WA
Uploaded byWill Alexander
PPTX, PDF114 views

P@ssw0rds

This document discusses password security and best practices. It notes that 66% of corporate network breaches are due to weak passwords. Passwords should not be stored in plaintext or with reversible encryption, but rather hashed with salts. Hashing strengthens security but using salts is important to avoid rainbow table attacks. The document recommends choosing long, unique passphrases rather than short, dictionary words for passwords. It also advocates the use of password managers and two-factor authentication for strongest security.

Embed presentation

Download to read offline
P@ssw0rds
Introduction
What is a password?
Despite providing access to their online identities, which are becoming more and more valuable as more and more services are offered online, people are still using weak and easy to guess passwords.
Percentage of security tests where a corporate network was compromised because of weak passwords? 66%
Two types of password attack - Online - Offline
Storage
Data Breaches
How are passwords stored? - Plaintext - Encrypted - Hashed without a salt - Hashed with a salt
Plaintext Passwords must not be stored in plaintext In the event that an attacker obtains access to the password database, they will not need to do any additional work to begin compromising user accounts Username Password alice M1ddleEarth bob Cant0na! eve L@mbCh0ps
Encryption Passwords must not be stored using reversible encryption Encryption is good though, right? WRONG!
Encryption Encryption requires a secret key to transform the plaintext into unreadable ciphertext What to do with the secret key? It needs to be readily accessible to encrypt and decrypt passwords
stored in the application source code? Both Cisco and Microsoft have had notable failures using reversible encryption with keys stored in the source code Microsoft published the key to decrypt passwords stored in Group Policy Preferences (GPP) XML files. the passwords stored in these files were typically for privileged administrator accounts Cisco stored passwords encrypted with a modified Vigenere cipher using a hard- coded key. these were known as type 7 passwords
Stored in the database? If the attacker has gained access to the encrypted passwords in the database, then they’ve also gained access to the key Key 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53 , 0x55, 0x42 Username Password alice 022B555F0F0A0A044D5C1D11 bob 022505551F5601200D eve 022A2456092507715C5D
Hashed without a salt “A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a bit string of fixed size which is designed to also be a one-way function, that is, a function which is infeasible to invert” Wikipedia
Hashing vs Encryption Hashing is very similar to encryption, with the following exceptions: - hashing does not require a secret key - hashing produces an output of fixed size - given the output from a hashing function, it is very difficult to determine the input So how do we know that the password provided by a user when they try to log in is the same as the one held by the application?
Creating a password
Logging in
Not all algorithms are created equal Some hashing algorithms are better than others Windows used to store hashes generated using the LM algorithm. these are weak and easy to “crack”. that is, given the hash it is relatively easy to retrieve the plaintext password Windows now stores hashes generated using the stronger NT algorithm There was a brief period of time where Windows would store both the weaker LM hash and the stronger NT hash
Are we there yet? If two users select the same password, then the hash stored in the back-end will also be identical This can be exploited by pre-computing likely password hashes, and creating something called a rainbow table, making the cracking process much quicker Username Password alice AAD3B435B51404EEAAD3B435B51404EE:857CFB92F16DCD36950FAFEB50BE709A bob AAD3B435B51404EEAAD3B435B51404EE:A32E692D322A3226DC96B91FB8D86A15 eve AAD3B435B51404EEAAD3B435B51404EE:BEAA54FDADD4C4FA99151798B71009E0 mallory AAD3B435B51404EEAAD3B435B51404EE:BEAA54FDADD4C4FA99151798B71009E0
Hashed with a salt The process is (not surprisingly) very similar to hashing without a salt A salt is a short random piece of text that is appended to the user’s password before it is hashed This makes the creation of rainbow tables infeasible, as it would require huge amounts of computer memory
Creating and verifying a password
The best solution The best solution to the problem (so far) is hashing with a salt The choice of algorithm is also important… Username Password alice $6$ryhYU2VU$n.sUKVAQDVa3dVRJiVNUxVAh3BfClhp6SVfi9MlYnFxzDvTGkKRQJFb7 WOWeWOJmqWHVNhp5VnC/WXm8jNn.J1 bob $6$edUWTiGp$.kBzLOYrfSweOtWRWrkHjWdfGixAM7jg9CD8mDN04nzgpWPpN4WQtsr sgpJPFXcdaddt5nH2x0nRYdNJ.JuvI0 eve $6$J9CjU1ZD$WLmD6joKMBh5pqvho8Rl620wxk8ch.CfbkZxGrdbwo5qCqfYXePSDlhhM dk4JIIeQzAC8FQuqlgomh1WDAfOg0
Attacks
Password cracking Assume that an attacker has the password hashes from a Microsoft Windows Active Directory domain To retrieve the plaintext passwords they’ll need to “crack” the hashes Cracking is the process of generating hashes from a list of possible values and comparing them to the hashes taken from a breach. if the hash generated matches any taken from the breach, then you’ve successfully guessed the password What is the most efficient way of selecting the passwords to be guessed though?
Password Cracking Phases - Dictionary - Hybrid / Rule - Markov - Mask - Brute-Force
Dictionary The attacker simply compiles a text file containing commonly used passwords and passwords from previous data breaches This is why it’s recommended that your passwords be unique for each user account If your password appeared in a previous password dump and you’re using the same password on another site, then the attackers will likely already have it
Hybrid / Rule The attacker manipulates their list of passwords by: - changing the case of letters - prepending and appending digits or symbols - changing letters around. for example, replacing the letter ‘O’ with the digit ‘0’
Markov Many users will select a password that conform to their native language By combining common elements that exist within that language, it is possible to create good password candidates, including “alien” words For example, the letter ‘q’ is very likely going to be followed by the letter ‘u’, so “qu” would be a common element Think of it as being like the predictive text on your phone…
xkcd Comic
Mask The attacker will next attempt a targeted brute-force attack to try all passwords that match a given structure By “structure” we are referring to the types of characters and their ordering For example, the password “Password123” has a structure of an upper case letter, followed by seven lower case letters, followed by three digits. This would be notated as “ulllllllddd” Many people when asked to include an upper case letter in their password will put it at the beginning. similarly, when asked to include a digit they will put it at the end
Brute-Force After exhausting all likely passwords, the attacker must resort to brute force attacks The attacker is required to exhaustively search across all possible passwords - aaaaaaaa - aaaaaaab - Aaaaaaac - ... You want your password to be in this space
If you remember one thing from this presentation... Length trumps complexity when it comes to resisting password attacks Rather than thinking of a password, think of a passphrase
Another xkcd Comic
Passwords at Work
Password Cracking The hypothetical Microsoft Windows Active Directory mentioned earlier? that was the organisation’s domain The hypothetical attacker? That was the Cyber Security team What did we learn?
Findings Add a few slides on your findings from the password audit
Best Practice
Storing Passwords Securely - Passwords must be hashed – not encrypted - Random salts must be added to passwords before hashing - Strong hashing algorithms must be used, such as bcrypt - Access to password hashes must be restricted to only authorised users
Choosing a good password - Make your password as long as possible - Make it a passphrase, rather than a password - Include a mixture of different character classes - Do not base your password on a dictionary word - Capitalising the first letter and adding a digit or special character to the end is not sufficient - Use unique passwords for every account - Use a password manager - Use two factor authentication
Questions?

More Related Content

ODP
Disclosing password hashing policies
byMichal Špaček
 
PDF
Honeywords
bySreya Sridhar PP
 
ODP
I forgot my password – what a secure password reset needs to have and why
byMichal Špaček
 
PPTX
Presentation 3 1 1 1
byAshwin Kumar
 
PPTX
Storing passwords-honey words
bykandulasindhu
 
PPTX
Honeywords - BSides London 2014
byGavin Holt
 
DOCX
Achieving flatness selecting the honeywords
byKamal Spring
 
PPT
Examining And Bypassing The IE8 XSS Filter
bykuza55
 
Disclosing password hashing policies
byMichal Špaček
 
Honeywords
bySreya Sridhar PP
 
I forgot my password – what a secure password reset needs to have and why
byMichal Špaček
 
Presentation 3 1 1 1
byAshwin Kumar
 
Storing passwords-honey words
bykandulasindhu
 
Honeywords - BSides London 2014
byGavin Holt
 
Achieving flatness selecting the honeywords
byKamal Spring
 
Examining And Bypassing The IE8 XSS Filter
bykuza55
 

What's hot

PPTX
Honeywords
byPratiksha Kale
 
ODP
Introduction To Encryption in Lasso 8.5
bybilcorry
 
PDF
New Methods in Automated XSS Detection & Dynamic Exploit Creation
byKen Belva
 
PPTX
Hashing Considerations In Web Applications
byIslam Heggo
 
PDF
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
byMMT - Multimediatreff
 
PDF
Stu r33 b (2)
bySelectedPresentations
 
PDF
Iam r31 a (2)
bySelectedPresentations
 
PDF
Mario heiderich. got your nose! how to steal your precious data without using...
byYury Chemerkin
 
PPTX
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
PDF
Passwords good badugly181212-2
byIftach Ian Amit
 
PPSX
Heartbleed Explained & LastPass Demo
byWilliam Mann
 
PDF
Reification
byShunsaku Kudo
 
PDF
Password Security
byCSCJournals
 
PDF
whats wrong with modern security tools and other blurps
byF _
 
PDF
Password (in)security
byEnrico Zimuel
 
PDF
Phd III - defending enterprise
byF _
 
Honeywords
byPratiksha Kale
 
Introduction To Encryption in Lasso 8.5
bybilcorry
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
byKen Belva
 
Hashing Considerations In Web Applications
byIslam Heggo
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
byMMT - Multimediatreff
 
Stu r33 b (2)
bySelectedPresentations
 
Iam r31 a (2)
bySelectedPresentations
 
Mario heiderich. got your nose! how to steal your precious data without using...
byYury Chemerkin
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
Passwords good badugly181212-2
byIftach Ian Amit
 
Heartbleed Explained & LastPass Demo
byWilliam Mann
 
Reification
byShunsaku Kudo
 
Password Security
byCSCJournals
 
whats wrong with modern security tools and other blurps
byF _
 
Password (in)security
byEnrico Zimuel
 
Phd III - defending enterprise
byF _
 

Similar to P@ssw0rds

PPTX
Improving Password Based Security
byRare Input
 
PPT
Kieon secure passwords theory and practice 2011
byKieon
 
ODP
An Introduction to Hashing and Salting
byRahul Singh
 
ODP
Passwords
byKevin OBrien
 
PDF
Authetication ppt
byPranav Doshi
 
ODP
All Your Password Are Belong To Us
byCharles Southerland
 
PDF
Securing Database Passwords Using a Combination of hashing and Salting Techni...
byFego Ogwara
 
PDF
Why is password protection a fallacy a point of view
bySTO STRATEGY
 
PPT
Presentation2f_for_passwords_MS_Class.ppt
bytahirsaleem54
 
PDF
User Authentication: Passwords and Beyond
byJim Fenton
 
PDF
Protecting Your Clients' Privacy
byAijaz Ansari
 
DOCX
Password Cracking
byHajer alriyami
 
PPT
password.ppt
byKaxa5
 
PPTX
Secure passwords-theory-and-practice
byAkash Mahajan
 
PDF
How to Design Passwords
byUniversity of Hertfordshire
 
PPTX
Securing Passwords
byMandeep Singh
 
PPTX
TM112 Meeting12-Cryptography.pptx
byMohammedYusuf609377
 
PPTX
When will passwords die? Research challenges and opportunities in user authen...
byShujun Li
 
PPTX
Techniques for password hashing and cracking
byNipun Joshi
 
PPTX
Password craking techniques
byأحلام انصارى
 
Improving Password Based Security
byRare Input
 
Kieon secure passwords theory and practice 2011
byKieon
 
An Introduction to Hashing and Salting
byRahul Singh
 
Passwords
byKevin OBrien
 
Authetication ppt
byPranav Doshi
 
All Your Password Are Belong To Us
byCharles Southerland
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
byFego Ogwara
 
Why is password protection a fallacy a point of view
bySTO STRATEGY
 
Presentation2f_for_passwords_MS_Class.ppt
bytahirsaleem54
 
User Authentication: Passwords and Beyond
byJim Fenton
 
Protecting Your Clients' Privacy
byAijaz Ansari
 
Password Cracking
byHajer alriyami
 
password.ppt
byKaxa5
 
Secure passwords-theory-and-practice
byAkash Mahajan
 
How to Design Passwords
byUniversity of Hertfordshire
 
Securing Passwords
byMandeep Singh
 
TM112 Meeting12-Cryptography.pptx
byMohammedYusuf609377
 
When will passwords die? Research challenges and opportunities in user authen...
byShujun Li
 
Techniques for password hashing and cracking
byNipun Joshi
 
Password craking techniques
byأحلام انصارى
 

Recently uploaded

PPT
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
PDF
Groq Series A Investment Memo - Chamath Palihapitiya
byRazin Mustafiz
 
PPTX
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
PDF
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PPTX
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PDF
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
PDF
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
PDF
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
PPTX
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
PDF
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
PDF
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
PPTX
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
PDF
Huawei Datacom – How To Pass H12-892 On Your First Try
by591lab
 
PPTX
Cesium formate brine - A brief history - prepared by John Downs in May 2011
byJohn Downs
 
PDF
Navigating the Spectrum of Advanced AI – Agentic, Autonomous, and Autopoietic...
byScott M. Graffius
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PDF
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
Groq Series A Investment Memo - Chamath Palihapitiya
byRazin Mustafiz
 
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
Huawei Datacom – How To Pass H12-892 On Your First Try
by591lab
 
Cesium formate brine - A brief history - prepared by John Downs in May 2011
byJohn Downs
 
Navigating the Spectrum of Advanced AI – Agentic, Autonomous, and Autopoietic...
byScott M. Graffius
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 

P@ssw0rds

  • 1.
  • 2.
  • 3.
    What is apassword?
  • 4.
    Despite providing accessto their online identities, which are becoming more and more valuable as more and more services are offered online, people are still using weak and easy to guess passwords.
  • 5.
    Percentage of securitytests where a corporate network was compromised because of weak passwords? 66%
  • 6.
    Two types ofpassword attack - Online - Offline
  • 7.
  • 8.
  • 9.
    How are passwordsstored? - Plaintext - Encrypted - Hashed without a salt - Hashed with a salt
  • 10.
    Plaintext Passwords must notbe stored in plaintext In the event that an attacker obtains access to the password database, they will not need to do any additional work to begin compromising user accounts Username Password alice M1ddleEarth bob Cant0na! eve L@mbCh0ps
  • 11.
    Encryption Passwords must notbe stored using reversible encryption Encryption is good though, right? WRONG!
  • 12.
    Encryption Encryption requires asecret key to transform the plaintext into unreadable ciphertext What to do with the secret key? It needs to be readily accessible to encrypt and decrypt passwords
  • 13.
    stored in theapplication source code? Both Cisco and Microsoft have had notable failures using reversible encryption with keys stored in the source code Microsoft published the key to decrypt passwords stored in Group Policy Preferences (GPP) XML files. the passwords stored in these files were typically for privileged administrator accounts Cisco stored passwords encrypted with a modified Vigenere cipher using a hard- coded key. these were known as type 7 passwords
  • 14.
    Stored in thedatabase? If the attacker has gained access to the encrypted passwords in the database, then they’ve also gained access to the key Key 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53 , 0x55, 0x42 Username Password alice 022B555F0F0A0A044D5C1D11 bob 022505551F5601200D eve 022A2456092507715C5D
  • 15.
    Hashed without asalt “A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a bit string of fixed size which is designed to also be a one-way function, that is, a function which is infeasible to invert” Wikipedia
  • 16.
    Hashing vs Encryption Hashingis very similar to encryption, with the following exceptions: - hashing does not require a secret key - hashing produces an output of fixed size - given the output from a hashing function, it is very difficult to determine the input So how do we know that the password provided by a user when they try to log in is the same as the one held by the application?
  • 17.
  • 18.
  • 19.
    Not all algorithmsare created equal Some hashing algorithms are better than others Windows used to store hashes generated using the LM algorithm. these are weak and easy to “crack”. that is, given the hash it is relatively easy to retrieve the plaintext password Windows now stores hashes generated using the stronger NT algorithm There was a brief period of time where Windows would store both the weaker LM hash and the stronger NT hash
  • 20.
    Are we thereyet? If two users select the same password, then the hash stored in the back-end will also be identical This can be exploited by pre-computing likely password hashes, and creating something called a rainbow table, making the cracking process much quicker Username Password alice AAD3B435B51404EEAAD3B435B51404EE:857CFB92F16DCD36950FAFEB50BE709A bob AAD3B435B51404EEAAD3B435B51404EE:A32E692D322A3226DC96B91FB8D86A15 eve AAD3B435B51404EEAAD3B435B51404EE:BEAA54FDADD4C4FA99151798B71009E0 mallory AAD3B435B51404EEAAD3B435B51404EE:BEAA54FDADD4C4FA99151798B71009E0
  • 21.
    Hashed with asalt The process is (not surprisingly) very similar to hashing without a salt A salt is a short random piece of text that is appended to the user’s password before it is hashed This makes the creation of rainbow tables infeasible, as it would require huge amounts of computer memory
  • 22.
  • 23.
    The best solution Thebest solution to the problem (so far) is hashing with a salt The choice of algorithm is also important… Username Password alice $6$ryhYU2VU$n.sUKVAQDVa3dVRJiVNUxVAh3BfClhp6SVfi9MlYnFxzDvTGkKRQJFb7 WOWeWOJmqWHVNhp5VnC/WXm8jNn.J1 bob $6$edUWTiGp$.kBzLOYrfSweOtWRWrkHjWdfGixAM7jg9CD8mDN04nzgpWPpN4WQtsr sgpJPFXcdaddt5nH2x0nRYdNJ.JuvI0 eve $6$J9CjU1ZD$WLmD6joKMBh5pqvho8Rl620wxk8ch.CfbkZxGrdbwo5qCqfYXePSDlhhM dk4JIIeQzAC8FQuqlgomh1WDAfOg0
  • 24.
  • 25.
    Password cracking Assume thatan attacker has the password hashes from a Microsoft Windows Active Directory domain To retrieve the plaintext passwords they’ll need to “crack” the hashes Cracking is the process of generating hashes from a list of possible values and comparing them to the hashes taken from a breach. if the hash generated matches any taken from the breach, then you’ve successfully guessed the password What is the most efficient way of selecting the passwords to be guessed though?
  • 26.
    Password Cracking Phases -Dictionary - Hybrid / Rule - Markov - Mask - Brute-Force
  • 27.
    Dictionary The attacker simplycompiles a text file containing commonly used passwords and passwords from previous data breaches This is why it’s recommended that your passwords be unique for each user account If your password appeared in a previous password dump and you’re using the same password on another site, then the attackers will likely already have it
  • 28.
    Hybrid / Rule Theattacker manipulates their list of passwords by: - changing the case of letters - prepending and appending digits or symbols - changing letters around. for example, replacing the letter ‘O’ with the digit ‘0’
  • 29.
    Markov Many users willselect a password that conform to their native language By combining common elements that exist within that language, it is possible to create good password candidates, including “alien” words For example, the letter ‘q’ is very likely going to be followed by the letter ‘u’, so “qu” would be a common element Think of it as being like the predictive text on your phone…
  • 30.
  • 31.
    Mask The attacker willnext attempt a targeted brute-force attack to try all passwords that match a given structure By “structure” we are referring to the types of characters and their ordering For example, the password “Password123” has a structure of an upper case letter, followed by seven lower case letters, followed by three digits. This would be notated as “ulllllllddd” Many people when asked to include an upper case letter in their password will put it at the beginning. similarly, when asked to include a digit they will put it at the end
  • 32.
    Brute-Force After exhausting alllikely passwords, the attacker must resort to brute force attacks The attacker is required to exhaustively search across all possible passwords - aaaaaaaa - aaaaaaab - Aaaaaaac - ... You want your password to be in this space
  • 33.
    If you rememberone thing from this presentation... Length trumps complexity when it comes to resisting password attacks Rather than thinking of a password, think of a passphrase
  • 34.
  • 35.
  • 36.
    Password Cracking The hypotheticalMicrosoft Windows Active Directory mentioned earlier? that was the organisation’s domain The hypothetical attacker? That was the Cyber Security team What did we learn?
  • 37.
    Findings Add a fewslides on your findings from the password audit
  • 38.
  • 39.
    Storing Passwords Securely -Passwords must be hashed – not encrypted - Random salts must be added to passwords before hashing - Strong hashing algorithms must be used, such as bcrypt - Access to password hashes must be restricted to only authorised users
  • 40.
    Choosing a goodpassword - Make your password as long as possible - Make it a passphrase, rather than a password - Include a mixture of different character classes - Do not base your password on a dictionary word - Capitalising the first letter and adding a digit or special character to the end is not sufficient - Use unique passwords for every account - Use a password manager - Use two factor authentication
  • 41.

Editor's Notes

  • #4 When you access an online service that requires you to identify yourself, you are typically prompted for two pieces of information: A username that acts as your identity for the service; and A password that proves that you own this identity. The password allows the service to verify that you are actually who you say you are.
  • #6 Praetroian – How to Dramatically Improve Corporate IT Security Without Spending Millions (https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Improve%20Corporate%20IT%20Security%20Without%20Spending%20Millions%20-%20Praetorian.pdf) Praetorian looked at 100 penetration test reports that included an internal network security assessment, across 75 unique organisations. The focus was to identify the most common, recurring security weaknesses that led to a compromise. Weak passwords were the most common way that networks were compromised, followed by: 2. Broadcast Name Resolution Poisoning 3. Local Administrator Attacks (i.e. pass the hash) 4. Cleartext Passwords Stored in Memory (extracted using Mimkatz, or similar) 5. Insufficient Network Access Controls Image credit to SMBC.com
  • #7 An online password attack is when the attacker has access to an online service. They are simply trying to guess your password, while trying to bypass any mitigations in place. For example, account lockouts, etc. An offline password attack is when the attacker has access to a database breach and is attempting to retrieve credentials to use against an online service. This is much more effective since all of the work can be done without triggering any account lockouts, etc. This is what we’ll be focussing on for the purposes of this presentation.
  • #9 Occasionally there will be a news story that an online services has been hacked resulting in the disclosure of users’ details. These details vary depending on the nature of the online service that was hacked and what the hackers were able to access, but can include personal information (DoB, address, etc.), financial information (bank account number, etc.) and authentication information (usernames, password details, etc.). For the purposes of this discussion, we’ll obviously focus on authentication information. Screenshot taken from https://haveibeenpwned.com/PwnedWebsites
  • #11 Very simple. No transformation is made, so the passwords are stored as is.
  • #14 The Vigenere cipher used by Cisco is a modified Caesar cipher with a different shift at each position in the text; the value of the shift is defined using a repeating keyword. For example, “abc” encrypted with the key “bbb” would be “cde”. Microsoft published the AES key on MSDN - https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx#endNote2 A script to decrypt the “cpassword” value in gpp.xml files is included in Kali Linux. Detail here - http://tools.kali.org/password-attacks/gpp-decrypt A script to decrypt (and create) type 7 passwords can be found here - https://www.m00nie.com/2011/09/cisco-type-7-password-decryption-and-encryption-with-perl/
  • #15 If the back-end database is compromised, then so is the key.
  • #16 This seems very complicated, but can be easily described with some images.
  • #17 Hashing, for the purposes of this discussion is similar to encryption. There’s no key to store, so that fixes the primary weakness of reversible encryption The output is always a fixed size making it difficult to determine the original password length It is non-trivial to retrieve the password given its hash But how then do we know that the password provided by the user is the same as the one held by the application?
  • #18 The user selects a password, which the application puts through the hashing algorithm to produce a password hash The password hash is stored
  • #19 The user supplies their username and password The password is put through the hashing algorithm The output from the algorithm is compared to the stored hash for the supplied username if the two are identical, then the user has submitted the correct username and password combination, and logged in
  • #20 Cracking is the term given to process of retrieving plaintext passwords given the password hash. We’ll see why storing both password hashes is bad later.
  • #21 These are hashes taken from a Windows machine. Everything before the ‘:’ character is the LM hash. Here they are unused (hence why they are all the same). Everything after the ‘:’ is the NT hash. We don’t know what kassender’s password, but what can we determine by looking at the password hashes? They’re the same!
  • #23 Very similar to how we created and verified a password, but now we add some random junk. It doesn’t matter that the salt is stored with the hash. It doesn’t need to be kept secret necessarily. It’s simply there to prevent rainbow table attacks.
  • #24 These hashes were generated on a Linux host using the SHA-512 algorithm. This is what the 6 means. The next short string (for example, ryhYU2VU) is the salt. The final longer string is the hash (for example, n.sUKVAQDVa3dVRJiVNUxVAh3BfClhp6SVfi9MlYnFxzDvTGkKRQJFb7WOWeWOJmqWHVNhp5VnC/WXm8jNn.J). Extra considerations for password hashing: You want an algorithm that is unlikely to generate “collisions”. That is, two plaintext values that both create the same hash. For example, if “password” and “really complicated password” create the same hash, then that’s a problem. You want an algorithm that is quite slow. This seems counter intuitive, but a normal user is likely only to need to hash their password when they create it and when they’re logging in. Having a slower algorithm is unlikely to be noticed normally. However, an attacker trying to crack passwords is likely to really notice the additional time as they will trying many different passwords against the same hash.
  • #26 Think of cracking as trying to figure out the recipe required to make a cake when you’ve only been given the cake. It’s impossible to figure out the recipe used to create a cake. Instead you have to try every possible combination of recipes until you get the same cake.
  • #30 “Alien” words are what my children calls nonsense words. The school uses them to help children read unfamiliar words, and are not actual words, but the blending of various n-grams.
  • #31 Source: https://xkcd.com/1068/
  • #35 The key is to choose a password unique to you. Source: https://xkcd.com/936/