Correcthorsebatterystaple dwsg 07 09-13

Dustin Talk presented this at Dallas Web Security Group's July meeting.

  1. Credera is a full-service management and technology consulting firm. Our clients range from Fortune 1,000 companies to emerging industry leaders. We provide expert, objective advice to help solve complex business and technology challenges.
     Dallas Office: 15303 Dallas Parkway, Suite 300, Addison, TX 75001. 972.692.0010 Phone, 972.692.0019 Fax
     Denver Office: 5445 DTC Parkway, Suite 1040, Greenwood Village, CO 80111. 303.623.1344 Phone, 303.484.4577 Fax
     Houston Office: 800 Town & Country Blvd, Suite 300, Houston, TX 77024. 713.496.0711 Phone, 713.401.9650 Fax
     Austin Office: 9020 N Capital of Texas Hwy, Suite 345, Austin, TX 78759. 512.327.1112 Phone, 512.233.0844 Fax
  2. Discussion document – Strictly Confidential & Proprietary
     correcthorsebatterystaple: hacking passwords by example
     Dallas Web Security Group, Dallas, TX, July 9, 2013
     Dustin Talk
  3. Agenda … P@ssw0rdZ
     • Expectations and Objectives
     • What makes a good password?
     • Demo: Cracking a user list of ~1.5 million users
       – What a leak looks like
       – Using rainbow tables (or Google)
       – Using the leaked information from others
       – Using common passwords
       – Lists created by experts
       – Lists created by l33t h4x0r
       – Brute force on the GPU
       – Hybrid attacks & key sequences
     • What can be done?
     • Q&A
     7/19/2013 Dallas Web Security Group 3
  4. Dustin Talk (not Anonymous)
     Dustin Talk is an Architect with Credera in the eCommerce practice. He holds a B.S. and a Master's degree in Computer Science from Texas A&M University. Dustin has several years of experience in custom web application development with a focus on security, emerging technologies, and the Spring/JPA frameworks. During his tenure with Credera, he has led and worked on various teams building applications in Java, including supply chain optimization, large-scale eCommerce implementations using Broadleaf Commerce, and eCommerce conversion efforts.
     Past presentations:
     • Addressing Top Security Threats in Web Applications
     • OWASP Top 10 - Live Exploits by Example
     • Stripe's Capture The Flag #2
     • OAuth 1.0 / 2.0
     • OpenID Introductions…
  5. Expectations and Objectives …
     The organizational goal is to equip you with knowledge that you can incorporate in your job, in your next project, or just to have fun (not lulz).
     Participant expectations:
     • Provide education to seed investigation
     • Learn how to secure yourself and those around you
  6. What makes a good password? …
     How strong are your passwords? Let's ask Microsoft…
     Microsoft provides a free checker that rates how strong a password is: https://www.microsoft.com/security/pc-security/password-checker.aspx
     How would these rate?
     • password12345678790
     • Luvnme4aChange@$
     Now let's see whether they are actually strong, using some simple tools:
     • Online MD5 creator: http://md5-hash-online.waraxe.us/
     • Elite Google Password Decoder: http://www.google.com/
     (The point of the exercise: a meter only scores the shape of a string. Any password that has ever appeared in a leak or on a wordlist is one unsalted MD5 and one web search away, whatever the meter says.)
     *Figure and statistics from June 2012 WhiteHat Security Statistics Report
  7. What makes a good password? …
     Perhaps we should ask someone else? Intel…
     Intel provides a free checker of its own: https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html
     How would these rate?
     • AdMos185auj;
     • Wt4e-79P-B13^qS
     Let's see whether they are strong using the same simple tools:
     • Online MD5 creator: http://md5-hash-online.waraxe.us/
     • Elite Google Password Decoder: http://www.google.com/
  8. What makes a good password?
     http://xkcd.com/936/ (the "correct horse battery staple" comic: four randomly chosen common words carry more entropy than a short word mangled with substitutions, and are easier to remember)
  9. What makes a good password? …
     Simple tips for a better password
     Creating a stronger password:
     • The more random the better*
     • The longer the better*
     • A mix of numbers, letters (upper and lower), and symbols
     • NO words! or anything L!K3 a word (the h4x0r knows: cracking rule sets apply the leet-speak substitutions automatically)
     • No personal info (PIN code, home address, etc.)
     • No keyboard tricks (!@#, 123, QWE)
     Use some helpful tools:
     • https://lastpass.com/passwordhelp.php?a=1
     • https://lastpass.com/generatepassword.php
     *Figure and statistics from June 2012 WhiteHat Security Statistics Report
  10. DEMO: Cracking 1.5 million users
  11. What can be done? … Attend more meetings…
     What to do now:
     • Don't use plain general-purpose hashes (MD5, SHA-1, SHA-2) to protect users' passwords; oclHashcat-plus exists to make that point: http://hashcat.net/wiki/doku.php?id=oclhashcat_plus
     • Don't rely on salts to protect you: a salt defeats precomputed tables and shared-hash lookups, but it is stored next to the hash, so a per-user dictionary or brute-force run still proceeds at the hash's native speed
     • Use bcrypt (an adaptive hashing algorithm with a tunable cost factor): http://en.wikipedia.org/wiki/Bcrypt
     What to do now for fun:
     • Download John the Ripper
     • Download oclHashcat-plus (and get a decent GPU)
     Reference materials:
     • http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
     • http://hashcat.net/oclhashcat-plus/
     • http://www.openwall.com/john/
  12. Q&A
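Added example for slides 6 and 7 (the "MD5 it, then Google it" trick) and for the agenda's "rainbow tables (or Google)" item. This is editor-written code, not from Dustin Talk's deck; the wordlist, usernames and leaked hashes are constructed here. It shows why an unsalted MD5 is reversible by table lookup, that unsalted storage reveals which users share a password before any cracking happens, and what a per-user salt does and does not buy.

```python
"""Lookup-table (rainbow-table / 'Google the hash') attack on unsalted MD5.

Added example for this page; not from the original deck. The wordlist,
usernames and hashes below are constructed here, not taken from any real leak.
"""
import hashlib
import secrets
from collections import defaultdict

# Constructed dictionary. For the "Elite Google Password Decoder" trick, think
# of this as every string whose MD5 a search engine has already indexed.
WORDLIST = [
    "password", "123456", "letmein", "qwerty", "monkey", "iloveyou",
    "password12345678790", "Luvnme4aChange@$", "AdMos185auj;",
]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the way many 2013-era sites stored passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words) -> dict:
    """Hash every candidate once. Cracking is then O(1) per leaked hash.
    A rainbow table is a space/time trade-off over exactly this mapping."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(leak: dict, table: dict) -> dict:
    """Map user -> recovered password (None if the hash is not in the table)."""
    return {user: table.get(h) for user, h in leak.items()}


def cluster_by_hash(leak: dict) -> dict:
    """Unsalted storage leaks equality: users with the same hash share a
    password, which is visible before any cracking at all."""
    groups = defaultdict(list)
    for user, h in leak.items():
        groups[h].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def salted_md5(password: str, salt: bytes) -> str:
    """Per-user salt: same password, different hash, so no shared table applies."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def salt_defeats_table(table: dict, password: str = "password") -> bool:
    """Hash one password under two random salts: the hashes differ and neither
    is in the precomputed table. A salt only stops precomputation; a
    dictionary run that recomputes the hash per user still runs at MD5 speed."""
    h1 = salted_md5(password, secrets.token_bytes(16))
    h2 = salted_md5(password, secrets.token_bytes(16))
    return h1 != h2 and table.get(h1) is None and table.get(h2) is None


# Constructed mini-leak: user -> unsalted MD5 (not real data).
LEAK = {
    "alice": md5_hex("password12345678790"),
    "bob":   md5_hex("Luvnme4aChange@$"),
    "carol": md5_hex("Luvnme4aChange@$"),              # same password as bob
    "dave":  md5_hex("correct horse battery staple"),  # not in WORDLIST
}

if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    for user, pw in crack_unsalted(LEAK, table).items():
        print(f"{user:6s} {LEAK[user]}  ->  {pw!r}")
    print("users sharing a password:", cluster_by_hash(LEAK))
    print("salt defeats the precomputed table:", salt_defeats_table(table))
```

The two "strong" passwords from slides 6 and 7 fall instantly because they are in the table; dave's passphrase survives only because it is not. A search engine that has indexed a hash-to-plaintext page is the same table with someone else doing the precomputation.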
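Added example for slides 8 and 9 ("the more random the better, the longer the better"), written for this page and not from the deck. It generates passwords and passphrases with a CSPRNG and expresses their strength as bits of the generation process, which is the one thing the checker sites on slides 6 and 7 cannot measure. The short word list is a constructed stand-in and the attacker guess rate is an assumed figure, both labelled in the code.

```python
"""What 'longer' and 'more random' buy you, in bits.

Added example for this page, not from the original deck. Entropy is computed
for the generation process (secrets.choice over a known set); a human-chosen
string that merely looks random has no such guarantee.
"""
import math
import secrets
import string

# 94 printable ASCII characters excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a diceware-style list. A real list has 7776 words;
# xkcd 936 assumes 2048 (11 bits per word).
WORDS = ["correct", "horse", "battery", "staple", "orange", "velvet",
         "glacier", "pepper", "window", "tractor", "salmon", "quartz"]

# ASSUMED offline guess rate against an unsalted fast hash on a GPU rig.
# Pick your own number; the shape of the result does not depend on it.
ASSUMED_GPU_GUESSES_PER_SEC = 10 ** 10


def random_password(length: int, alphabet: str = ALPHABET) -> str:
    """Each character drawn uniformly with the CSPRNG, so no pattern exists."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int, words=WORDS, sep: str = " ") -> str:
    """xkcd-936 style: the entropy comes from the uniform draw, not from the
    words being obscure."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, picks: int) -> float:
    """log2 of the number of equally likely outputs of the generator."""
    return picks * math.log2(choices)


def seconds_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Worst case for the attacker: every possible output tried once."""
    return 2.0 ** bits / guesses_per_sec


def compare(length_chars: int = 8, n_words: int = 4, wordlist_size: int = 2048,
            gpu_rate: float = ASSUMED_GPU_GUESSES_PER_SEC) -> dict:
    """An 8-character fully random password vs a 4-word passphrase, against
    xkcd's 1000 guesses/s (an online, rate-limited attacker) and against an
    offline GPU run over a leaked unsalted hash."""
    pw_bits = entropy_bits(len(ALPHABET), length_chars)
    pp_bits = entropy_bits(wordlist_size, n_words)
    year = 365 * 86400
    return {
        "password_bits": pw_bits,
        "passphrase_bits": pp_bits,
        "passphrase_online_years": seconds_to_exhaust(pp_bits, 1000) / year,
        "passphrase_gpu_minutes": seconds_to_exhaust(pp_bits, gpu_rate) / 60,
        "password_gpu_minutes": seconds_to_exhaust(pw_bits, gpu_rate) / 60,
    }


if __name__ == "__main__":
    print("random password  :", random_password(16))
    print("random passphrase:", random_passphrase(4))
    for k, v in compare().items():
        print(f"{k:26s} {v:,.1f}")
```

Two things the numbers make plain. First, the 44 bits of "correct horse battery staple" give the comic's ~550 years against an online attacker limited to 1000 guesses a second, but fall in about half an hour at the assumed 10^10 guesses/s that an unsalted MD5 leak allows. Second, the slide-9 rule "longer and more random" is the only lever the user controls; the gap between the two attacker speeds is the server's problem, which is why slide 11 ends at bcrypt.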
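Added example for slide 11 ("don't rely on salts; use bcrypt"), written for this page and not from the deck. bcrypt is not in Python's standard library, so hashlib.pbkdf2_hmac, another iterated adaptive construction, stands in for it here; the argument is the same and only the constants differ. The same dictionary attack is run against a salted MD5 and against the adaptive hash, and the block reports how much more each guess now costs the attacker. The wordlist and target password are constructed.

```python
"""Salted fast hash vs adaptive hash, under the same dictionary attack.

Added example for this page, not from the original deck. hashlib.pbkdf2_hmac
stands in for bcrypt (assumption: the verifier has no bcrypt module).
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed dictionary; the target sits last so every guess is paid for.
WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey",
            "iloveyou", "dragon", "Luvnme4aChange@$"]
TARGET = "Luvnme4aChange@$"

# Work factor for the adaptive hash. It is stored beside the hash, so it can be
# raised later as hardware gets faster; bcrypt stores its cost the same way.
ITERATIONS = 50_000


# --- salted MD5: the salt stops precomputed tables and nothing else ---------

def store_salted_md5(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.md5(salt + password.encode("utf-8")).digest()


def crack_salted_md5(salt: bytes, digest: bytes, words) -> Optional[str]:
    """The salt is in the same leaked row as the hash, so the attacker simply
    prepends it. Each guess costs one MD5: nanoseconds on a GPU."""
    for w in words:
        if hmac.compare_digest(hashlib.md5(salt + w.encode("utf-8")).digest(), digest):
            return w
    return None


# --- adaptive hash: the attacker pays `iterations` per guess ----------------

def store_adaptive(password: str, iterations: int = ITERATIONS) -> Tuple[bytes, int, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_adaptive(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Login-time check. compare_digest keeps the comparison constant-time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_adaptive(salt: bytes, iterations: int, digest: bytes, words) -> Optional[str]:
    """Identical attack loop; only the per-guess cost has changed."""
    for w in words:
        if verify_adaptive(w, salt, iterations, digest):
            return w
    return None


def timed(fn, *args):
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


def slowdown_factor(words=WORDLIST, target: str = TARGET) -> Tuple[Optional[str], Optional[str], float]:
    """Crack the same password both ways; return both results and how many
    times longer the adaptive run took. Both attacks succeed: the salt did not
    stop the dictionary, the work factor only made it expensive."""
    salt, md5_digest = store_salted_md5(target)
    found_md5, t_md5 = timed(crack_salted_md5, salt, md5_digest, words)

    salt2, iters, a_digest = store_adaptive(target)
    found_adaptive, t_adaptive = timed(crack_adaptive, salt2, iters, a_digest, words)

    return found_md5, found_adaptive, t_adaptive / max(t_md5, 1e-9)


if __name__ == "__main__":
    a, b, ratio = slowdown_factor()
    print(f"salted MD5 cracked: {a!r}; adaptive hash cracked: {b!r}; "
          f"adaptive run was ~{ratio:,.0f}x slower")
```

Both attacks recover the password, which is the slide's point: a salt changes nothing about per-guess cost. What the adaptive hash changes is that each guess now costs tens of thousands of primitive operations instead of one, and the cost parameter lives next to the hash so it can be raised as GPUs improve. bcrypt's cost field plays exactly the role ITERATIONS plays here.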
