication mechanisms?
        1. Password-based attacks
     4. LavaPasswordFactory
        1. Demonstration
     5. Conclusion / Questions
  4. WHO AM I?
     • Christopher Grayson
     • cegrayson3@gmail.com
     • @_lavalamp
     • Senior Security Analyst at Bishop Fox (Pen-Testing FTW)
     • MSCS, BSCM from GT
     • Former Research Scientist from GT
     • Former president, GT hacking club
     • That guy in the front…
  5. WHAT IS AUTHENTICATION?
  6. THE BASICS
     • It’s all about identity, baby
     • Something you know
     • Something you have
     • Something you are
  7. SOMETHING YOU KNOW
     • Passwords
     • Personal knowledge (security questions)
     • Only those that know X should have access.
  8. SOMETHING YOU HAVE
     • RSA SecurID
     • Google Authenticator
     • Only those that have X should be allowed access.
  9. SOMETHING YOU ARE
     • Most nebulous of the three
     • Commonly refers to biometrics (iris scans, for instance)
     • Only those who are X should be allowed access.
  10. TAKEAWAYS
     • Authentication mechanisms aim to identify who you are for the purpose of establishing the correct level of authority.
     • Without accurately identifying someone, how can one hope to apply any meaningful identity-based security controls?
  11. PESKY PESKY PASSWORDS
  12. WHYYYYYYY?!
     • Easy to implement
     • Usually easy to remember
     • Requires the lowest amount of technical overhead
     • Many other reasons…
  13. PASSWORDS ARE BAD, M’KAY?
     • When used properly, passwords can provide a decent level of security.
     • Passwords are largely used improperly, even within the security community.
  14. COMMON PASSWORD PROBLEMS
     • Low complexity
     • Password re-use
     • Writing passwords down
  15. SOME TANGIBLE DATA
     Credit to Karl Sigler, The Register: http://www.theregister.co.uk/2014/08/15/hundreds_of_thousands_of_corporate_passwords_cracke
  16. ATTACKING PASSWORDS
  17. WHY ATTACK AUTHENTICATION?
     • Automated systems typically have different roles meant for different users.
     • Correctly identifying a user supplies that user with the intended level of authority.
     • Even in an incredibly secure system, if you can trick the system into thinking you’re an admin, many security controls fall away.
  18. ONLINE PASSWORD ATTACKS
     • Logging into a Web site
     • Logging into network services
     • Don’t have access to the hashed representation of passwords
  19. OFFLINE PASSWORD ATTACKS
     • Typically a data store has been compromised
     • Have direct access to the hashed representation of passwords
     • Can break passwords at much larger scale
  20. LAVA.PASSWORD.FACTORY
  21. SHINY NEW TOOL
     • Generates passwords for offline and online attacks
     • Cleans existing password lists
     • Uses a set of seed words
     • Has functionality for matching password policies
  22. DEMONSTRATION
  23. GETTING IT
     • https://github.com/lavalamp-/LavaPasswordFactory
     • Still a work-in-progress, but current work is only to add more functionality.
     • Comments and feature requests welcome!
  24. QUESTIONS?
  25. THANK YOU! @_LAVALAMP
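Slide 21 says the tool can clean an existing password list against a password policy. The example below is an added illustration of that idea, not LavaPasswordFactory's own code: a small policy model (the `PasswordPolicy` fields and the sample list are constructed for this example) and a filter that reports which rules a candidate breaks, which is the same check a defender applies when enforcing a policy at password-set time or auditing a list of candidates.

```python
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Hypothetical policy model; field names are this example's, not the tool's."""
    min_length: int = 8
    max_length: int = 64
    min_classes: int = 3           # distinct classes required out of lower/upper/digit/symbol
    max_repeat: int = 3            # longest run of one repeated character that is allowed
    forbidden_substrings: tuple = ()  # e.g. company or product names, matched case-insensitively


CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def longest_run(s: str) -> int:
    """Length of the longest run of a single repeated character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def policy_violations(password: str, policy: PasswordPolicy) -> list:
    """Return the policy rules a candidate breaks, in a fixed order (empty list = compliant)."""
    problems = []
    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append("length")
    if sum(1 for p in CLASS_PATTERNS.values() if p.search(password)) < policy.min_classes:
        problems.append("classes")
    if longest_run(password) > policy.max_repeat:
        problems.append("repeat")
    if any(s.lower() in password.lower() for s in policy.forbidden_substrings):
        problems.append("forbidden")
    return problems


def clean_list(candidates, policy: PasswordPolicy) -> list:
    """Keep only candidates the policy accepts, dropping duplicates and preserving order."""
    seen, kept = set(), []
    for c in candidates:
        if c in seen:
            continue
        seen.add(c)
        if not policy_violations(c, policy):
            kept.append(c)
    return kept


# Constructed sample list and policy for demonstration.
POLICY = PasswordPolicy(forbidden_substrings=("acme",))
SAMPLE = ["password", "Acme2024!", "Winter2024!", "Winter2024!", "aaaaBBBB1", "Tr0ub4dor&3"]
```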
