Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017

OWASP Kyiv
PASSWORDS COMPLEXITY
BILL BURR
2003
NIST Special Publication 800-63B.
P@ssw0rd
P@ssw0rd1
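The slide's point is that composition rules produce P@ssw0rd and, on the next rotation, P@ssw0rd1, which is why SP 800-63B replaced them with a length minimum plus a blocklist check. The following Python is an added example, not code from the talk: it normalizes a candidate, undoes common leet substitutions and a trailing digit/punctuation suffix, and rejects it if the result is on a blocklist (here a constructed list built from the deck's own top-10) or contains a context word such as the application or city name (the deck's $app / $city placeholders). The COMMON set, the LEET table and the context words are assumptions.

```python
import re
import unicodedata

# Constructed blocklist for this example: the talk's top-10 from UKRAINE.DIC plus
# "password" and the keyboard-layout form of the Russian word for it. A real
# deployment loads a far larger list of leaked and common passwords.
COMMON = {
    "123456", "111111", "123456789", "qwerty", "1234567", "7777777",
    "12345678", "123321", "1234567890", "123123", "password", "gfhjkm",
}
MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets

# Assumed leet substitutions, enough to map "P@ssw0rd" back to "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "!": "i", "$": "s",
                      "5": "s", "3": "e", "4": "a", "7": "t", "|": "l"})


def candidates(pw):
    """Forms of the secret to compare with the blocklist, most literal first:
    lowercased; de-leeted; with a trailing digit/punctuation run removed
    (the "P@ssw0rd" -> "P@ssw0rd1" trick); and that form de-leeted too."""
    low = pw.lower()
    stripped = re.sub(r"[0-9!.?_\-]+$", "", low)
    forms = [low, low.translate(LEET), stripped, stripped.translate(LEET)]
    return [f for f in dict.fromkeys(forms) if f]   # dedupe, keep order, drop empties


def check_password(pw, blocklist=COMMON, context=("kyiv", "owasp")):
    """Return (accepted, reason). No composition rules: length and blocklist only."""
    pw = unicodedata.normalize("NFKC", pw)  # 800-63B: normalize before measuring/hashing
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    forms = candidates(pw)
    for cand in forms:
        if cand in blocklist:
            return False, "matches common password '%s'" % cand
    for word in context:
        # context-specific words: service name, user name, city (the slides' $app/$city)
        if len(word) >= 4 and any(word in cand for cand in forms):
            return False, "contains context word '%s'" % word
    return True, "ok"


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "123456", "qwerty123", "Kyiv2015!!", "correct horse battery staple"):
        print(pw, check_password(pw))
```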
PASSWORDS STORAGE
• CLEAR-TEXT
• ALGORITHM
• HASH ALGORITHM
• BCRYPT
• SCRYPT
• CRYPT ($2y$, $5$, $6$)
• SALT
• HASHING ON SERVER-SIDE
PASSWORDS STORAGE
(SALT)
• LENGTH
• UNIQUE PER USER
• RANDOM
• SERVER-SIDE
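An added Python example, not code from the talk, contrasting the md5(md5($pass)) scheme the cracked database used (hashcat -m 2600) with a per-user random salt and a slow hash from the slide's list (scrypt, here from the standard library). The cost parameters and the record format are assumptions; the salt has the four properties the slide asks for: fixed length, unique per user, random, generated server-side.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters for this example (not from the talk); tune to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def weak_hash(password: str) -> str:
    """md5(md5($pass)) as found in the leaked database (hashcat mode 2600): no salt,
    so identical passwords give identical hashes and one crack hits every such user."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt record. The salt is generated here, on the server, from the OS
    CSPRNG, 16 bytes, fresh for every user; it is stored beside the digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                       salt.hex(), digest.hex())


def verify(password: str, record: str) -> bool:
    """Recompute with the parameters and salt stored in the record; compare in constant time."""
    try:
        _, algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes(password: str) -> dict:
    """The same password stored for two users under each scheme."""
    a, b = make_record(password), make_record(password)
    return {
        "weak_identical": weak_hash(password) == weak_hash(password),  # True: one lookup table fits all
        "salted_identical": a == b,                                      # False: different salts
        "both_verify": verify(password, a) and verify(password, b),
        "wrong_rejected": not verify(password + "1", a),
    }


if __name__ == "__main__":
    print(compare_schemes("P@ssw0rd1"))
```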
PASSWORDS RECOVERY
• SECURITY QUESTIONS
• 3 QUESTIONS (2 PER REQUEST)
• NEW QUESTIONS
• WRONG ANSWERS
• EMAILS
• LOGGING
PASSWORDS CRACKING
• 190197
• 139766
• md5(md5($pass))
• >6 SYMBOLS
• NO PASSWORD RULES
• 20+
PASSWORDS CRACKING
HASHCAT
• -a
• -m
• -m 2600 md5(md5())
DICTIONARY ATTACK
DICTIONARY ATTACK
• hashcat -a 0 -m 2600 hashes.txt example.dict
ROCKYOU
• /USR/SHARE/WORDLIST/ROCKYOU.TXT
ROCKYOU
[Chart ROCKYOU, hashes cracked so far (all / unique): rockyou 48669 / 28668]
HASHCAT RULES
• hashcat -a 0 -m 2600 hashes.txt example.dict -r rule
ROCKYOU +BEST64.RULE
[Chart ROCKYOU + BEST64.RULE, hashes cracked so far (all / unique): rockyou 48669 / 28668; rockyou + best64 67258 / 45350]
NUMMER_DB.TOP
• http://wordbook.xyz/download/
[Chart NUMMER_DB.TOP, hashes cracked so far (all / unique): rockyou 48669 / 28668; rockyou + best64 67258 / 45350; nummer 107163 / 77745]
HASHCAT HYBRID ATTACK
• hashcat -a 6 -m 2600 hashes.txt klichki.txt 19?d?d
• hashcat -a 7 -m 2600 hashes.txt 19?d?d klichki.txt
[Chart KLICHKI + 19?d?d, hashes cracked so far (all / unique): rockyou 48669 / 28668; rockyou + best64 67258 / 45350; nummer 107163 / 77745; klichki 109467 / 79549]
HASHCAT MASK ATTACK
• hashcat -a 3 -m 6 hashes.txt -1 ?l?u ?1?1?d?d?d?d?1?1
• ?l = abcdefghijklmnopqrstuvwxyz
• ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
• ?d = 0123456789
• ?s = «space»!"#$%&'()*+,-./:;<=>?@[]^_`{|}~
• ?a = ?l?u?d?s
• ?b = 0x00 - 0xff
[Chart -1 ?l?u ?1?1?d?d?d?d?1?1, hashes cracked so far (all / unique): rockyou 48669 / 28668; rockyou + best64 67258 / 45350; nummer 107163 / 77745; klichki 109467 / 79549; ?1?1?d?d?d?d?1?1 110239 / 80289]
OWN DICTIONARY
BRUTEFORCE
• hashcat -a 3 -m 6 hashes.txt ?l?l?l?l?l?l
• Web-app password policy
[Chart BRUTEFORCE, hashes cracked so far (all / unique): rockyou 48669 / 28668; rockyou + best64 67258 / 45350; nummer 107163 / 77745; klichki 109467 / 79549; ?1?1?d?d?d?d?1?1 110239 / 80289; bruteforce 121210 / 90678]
MAKE YOUR OWN RULES
• usage: ./morph.bin dictionary depth width pos_min pos_max
• Dictionary = Wordlist used for frequency analysis.
• Depth = Determines what “top” chains that you want.
• Width = Max length of the chain.
[Chart OWN RULES, hashes cracked so far (all / unique): rockyou 48669 / 28668; rockyou + best64 67258 / 45350; nummer 107163 / 77745; klichki 109467 / 79549; ?1?1?d?d?d?d?1?1 110239 / 80289; bruteforce 121210 / 90678; own rules 123897 / 93340]
TMESIS
• tmesis.pl example.dict
[Chart TMESIS, hashes cracked so far (all / unique): rockyou 48669 / 28668; rockyou + best64 67258 / 45350; nummer 107163 / 77745; klichki 109467 / 79549; ?1?1?d?d?d?d?1?1 110239 / 80289; bruteforce 121210 / 90678; own rules 123897 / 93340; tmesis 124011 / 93450]
HASHCAT COMBINATOR
• hashcat -a 1 -m 2600 hashes.txt example.dict example.dict2
[Chart COMBINATOR, hashes cracked so far (all / unique): rockyou 48669 / 28668; rockyou + best64 67258 / 45350; nummer 107163 / 77745; klichki 109467 / 79549; ?1?1?d?d?d?d?1?1 110239 / 80289; bruteforce 121210 / 90678; own rules 123897 / 93340; tmesis 124011 / 93450; combinator 125465 / 94808]
TOP RULES
• TOP_250
• TOP_500
• TOP_1000
• TOP_3000
• TOP_5000
[Chart TOP RULES, hashes cracked so far (all / unique): rockyou 48669 / 28668; rockyou + best64 67258 / 45350; nummer 107163 / 77745; klichki 109467 / 79549; ?1?1?d?d?d?d?1?1 110239 / 80289; bruteforce 121210 / 90678; own rules 123897 / 93340; tmesis 124011 / 93450; combinator 125465 / 94808; top rules 128973 / (unique value not shown on the slide)]
MARKOV CHAINS
TOP 15 /USR/SHARE/WORDLIST/ROCKYOU.TXT
1. 123456 (1)
2. 12345 (N)
3. 123456789 (3)
4. password (78)
5. iloveyou (112)
6. princess (955)
7. 1234567 (5)
8. rockyou (N)
9. 12345678 (7)
10. abc123 (230)
11. nicole (N)
12. daniel (N)
13. babygirl (N)
14. monkey (N)
15. lovely (N)
TOP 15 UKRAINE.DIC
1. 123456 (1)
2. 111111 (21)
3. 123456789 (3)
4. qwerty (20)
5. 1234567 (7)
6. 7777777 (153)
7. 12345678 (9)
8. $city (N)
9. 123321 (196)
10. 1234567890 (48)
11. 123123 (40)
12. 55555 (127)
13. gfhjkm (272749)
14. 000000 (23)
15. 654321 (17)
TOP 16-59 UKRAINE.DIC
16. 777777
17. 159753
18. 666666
19. 121212
20. 1111111
21. 11111111
22. qazwsx
23. 1q2w3e4r
24. zxcvbnm
25. 987654321
26. 131313
27. 123qwe
28. 222222
29. 1qaz2wsx
30. 333333
31. 112233
32. 88888888
33. qwertyuiop
34. 888888
35. 1q2w3e
36. $app
37. 123654
38. 123123123
39. 1q2w3e4r5t
40. $app_cyr
41. yfnfif
42. ghbdtn
43. qwe123
44. samsung
45. 789456
46. 999999
47. 12344321
48. qwerty123
49. zxcvbn
50. 1qazxsw2
51. 987654
52. marina
53. q1w2e3r4
54. natali
55. larisa
56. vfhbyf
57. 159357
58. galina
59. $city_keyb
TOP 60-100 UKRAINE.DIC
60. sergey
61. 11223344
62. nikita
63. nfnmzyf
64. 147258
65. qazwsxedc
66. 111222
67. 31415926
68. 987654321
69. svetlana
70. 101010
71. 1111111111
72. 1234554321
73. 12345qwert
74. 12341234
75. 232323
76. qweasdzxc
77. password
78. oplata
79. viktoria
80. 12qwaszx
81. 789456123
82. jgkfnf
83. 252525
84. 1qaz2wsx3edc
85. 87654321
86. natasha
87. 7753191
88. oksana
89. hjvfirf
90. qwertyui
91. 999999999
92. 1234qwer
93. qazxsw
94. jrcfyf
95. 1234567w
96. veronika
97. vfrcbv
98. qwerty12345
99. master
100. valentina
TOP 100 UKRAINE.DIC
TOP 100 = 8764 OF 190197 (4.6%)
TOP 10 = 4984 OF 190197 (2.6%)
TOP 20 BASE WORDS
1. qwerty = 847 (0.55%)
2. $city = 700 (0.45%)
3. gfhjkm = 232 (0.15%)
4. olga = 225 (0.15%)
5. mama = 224 (0.14%)
6. alex = 221 (0.14%)
7. anna = 204 (0.13%)
8. lena = 201 (0.13%)
9. nata = 190 (0.12%)
10. $app = 175 (0.11%)
11. dima = 156 (0.1%)
12. qazwsx = 145 (0.09%)
13. sasha = 145 (0.09%)
14. irina = 144 (0.09%)
15. oleg = 137 (0.09%)
16. natali = 137 (0.09%)
17. vova = 136 (0.09%)
18. vika = 130 (0.08%)
19. sveta = 125 (0.08%)
20. marina = 125 (0.08%)
PASSWORD LENGTH
[Chart: number of passwords by length, 0 to 16: 0→0, 1→0, 2→0, 3→80, 4→119, 5→139, 6→42630, 7→21625, 8→42665, 9→17201, 10→14135, 11→6855, 12→4865, 13→2033, 14→1214, 15→576, 16→378]
LAST 4 DIGITS (Top 50)
• 3456 = 2439
• 1111 = 1021
• 1987 = 615
• 1986 = 584
• 1984 = 582
• 1983 = 565
• 1985 = 562
• 1975 = 559
• 1980 = 550
• 1981 = 539
• 1976 = 536
• 6789 = 535
• 1979 = 524
• 1982 = 512
• 1978 = 502
• 1977 = 499
• 7777 = 491
• 2012 = 487
• 1974 = 481
• 1988 = 474
• 1989 = 460
• 2010 = 455
• 1972 = 444
• 4321 = 441
• 1973 = 421
• 1990 = 414
• 2009 = 408
• 1970 = 403
• 2008 = 403
• 1971 = 397
• 1991 = 385
• 2011 = 384
• 2015 = 377
• 2007 = 369
• 4567 = 355
• 1969 = 343
• 1234 = 340
• 1965 = 338
• 2006 = 336
• 2345 = 335
• 2013 = 332
• 2005 = 326
• 2014 = 326
• 1968 = 314
• 1964 = 313
• 1967 = 310
• 1966 = 305
• 1962 = 297
• 2000 = 293
• 1963 = 292
CHARACTER SETS
1. numeric: 54056 (34.88%)
2. loweralphanum: 52672 (33.99%)
3. loweralpha: 23671 (15.28%)
4. mixedalphanum: 9651 (6.23%)
5. mixedalpha: 3628 (2.34%)
6. upperalphanum: 2681 (1.73%)
7. loweralphaspecialnum: 1164 (0.75%)
8. loweralphaspecial: 1129 (0.73%)
9. mixedalphaspecialnum: 563 (0.36%)
10. specialnum: 507 (0.33%)
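An added Python example (not the talk's own tooling) that reproduces the statistics behind the TOP 20 BASE WORDS, PASSWORD LENGTH, LAST 4 DIGITS and CHARACTER SETS slides, run over a constructed sample list instead of the talk's 190197-password dump. The class names follow the CHARACTER SETS slide; the base-word rule (strip leading and trailing non-letters, lowercase) is an assumption.

```python
import re
from collections import Counter

LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGIT = set("0123456789")


def charset_class(pw):
    """Name the character-set class the way the CHARACTER SETS slide does
    (numeric, loweralphanum, mixedalphaspecialnum, ...)."""
    if not pw:
        return "empty"
    has_l = any(c in LOWER for c in pw)
    has_u = any(c in UPPER for c in pw)
    has_d = any(c in DIGIT for c in pw)
    has_s = any(c not in LOWER and c not in UPPER and c not in DIGIT for c in pw)
    alpha = {(True, False): "loweralpha", (False, True): "upperalpha",
             (True, True): "mixedalpha"}.get((has_l, has_u), "")
    if not alpha and has_d and not has_s:
        return "numeric"
    if not alpha and has_s and not has_d:
        return "special"
    return alpha + ("special" if has_s else "") + ("num" if has_d else "")


def base_word(pw):
    """Lowercased core with leading/trailing non-letters removed: 'qwerty123' -> 'qwerty'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core or None


def last_four_digits(pw):
    """The trailing four characters when they are all digits (birth years, 3456, 1111)."""
    tail = pw[-4:]
    return tail if len(tail) == 4 and all(c in DIGIT for c in tail) else None


def analyze(passwords):
    """Counters behind the talk's statistics slides."""
    report = {"total": len(passwords), "lengths": Counter(), "charsets": Counter(),
              "last4": Counter(), "base_words": Counter()}
    for pw in passwords:
        report["lengths"][len(pw)] += 1
        report["charsets"][charset_class(pw)] += 1
        tail = last_four_digits(pw)
        if tail:
            report["last4"][tail] += 1
        base = base_word(pw)
        if base:
            report["base_words"][base] += 1
    return report


def top(counter, total, n=10):
    """(value, count, percent of all passwords), like the slide's 'qwerty = 847 (0.55%)'."""
    return [(v, c, round(100.0 * c / total, 2)) for v, c in counter.most_common(n)]


# Constructed sample (not real leaked data), chosen to exercise every counter.
SAMPLE = ["123456", "123456", "qwerty", "qwerty123", "P@ssw0rd1", "olga1987", "Olga1987",
          "7777777", "gfhjkm", "marina2012", "!!!123", "Kyiv2015"]

if __name__ == "__main__":
    r = analyze(SAMPLE)
    for key in ("charsets", "lengths", "last4", "base_words"):
        print(key, top(r[key], r["total"]))
```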
[Chart (untitled): Series 1 = 0, 25000, 45000, 80000, 82000, 90000, 95000, 96000, 98000, 100000, 101000, 101500, 103000; Series 2 = 0, 4000, 29000, 55000, 57000, 65000, 70000, 71000, 73000, 75000, 76000, 76200, 76600; y-axis 0 to 120000]