What's in a password

Talk presented at CodeStock 2014
1. So, What's in a Password?
   Presented by Rob Gillen / @argodev
   This work is licensed under a Creative Commons Attribution 4.0 International License.
   This talk and related resources are available online: https://github.com/argodev/talks/

2. Don't be Stupid
   The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.

3. Disclaimer
   The content of this presentation represents my personal views and thoughts at the present time. I reserve the right to change my views and opinions at any time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.

4. Password Attacks: A Year in Review

5. Pixel Federation
   In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text.
   http://haveibeenpwned.com/

6. Vodafone
   In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS messages, server logs and passwords from a variety of different internal sources.
   http://haveibeenpwned.com/

7. Adobe
   The big one. In October 2013, 153 million accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords, adding further to the risk that hundreds of millions of Adobe customers already faced.
   http://haveibeenpwned.com/

8. Twitter
   February 2013 - This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
   https://blog.twitter.com/2013/keeping-our-users-secure

9. More...
   cvideo.co.il – 10/15/2013 – 3,339
   penangmarathon.gov.my – 10/8/2013 – 1,387
   tomsawyer.com – 10/6/2013 – 57,462
   ahashare.com – 10/3/2013 – 169,874
   http://hackread.com/iranian-hackers-hack-israeli-job-site/
   http://www.cyberwarnews.info/2013/10/07/45000-penang-marathon-participants-personal-details-leaked/
   http://www.cyberwarnews.info/2013/10/07/software-company-tom-sawyer-hacked-61000-vendors-accounts-leaked/
   http://www.cyberwarnews.info/2013/10/04/ahashare-com-hacked-complete-database-with-190-000-user-credentials-leaked/
   https://shouldichangemypassword.com/all-sources.php

10. More...
   Unknown Israeli website – 7/30/2013 – 26,064
   UK emails – 7/17/2013 – 8,002
   UK emails (part 2) – 7/17/2013 – 7,514
   http://www.pakistanintelligence.com – 5/27/2013 – 75,942
   http://hackread.com/opizzah-opisrael-phr0zenmyst-claims-to-leak-login-details-of-33895-israelis/
   http://www.techworm.in/2013/07/more-than-15000-emails-username-and.html
   http://www.ehackingnews.com/2013/05/pakistan-intelligence-job-board-website.html
   https://shouldichangemypassword.com/all-sources.php

11. More...
   McDonalds Taiwan – 3/27/2013 – 185,620
   karjera.ktu.lt – 3/14/2013 – 14,133
   avadas.de – 3/9/2013 – 3,344
   angloplatinum.co.za – 3/5/2013 – 7,967
   http://www.cyberwarnews.info/2013/03/28/official-mcdonalds-austria-taiwan-korea-hacked-over-200k-credentials-leaked/
   http://www.cyberwarnews.info/2013/03/14/14000-student-credentials-leaked-from-ktu-career-center-lithuania/
   http://hackread.com/avast-germany-website-hacked-defaced-20000-user-accounts-leaked-by-maxney/
   http://thehackernews.com/2013/03/worlds-largest-platinum-producer-hacked.html
   https://shouldichangemypassword.com/all-sources.php

12. More...
   angloplatinum.com – 3/5/2013 – 723
   Walla.co.il – 2/19/2013 – 531,526
   Bank Executives – 2/4/2013 – 4,596
   bee-network.co.za – 1/29/2013 – 81
   http://thehackernews.com/2013/03/worlds-largest-platinum-producer-hacked.html
   http://www.haaretz.com/news/national/anonymous-activists-hack-into-600-000-israeli-email-accounts.premium-1.504093
   http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executive-credentials-7000010740/
   http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
   https://shouldichangemypassword.com/all-sources.php

13. More...
   omni-id.com – 1/29/2013 – 1,151
   moolmans.com – 1/29/2013 – 117
   servicedesk.ufs.ac.za – 1/29/2013 – 3,952
   servicedesk.ufs.ac.za (part 2) – 1/29/2013 – 355
   http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
   https://shouldichangemypassword.com/all-sources.php

14. More...
   westcol.co.za – 1/29/2013 – 99
   digital.postnet.co.za – 1/29/2013 – 45,245
   French Chamber of Commerce – 1/29/2013 – 515
   http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
   http://news.softpedia.com/news/French-Chamber-of-Commerce-and-Industry-Portal-Hacked-by-Tunisian-Cyber-Army-324716.shtml
   https://shouldichangemypassword.com/all-sources.php

15. Types of Attacks
   Algorithm Weakness
   Implementation Weaknesses
   Dictionary Attacks
   Brute-Force Attacks
   Mask Attacks

16. Algorithmic Weaknesses
   Collision, Second Pre-Image, Pre-Image
   Confirmed: GOST, HAVAL, MD2, MD4, MD5, PANAMA, RadioGatun, RIPEMD, RIPEMD-160, SHA-0, SHA-1, Tiger(2)-192/160/128, WHIRLPOOL
   Theoretical: SHA-256/224, SHA-512/384
   http://en.wikipedia.org/wiki/Cryptographic_hash_function

17. Account Hashes
   Windows Hash: EAD0CC57DDAAE50D876B7DD6386FA9C7
   Linux Hash: $6$OeKR9qBnzym.Q.VO$hM3uL03hmR4ZqAME/8Ol.xWGYAmVdpi3S4hWGLeugaKNj/HLzQPTz7FhjATYO/KXCNHZ8P7zJDi2HHb1K.xfE.
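To make slide 17 concrete, here is an added example (not code from the talk or from any tool it mentions) that classifies a stored hash from its format alone: a bare 32-hex-digit string is an unsalted 128-bit digest (the NT hash and raw MD5 look identical at this level), while `$6$salt$hash` is glibc's salted, iterated SHA-512 crypt. The two sample hashes are the ones printed on the slide; the `CRYPT_FAMILIES` table, the returned record layout and the function names are this example's own.

```python
import re

# Modular-crypt-format identifiers for the md5crypt / sha-crypt families:
# id -> (name, expected digest length in crypt base64 chars, default rounds).
CRYPT_FAMILIES = {
    "1": ("md5crypt", 22, 1000),     # md5crypt has a fixed 1000 rounds, no rounds= field
    "5": ("sha256crypt", 43, 5000),  # sha-crypt default is 5000 rounds
    "6": ("sha512crypt", 86, 5000),
}

# The two hashes shown on slide 17 (the Linux one line-wrapped exactly as on the slide).
WINDOWS_HASH = "EAD0CC57DDAAE50D876B7DD6386FA9C7"
LINUX_HASH = ("$6$OeKR9qBnzym.Q.VO$hM3uL03hmR4Z qAME/8Ol.xWGYAmVdpi3S4hWGLeugaKN "
              "j/HLzQPTz7FhjATYO/KXCNHZ8P7zJDi2 HHb1K.xfE.")


def parse_stored_hash(text):
    """Describe what a stored password hash's format alone reveals.

    Whitespace is stripped first because hashes copied from slides or reports
    are often line-wrapped. The function only classifies; it never hashes
    candidate passwords.
    """
    s = re.sub(r"\s+", "", text)
    if re.fullmatch(r"[0-9A-Fa-f]{32}", s):
        # No prefix, no salt field, 128 bits: NT hash (MD4 over UTF-16LE) and raw
        # MD5 are indistinguishable here; either way identical passwords give
        # identical hashes for every user.
        return {"kind": "unsalted-128bit", "algorithm": "MD4 (NT) or MD5",
                "salted": False, "rounds": 1, "hash": s.lower(), "well_formed": True}
    m = re.fullmatch(r"\$([156])\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]+)", s)
    if m is None:
        raise ValueError("unrecognised hash format: %r" % text[:16])
    ident, rounds, salt, digest = m.groups()
    if ident == "1" and rounds is not None:
        raise ValueError("md5crypt does not take a rounds= parameter")
    name, expected_len, default_rounds = CRYPT_FAMILIES[ident]
    return {"kind": "crypt", "algorithm": name, "salted": True, "salt": salt,
            "rounds": int(rounds) if rounds else default_rounds, "hash": digest,
            "well_formed": len(digest) == expected_len}


def risk_note(info):
    """One-line reviewer remark for a credential-store audit."""
    if not info["salted"]:
        return "unsalted single-pass digest: shared passwords collide and precomputed tables apply"
    if info["rounds"] < 5000:
        return "salted but few rounds: cheap to test candidates at scale"
    return "salted and iterated (%s, %d rounds)" % (info["algorithm"], info["rounds"])


if __name__ == "__main__":
    for h in (WINDOWS_HASH, LINUX_HASH):
        info = parse_stored_hash(h)
        print(info["algorithm"], "->", risk_note(info))
```

The digest-length check is the quickest sanity test when auditing a dump: an `$6$` entry whose digest is not 86 characters was truncated or mangled on export, which is exactly what the slide's line wrapping would have done without the whitespace strip.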
18. File Encryption
   MS Office
   PDFs
   Zip/7z/rar
   TrueCrypt

19. How do they work?
   Known file-format/implementation weakness
   Header data to indicate encryption: type, key length, etc.
   Often some small portion to decrypt/validate
   How is it that changing encryption keys is fast? Your key encrypts the "real" key

20. Is it really cracking?

21. Password Guessing
       char string1[maxPassLength + 1];
       char alphanum[63] =
           "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789";
       for 0 --> maxLength
           for each char in alphanum…

22. Slightly Better...
       int min = 8;
       int max = 12;
       char[] valid =
           "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789";
       // known rules
       // first & last must be char
       // no consecutive-ordered chars/nums
       // no repeated chars/nums
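The fragments on slides 21 and 22 stop at the loop. As an added example (not the talk's code), the Python below makes the three "known rules" of slide 22 concrete and counts, rather than tries, how many candidates survive them, which is how a defender estimates what a policy actually buys. The rule interpretations (letters first and last; no adjacent ascending pair such as "ab" or "12"; no character repeated immediately) and the function names are this example's assumptions; exhaustive counting is only done for tiny alphabets, and the 62-symbol, 8-to-12 length space from the slides is sized arithmetically.

```python
import itertools
import string

# The 62-symbol alphabet from slide 21.
ALPHANUM = string.ascii_uppercase + string.ascii_lowercase + string.digits


def keyspace_size(charset_size, min_len, max_len):
    """Candidates a plain brute force must try over every length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def obeys_rules(candidate):
    """Slide 22's 'known rules', as interpreted for this example:
    letters first and last, no adjacent ascending pair ('ab', '12'),
    no character repeated immediately ('aa', '11')."""
    if not (candidate[0].isalpha() and candidate[-1].isalpha()):
        return False
    for a, b in zip(candidate, candidate[1:]):
        if a == b or ord(b) == ord(a) + 1:
            return False
    return True


def count_with_rules(charset, length):
    """Exact count of rule-obeying strings by enumeration (tiny inputs only)."""
    return sum(1 for t in itertools.product(charset, repeat=length)
               if obeys_rules("".join(t)))


def rule_survival_ratio(charset, length):
    """Share of the raw keyspace the rules leave standing, e.g. 4/27 for 'ab1' at length 3."""
    return count_with_rules(charset, length) / len(charset) ** length


def hours_to_exhaust(candidates, guesses_per_second):
    """Wall-clock upper bound at a given guess rate; a policy change that does
    not move this number by orders of magnitude buys little."""
    return candidates / guesses_per_second / 3600


if __name__ == "__main__":
    raw = keyspace_size(len(ALPHANUM), 8, 12)
    print("62-symbol alphabet, length 8..12:", raw, "candidates")
    print("share surviving the rules on 'ab1', length 3:", rule_survival_ratio("ab1", 3))
```

The point the counts make is the one the slide implies: rules written to make passwords "look strong" (no repeats, no sequences) also remove candidates, so a policy should be scored by the size of the space it leaves, not by the number of rules it has.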
23. DEMO: Cracking a Windows Hash with oclHashcat

24. (more) Intelligent Password Guessing
   What do people usually use?
   What can we do to reduce the set of possibilities?
   Cull terms/domain knowledge from relevant data: dating sites, religious sites, others
   Best: already used/real-world passwords

25. Determine Your Goals
   Cracking a single, specific pwd?
   Cracking a large % of an "acquired set"?

26. Mark Burnett, author of Perfect Passwords
   List of 6,000,000, culled down to 10,000 most frequently used
   Top 10,000 passwords represent 99.8% of all passwords

27. More Password Stats...
   Overview
   4.7% of users have the password password
   8.5% have the passwords password or 123456
   9.8% have the passwords password, 123456 or 12345678
   14% have a password from the top 10 passwords
   40% have a password from the top 100 passwords
   79% have a password from the top 500 passwords
   91% have a password from the top 1000 passwords
   From a uniqueness standpoint...
   99.6% of the unique passwords are used by only 0.18% of users
   https://xato.net/passwords/more-top-worst-passwords/

28. Lists....

29. PACK: Password Analysis and Cracking Toolkit
   Peter Kacherginsky, PasswordCon, 7/30-7/31
   Intelligent cycle of cracking, analysis, rule generation
   http://thesprawl.org/projects/pack/

30. Statistical Analysis
   Password Length Analysis
   Character Set Analysis
   Word Mangling Analysis

31. Example: Length
   https://thesprawl.org/media/research/passwords13-smarter-password-cracking-with-pack.pdf
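Slides 26, 27 and 30 describe the numbers that PACK's statistics step produces. The following is an added Python example, not PACK and not the talk's demo, that computes the same kinds of figures over a constructed list of 20 passwords: coverage by the top-N values, the share of accounts hiding behind single-use passwords (the slide's 99.6% / 0.18% pair), the length distribution, and PACK-style character-set classes. The sample list, the class labels and the function names are all this example's own.

```python
from collections import Counter

# Constructed sample of 20 accounts' passwords (not data from any breach).
SAMPLE = [
    "123456", "password", "123456", "qwerty", "password",
    "monkey", "123456", "letmein", "Summer2013", "P@ssw0rd",
    "monkey", "dragon", "123456", "password", "abc123",
    "Codestock14", "iloveyou", "trustno1", "123456", "s3cur3pa55",
]


def top_n_coverage(passwords, n):
    """Fraction of accounts whose password is one of the n most common values
    (slide 27's '14% have a password from the top 10')."""
    counts = Counter(passwords)
    covered = sum(c for _, c in counts.most_common(n))
    return covered / len(passwords)


def singleton_share(passwords):
    """(share of unique values used by exactly one account,
        share of accounts those values cover): slide 27's 99.6% / 0.18% pair."""
    counts = Counter(passwords)
    singles = sum(1 for c in counts.values() if c == 1)
    return singles / len(counts), singles / len(passwords)


def length_distribution(passwords):
    """Accounts per password length (PACK's length analysis)."""
    return Counter(len(p) for p in passwords)


def charset_class(pw):
    """PACK-style label such as 'loweralphanum' or 'mixedalphanumspecial'."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    if digit and not (lower or upper or special):
        return "numeric"
    if special and not (lower or upper or digit):
        return "special"
    label = ("mixedalpha" if (lower and upper) else
             "loweralpha" if lower else
             "upperalpha" if upper else "")
    if digit:
        label += "num"
    if special:
        label += "special"
    return label


def charset_distribution(passwords):
    """Accounts per character-set class (PACK's character set analysis)."""
    return Counter(charset_class(p) for p in passwords)


def report(passwords):
    """Summary dict mirroring the 'Overview' figures on slide 27."""
    return {
        "accounts": len(passwords),
        "unique": len(set(passwords)),
        "top1": top_n_coverage(passwords, 1),
        "top3": top_n_coverage(passwords, 3),
        "top10": top_n_coverage(passwords, 10),
        "singleton_share": singleton_share(passwords),
        "lengths": dict(sorted(length_distribution(passwords).items())),
        "charsets": dict(charset_distribution(passwords).most_common()),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(key, value)
```

On this sample the single most common value already covers a quarter of the accounts and the top three cover half, which is the same shape as the real-world figures on slide 27 and the reason a short frequency list is tried before any brute force.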
32. DEMO: Statistics on Real PWs

33. Advanced Analytics
   Levenshtein Edit Distance
   http://en.wikipedia.org/wiki/Levenshtein_distance

34. Levenshtein Edit Distance
   Minimum number of changes required to change one string into another
   Measure distance b/t actual words and cracked list to optimize the word mangling rules
   i.e. XX% of words can be achieved with Levenshtein edit distance of <= 2
   Only gen rules that match
   http://www.let.rug.nl/~kleiweg/lev/
   http://www.kurzhals.info/static/samples/levenshtein_distance/
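Slide 34 uses Levenshtein distance to decide which mangling rules are worth generating. The Python below is an added example (not the talk's demo and not PACK): a textbook Wagner-Fischer implementation, then the distance from each entry of a constructed "cracked" list to the closest entry of a constructed base wordlist, and the share reachable within k edits, which is the "XX% within distance <= 2" figure from the slide. The word lists and the function names are this example's own.

```python
def levenshtein(a, b):
    """Minimum insertions, deletions and substitutions turning a into b
    (Wagner-Fischer with two rows: O(len(a)*len(b)) time, O(min length) space)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute, or match for free
        prev = cur
    return prev[-1]


# Constructed inputs: a base wordlist and passwords already recovered from it.
BASE_WORDS = ["password", "monkey", "dragon", "summer", "letmein", "trust"]
CRACKED = ["p@ssw0rd", "monkey1", "dragon", "Summer2013", "letmein!!", "trustno1", "zx9!qw"]


def distance_profile(cracked, wordlist):
    """Edit distance from each cracked password to its nearest base word."""
    return {pw: min(levenshtein(pw, w) for w in wordlist) for pw in cracked}


def share_within(profile, max_distance):
    """Fraction of cracked passwords reachable from the wordlist in <= max_distance edits."""
    return sum(1 for d in profile.values() if d <= max_distance) / len(profile)


def rule_budget(profile, coverage_target):
    """Smallest edit distance whose coverage meets the target: mangling rules
    that need more edits than this can be left out of the rule set."""
    for k in range(max(profile.values()) + 1):
        if share_within(profile, k) >= coverage_target:
            return k
    return None


if __name__ == "__main__":
    prof = distance_profile(CRACKED, BASE_WORDS)
    for pw, d in prof.items():
        print("%-12s nearest base word is %d edit(s) away" % (pw, d))
    print("within 2 edits:", share_within(prof, 2))
    print("distance needed for 50% coverage:", rule_budget(prof, 0.5))
```

On this sample four of the seven recovered passwords are within two edits of a base word (leet substitutions, an appended digit, appended symbols), while "Summer2013" needs five and "zx9!qw" is not near anything; those last two are the cases where no cheap mangling rule helps, which is the signal slide 34 is after.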
35. What if I don't have your Password?
   Pass the Hash
   But We use Smart Cards!?

36. Avoidance Techniques
   Don't use "monkey"
   Don't reuse "monkey"
   If you must use "monkey", require something else as well
   Salt is good
   Your own salt is better
   Utilize memory-hard algorithms
   Utilize multiple iterations (a lot)
   Your username is half of the equation
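Slide 36's "salt is good", "memory-hard algorithms" and "multiple iterations (a lot)" can be seen side by side. The Python below is an added example (not the talk's code): the unsalted single-pass MD5 that slide 5 blames for the Pixel Federation leak, next to PBKDF2-HMAC-SHA256 with a random per-user salt and a large iteration count, verified with a constant-time comparison, and scrypt as the memory-hard option. The stored-record layout, the default iteration count and the function names are this example's choices.

```python
import hashlib
import hmac
import os


def unsalted_md5(password):
    """What the Pixel Federation store on slide 5 did: no salt, one fast pass.
    Two users with the same password get the same hash, so one crack pays twice."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=600_000, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt and a high work
    factor. Record layout is this example's own: alg$iterations$salt_hex$dk_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    alg, iterations, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2-sha256":
        raise ValueError("unsupported record type: " + alg)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def scrypt_hash(password, salt, n=2 ** 14, r=8, p=1):
    """Memory-hard alternative: each evaluation needs about 128*n*r bytes (16 MiB
    here), so hardware cannot run thousands of guesses in parallel the way it can for MD5."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)


def same_hash_for_same_password(scheme, password):
    """True when two users sharing a password end up with identical stored values,
    i.e. the scheme leaks password equality across accounts."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("unsalted md5 leaks equality:", same_hash_for_same_password(unsalted_md5, "monkey"))
    print("salted pbkdf2 leaks equality:", same_hash_for_same_password(hash_password, "monkey"))
    rec = hash_password("monkey")
    print("verify correct:", verify_password("monkey", rec),
          "| verify wrong:", verify_password("monkey1", rec))
    print("scrypt digest bytes:", len(scrypt_hash("monkey", os.urandom(16))))
```

Storing the salt and the iteration count inside the record is what lets the count be raised later without breaking old logins: verification reads the cost from the record, and the record can be rewritten with a higher cost the next time the user authenticates.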
37. References
   http://haveibeenpwned.com/
   https://lastpass.com/adobe/
   https://lastpass.com/linkedin/
   https://lastpass.com/lastfm/
   https://shouldichangemypassword.com/all-sources.php

38. Questions/Contact
   Rob Gillen
   rob@gillenfamily.net
   http://rob.gillenfamily.net
   @argodev
   This talk and related resources are available online: https://github.com/argodev/talks/
