Password War Games Webinar

Password War Games

© 2012 nCircle. All Rights Reserved.

Password Basics – How Passwords are
Stored

ENCRYPTED
PASSWORD: PASSWORD:
One way Encryption
bone33 6d19f07b3849a96156fe5b18733c07bb
Algorithm

md5
NT Hash Example:
SHA-1 Account Algorithm used (1=md5 in this case)
SHA-256 Salt (“R4mDH”)
Blowfish
jalex:$1$R4mDH$aOcFaA9.Dq6Ww2u3XmCfK/:
SHA-512
14641:0:99999:7:::
SHA-crypt
bcrypt
scrypt encrypted password


Basic Password Math
Character Complexity and Length
Number of password
• Numbers only = 10n combinations = cn
• Lower case only = 26n
• Mixed case = (26+26)n
• Mixed case + numbers = (26+26+10)n
• Mixed case + num + special = (26+26+10+30)n
• All ASCII = (256)n

c = number of characters in the character set, e.g. numbers = 10
n = the length of the password
Special characters include the “space” character


Basic Password Math
Examples:
141 = 103 = 1000
cat = 263 = 17,576
Cat = (26+26)3 = 140,608
C2t = (26+26+10)3 = 238,828
#2t = (26+26+10+20)3 = 551,368
…..
thecatjumpedoutofthecup = 2623 =
3,500,000,000,000,000,000,000,000,000,000,000

Character complexity is important but Length is King!!


Password Games Hackers Play

Password cracking techniques:
– Guessing
• Lists of common passwords,
personal information, default passwords
– Dictionary
• One or more dictionaries to include foreign dictionaries
– Hybrid
• One or more dictionaries (plus word lists, personal
information, and rules)
– Brute Force
• Random passwords


Quiz Question #1

What is the correct ordering of password
cracking techniques from most powerful to
least?
a. Hybrid, Brute-Force, Guessing, Dictionary
b. Dictionary, Brute-Force, Dictionary, Guessing
c. Brute-Force, Dictionary, Hybrid, Guessing
d. Brute-Force, Hybrid, Dictionary, Guessing


Guessing Attacks


Most Common Passwords
• These are some standard common
passwords. Common passwords are the
weakest of all password types. Avoid them
like the plague:
Common Passwords
password letmein sunshine
123456 trustno1 opensesame
12345678 dragon ashley
qwerty baseball passw0rd
abc123 111111 shadow
monkey iloveyou 123123
1234567 master 654321
Source: Splashdata annual list of worst Internet passwords

Default and Blank Passwords

• Many networking devices come
preconfigured with “default” passwords
• Many users don’t change this default
password

• Example: 2Wire Router
– Default login user name: admin
– Default password: 2Wire


Background Checks
• Do Not Use Personal Information — Steer
clear of personal information. If the attacker
knows who you are, they will have an easier
time figuring out your password if it includes
information such as:
– Names: Your name, Pet Names, Names
of family members and friends (e.g. Joshua)
– Numbers: Phone numbers, addresses,
social security numbers, license
plate numbers, zip codes
– Dates: Birth dates / anniversary dates
– Favorites: Hobbies, sports teams, movie
stars, colors, wine, books, cars, …


The Dictionary Attack


Word Games

• Do Not Use Dictionary or Recognizable Words —
Words such as proper names, dictionary words,
or even terms from television shows or novels
– guest
– quartet
– hogwarts
– ds-9
– obiwan
– spiderman


Foreign Language Words

• Do Not Use Words in Foreign Languages —
Password cracking programs often check
against word lists that encompass
dictionaries of many languages. Relying on
foreign languages for secure passwords is
not a good practice. This includes Klingon ;-)
– betenoir
– bienvenido
– gutenmorgen


Word Lists

• Dictionary attacks can be augmented
by pre-built and custom word lists:
– Slang
– Jargon
– Dirty words
– Klingon, Romulan, Elvish word lists, …
– Custom lists: SF 49-ers, Star Trek, Jane Austen,
Marilyn Monroe word lists, rock climbing terms…


Double Jeopardy

• Don’t combine two words:
– cathycathy
– springale
– realginger
– elegantpresentation
– scissorsauto
– brokenmouse


Hybrid Attacks
(Augmenting the dictionary with rules)


Prefixes and Postfixes

• Do Not add numbers or special characters to
a simple words
– superman7
– nevada999
– 34phonebook
– desayuno!@
– %%stockmarket


Inversion/Reversal

• Do Not Invert or Reverse Words — Good
password checkers check for reversed
words, so inverting/reversing a bad
password does not make it any more secure:
– etamitigel
– ardnassac
– nauj
– 9-SD


Keyboard Patterns (sequences)

• Don’t use simple keyboard patterns:
– 123
– 123123
– 1234567890
– qwerty
– qwertyuiop
– asdfghj
– zaqwsx
– !@#$%^&*()


Character Substitutions & Leetspeak
(elite speak = l33tspeak = leetspeak)

Common Character Substitutions:
$=S, @=A, 4=A, 1=L, 1=I, !=I, 3=E, 0=O, #=H

• Examples:
– PASWORD = P@$$w0rd
– livefish = l!v3f1S#
– ELITE = ELEET = 3L33T
– n00b = newbie
– Iamsurprised:-o


Leetspeak Table (source: Wikipedia)


Don’t Make it Up

• Good password cracking programs can check many
made up words using something called frequency
tables.
• Idea is that certain letters follow others more frequently
than others in a given language
• There are frequency tables for each language
• Examples:
– markap
– yunk
– quirp


Quiz Question #2

What is the problem with the following
password: minulauck?

a. Susceptible to a dictionary cracking
b. Susceptible to hybrid cracking (two words)
c. Susceptible to hybrid cracking (made up word)
d. Susceptible to guessing (a common word)


Quiz Question #3

Which of these two passwords is weaker?

a. superman56
b. Y&f2*e


Brute-Force Attack


Brute Force Attacks

• When all else fails the cracking software will
try every possible combination
• Brute-force is intelligent in its search it will go
in a certain order (that can be configured)
• Example:
– Single character, 2 character passwords, 3
character passwords, 4 digit numbers, 4 character
lowercase, 4 character all character, ….


Letters or Numbers Only

• Do NOT use only letters or numbers:
– 8675309
– miwhdd
– prwlkj

Length is key, but character complexity
is also important in defending against
Brute force attacks

Loose Lips Sink
Ships
Password Best Practices


Hide & Seek

• Do Not Write Down Your Password — Never
store your password on paper. Come up with
a good memory scheme.


The Golden Password

• Do Not Use the Same Password For All
Machines — i.e. This is called a gold or
golden password. Crackers love them. It is
important that you make separate
passwords for each account. This way if one
system is compromised, all of your
machines/accounts/data will not be
immediately at risk.


Password Length

• Make the Password At Least Eight
Characters Long
• The longer the password, the better
• Most firms have a minimal acceptable
length that they consider strong
• Use longer passwords for more sensitive
data


Alphanumerics

• Mix Letters and Numbers — Adding numbers
to passwords, especially when added to the
middle (not just at the beginning or the end),
can enhance password strength.

Where n = length of password
Lower case alphabet = 26n combinations
Alphabet + numbers = (26+10)n combinations


Mixed Case

• Mix Upper and Lower Case Letters — By
mixing cases, you will enhance the strength
of the password.

26n versus (26+26)n
26 combinations of lowercase , 52 combinations of mixed case


Special Sauce

• Including Special characters such as &, $, #,
>, … can greatly improve the strength of a
password

Lower case only = 26n
Mixed case = (26+26)n
Mixed case + numbers = (26+26+10)n
Mixed case + numbers + special char = (26+26+10+20)n


Password Pragmatism

• Pick a Password You Can Remember — The
best password in the world does you little
good if you cannot remember it or feel you
have to write it down.
• Use acronyms or other mnemonic
devices to aid in memorizing
passwords or use a “Password
Manager” program


Password Checkers vs. Password Cracking

• Most password strength checkers will not
discover certain types of bad passwords.
• Organizations should use password cracking
software as part of their audit procedures
• Most password are not as sophisticated as
actual password cracking programs.
• Example: Procr4$tin4te
i.e., a password checker might accept this password,
while a good cracking program will easily break this.


Quiz Question #4

How many times should you reuse a
password?

a. Never
b. Twice
c. Everywhere but your financial accounts
d. Everywhere but your medical and financial accounts


Password
Subterfuge
Snooping and Social
Engineering


Password Acquisition Methods (1 of 3)

• Theft
• Search - Passwords written down: under
keyboard, on monitor, on wall, in desk
drawer, under leaf of plant, under plant pot
• Bribery
• Coercion/Extortion/Subversion/Blackmail
• Social Engineering (phishing,
impersonation,…)


• Insider (admin, users, someone has access
to password database)
• Sniffer (to include wiretapping, rogue
devices, wireless sniffing, could be insider
assisted.)
• Keylogger (hardware or software)
• Logon spoofing (to include ATM spoofing)



• Shoulder surfing (to include hidden
cameras)
• Keyboard “Audio” detection
• Dumpster diving
• Access to password databases (safe, admin
access,…)


Quiz Question #5

What is the one of the most common methods
that hackers use to steal passwords?

a. phishing
b. dumpster diving
c. spamming
d. breaking into your house and looking for passwords


Password
Counter
Intelligence


Policies

• Password Policies
– Password Use Policies
• Don’t give your password to anyone
• Don’t use the same password on multiple accounts
• Password strength (length and character complexity)
• Required use of password manager software
– Logon, Aging, and Lockout Policies
• Logon process should not indicate if you typed in a valid
username
• Delay of login response should be the same for correct and
incorrect logins
• Lockout policies (time and tries)
• Password age
• Password history


Checking and Auditing

• Password Checkers
– Password Policy Tester
– Password Defender

• Password Auditing
– Auditing for weak passwords using password
crackers, e.g. ophcrack, John the Ripper, …
– Sniffing
– Physical security audits and Pen Testing


Multi-Factor and Non-text Input Methods

• Multiple factor authentication:
– RSA tokens
– Knowledge based redundancy
– Smartcards
– Biometrics
– Location-based
• Graphical passwords
• Virtual keyboards


Defenses

• Education
• Do not store or transmit passwords in the clear
• Logging (login failure attempts)
• Slower encryption methods (password hashing,
e.g. SHA-crypt, bcrypt)
• Password salts – Response to use of rainbow
tables (i.e. pre-computation attacks)
• Use of local parameterization
• Use of password stretching (configurable
iteration counts)


Password Manager Example: KeePass
• Easy to Use
• Drag-n-drop
• Hard to Get Into
• Composite Master Key
• Key Transformation (Stretching)
• Random password Generator


Personal Identifiable Information Reference
• Names: (first, last, middle, maiden, hyphenated, ranks, titles), Names of relatives, friends,
pets (to a lesser extent acquaintances), Nicknames
• Addresses (home, addresses of relatives and friends, offices, current, old addresses,
numbers, street names, city names, state names, country names)
• License plate (all vehicles owned by victim to include previous vehicles)
• Drivers license number (to include numbers of acquaintances)
• Schools: Name of schools (elementary, middle, HS, college, fraternities, clubs)
• Telephone numbers (home, cell, work, relatives, friends, office, contacts)
• Social security number, account numbers, identification numbers, …
• Dates: Birthday (victim, relatives, friends, pets), anniversaries (wedding, engagement,
special occasion, graduation), astrological signs
• Room numbers, office numbers
• Clubs and military: Unit names and designations
• Favorites: Colors, music groups, songs, actors/actresses,
auto models, movies, books, food, wine, hobbies, sport teams,…
• Web: urls of favorite sites


Cloud-based network security services platform designed
for small to medium enterprises

nCircle PureCloud
Twice the Security at Half the Cost

• Enterprise-class security scanning
• State-of-the-art cloud delivery
• Easy to use
• No hardware or software to deploy
or manage


Questions?
Continue the conversation at

http://connect.ncircle.com


Password War Games Webinar

More Related Content

Similar to Password War Games Webinar

More from nCircle - a Tripwire Company

Recently uploaded

Password War Games Webinar