2012 03 The Death of Passwords by Artëm Kazantsev, Duke IT Security

1. The Death of Passwords

2. Dangers to Passwords
● Passwords are “phished”
● Passwords are shared
● Users use dictionary words or “lazy” passwords
● Users reuse password for different sites
● Users recycle passwords or add numbers at the end (BlueDevil#9)
● Passwords can be cracked using:
Brute Force the hashes
AND / OR Rainbow Tables
AND / OR GPU Cracking ...

3. Demo of the GPU cracking
5 characters of mixed cases, characters and
numbers: ~2.5 min brute force of NVidia NVS
3100M (16 cores, 512 Mb)
for comparison,
NVidia card PCI Express - eVGA
Memory clock 4212 MHz Effective. Shader clock 1800 MHz.
Cuda cores 512. Memory 3072MB GDDR5.
~$600

4. Cracking Passwords
d131dd02c5e
d131dd02c5e 6eec4693d9a
Password Guess
HASH
6eec4693d9a 0698aff95c
0698aff95c
Password File
Password Type Using the CPU Using the GPU
6 char (no spec chars) 1 hour 30 sec 4 seconds
7 char (no spec chars) 4 days 17 minutes 30
seconds
7 char (spec chars) 75 days 7 hours
9 char (spec chars) 43 years 48 days

5. 12345 anyone?
“I'm so clever” passwords:
Q1W2E3R4
A!S@D#F$
zxcv/.,m
Aq1Sw2De3Fr4
L33tSp3@K (th3y w1ll n3v3r gu3$$)

6. Dictionary lists, hybrid attacks
and mangle rules
#define RULE_OP_MANGLE_LREST 'l' // lower case all chars
#define RULE_OP_MANGLE_UREST 'u' // upper case all chars
#define RULE_OP_MANGLE_LREST_UFIRST 'c' // lower case all chars, upper case 1st
#define RULE_OP_MANGLE_UREST_LFIRST 'C' // upper case all chars, lower case 1st
#define RULE_OP_MANGLE_TREST 't' // switch the case of each char
#define RULE_OP_MANGLE_TOGGLE_AT 'T' // switch the case of each char on pos N
#define RULE_OP_MANGLE_REVERSE 'r' // reverse word
#define RULE_OP_MANGLE_DUPEWORD 'd' // append word to itself
#define RULE_OP_MANGLE_DUPEWORD_TIMES 'p' // append word to itself N times
#define RULE_OP_MANGLE_REFLECT 'f' // reflect word (append reversed word)
#define RULE_OP_MANGLE_ROTATE_LEFT '{' // rotate the word left. ex: hello -> elloh
#define RULE_OP_MANGLE_ROTATE_RIGHT '}' // rotate the word right. ex: hello -> ohell
#define RULE_OP_MANGLE_APPEND '$' // append char X
#define RULE_OP_MANGLE_PREPEND '^' // prepend char X
#define RULE_OP_MANGLE_DELETE_FIRST '[' // delete first char of word
#define RULE_OP_MANGLE_DELETE_LAST ']' // delete last char of word
#define RULE_OP_MANGLE_DELETE_AT 'D' // delete char of word at pos N
#define RULE_OP_MANGLE_EXTRACT 'x' // delete X chars of word at pos N
#define RULE_OP_MANGLE_INSERT 'i' // insert char X at pos N
#define RULE_OP_MANGLE_OVERSTRIKE 'o' // overwrite with char X at pos N
#define RULE_OP_MANGLE_TRUNCATE_AT '''// cut the word at pos N
#define RULE_OP_MANGLE_REPLACE 's' // replace all chars X with char Y
#define RULE_OP_MANGLE_PURGECHAR '@' // -- not implemented --
#define RULE_OP_MANGLE_DUPECHAR_FIRST 'z' // prepend first char of word to itself. ex:
hello -> hhello
#define RULE_OP_MANGLE_DUPECHAR_LAST 'Z' // append last char of word to itself. ex:
hello -> helloo
#define RULE_OP_MANGLE_DUPECHAR_ALL 'q' // duplicate all chars. ex: hello ->
hheelllloo

7. Rainbow Tables
● http://www.freerainbowtables.com/ (using
BOINC distributed computing for
calculation) (5271 GB as of 02/20/2012)
● RainbowCrack –your local friendly rainbow
tables generator / converter (different
formats of RT) / cracker

8. RainbowCrack Project example
ntlm_mixalpha-numeric#1-9
Hash Algorithm: NTLM
Charset:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
Plaintext Length: 1 to 9
Key Space: 13,759,005,997,841,642 (about 253.6)
Table Pre-computation Effort: 59,476,604,035,792,896 (about
255.7) hash computations
Table Size: 864 GB
That pretty much means the game is over for NTLM
passwords under 10 digits alphanumeric!

9. Methods to Compromise
Defense
Accounts/Passwords
Longer
Accou Mu Netw Host-
Password Attack passwor Regular
nt lti-
Edu
ork based
ds Password cati
locko fac encry securi
(passphr changes on
uts tor ption ty
ases)
Password Cracking
• Dictionary Attack
• Brute Force ✔ ✔ ✔ ✔
• Rainbow Tables
• GPU Cracking
Password Sharing ✔ ✔
Phishing/Social
✔ ✔
Engineering
Man-in-the-Middle
✔ ✔ ✔
Attack
Network Sniffing ✔ ✔ ✔ ✔ ✔
Keylogger ✔
✔
* *(unless digital cert)

10. What is Multi-Factor
• Authentication involves:
– Something you know (e.g. password)
– Something you have (e.g. digital cert, “token”)
– Something you are (e.g. fingerprint, voice pattern)
– Somewhere you are (e.g. GPS or network IP)
• Passwords provide 1 of these items. What if we supported
the use of a second? Or a third?
• Depending on a user role AND the application they are trying
to access we could provide a second factor for authentication

11. Option
Multifactor Options:
Pros Cons
Tokens Industry standard; Token replacement costs;
can implement into if lost, stolen, or not
current available, cannot log-in;
authentication may not be able to log-in
services; can run on from a guest machine;
top of existing ‘seed’ server must be
password policy protected at all costs
Digital Cheapest option (via Only ½ of a factor in some
Certificates Incommon); Least cases; Cert must be
impact to users; can installed on all user
run on top of existing devices; cannot log-in
password policy from a guest machine;
depend on user key
protection
Phone (SMS/QR Similar to tokens; User has to have a phone
tech) low-cost/open source that can take pictures or
options; works well SMS; If phone is lost,
for those that have stolen, or not available,
smart phones; can cannot log-in

12. Passwords Alone Are No
Longer Effective