Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017

OWASP Kyiv
Sep. 11, 2017

  1. PASSWORDS COMPLEXITY BILL BURR 2003 NIST Special Publication 800-63B.

  2. PASSWORDS COMPLEXITY BILL BURR NIST Special Publication 800-63B.

  3. PASSWORDS COMPLEXITY BILL BURR NIST Special Publication 800-63B.

  4. (image slide)

  5. P@ssw0rd

  6. P@ssw0rd P@ssw0rd1

  7. PASSWORDS STORAGE • CLEAR-TEXT • ALGORITHM • HASH ALGORITHM • BCRYPT • SCRYPT • CRYPT ($2y$, $5$, $6$) • SALT • HASHING ON SERVER-SIDE

  8. PASSWORDS STORAGE (SALT) • eat-less-salt-sodium.jpg

  9. PASSWORDS STORAGE (SALT) • LENGTH • UNIQUE PER USER • RANDOM • SERVER-SIDE
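Slides 7 to 9 list the storage properties (slow hash algorithm, salt that is long, random, unique per user and generated server-side) and slide 11 shows the scheme the analysed dataset actually used, unsalted md5(md5($pass)). The following Python is an added example, not code from the talk: it puts the weak scheme beside a salted scrypt record so the difference is visible in the stored values. The record format, the work factors and the 16-byte salt length are this example's own assumptions; hashlib.scrypt needs a CPython built against OpenSSL 1.1 or newer.

```python
import hashlib
import hmac
import os

# The scheme behind the deck's dataset: unsalted md5(md5($pass)) with a hex inner digest
# (what hashcat mode 2600 cracks). Kept only as the "before" to contrast with the scheme below.
def weak_md5_md5(password: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("utf-8")).hexdigest()

# scrypt work factors (assumed values; tune so one hash costs roughly 100 ms on your server).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32
SALT_BYTES = 16  # 128-bit salt: long, random, unique per user, generated server-side

def hash_password(password: str) -> str:
    """Hash a new password with a fresh random salt; returns a self-describing record."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    # Record layout is this example's own convention (hypothetical), not a crypt(3) identifier.
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        _, scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False  # malformed record: wrong field count, bad hex or bad parameters
    return hmac.compare_digest(digest, expected)

def same_password_looks_same(password: str, scheme) -> bool:
    """True when two users who chose the same password get identical stored values."""
    return scheme(password) == scheme(password)

if __name__ == "__main__":
    print("md5(md5) identical for two users:", same_password_looks_same("P@ssw0rd", weak_md5_md5))
    print("scrypt+salt identical for two users:", same_password_looks_same("P@ssw0rd", hash_password))
    record = hash_password("P@ssw0rd")
    print(record)
    print("verify correct:", verify_password("P@ssw0rd", record))
    print("verify wrong:", verify_password("P@ssw0rd1", record))
```

With the unsalted scheme every user who picked 123456 shares one stored value, so a single cracked hash answers for all of them and a precomputed list works across the whole table; with a per-user random salt the same password yields a different record each time and each one has to be attacked separately at scrypt cost.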

  10. PASSWORDS RECOVERY • SECURITY QUESTIONS • 3 QUESTIONS (2 PER REQUESTS) • NEW QUESTIONS • WRONG ANSWERS • EMAILS • LOGGING

  11. PASSWORDS CRACKING • 190197 • 139766 • md5(md5($pass)) • >6 SYMBOLS • NO PASSWORD RULES • 20+

  12. PASSWORDS CRACKING

  13. HASHCAT • -a (attack mode) • -m (hash type) • -m 2600 = md5(md5($pass))

  14. DICTIONARY ATTACK

  15. DICTIONARY ATTACK • hashcat -a 0 -m 2600 hashes.txt example.dict

  16. ROCKYOU • /USR/SHARE/WORDLIST/ROCKYOU.TXT

  17. ROCKYOU

  18. ROCKYOU (chart of cracked passwords, all / unique) • rockyou: 48669 / 28668

  19. HASHCAT RULES • hashcat -a 0 -m 2600 hashes.txt example.dict -r rule

  20. ROCKYOU +BEST64.RULE

  21. ROCKYOU + BEST64.RULE (chart of cracked passwords, all / unique) • rockyou: 48669 / 28668 • rockyou + best64: 67258 / 45350

  22. NUMMER_DB.TOP • http://wordbook.xyz/download/

  23. NUMMER_DB.TOP (chart of cracked passwords, all / unique) • rockyou: 48669 / 28668 • rockyou + best64: 67258 / 45350 • nummer: 107163 / 77745

  24. HASHCAT HYBRID ATTACK • hashcat -a 6 -m 2600 hashes.txt klichki.txt 19?d?d • hashcat -a 7 -m 2600 19?d?d hashes.txt klichki.txt

  25. KLICHKI + 19?d?d (chart of cracked passwords, all / unique) • rockyou: 48669 / 28668 • rockyou + best64: 67258 / 45350 • nummer: 107163 / 77745 • klichki + 19?d?d: 109467 / 79549

  26. HASHCAT MASK ATTACK • hashcat -a 3 -m 6 hashes.txt -1 ?l?u • ?1?1?d?d?d?d?1?1 • ?l = abcdefghijklmnopqrstuvwxyz • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ • ?d = 0123456789 • ?s = «space»!"#$%&'()*+,-./:;<=>?@[]^_`{|}~ • ?a = ?l?u?d?s • ?b = 0x00 - 0xff

  27. -1 ?l?u ?1?1?d?d?d?d?1?1 (chart of cracked passwords, all / unique) • rockyou: 48669 / 28668 • rockyou + best64: 67258 / 45350 • nummer: 107163 / 77745 • klichki + 19?d?d: 109467 / 79549 • ?1?1?d?d?d?d?1?1: 110239 / 80289

  28. OWN DICTIONARY

  29. BRUTEFORCE • hashcat -a 3 -m 6 hashes.txt ?l?l?l?l?l?l • Web-app password policy
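Slides 24 to 29 show which shapes the cracked passwords fell into (a base word with 19?d?d appended, the ?1?1?d?d?d?d?1?1 mask, six lowercase letters) and slide 29 points at the web-app password policy as the place to act. The Python below is an added example, not the talk's own code: a server-side screening function a registration form could call, which derives the hashcat-style mask of a candidate, re-reads Latin letters on a ЙЦУКЕН layout (so that gfhjkm is recognised as пароль, the word behind entry 13 on slide 43) and rejects the patterns the deck found dominant. The blocklist, the keyboard-walk fragments and the 8-character minimum (the NIST SP 800-63B floor for user-chosen secrets) are this example's own assumptions.

```python
import string

MIN_LENGTH = 8  # NIST SP 800-63B minimum length for user-chosen memorized secrets

# QWERTY keys and the Cyrillic (ЙЦУКЕН) letters that sit on the same physical keys.
_LATIN = "qwertyuiop[]asdfghjkl;'zxcvbnm,."
_CYRILLIC = "йцукенгшщзхъфывапролджэячсмитьбю"
_TO_CYR = str.maketrans(_LATIN, _CYRILLIC)

# Constructed blocklist for this example: a few entries from the deck's top list plus the
# Cyrillic words that gfhjkm / ghbdtn / yfnfif / vfhbyf spell on a ЙЦУКЕН layout.
BLOCKLIST = {"123456", "111111", "123456789", "qwerty", "1234567", "7777777",
             "password", "пароль", "привет", "наташа", "марина"}
# Keyboard walks seen in the deck's top 100 (substring match).
KEYBOARD_WALKS = ("qwerty", "qazwsx", "1q2w3e", "zxcvbn", "1qaz2wsx", "qweasd")

def to_mask(password: str) -> str:
    """hashcat-style mask: ?l lower, ?u upper, ?d digit, ?s special, ?b anything else."""
    out = []
    for ch in password:
        if ch in string.ascii_lowercase:
            out.append("?l")
        elif ch in string.ascii_uppercase:
            out.append("?u")
        elif ch in string.digits:
            out.append("?d")
        elif ch in string.punctuation or ch == " ":
            out.append("?s")
        else:
            out.append("?b")
    return "".join(out)

def layout_shifted(password: str) -> str:
    """Re-read a Latin-letter password as if the same keys were typed on the Cyrillic layout."""
    return password.lower().translate(_TO_CYR)

def check_password(password: str) -> list:
    """Return the list of reasons to reject the candidate; an empty list means it passes."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in BLOCKLIST:
        reasons.append("in blocklist")
    elif layout_shifted(password) in BLOCKLIST:
        reasons.append("in blocklist after keyboard-layout shift (%s)" % layout_shifted(password))
    if to_mask(password) == "?d" * len(password):
        reasons.append("digits only")  # the largest class on slide 50
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        reasons.append("contains a keyboard walk")
    tail = password[-4:]
    if tail.isdigit() and tail[:2] in ("19", "20") and not password.isdigit():
        reasons.append("word followed by a year (%s)" % tail)  # the 19?d?d hybrid shape
    return reasons

if __name__ == "__main__":
    for candidate in ("123456", "gfhjkm", "Marina1987", "1q2w3e4r5t", "correct horse battery"):
        print("%-22s %-26s %s" % (candidate, to_mask(candidate), check_password(candidate) or "ok"))
```

The check is deliberately cheap so it can run on every password change; the real blocklist should be the site's own breach-derived list, and the layout shift should be extended to whatever keyboard layouts the user base actually types on.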

  30. BRUTEFORCE (chart of cracked passwords, all / unique) • rockyou: 48669 / 28668 • rockyou + best64: 67258 / 45350 • nummer: 107163 / 77745 • klichki + 19?d?d: 109467 / 79549 • ?1?1?d?d?d?d?1?1: 110239 / 80289 • bruteforce: 121210 / 90678

  31. MAKE YOUR OWN RULES • usage: ./morph.bin dictionary depth width pos_min pos_max • Dictionary = wordlist used for frequency analysis. • Depth = determines which "top" chains you want. • Width = max length of the chain.

  32. MAKE YOUR OWN RULES (chart of cracked passwords, all / unique) • rockyou: 48669 / 28668 • rockyou + best64: 67258 / 45350 • nummer: 107163 / 77745 • klichki + 19?d?d: 109467 / 79549 • ?1?1?d?d?d?d?1?1: 110239 / 80289 • bruteforce: 121210 / 90678 • own rules: 123897 / 93340

  33. TMESIS • tmesis.pl example.dict

  34. TMESIS (chart of cracked passwords, all / unique) • rockyou: 48669 / 28668 • rockyou + best64: 67258 / 45350 • nummer: 107163 / 77745 • klichki + 19?d?d: 109467 / 79549 • ?1?1?d?d?d?d?1?1: 110239 / 80289 • bruteforce: 121210 / 90678 • own rules: 123897 / 93340 • tmesis: 124011 / 93450

  35. HASHCAT COMBINATOR • hashcat -a 1 -m 2600 hashes.txt example.dict example.dict2

  36. COMBINATOR (chart of cracked passwords, all / unique) • rockyou: 48669 / 28668 • rockyou + best64: 67258 / 45350 • nummer: 107163 / 77745 • klichki + 19?d?d: 109467 / 79549 • ?1?1?d?d?d?d?1?1: 110239 / 80289 • bruteforce: 121210 / 90678 • own rules: 123897 / 93340 • tmesis: 124011 / 93450 • combinator: 125465 / 94808

  37. TOP RULES • TOP_250 • TOP_500 • TOP_1000 • TOP_3000 • TOP_5000

  38. TOP RULES (chart of cracked passwords, all / unique) • rockyou: 48669 / 28668 • rockyou + best64: 67258 / 45350 • nummer: 107163 / 77745 • klichki + 19?d?d: 109467 / 79549 • ?1?1?d?d?d?d?1?1: 110239 / 80289 • bruteforce: 121210 / 90678 • own rules: 123897 / 93340 • tmesis: 124011 / 93450 • combinator: 125465 / 94808 • top rules: 128973 / (unique value not shown on the chart)

  39. MARKOV CHAINS

  40. TOP 15 /USR/SHARE/WORDLIST/ROCKYOU.TXT (in parentheses: rank of the same password in UKRAINE.DIC; N = not present) 1. 123456 (1) 2. 12345 (N) 3. 123456789 (3) 4. password (78) 5. iloveyou (112) 6. princess (955) 7. 1234567 (5) 8. rockyou (N) 9. 12345678 (7) 10. abc123 (230) 11. nicole (N) 12. daniel (N) 13. babygirl (N) 14. monkey (N) 15. lovely (N)

  41. TOP 15 UKRAINE.DIC (partial reveal of the list on slide 43)

  42. TOP 15 UKRAINE.DIC (the list on slide 43 with entry 13 still hidden as "?")

  43. TOP 15 UKRAINE.DIC (in parentheses: rank of the same password in rockyou.txt; N = not present) 1. 123456 (1) 2. 111111 (21) 3. 123456789 (3) 4. qwerty (20) 5. 1234567 (7) 6. 7777777 (153) 7. 12345678 (9) 8. $city (N) 9. 123321 (196) 10. 1234567890 (48) 11. 123123 (40) 12. 55555 (127) 13. gfhjkm (272749) 14. 000000 (23) 15. 654321 (17)

  44. TOP 16-59 UKRAINE.DIC 16. 777777 17. 159753 18. 666666 19. 121212 20. 1111111 21. 11111111 22. qazwsx 23. 1q2w3e4r 24. zxcvbnm 25. 987654321 26. 131313 27. 123qwe 28. 222222 29. 1qaz2wsx 30. 333333 31. 112233 32. 88888888 33. qwertyuiop 34. 888888 35. 1q2w3e 36. $app 37. 123654 38. 123123123 39. 1q2w3e4r5t 40. $app_cyr 41. yfnfif 42. ghbdtn 43. qwe123 44. samsung 45. 789456 46. 999999 47. 12344321 48. qwerty123 49. zxcvbn 50. 1qazxsw2 51. 987654 52. marina 53. q1w2e3r4 54. natali 55. larisa 56. vfhbyf 57. 159357 58. galina 59. $city_keyb

  45. TOP 60-100 UKRAINE.DIC 60. sergey 61. 11223344 62. nikita 63. nfnmzyf 64. 147258 65. qazwsxedc 66. 111222 67. 31415926 68. 987654321 69. svetlana 70. 101010 71. 1111111111 72. 1234554321 73. 12345qwert 74. 12341234 75. 232323 76. qweasdzxc 77. password 78. oplata 79. viktoria 80. 12qwaszx 81. 789456123 82. jgkfnf 83. 252525 84. 1qaz2wsx3edc 85. 87654321 86. natasha 87. 7753191 88. oksana 89. hjvfirf 90. qwertyui 91. 999999999 92. 1234qwer 93. qazxsw 94. jrcfyf 95. 1234567w 96. veronika 97. vfrcbv 98. qwerty12345 99. master 100. valentina

  46. TOP 100 UKRAINE.DIC TOP 100 = 8764 OF 190197 (4.6%) TOP 10 = 4984 OF 190197 (2.6%)

  47. TOP 20 BASE WORDS 1. qwerty = 847 (0.55%) 2. $city = 700 (0.45%) 3. gfhjkm = 232 (0.15%) 4. olga = 225 (0.15%) 5. mama = 224 (0.14%) 6. alex = 221 (0.14%) 7. anna = 204 (0.13%) 8. lena = 201 (0.13%) 9. nata = 190 (0.12%) 10. $app = 175 (0.11%) 11. dima = 156 (0.1%) 12. qazwsx = 145 (0.09%) 13. sasha = 145 (0.09%) 14. irina = 144 (0.09%) 15. oleg = 137 (0.09%) 16. natali = 137 (0.09%) 17. vova = 136 (0.09%) 18. vika = 130 (0.08%) 19. sveta = 125 (0.08%) 20. marina = 125 (0.08%)

  48. PASSWORD LENGTH (chart: number of passwords per length) • 0-2: 0 • 3: 80 • 4: 119 • 5: 139 • 6: 42630 • 7: 21625 • 8: 42665 • 9: 17201 • 10: 14135 • 11: 6855 • 12: 4865 • 13: 2033 • 14: 1214 • 15: 576 • 16: 378

  49. LAST 4 DIGITS (Top 50) • 3456 = 2439 • 1111 = 1021 • 1987 = 615 • 1986 = 584 • 1984 = 582 • 1983 = 565 • 1985 = 562 • 1975 = 559 • 1980 = 550 • 1981 = 539 • 1976 = 536 • 6789 = 535 • 1979 = 524 • 1982 = 512 • 1978 = 502 • 1977 = 499 • 7777 = 491 • 2012 = 487 • 1974 = 481 • 1988 = 474 • 1989 = 460 • 2010 = 455 • 1972 = 444 • 4321 = 441 • 1973 = 421 • 1990 = 414 • 2009 = 408 • 1970 = 403 • 2008 = 403 • 1971 = 397 • 1991 = 385 • 2011 = 384 • 2015 = 377 • 2007 = 369 • 4567 = 355 • 1969 = 343 • 1234 = 340 • 1965 = 338 • 2006 = 336 • 2345 = 335 • 2013 = 332 • 2005 = 326 • 2014 = 326 • 1968 = 314 • 1964 = 313 • 1967 = 310 • 1966 = 305 • 1962 = 297 • 2000 = 293 • 1963 = 292

  50. CHARACTER SETS 1. numeric: 54056 (34.88%) 2. loweralphanum: 52672 (33.99%) 3. loweralpha: 23671 (15.28%) 4. mixedalphanum: 9651 (6.23%) 5. mixedalpha: 3628 (2.34%) 6. upperalphanum: 2681 (1.73%) 7. loweralphaspecialnum: 1164 (0.75%) 8. loweralphaspecial: 1129 (0.73%) 9. mixedalphaspecialnum: 563 (0.36%) 10. specialnum: 507 (0.33%)
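Slides 47 to 50 are the statistics the talk derived from its cracked set: top base words, length distribution, the last four digits (mostly birth years) and character-set classes. The Python below is an added example, not the talk's own tooling: the same four measurements over a small constructed list, using the class names from slide 50, so a team can run the analysis on the output of its own password audit and see which policy changes would hit the biggest classes. The sample list and the base-word rule (lowercase, leading and trailing digits and punctuation stripped) are this example's assumptions.

```python
import string
from collections import Counter

# Constructed sample of "cracked" passwords for this example (not data from the talk).
SAMPLE = [
    "123456", "111111", "qwerty", "gfhjkm", "qwerty123", "Marina1987", "sergey1975",
    "anna1987", "Olga2010", "P@ssw0rd", "oplata", "1q2w3e4r", "12345678", "dima123",
    "lena1987", "555555", "vova1111", "Natali!", "1234567890", "sasha1985",
]

def charset_class(pw: str) -> str:
    """Class names as on slide 50: numeric, loweralphanum, mixedalphaspecialnum, ..."""
    lower = any(c in string.ascii_lowercase for c in pw)
    upper = any(c in string.ascii_uppercase for c in pw)
    digit = any(c in string.digits for c in pw)
    special = any(c in string.punctuation or c == " " for c in pw)
    if digit and not (lower or upper or special):
        return "numeric"
    name = ""
    if lower and upper:
        name += "mixedalpha"
    elif lower:
        name += "loweralpha"
    elif upper:
        name += "upperalpha"
    if special:
        name += "special"
    if digit:
        name += "num"
    return name or "other"

def length_histogram(pws) -> Counter:
    return Counter(len(p) for p in pws)

def charset_histogram(pws) -> Counter:
    return Counter(charset_class(p) for p in pws)

def last4_digits(pws) -> Counter:
    """Only passwords whose last four characters are all digits contribute."""
    return Counter(p[-4:] for p in pws if len(p) >= 4 and p[-4:].isdigit())

def base_words(pws) -> Counter:
    """Lowercase the password and strip digits/punctuation from both ends."""
    words = Counter()
    for p in pws:
        w = p.lower().strip(string.digits + string.punctuation + " ")
        if w:
            words[w] += 1
    return words

def summarize(pws, top=5) -> dict:
    """Counts with percentages of the whole set, like the figures on slides 46-50."""
    total = len(pws)
    def pct(counter):
        return [(k, n, round(100.0 * n / total, 2)) for k, n in counter.most_common(top)]
    return {
        "total": total,
        "lengths": sorted(length_histogram(pws).items()),
        "charsets": pct(charset_histogram(pws)),
        "last4": pct(last4_digits(pws)),
        "basewords": pct(base_words(pws)),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print("%-10s %s" % (key, value))
```

On a real audit the list would come from the cracked half of the hash dump, and the interesting comparison is between the classes of the cracked and the still-uncracked passwords: whatever stays uncracked tells you which policy the resistant users are already following.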

  51. (chart with two unlabelled series, "Series 1" and "Series 2"; axis labels not recoverable)