The Death of Passwords
2012 03 The Death of Passwords by Artëm Kazantsev, Duke IT Security

1. The Death of Passwords
2. Dangers to Passwords
   - Passwords are “phished”
   - Passwords are shared
   - Users use dictionary words or “lazy” passwords
   - Users reuse a password across different sites
   - Users recycle passwords or add numbers at the end (BlueDevil#9)
   - Passwords can be cracked using: brute force of the hashes and/or rainbow tables and/or GPU cracking ...
3. Demo of the GPU cracking
   5 characters of mixed case, characters and numbers: ~2.5 min brute force on an NVidia NVS 3100M (16 cores, 512 MB).
   For comparison, an NVidia PCI Express card (eVGA): memory clock 4212 MHz effective, shader clock 1800 MHz, 512 CUDA cores, 3072 MB GDDR5 memory, ~$600.
4. Cracking Passwords
   (diagram: Password Guess → HASH → compared against the Password File; both sides show the same hash fragments d131dd02c5e 6eec4693d9a 0698aff95c, i.e. a match)

   Password Type           | Using the CPU  | Using the GPU
   ------------------------|----------------|----------------------
   6 char (no spec chars)  | 1 hour 30 sec  | 4 seconds
   7 char (no spec chars)  | 4 days         | 17 minutes 30 seconds
   7 char (spec chars)     | 75 days        | 7 hours
   9 char (spec chars)     | 43 years       | 48 days
5. 12345 anyone?
   “I’m so clever” passwords:
   - Q1W2E3R4
   - A!S@D#F$
   - zxcv/.,m
   - Aq1Sw2De3Fr4
   - L33tSp3@K (th3y w1ll n3v3r gu3$$)
6. Dictionary lists, hybrid attacks and mangle rules

   ```c
   /* Rule-op table as shown on the slide (hashcat-style single-character ops). */
   #define RULE_OP_MANGLE_LREST          'l'  // lower case all chars
   #define RULE_OP_MANGLE_UREST          'u'  // upper case all chars
   #define RULE_OP_MANGLE_LREST_UFIRST   'c'  // lower case all chars, upper case 1st
   #define RULE_OP_MANGLE_UREST_LFIRST   'C'  // upper case all chars, lower case 1st
   #define RULE_OP_MANGLE_TREST          't'  // switch the case of each char
   #define RULE_OP_MANGLE_TOGGLE_AT      'T'  // switch the case of the char at pos N
   #define RULE_OP_MANGLE_REVERSE        'r'  // reverse word
   #define RULE_OP_MANGLE_DUPEWORD       'd'  // append word to itself
   #define RULE_OP_MANGLE_DUPEWORD_TIMES 'p'  // append word to itself N times
   #define RULE_OP_MANGLE_REFLECT        'f'  // reflect word (append reversed word)
   #define RULE_OP_MANGLE_ROTATE_LEFT    '{'  // rotate the word left. ex: hello -> elloh
   #define RULE_OP_MANGLE_ROTATE_RIGHT   '}'  // rotate the word right. ex: hello -> ohell
   #define RULE_OP_MANGLE_APPEND         '$'  // append char X
   #define RULE_OP_MANGLE_PREPEND        '^'  // prepend char X
   #define RULE_OP_MANGLE_DELETE_FIRST   '['  // delete first char of word
   #define RULE_OP_MANGLE_DELETE_LAST    ']'  // delete last char of word
   #define RULE_OP_MANGLE_DELETE_AT      'D'  // delete char of word at pos N
   #define RULE_OP_MANGLE_EXTRACT        'x'  // delete X chars of word at pos N
   #define RULE_OP_MANGLE_INSERT         'i'  // insert char X at pos N
   #define RULE_OP_MANGLE_OVERSTRIKE     'o'  // overwrite with char X at pos N
   #define RULE_OP_MANGLE_TRUNCATE_AT    '\'' // cut the word at pos N (op char lost on the slide; '\'' in hashcat's rules.h)
   #define RULE_OP_MANGLE_REPLACE        's'  // replace all chars X with char Y
   #define RULE_OP_MANGLE_PURGECHAR      '@'  // -- not implemented --
   #define RULE_OP_MANGLE_DUPECHAR_FIRST 'z'  // prepend first char of word to itself. ex: hello -> hhello
   #define RULE_OP_MANGLE_DUPECHAR_LAST  'Z'  // append last char of word to itself. ex: hello -> helloo
   #define RULE_OP_MANGLE_DUPECHAR_ALL   'q'  // duplicate all chars. ex: hello -> hheelllloo
   ```
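The rule ops on this slide are what turn one dictionary word into thousands of candidates, which is also why a password policy should check for them. The following is an added example, not code from the slides or from hashcat: a small Python interpreter for the ops listed above, used the defender's way, as a policy check that rejects a candidate when it is only a mangled or leet-spelled dictionary word (the “L33tSp3@K” and “BlueDevil#9” cases from earlier slides). The wordlist, rule list and leet map are constructed samples; the TRUNCATE_AT, EXTRACT and PURGECHAR ops are left out.

```python
"""Added example (not from the slides or from hashcat): a policy check that
rejects candidate passwords which are only a slide-6 style mangling, or a
leet-speak rewrite, of a dictionary word. Positions/counts N are one digit."""

# Leet substitutions undone before the dictionary lookup (constructed map).
LEET = str.maketrans({"3": "e", "1": "l", "0": "o", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Slide-6 ops that take no argument.
SIMPLE_OPS = {
    "l": str.lower,                                # lower case all chars
    "u": str.upper,                                # upper case all chars
    "c": lambda w: w[:1].upper() + w[1:].lower(),  # lower all, upper 1st
    "C": lambda w: w[:1].lower() + w[1:].upper(),  # upper all, lower 1st
    "t": str.swapcase,                             # toggle case of each char
    "r": lambda w: w[::-1],                        # reverse
    "d": lambda w: w + w,                          # append word to itself
    "f": lambda w: w + w[::-1],                    # reflect
    "{": lambda w: w[1:] + w[:1],                  # rotate left:  hello -> elloh
    "}": lambda w: w[-1:] + w[:-1],                # rotate right: hello -> ohell
    "[": lambda w: w[1:],                          # delete first char
    "]": lambda w: w[:-1],                         # delete last char
    "z": lambda w: w[:1] + w,                      # hello -> hhello
    "Z": lambda w: w + w[-1:],                     # hello -> helloo
    "q": lambda w: "".join(c * 2 for c in w),      # hello -> hheelllloo
}


def apply_rule(word, rule):
    """Apply one rule string (a sequence of slide-6 ops) to a word.
    As in hashcat, an op whose position is out of range leaves the word as is."""
    w, i = word, 0
    while i < len(rule):
        op = rule[i]
        i += 1
        if op in SIMPLE_OPS:
            w = SIMPLE_OPS[op](w)
        elif op == "$":                            # $X: append char X
            w, i = w + rule[i], i + 1
        elif op == "^":                            # ^X: prepend char X
            w, i = rule[i] + w, i + 1
        elif op == "p":                            # pN: append word N times
            w, i = w * (int(rule[i]) + 1), i + 1
        elif op == "s":                            # sXY: replace all X with Y
            w, i = w.replace(rule[i], rule[i + 1]), i + 2
        elif op in "TD":                           # TN toggle / DN delete at N
            n, i = int(rule[i]), i + 1
            if n < len(w):
                mid = w[n].swapcase() if op == "T" else ""
                w = w[:n] + mid + w[n + 1:]
        elif op == "i":                            # iNX: insert X at N
            n, x, i = int(rule[i]), rule[i + 1], i + 2
            if n <= len(w):
                w = w[:n] + x + w[n:]
        elif op == "o":                            # oNX: overwrite pos N with X
            n, x, i = int(rule[i]), rule[i + 1], i + 2
            if n < len(w):
                w = w[:n] + x + w[n + 1:]
        else:
            raise ValueError("unsupported rule op %r" % op)
    return w


def normalize_leet(candidate):
    """Undo common leet substitutions: 'L33tSp3@K' -> 'leetspeak'."""
    return candidate.translate(LEET).lower()


def dictionary_derived(candidate, wordlist, rules):
    """Return (word, rule) if the candidate is a leet rewrite or a rule
    mangling of a wordlist entry; None if no such derivation is found."""
    norm = normalize_leet(candidate)
    for word in wordlist:
        if norm == word.lower():
            return word, "leet"
        for rule in rules:
            if apply_rule(word, rule) == candidate:
                return word, rule
    return None


# Constructed sample inputs; a real check would load a large wordlist and the
# rule files that ship with cracking tools.
SAMPLE_WORDS = ["password", "BlueDevil", "leetspeak", "hello"]
SAMPLE_RULES = ["l", "c", "r", "c$1$!", "$#$9", "$1$2$3", "so0", "sa@", "{", "}"]

if __name__ == "__main__":
    for cand in ("Password1!", "BlueDevil#9", "L33tSp3@K", "drowssap", "Xq7!vR2p"):
        hit = dictionary_derived(cand, SAMPLE_WORDS, SAMPLE_RULES)
        print("%-12s %s" % (cand, "REJECT (%s via rule %s)" % hit if hit else "ok"))
```

The check is deliberately the attacker's own expansion run in reverse: if a cheap rule file can produce the candidate from a wordlist entry, the candidate offers no more entropy than the entry itself, whatever its length or symbol count.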
7. Rainbow Tables
   - http://www.freerainbowtables.com/ (using BOINC distributed computing for calculation) (5271 GB as of 02/20/2012)
   - RainbowCrack – your local friendly rainbow table generator / converter (different formats of RT) / cracker
8. RainbowCrack Project example

   ```
   ntlm_mixalpha-numeric#1-9
   Hash Algorithm:                NTLM
   Charset:                       abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
   Plaintext Length:              1 to 9
   Key Space:                     13,759,005,997,841,642 (about 2^53.6)
   Table Pre-computation Effort:  59,476,604,035,792,896 (about 2^55.7) hash computations
   Table Size:                    864 GB
   ```

   That pretty much means the game is over for NTLM passwords of fewer than 10 alphanumeric characters!
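The numbers on this slide and the CPU/GPU timing table on slide 4 are plain key-space arithmetic. As an added example, not from the slides or from the RainbowCrack project, the Python below reproduces the key-space figure above, converts a key space and a hash rate into a worst-case brute-force time, shows the minimum length needed to reach a given number of bits (the “longer passwords / passphrases” defense), and shows why a random per-user salt multiplies the precomputation a rainbow table needs. The hash rate used in the demo is a labelled assumption, not a figure from the slides.

```python
"""Added example (not from the slides or from the RainbowCrack project):
the key-space arithmetic behind the slide-8 table listing and the slide-4
timing table, and why a per-user salt makes precomputed tables impractical."""
import math

MIXALPHA_NUMERIC = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Assumed hashing rate for the demo only; the slides give times, not a rate.
ASSUMED_GPU_RATE = 3.5e9


def key_space(charset_size, min_len, max_len):
    """Number of plaintexts of length min_len..max_len over the charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def bits(n):
    """Size of a search space in bits, one decimal (the slide's 2^53.6 style)."""
    return round(math.log2(n), 1)


def seconds_to_exhaust(space, hashes_per_second):
    """Worst-case brute-force time; the expected time is about half of it."""
    return space / hashes_per_second


def fmt_duration(seconds):
    """Render seconds in the largest fitting unit, as the slide-4 table does."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return "%.1f %s" % (seconds / size, name)
    return "%.1f seconds" % seconds


def min_length_for_bits(charset_size, target_bits):
    """Shortest length whose single-length key space reaches 2^target_bits."""
    length = 1
    while charset_size ** length < 2 ** target_bits:
        length += 1
    return length


def tables_needed(salt_bits):
    """A rainbow table is only valid for one salt value, so a random s-bit
    salt multiplies the precomputation by 2^s. NTLM is unsalted, which is
    why one 864 GB table ends the game for short NTLM passwords."""
    return 2 ** salt_bits


if __name__ == "__main__":
    space = key_space(len(MIXALPHA_NUMERIC), 1, 9)
    print("NTLM mixalpha-numeric 1-9 key space: {:,} (about 2^{})".format(space, bits(space)))
    for length in (6, 7, 9):
        worst = seconds_to_exhaust(62 ** length, ASSUMED_GPU_RATE)
        print("%d chars over 62 symbols at %.1e H/s: %s" % (length, ASSUMED_GPU_RATE, fmt_duration(worst)))
    print("tables needed with a 16-bit salt:", tables_needed(16))
    print("length for 2^64 over 62 symbols:", min_length_for_bits(62, 64))
```

Two things the table hides fall out of the arithmetic: every extra character multiplies the cost by the charset size, so length beats character-class rules, and any salt of reasonable size makes a precomputed table cover a negligible fraction of the users it would have to serve.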
9. Methods to Compromise Accounts/Passwords vs. Defenses
   Defense columns on the slide: Longer passwords (passphrases) | Regular password changes | Account lockouts | Multi-factor | Education | Network encryption | Host-based security
   Rows, with the ✔ marks as they appear on the slide (the column each mark sits in is not recoverable from this copy):
   - Password Cracking (Dictionary Attack, Brute Force, Rainbow Tables, GPU Cracking): ✔ ✔ ✔ ✔
   - Password Sharing: ✔ ✔
   - Phishing/Social Engineering: ✔ ✔
   - Man-in-the-Middle Attack: ✔ ✔ ✔
   - Network Sniffing: ✔ ✔ ✔ ✔ ✔
   - Keylogger: ✔ ✔ * * (* unless digital cert)
10. What is Multi-Factor
   - Authentication involves:
     – Something you know (e.g. password)
     – Something you have (e.g. digital cert, “token”)
     – Something you are (e.g. fingerprint, voice pattern)
     – Somewhere you are (e.g. GPS or network IP)
   - Passwords provide 1 of these items. What if we supported the use of a second? Or a third?
   - Depending on a user's role AND the application they are trying to access, we could provide a second factor for authentication
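The “something you have” factor the slide describes is most often a one-time code from a token or phone app. As an added example, not from the slides, here is the RFC 4226 (HOTP) and RFC 6238 (TOTP) code generator in standard-library Python together with the server-side verifier, which is where the security decisions live: a small clock-skew window, a constant-time comparison, and a replay check so a code captured by a keylogger or phishing page cannot be reused after the legitimate login. The secret is the published RFC test secret, used only for the demo.

```python
"""Added example (not from the slides): the 'something you have' factor of
slide 10 as an RFC 4226/6238 one-time code generator plus a server-side
verifier with clock-skew window and replay protection. Standard library only."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret, submitted, for_time, last_used_counter=None,
                step=30, digits=6, window=1):
    """Server side: accept a code from the current step +/- window steps
    (clock skew), compare in constant time, and never accept a counter at or
    before the last one already used by this user (replay protection).
    Returns (accepted, counter) so the caller can persist the counter."""
    now_counter = int(for_time // step)
    for counter in range(now_counter - window, now_counter + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, None


def provisioning_secret(secret):
    """Base32 form of the shared secret, as authenticator apps expect it."""
    return base64.b32encode(secret).decode("ascii")


# Constructed demo key: the RFC 4226 / RFC 6238 test secret, not a real one.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("enroll the app with:", provisioning_secret(DEMO_SECRET))
    code = totp(DEMO_SECRET, 59)
    print("code at t=59:", code)
    ok, used = verify_totp(DEMO_SECRET, code, 59)
    print("first use accepted:", ok, "counter:", used)
    print("same code replayed 16 s later:",
          verify_totp(DEMO_SECRET, code, 75, last_used_counter=used))
```

The persisted `last_used_counter` is what turns a phished or keylogged code into a dead end once the real user has logged in; without it, anything inside the skew window is replayable. The shared secret is the equivalent of the slide's “seed server must be protected at all costs” caveat for tokens.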
11. Multifactor Options
   - Tokens
     Pros: Industry standard; can be implemented into current authentication services; can run on top of the existing password policy.
     Cons: Token replacement costs; if lost, stolen, or not available, the user cannot log in; may not be able to log in from a guest machine; the ‘seed’ server must be protected at all costs.
   - Digital Certificates
     Pros: Cheapest option (via InCommon); least impact to users; can run on top of the existing password policy.
     Cons: Only ½ of a factor in some cases; the cert must be installed on all user devices; cannot log in from a guest machine; depends on user key protection.
   - Phone (SMS/QR tech)
     Pros: Similar to tokens; low-cost/open source options; works well for those that have smart phones; can …
     Cons: The user has to have a phone that can take pictures or SMS; if the phone is lost, stolen, or not available, the user cannot log in.
12. Passwords Alone Are No Longer Effective
