Successfully reported this slideshow.

Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017

0

Share

Sep. 11, 2017
0 likes 1,060 views
Upcoming SlideShare
Inecuaciones - matematicas
Inecuaciones - matematicas
Loading in …3
×
1 of 60
1 of 60

Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017

Sep. 11, 2017
0 likes 1,060 views

0

Share

Download to read offline

Technology

Comprehensive analysis of a large portion of passwords specific to Ukrainian internet users.

Comprehensive analysis of a large portion of passwords specific to Ukrainian internet users.

Technology

Recommended

More Related Content

More from OWASP Kyiv

Dima Kovalenko - Modern SSL Pinning
OWASP Kyiv
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv
Vlada Kulish - Why So Serial?
OWASP Kyiv
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
OWASP Kyiv
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
OWASP Kyiv
Ihor Bliumental - WebSockets
OWASP Kyiv
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
OWASP Kyiv
Andriy Shalaenko - GO security tips
OWASP Kyiv
Vlad Styran - "Hidden" Features of the Tools We All Love
OWASP Kyiv
Volodymyr Ilibman - Close Look at Nyetya Investigation
OWASP Kyiv
Ihor Bliumental - Collision CORS
OWASP Kyiv
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
OWASP Kyiv
Ihor Bliumental – Is There Life Outside OWASP Top-10
OWASP Kyiv
Roman Rott – Ruby for Pentesters
OWASP Kyiv

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Carrying the Fire: 50th Anniversary Edition Michael Collins
(4.5/5)
Free
Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate Rose George
(4/5)
Free
Island of the Lost: An Extraordinary Story of Survival at the Edge of the World Joan Druett
(4/5)
Free
The Basics of Bitcoins and Blockchains: An Introduction to Cryptocurrencies and the Technology that Powers Them (Cryptography, Derivatives Investments, Futures Trading, Digital Assets, NFT) Antony Lewis
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free

Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017

  1. 1. PASSWORDS COMPLEXITY BILL BURR 2003 NIST Special Publication 800-63B.
  2. 2. PASSWORDS COMPLEXITY BILL BURR NIST Special Publication 800-63B.
  3. 3. PASSWORDS COMPLEXITY BILL BURR NIST Special Publication 800-63B.
  4. 4. `
  5. 5. ` P@ssw0rd
  6. 6. ` P@ssw0rd P@ssw0rd1
  7. 7. PASSWORDS STORAGE • CLEAR-TEXT • ALGORITHM • HASH ALGORITHM • BCRYPT • SCRYPT • CRYPT ($2y$, $5$, $6$) • SALT • HASHING ON SERVER-SIDE
  8. 8. PASSWORDS STORAGE (SALT) • eat-less-salt-sodium.jpg
  9. 9. PASSWORDS STORAGE (SALT) • LENGTH • UNIQUE PER USER • RANDOM • SERVER-SIDE
  10. 10. PASSWORDS RECOVERY • SECURITY QUESTIONS • 3 QUESTIONS (2 PER REQUESTS) • NEW QUESTIONS • WRONG ANSWERS • EMAILS • LOGGING
  11. 11. PASSWORDS CRACKING • 190197 • 139766 • md5(md5($pass)) • >6 SYMBOLS • NO PASSWORD RULES • 20+
  12. 12. PASSWORDS CRACKING
  13. 13. HASHCAT • -a • -m • -m 2600 md5(md5())
  14. 14. DICTIONARY ATTACK
  15. 15. DICTIONARY ATTACK • hashcat -a 0 -m 2600 hashes.txt example.dict
  16. 16. ROCKYOU • /USR/SHARE/WORDLIST/ROCKYOU.TXT
  17. 17. ROCKYOU
  18. 18. 0 48669 0 28668 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 0 rockyou ROCKYOU ALL UNIQUE
  19. 19. HASHCAT RULES • hashcat -a 0 -m 2600 hashes.txt example.dict –r rule
  20. 20. ROCKYOU +BEST64.RULE
  21. 21. 0 48669 67258 0 28668 45350 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 0 rockyou rockyou + best64 ROCKYOU + BEST64.RULE ALL UNIQUE
  22. 22. NUMMER_DB.TOP • http://wordbook.xyz/do wnload/
  23. 23. 0 48669 67258 107163 0 28668 45350 77745 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 0 rockyou rockyou + best64 nummer NUMMER_DB.TOP ALL UNIQUE
  24. 24. HASHCAT HYBRID ATTACK • hashcat -a 6 -m 2600 hashes.txt klichki.txt 19?d?d • hashcat -a 7 -m 2600 19?d?d hashes.txt klichki.txt
  25. 25. 0 48669 67258 107163 109467 0 28668 45350 77745 79549 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 0 rockyou rockyou + best64 nummer klichki KLICHKI + 19?d?d ALL UNIQUE
  26. 26. HASHCAT MASK ATTACK • hashcat -a 3 -m 6 hashes.txt -1 ?l?u • ?1?1?d?d?d?d?1?1 • ?l = abcdefghijklmnopqrstuvwxyz • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ • ?d = 0123456789 • ?s = «space»!"#$%&'()*+,-./:;<=>?@[]^_`{|}~ • ?a = ?l?u?d?s • ?b = 0x00 - 0xff
  27. 27. 0 48669 67258 107163 109467 110239 0 28668 45350 77745 79549 80289 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 0 rockyou rockyou + best64 nummer klichki ?1?1?d?d?d?d?1?1 -1 ?l?u ?1?1?d?d?d?d?1?1 ALL UNIQUE
  28. 28. OWN DICTIONARY
  29. 29. BRUTEFORCE • hashcat -a 3 -m 6 hashes.txt ?l?l?l?l?l?l • Web-app password policy
  30. 30. 0 48669 67258 107163 109467 110239 121210 0 28668 45350 77745 79549 80289 90678 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 BRUTEFORCE ALL UNIQUE
  31. 31. MAKE YOU OWN RULES • usage: ./morph.bin dictionary depth width pos_min pos_max- Dictionary = Wordlist used for frequency analysis. • - Depth = Determines what “top” chains that you want. • - Width = Max length of the chain.
  32. 32. MAKE YOUR OWN RULES • ./morph.bin dictionary depth width pos_min pos_max • Depth = Determines what “top” chains that you want. • Width = Max length of the chain. 0 48669 67258 107163 109467 110239 121210 123897 0 28668 45350 77745 79549 80289 90678 93340 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 OWN RULES ALL UNIQUE
  33. 33. TMESIS • tmesis.pl example.dict
  34. 34. MAKE YOUR OWN RULES • ./morph.bin dictionary depth width pos_min pos_max • Depth = Determines what “top” chains that you want. • Width = Max length of the chain. 0 48669 67258 107163 109467 110239 121210 123897 124011 0 28668 45350 77745 79549 80289 90678 93340 93450 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 TMESIS ALL UNIQUE
  35. 35. HASHCAT COMBINATOR • hashcat -a 1 -m 2600 hashes.txt example.dict example.dict2
  36. 36. MAKE YOUR OWN RULES • ./morph.bin dictionary depth width pos_min pos_max • Depth = Determines what “top” chains that you want. • Width = Max length of the chain. 0 48669 67258 107163 109467 110239 121210 123897 124011 125465 0 28668 45350 77745 79549 80289 90678 93340 93450 94808 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 COMBINATOR ALL UNIQUE
  37. 37. TOP RULES • TOP_250 • TOP_500 • TOP_1000 • TOP_3000 • TOP_5000
  38. 38. MAKE YOUR OWN RULES • ./morph.bin dictionary depth width pos_min pos_max • Depth = Determines what “top” chains that you want. • Width = Max length of the chain. 0 48669 67258 107163 109467 110239 121210 123897 124011 125465 128973 0 28668 45350 77745 79549 80289 90678 93340 93450 94808 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 TOP RULES ALL UNIQUE
  39. 39. MARKOV CHAINS
  40. 40. TOP 15 /USR/SHARE/WORDLIST/ROCKYO U.TXT 1. 123456 (1) 2. 12345 (N) 3. 123456789 (3) 4. password (78) 5. iloveyou (112) 6. princess (955) 7. 1234567 (5) 8. rockyou (N) 9. 12345678 (7) 10.abc123 (230) 11.nicole (N) 12.daniel (N) 13.babygirl (N) 14.monkey (N) 15.lovely (N)
  41. 41. TOP 15 UKRAINE.DIC 1. 123456 (1) 2. 3. 123456789 (3) 4. 5. 1234567 (7) 6. 7. 12345678 (9) 8. 9. 10. 11. 12. 13. 14. 15.
  42. 42. TOP 15 UKRAINE.DIC 1. 123456 (1) 2. 111111 (21) 3. 123456789 (3) 4. qwerty (20) 5. 1234567 (7) 6. 7777777 (153) 7. 12345678 (9) 8. $city (N) 9. 123321 (196) 10.1234567890 (48) 11.123123 (40) 12.55555 (127) 13.? (272749) 14.000000 (23) 15.654321 (17)
  43. 43. TOP 15 UKRAINE.DIC 1. 123456 (1) 2. 111111 (21) 3. 123456789 (3) 4. qwerty (20) 5. 1234567 (7) 6. 7777777 (153) 7. 12345678 (9) 8. $city (N) 9. 123321 (196) 10.1234567890 (48) 11.123123 (40) 12.55555 (127) 13.gfhjkm (272749) 14.000000 (23) 15.654321 (17)
  44. 44. TOP 16-59 UKRAINE.DIC 16. 777777 17. 159753 18. 666666 19. 121212 20. 1111111 21. 11111111 22. qazwsx 23. 1q2w3e4r 24. zxcvbnm 25. 987654321 26. 131313 27. 123qwe 28. 222222 29. 1qaz2wsx 30. 333333 31. 112233 32. 88888888 33. qwertyuiop 34. 888888 35. 1q2w3e 36. $app 37. 123654 38. 123123123 39. 1q2w3e4r5 t 40. $app_cyr 41. yfnfif 42. ghbdtn 43. qwe123 44. samsung 45. 789456 46. 999999 47. 12344321 48. qwerty123 49. zxcvbn 50. 1qazxsw2 51. 987654 52. marina 53. q1w2e3r4 54. natali 55. larisa 56. vfhbyf 57. 159357 58. galina 59. $city_keyb
  45. 45. TOP 60-100 UKRAINE.DIC 60. sergey 61. 11223344 62. nikita 63. nfnmzyf 64. 147258 65. qazwsxedc 66. 111222 67. 31415926 68. 987654321 69. svetlana 70. 101010 71. 1111111111 72. 1234554321 73. 12345qwert 74. 12341234 75. 232323 76. qweasdzxc 77. password 78. oplata 79. viktoria 80. 12qwaszx 81. 789456123 82. jgkfnf 83. 252525 84. 1qaz2wsx3ed c 85. 87654321 86. natasha 87. 7753191 88. oksana 89. hjvfirf 90. qwertyui 91. 999999999 92. 1234qwer 93. qazxsw 94. jrcfyf 95. 1234567w 96. veronika 97. vfrcbv 98. qwerty12345 99. master 100.valentina
  46. 46. TOP 100 UKRAINE.DIC TOP 100 = 8764 OF 190197 (4.6%) TOP 10 = 4984 OF 190197 (2.6%)
  47. 47. TOP 20 BASE WORDS 1. qwerty = 847 (0.55%) 2. $city = 700 (0.45%) 3. gfhjkm = 232 (0.15%) 4. olga = 225 (0.15%) 5. mama = 224 (0.14%) 6. alex = 221 (0.14%) 7. anna = 204 (0.13%) 8. lena = 201 (0.13%) 9. nata = 190 (0.12%) 10. $app = 175 (0.11%) 11. dima = 156 (0.1%) 12. qazwsx = 145 (0.09%) 13. sasha = 145 (0.09%) 14. irina = 144 (0.09%) 15. oleg = 137 (0.09%) 16. natali = 137 (0.09%) 17. vova = 136 (0.09%) 18. vika = 130 (0.08%) 19. sveta = 125 (0.08%) 20. marina = 125 (0.08%)
  48. 48. 0 0 0 80 119 139 42630 21625 42665 17201 14135 6855 4865 2033 1214 576 378 0 5000 10000 15000 20000 25000 30000 35000 40000 45000 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 PASSWORD LENGHT
  49. 49. LAST 4 DIGITS (Top 50) • 3456 = 2439 • 1111 = 1021 • 1987 = 615 • 1986 = 584 • 1984 = 582 • 1983 = 565 • 1985 = 562 • 1975 = 559 • 1980 = 550 • 1981 = 539 • 1976 = 536 • 6789 = 535 • 1979 = 524 • 1982 = 512 • 1978 = 502 • 1977 = 499 • 7777 = 491 • 2012 = 487 • 1974 = 481 • 1988 = 474 • 1989 = 460 • 2010 = 455 • 1972 = 444 • 4321 = 441 • 1973 = 421 • 1990 = 414 • 2009 = 408 • 1970 = 403 • 2008 = 403 • 1971 = 397 • 1991 = 385 • 2011 = 384 • 2015 = 377 • 2007 = 369 • 4567 = 355 • 1969 = 343 • 1234 = 340 • 1965 = 338 • 2006 = 336 • 2345 = 335 • 2013 = 332 • 2005 = 326 • 2014 = 326 • 1968 = 314 • 1964 = 313 • 1967 = 310 • 1966 = 305 • 1962 = 297 • 2000 = 293 • 1963 = 292
  50. 50. CHARACTER SETS 1. numeric: 54056 (34.88%) 2. loweralphanum: 52672 (33.99%) 3. loweralpha: 23671 (15.28%) 4. mixedalphanum: 9651 (6.23%) 5. mixedalpha: 3628 (2.34%) 6. upperalphanum: 2681 (1.73%) 7. loweralphaspecialnum: 1164 (0.75%) 8. loweralphaspecial: 1129 (0.73%) 9. mixedalphaspecialnum: 563 (0.36%) 10.specialnum: 507 (0.33%)
  51. 51. 0 25000 45000 80000 82000 90000 95000 96000 98000 100000 101000 101500 103000 0 4000 29000 55000 57000 65000 70000 71000 73000 75000 76000 76200 76600 0 20000 40000 60000 80000 100000 120000 Chart Title Series 1 Series 2

×