Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Comprehensive analysis of a large portion of passwords specific to Ukrainian internet users.

Published in: Technology
  1-3. PASSWORDS COMPLEXITY
     • BILL BURR
     • 2003
     • NIST Special Publication 800-63B.
  4-6. P@ssw0rd, P@ssw0rd1
  7. PASSWORDS STORAGE
     • CLEAR-TEXT
     • ALGORITHM
     • HASH ALGORITHM
     • BCRYPT
     • SCRYPT
     • CRYPT ($2y$, $5$, $6$)
     • SALT
     • HASHING ON SERVER-SIDE
  8. PASSWORDS STORAGE (SALT)
     • (image: eat-less-salt-sodium.jpg)
  9. PASSWORDS STORAGE (SALT)
     • LENGTH
     • UNIQUE PER USER
     • RANDOM
     • SERVER-SIDE
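Added example, not from the deck: the deck's storage scheme md5(md5($pass)) (the hashcat 2600 format cracked later in the talk) next to a salted scrypt store that follows slide 9's checklist (length, unique per user, random, server-side). Python standard library only; the scrypt cost parameters and the "scrypt$n$r$p$salt$digest" record layout are assumptions of this example.

```python
import hashlib
import hmac
import os

def md5_md5(password: str) -> str:
    """The deck's format (hashcat mode 2600): md5 of the hex md5 digest, no salt."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("utf-8")).hexdigest()

# scrypt cost parameters: assumed values for this example, not from the deck
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16  # LENGTH: a 128-bit salt

def hash_password(password: str) -> str:
    """Salted scrypt. A fresh RANDOM salt per call makes it UNIQUE PER USER."""
    salt = os.urandom(SALT_BYTES)  # generated SERVER-SIDE, never sent by the client
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Keep parameters and salt with the digest, like crypt(3)'s $id$ formats
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)

def same_password_same_record(password: str) -> tuple:
    """Two users who pick the same password: does the stored value collide?
    Unsalted md5(md5()) collides, so one crack reveals every user with that
    password; the salted store does not."""
    return (md5_md5(password) == md5_md5(password),
            hash_password(password) == hash_password(password))

if __name__ == "__main__":
    print(md5_md5("123456"))                    # identical for every user with 123456
    print(same_password_same_record("123456"))  # (True, False)
```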
  10. PASSWORDS RECOVERY
     • SECURITY QUESTIONS
     • 3 QUESTIONS (2 PER REQUEST)
     • NEW QUESTIONS
     • WRONG ANSWERS
     • EMAILS
     • LOGGING
  11. PASSWORDS CRACKING
     • 190197
     • 139766
     • md5(md5($pass))
     • >6 SYMBOLS
     • NO PASSWORD RULES
     • 20+
  12. PASSWORDS CRACKING
  13. HASHCAT
     • -a
     • -m
     • -m 2600 md5(md5())
  14-15. DICTIONARY ATTACK
     • hashcat -a 0 -m 2600 hashes.txt example.dict
  16-17. ROCKYOU
     • /USR/SHARE/WORDLIST/ROCKYOU.TXT
  18. Chart ROCKYOU, cracked so far (ALL / UNIQUE): rockyou 48669 / 28668
  19. HASHCAT RULES
     • hashcat -a 0 -m 2600 hashes.txt example.dict -r rule
  20. ROCKYOU + BEST64.RULE
  21. Chart ROCKYOU + BEST64.RULE, cracked so far (ALL / UNIQUE): rockyou 48669 / 28668; rockyou + best64 67258 / 45350
  22. NUMMER_DB.TOP
     • http://wordbook.xyz/download/
  23. Chart NUMMER_DB.TOP, cracked so far (ALL / UNIQUE): nummer 107163 / 77745
  24. HASHCAT HYBRID ATTACK
     • hashcat -a 6 -m 2600 hashes.txt klichki.txt 19?d?d
     • hashcat -a 7 -m 2600 19?d?d hashes.txt klichki.txt
  25. Chart KLICHKI + 19?d?d, cracked so far (ALL / UNIQUE): klichki 109467 / 79549
  26. HASHCAT MASK ATTACK
     • hashcat -a 3 -m 6 hashes.txt -1 ?l?u
     • ?1?1?d?d?d?d?1?1
     • ?l = abcdefghijklmnopqrstuvwxyz
     • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
     • ?d = 0123456789
     • ?s = «space»!"#$%&'()*+,-./:;<=>?@[]^_`{|}~
     • ?a = ?l?u?d?s
     • ?b = 0x00 - 0xff
  27. Chart ?1?1?d?d?d?d?1?1 (-1 ?l?u), cracked so far (ALL / UNIQUE): ?1?1?d?d?d?d?1?1 110239 / 80289
  28. OWN DICTIONARY
  29. BRUTEFORCE
     • hashcat -a 3 -m 6 hashes.txt ?l?l?l?l?l?l
     • Web-app password policy
  30. Chart BRUTEFORCE, cracked so far (ALL / UNIQUE): 121210 / 90678
  31. MAKE YOUR OWN RULES
     • usage: ./morph.bin dictionary depth width pos_min pos_max
     • Dictionary = Wordlist used for frequency analysis.
     • Depth = Determines what “top” chains that you want.
     • Width = Max length of the chain.
  32. Chart OWN RULES, cracked so far (ALL / UNIQUE): 123897 / 93340
  33. TMESIS
     • tmesis.pl example.dict
  34. Chart TMESIS, cracked so far (ALL / UNIQUE): 124011 / 93450
  35. HASHCAT COMBINATOR
     • hashcat -a 1 -m 2600 hashes.txt example.dict example.dict2
  36. Chart COMBINATOR, cracked so far (ALL / UNIQUE): 125465 / 94808
  37. TOP RULES
     • TOP_250
     • TOP_500
     • TOP_1000
     • TOP_3000
     • TOP_5000
  38. Chart TOP RULES, cracked per step (ALL / UNIQUE, cumulative):
     • rockyou: 48669 / 28668
     • rockyou + best64: 67258 / 45350
     • nummer: 107163 / 77745
     • klichki: 109467 / 79549
     • ?1?1?d?d?d?d?1?1: 110239 / 80289
     • bruteforce: 121210 / 90678
     • own rules: 123897 / 93340
     • tmesis: 124011 / 93450
     • combinator: 125465 / 94808
     • top rules: 128973 / (UNIQUE value not extracted)
  39. MARKOV CHAINS
  40. TOP 15 /USR/SHARE/WORDLIST/ROCKYOU.TXT
     1. 123456 (1)
     2. 12345 (N)
     3. 123456789 (3)
     4. password (78)
     5. iloveyou (112)
     6. princess (955)
     7. 1234567 (5)
     8. rockyou (N)
     9. 12345678 (7)
     10. abc123 (230)
     11. nicole (N)
     12. daniel (N)
     13. babygirl (N)
     14. monkey (N)
     15. lovely (N)
  41-43. TOP 15 UKRAINE.DIC
     1. 123456 (1)
     2. 111111 (21)
     3. 123456789 (3)
     4. qwerty (20)
     5. 1234567 (7)
     6. 7777777 (153)
     7. 12345678 (9)
     8. $city (N)
     9. 123321 (196)
     10. 1234567890 (48)
     11. 123123 (40)
     12. 55555 (127)
     13. gfhjkm (272749)
     14. 000000 (23)
     15. 654321 (17)
  44. TOP 16-59 UKRAINE.DIC
     16. 777777
     17. 159753
     18. 666666
     19. 121212
     20. 1111111
     21. 11111111
     22. qazwsx
     23. 1q2w3e4r
     24. zxcvbnm
     25. 987654321
     26. 131313
     27. 123qwe
     28. 222222
     29. 1qaz2wsx
     30. 333333
     31. 112233
     32. 88888888
     33. qwertyuiop
     34. 888888
     35. 1q2w3e
     36. $app
     37. 123654
     38. 123123123
     39. 1q2w3e4r5t
     40. $app_cyr
     41. yfnfif
     42. ghbdtn
     43. qwe123
     44. samsung
     45. 789456
     46. 999999
     47. 12344321
     48. qwerty123
     49. zxcvbn
     50. 1qazxsw2
     51. 987654
     52. marina
     53. q1w2e3r4
     54. natali
     55. larisa
     56. vfhbyf
     57. 159357
     58. galina
     59. $city_keyb
  45. TOP 60-100 UKRAINE.DIC
     60. sergey
     61. 11223344
     62. nikita
     63. nfnmzyf
     64. 147258
     65. qazwsxedc
     66. 111222
     67. 31415926
     68. 987654321
     69. svetlana
     70. 101010
     71. 1111111111
     72. 1234554321
     73. 12345qwert
     74. 12341234
     75. 232323
     76. qweasdzxc
     77. password
     78. oplata
     79. viktoria
     80. 12qwaszx
     81. 789456123
     82. jgkfnf
     83. 252525
     84. 1qaz2wsx3edc
     85. 87654321
     86. natasha
     87. 7753191
     88. oksana
     89. hjvfirf
     90. qwertyui
     91. 999999999
     92. 1234qwer
     93. qazxsw
     94. jrcfyf
     95. 1234567w
     96. veronika
     97. vfrcbv
     98. qwerty12345
     99. master
     100. valentina
  46. TOP 100 UKRAINE.DIC
     • TOP 100 = 8764 OF 190197 (4.6%)
     • TOP 10 = 4984 OF 190197 (2.6%)
  47. TOP 20 BASE WORDS
     1. qwerty = 847 (0.55%)
     2. $city = 700 (0.45%)
     3. gfhjkm = 232 (0.15%)
     4. olga = 225 (0.15%)
     5. mama = 224 (0.14%)
     6. alex = 221 (0.14%)
     7. anna = 204 (0.13%)
     8. lena = 201 (0.13%)
     9. nata = 190 (0.12%)
     10. $app = 175 (0.11%)
     11. dima = 156 (0.1%)
     12. qazwsx = 145 (0.09%)
     13. sasha = 145 (0.09%)
     14. irina = 144 (0.09%)
     15. oleg = 137 (0.09%)
     16. natali = 137 (0.09%)
     17. vova = 136 (0.09%)
     18. vika = 130 (0.08%)
     19. sveta = 125 (0.08%)
     20. marina = 125 (0.08%)
  48. Chart PASSWORD LENGTH (number of passwords per length): 0-2: 0; 3: 80; 4: 119; 5: 139; 6: 42630; 7: 21625; 8: 42665; 9: 17201; 10: 14135; 11: 6855; 12: 4865; 13: 2033; 14: 1214; 15: 576; 16: 378
  49. LAST 4 DIGITS (Top 50)
     • 3456 = 2439
     • 1111 = 1021
     • 1987 = 615
     • 1986 = 584
     • 1984 = 582
     • 1983 = 565
     • 1985 = 562
     • 1975 = 559
     • 1980 = 550
     • 1981 = 539
     • 1976 = 536
     • 6789 = 535
     • 1979 = 524
     • 1982 = 512
     • 1978 = 502
     • 1977 = 499
     • 7777 = 491
     • 2012 = 487
     • 1974 = 481
     • 1988 = 474
     • 1989 = 460
     • 2010 = 455
     • 1972 = 444
     • 4321 = 441
     • 1973 = 421
     • 1990 = 414
     • 2009 = 408
     • 1970 = 403
     • 2008 = 403
     • 1971 = 397
     • 1991 = 385
     • 2011 = 384
     • 2015 = 377
     • 2007 = 369
     • 4567 = 355
     • 1969 = 343
     • 1234 = 340
     • 1965 = 338
     • 2006 = 336
     • 2345 = 335
     • 2013 = 332
     • 2005 = 326
     • 2014 = 326
     • 1968 = 314
     • 1964 = 313
     • 1967 = 310
     • 1966 = 305
     • 1962 = 297
     • 2000 = 293
     • 1963 = 292
  50. CHARACTER SETS
     1. numeric: 54056 (34.88%)
     2. loweralphanum: 52672 (33.99%)
     3. loweralpha: 23671 (15.28%)
     4. mixedalphanum: 9651 (6.23%)
     5. mixedalpha: 3628 (2.34%)
     6. upperalphanum: 2681 (1.73%)
     7. loweralphaspecialnum: 1164 (0.75%)
     8. loweralphaspecial: 1129 (0.73%)
     9. mixedalphaspecialnum: 563 (0.36%)
     10. specialnum: 507 (0.33%)
  51. Chart (title "Chart Title", two unlabeled series, 13 points each): Series 1 = 0, 25000, 45000, 80000, 82000, 90000, 95000, 96000, 98000, 100000, 101000, 101500, 103000; Series 2 = 0, 4000, 29000, 55000, 57000, 65000, 70000, 71000, 73000, 75000, 76000, 76200, 76600
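The metrics of slides 46-50 (top-N share, length histogram, character-set classes, last four digits) as an added audit script that is not part of the deck, run over a constructed sample list. The class names follow slide 50; the rule that assembles a name from the four character categories, the sample passwords and the audit() output layout are assumptions of this example.

```python
from collections import Counter
import re

def charset_class(pw: str) -> str:
    """Name the character categories present, in the style of the deck's slide 50
    (numeric, loweralpha, loweralphanum, mixedalphanum, upperalphanum, ...)."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    alpha = ("mixedalpha" if lower and upper else
             "loweralpha" if lower else "upperalpha" if upper else "")
    name = alpha + ("special" if special else "") + ("num" if digit else "")
    return "numeric" if name == "num" else (name or "empty")

def audit(passwords):
    """The deck's headline metrics over a list of recovered passwords:
    top-10 share, length histogram, character-set classes, last-4-digit suffixes."""
    total = len(passwords)
    counts = Counter(passwords)
    top10 = sum(n for _, n in counts.most_common(10))
    lengths = Counter(len(p) for p in passwords)
    charsets = Counter(charset_class(p) for p in passwords)
    # Year-like and run-like endings (the deck's "LAST 4 DIGITS" slide)
    last4 = Counter(m.group(1) for p in passwords if (m := re.search(r"(\d{4})$", p)))
    return {
        "total": total,
        "unique": len(counts),
        "top10_share": round(100 * top10 / total, 2) if total else 0.0,
        "lengths": dict(sorted(lengths.items())),
        "charsets": charsets.most_common(),
        "last4": last4.most_common(5),
    }

# Constructed sample (not the deck's data); the patterns mirror the deck's findings
SAMPLE = (["123456"] * 5 + ["qwerty", "qwerty123", "111111", "olga1987", "Olga1987",
           "marina1975", "P@ssw0rd", "P@ssw0rd1", "gfhjkm", "nata2012", "QWERTY12",
           "abc!def", "1q2w3e4r", "7777777", "12345678"])

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

The same audit run over a real cracked set gives a defender the numbers to justify a blocklist of the top entries and a minimum length, which is what the deck's statistics argue for.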
