1. So, What’s in a Password?
Rob Gillen
@argodev
This work is licensed under a Creative Commons Attribution 3.0 License.
2. Don’t Be Stupid
The following presentation describes real
attacks on real systems. Please note that
most of the attacks described would be
considered ILLEGAL if attempted on
machines that you do not have explicit
permission to test and attack. I assume no
responsibility for any actions you perform
based on the content of this presentation
or subsequent conversations.
Please remember this basic guideline: With
knowledge comes responsibility.
3. Disclaimer
The content of this presentation
represents my personal views and
thoughts at the present time. This
content is not endorsed by, or
representative in any way of my
employer nor is it intended to be a
view into my work or a reflection on
the type of work that I or my group
performs. It is simply a hobby and
personal interest and should be
considered as such.
5. Pixel Federation
In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text.
http://haveibeenpwned.com/
6. Vodafone
In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS messages, server logs and passwords from a variety of different internal sources.
http://haveibeenpwned.com/
7. Adobe
The big one. In October 2013, 153 million accounts were breached, each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords, adding further to the risk that hundreds of millions of Adobe customers already faced.
http://haveibeenpwned.com/
8. Twitter
February 2013 - This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
https://blog.twitter.com/2013/keeping-our-users-secure
18. How do they work?
• Known file-format/implementation weakness
• Header data to indicate encryption
• Type, keylength, etc.
• Often some small portion to decrypt/validate
• How is it that changing encryption keys is fast?
• Your key encrypts “real” key
20. Password Guessing
#include <stdio.h>
#define maxPassLength 4   /* kept small so a run finishes quickly */
char string1[maxPassLength + 1];
char alphanum[63] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789";
/* Try every alphanumeric at position pos; once the target length is reached, emit the candidate. */
void guess(int pos, int len) {
    if (pos == len) { string1[pos] = '\0'; puts(string1); return; }
    for (int i = 0; i < 62; i++) { string1[pos] = alphanum[i]; guess(pos + 1, len); }
}
/* Every length from 1 up to maxPassLength, which is what the original "for 0 maxLength" loop means. */
int main(void) { for (int len = 1; len <= maxPassLength; len++) guess(0, len); return 0; }
21. Slightly Better…
#include <ctype.h>
#include <string.h>
int min = 8;
int max = 12;
char valid[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789";
/* known rules:
   - first & last must be char (read here as: must be a letter, not a digit)
   - no consecutive-ordered chars/nums (e.g. "ab", "12")
   - no repeated chars/nums (e.g. "aa", "11")
   Returns 1 when a candidate obeys them all, so only those candidates are worth trying. */
int obeys_rules(const char *pw) {
    int n = (int)strlen(pw);
    if (n < min || n > max) return 0;
    if (!isalpha((unsigned char)pw[0]) || !isalpha((unsigned char)pw[n - 1])) return 0;
    for (int i = 1; i < n; i++) {
        if (pw[i] == pw[i - 1]) return 0;        /* repeated */
        if (pw[i] == pw[i - 1] + 1) return 0;    /* consecutive-ordered */
    }
    return 1;
}
23. Image courtesy of xkcd.com (http://imgs.xkcd.com/comics/password_strength.png)
24. (more) Intelligent Password Guessing
• What do people usually use?
• What can we do to reduce the set of possibilities?
• Cull terms/domain knowledge from relevant data
• Dating sites, religious sites, others
Best: Already used/real-world passwords
25. Determine your goals
• Cracking a single, specific pwd?
• Cracking a large % of an “acquired set”?
26.
• Mark Burnett, author of Perfect Passwords
• List of 6,000,000, culled down to 10,000 most frequently used
• Top 10,000 passwords are used by 98.8% of all users
• 2,342,603 (that’s 99.6%) unique passwords remaining that are in use by only .18% of users!
https://xato.net/passwords/more-top-worst-passwords/
34. Levenshtein Edit Distance
• Minimum number of changes required to change one string into another
• Measure distance between actual words and cracked list to optimize the word mangling rules
• i.e. XX% of words can be achieved with Levenshtein edit distance of <=2
• Only generate rules that match
http://www.let.rug.nl/~kleiweg/lev/
http://www.kurzhals.info/static/samples/levenshtein_distance/
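As an added example (not code from the slides), this is the measurement the bullets describe: a Levenshtein implementation, then the share of a cracked set that lies within distance 2 of a base wordlist, which is the number that tells you which mangling rules are worth keeping in a password audit. Both lists are constructed sample data.

```python
# Added example: Levenshtein distance between a cracked-password set and a base wordlist.
# WORDS and CRACKED below are constructed sample data, not from any real breach.

def levenshtein(a: str, b: str) -> int:
    """Minimum number of insertions, deletions and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]

def nearest_word(pw: str, words) -> tuple:
    """(distance, base word) of the closest wordlist entry; comparison is case-insensitive."""
    return min(((levenshtein(pw.lower(), w), w) for w in words), key=lambda t: t[0])

def coverage(cracked, words, max_dist: int = 2):
    """Fraction of cracked passwords within max_dist of some base word, plus the per-password match."""
    hits = {pw: nearest_word(pw, words) for pw in cracked}
    covered = [pw for pw, (d, _) in hits.items() if d <= max_dist]
    return len(covered) / len(cracked), hits

WORDS = ["monkey", "password", "dragon", "letmein", "football"]
CRACKED = ["monkey1", "Monkey!", "passw0rd", "dragon2013", "letmein", "Xk9#pL2q", "footbal"]

if __name__ == "__main__":
    frac, hits = coverage(CRACKED, WORDS)
    for pw, (d, w) in hits.items():
        print(f"{pw:12s} -> {w:10s} d={d}")
    print(f"{frac:.0%} of the cracked set is within edit distance <= 2 of a base word")
```

Passwords like "dragon2013" (distance 4) are the ones a simple append-a-digit rule misses, so the per-password distances, not just the percentage, are what guide which rules to add.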
35. What if I don’t have your Password?
• Pass the Hash
• Demo
• But We use Smart Cards!?
36. Avoidance Techniques
• Don’t use “monkey”
• Don’t reuse “monkey”
• If you must use monkey, require
something else as well
• Salt is good
• Your own salt is better
• Utilize memory-hard algorithms
• Utilize multiple iterations (a lot)
• Your username is half of the equation