Passwords How Safe are They?

Upload: jemima-davis

Post on 04-Jan-2016

TRANSCRIPT

Page 1: How Safe are They?. Overview Passwords Cracking Attack Avenues On-line Off-line Counter Measures

Passwords: How Safe are They?

Page 2: Overview

- Passwords
- Cracking
- Attack Avenues
  - On-line
  - Off-line
- Counter Measures

Page 3: Non-Technical Passwords

Page 4: Non-Technical Passwords: Brute Force Approach

Steps: 0-0-0, 0-0-1, 0-0-2, … 9-9-9 (a three-dial lock has only 10 × 10 × 10 = 1,000 settings)

Until found, or start over

Page 5: How Safe are They?. Overview Passwords Cracking Attack Avenues On-line Off-line Counter Measures

PasswordsProtect InformationSeen as Secure

Cracking Algorithms All or NothingOff by One Same as Not Close8 Characters Lower Case 217.1 Billion

Combinations8 Characters Upper and Lower 221 Trillion8 Characters Upper, Lower, and Special 669

Quadrillion

Page 6: Cracking: Ways to Get Passwords

- Weak password hashing (LAN Manager / LM hash: the password is upper-cased and hashed as two independent 7-character halves)
- Guess:
  - Default password
  - Blank password
  - Letters in a row on the keyboard (qwerty, asdf)
  - User name
  - Name important to the user
- Social engineering

Page 7: Cracking: Password Length

Time to try every combination by brute force at about one million guesses per second*:

Length   "Possible"†        All 95 printable characters   Lower case only (26 characters)
3        26                 0.86 second                   0.02 second
4        1,352              1.36 minutes                  0.46 second
5        52,728             2.15 hours                    11.9 seconds
6        1,827,904          8.51 days                     5.15 minutes
7        59,406,880         2.21 years                    2.23 hours
8        1,853,494,656      2.10 centuries                2.42 days
9        56,222,671,232     20 millennia                  2.07 months

* Using brute force for every combination of characters. The times imply a rate of about one million guesses per second: 95³ = 857,375 guesses take 0.86 s, 26⁴ = 456,976 guesses take 0.46 s, and 26⁸ = 208,827,064,576 guesses take 2.42 days. These are worst-case times; on average the password is found after half the keyspace.

† Column as printed on the slide. Its values are neither 26ⁿ nor 95ⁿ (26³ = 17,576, 95³ = 857,375), so derive the times from the alphabet size and the guess rate rather than from this column.
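To check the figures on pages 5 and 7 rather than take them on trust, here is an added calculator (written for this transcript, not part of the original deck). It computes the keyspace for an alphabet and length, the cumulative count for lengths 1 through n that page 5 uses, and the exhaustive-search time at a given guess rate. The rate of one million guesses per second is an assumption read off the slide's own times, and the unit sizes in `humanize` (30.44-day months, 365.25-day years) are this example's choices.

```python
# Added example: brute-force keyspace and exhaustive-search time calculator.
# Not from the original deck. Assumed rate: 1,000,000 guesses/second, which is
# what the slide's own times imply (95^3 = 857,375 guesses in 0.86 s).

ALPHABETS = {
    "lower": 26,                  # a-z
    "lower+upper+digits": 62,     # a-z, A-Z, 0-9
    "printable ASCII": 95,        # every printable character including space
}

def keyspace(alphabet_size, length, up_to=False):
    """Number of candidates of exactly `length` characters, or (up_to=True)
    of every length from 1 to `length`, drawn from `alphabet_size` symbols."""
    if up_to:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size, length, guesses_per_second, up_to=False):
    """Worst-case time to try every candidate; the average find is half of this."""
    return keyspace(alphabet_size, length, up_to) / guesses_per_second

def humanize(seconds):
    """Render a duration in the largest unit that fits, to two decimals."""
    year = 365.25 * 86400
    units = [
        ("millennia", 1000 * year), ("centuries", 100 * year), ("years", year),
        ("months", 30.44 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"

def time_table(lengths, guesses_per_second, alphabet_sizes):
    """One row per length: (length, humanized time for each alphabet size)."""
    return [
        (n, *[humanize(seconds_to_exhaust(a, n, guesses_per_second)) for a in alphabet_sizes])
        for n in lengths
    ]

if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"{name:>20}: 1-8 characters = {keyspace(size, 8, up_to=True):,} candidates")
    for row in time_table(range(3, 10), 1_000_000, [95, 26]):
        print(f"{row[0]} chars: {row[1]:>16} (95 chars)   {row[2]:>14} (26 chars)")
```

Running it reproduces the page 7 columns for 95 and 26 characters and the page 5 totals (217,180,147,158 for 26 characters, 221,919,451,578,090 for 62, 6,704,780,954,517,120 for 95); change the rate to see how a GPU cracking rig at billions of guesses per second collapses the "centuries" entries.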

Page 8: Cracking

* Wired, December 2012

Page 9: On-Line: Types of Attacks

- Dictionary: uses a dictionary (word list) file
- Brute force: all combinations
- Hybrid: spin-offs of common passwords (password1 or 1password)
- Single term: brute force

Page 10: On-Line: Password-Based Key Derivation Function, Version 2 (PBKDF2)

PBKDF2 is a defence, not an attack technique: it derives the stored verifier by iterating a keyed hash (HMAC) many thousands of times over the password and a salt, so every candidate the attacker tests costs the same number of iterations. It matters most off-line, where the attacker holds the hashes; on-line, the network round trip and the server's lockout policy dominate.

Heuristic (rule-based) candidate generation:

- Heuristic rules produce candidate passwords from a word list (case changes, appended digits, substituted characters)
- Flushes out poorer choices faster than randomly chosen candidates would, because people pick the same variants of the same words
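As an added example (written for this transcript, not code from the deck), here are the two ideas of this page side by side: a small rule engine in the style of the hybrid attack on page 9 that mangles one dictionary word into the candidates a cracker would try first, and a PBKDF2-HMAC-SHA256 verifier whose iteration count sets the price of testing each candidate. The mangling rules, the suffix list, the salt, the word list and the demo password `Password1` are constructed for the example; the PBKDF2 call is Python's standard `hashlib.pbkdf2_hmac`.

```python
# Added example, not from the original deck: rule-based candidate generation
# ("hybrid" attack) against a PBKDF2-protected password verifier.
import hashlib
import time

# Constructed mangling rules; real tools (John the Ripper, hashcat) ship far larger rule sets.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = [str(n) for n in range(10)] + ["123", "2012", "2013", "!"]

def hybrid_candidates(word):
    """Yield variants of one dictionary word in the order a cracker would try them:
    the word, capitalised, upper-cased, leet-substituted, then each of those with
    digits and common suffixes appended (password1) or digits prepended (1password)."""
    seen = set()
    for base in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        variants = [base] + [base + s for s in SUFFIXES] + [s + base for s in SUFFIXES if s.isdigit()]
        for cand in variants:
            if cand not in seen:
                seen.add(cand)
                yield cand

def pbkdf2_verifier(password, salt, iterations):
    """Derive the stored verifier: PBKDF2 with HMAC-SHA256 for `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def crack(target, salt, iterations, wordlist):
    """Test every rule-generated candidate; return (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for cand in hybrid_candidates(word):
            guesses += 1
            if pbkdf2_verifier(cand, salt, iterations) == target:
                return cand, guesses
    return None, guesses

def seconds_per_guess(iterations, samples=5):
    """Measured cost of one PBKDF2 evaluation: what the attacker pays per candidate."""
    salt = b"timing-salt"   # constructed
    start = time.perf_counter()
    for i in range(samples):
        pbkdf2_verifier(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / samples

# Constructed demo: the user picked "Password1"; the server stored salt + PBKDF2 output.
DEMO_SALT = b"constructed-salt"
DEMO_ITERATIONS = 1_000          # deliberately low so the demo finishes quickly
DEMO_VERIFIER = pbkdf2_verifier("Password1", DEMO_SALT, DEMO_ITERATIONS)
DEMO_WORDLIST = ["tacos", "password", "welcome"]

if __name__ == "__main__":
    found, guesses = crack(DEMO_VERIFIER, DEMO_SALT, DEMO_ITERATIONS, DEMO_WORDLIST)
    print(f"recovered {found!r} after {guesses} guesses")
    for it in (1_000, 100_000):
        print(f"{it:>7} iterations: {seconds_per_guess(it) * 1000:.1f} ms per guess")
```

The second loop is the point of PBKDF2: raising the iteration count from 1,000 to 100,000 makes each of the attacker's guesses about a hundred times more expensive while a legitimate login still takes a fraction of a second. It does nothing about the word list itself; `Password1` still falls within a few hundred guesses, which is why the rule engine finds it regardless of the iteration count.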

Page 11: On-Line: Tools

- Script based: custom scripts, Metasploit, sniffer
- Browser based (web login):
  - Firefox's FireForce extension
  - Hydra / XHydra

Page 12: Off-Line

- Requires access to the password data (the stored hashes)
- Gained access via:
  - SQL injection
  - Local file system access
- Long periods for success
- Many tools and techniques

Page 13: Off-Line: Rainbow Tables (Time-Memory Trade-Off)

- Applies the hashing algorithm in advance to a dictionary or to a brute-force keyspace, accumulating the results
- Method: results are saved in a table or matrix (a rainbow table stores chains of alternating hash and reduction steps and keeps only each chain's start and end point); the attacker then compares only hashed values instead of re-running the brute force for every captured hash
- Can save time, but uses a lot of memory and needs a lot of storage space for the tables / matrices
- Defeated by per-password salts: a salted scheme would need a separate table for every salt value, which is why unsalted hashes such as LM and NT are the usual targets

Page 14: Off-Line: Tools

- John the Ripper
- Cain & Abel
- Ophcrack (Windows)

Windows passwords:

- FGDump: retrieves password hashes from the SAM
- Free on-line Ophcrack: http://www.objectif-securite.ch/en/ophcrack.php

Page 15: Off-Line: Two Parts to Windows Passwords

- A dumped Windows password record carries two hashes separated by ':'
- The first part (called LM1 on the slide) is the LM hash: the password is upper-cased, padded or truncated to 14 characters and split into two 7-character halves that are hashed independently, so cracking it yields the characters of the password without their case
- The second part (LM2 on the slide) is the NT hash (MD4 over the UTF-16LE password), which preserves case; once the LM hash is cracked, the exact password is recovered by testing case variants against the NT hash

Page 16: Off-Line: Windows Password Tests

LM hash:NT hash                                                     Password
49F83571A279997F1172D0580DAC68AA:2B95310914BD52173FA8E3370B9DDB29   512DataDrop4u
83BAC0B36F5221502EDC073793ADCD02:CA49CC1CFF47EAD7E4809AD01FF47F56   Croi$$ants!

Page 17: Counter Measures

- The longer the better
- An obfuscated passphrase is best: "I Like To Eat Two Tacos!" becomes Il2e#2T
- Avoid hyphens between words
- Avoid punctuation at the end of the password or passphrase (appending a digit or symbol is the first rule a cracker tries)
- Replace vowels with numbers: maybe (leet substitutions such as a→4 and e→3 are standard rules in cracking tools, so on their own they add little)
- Lock down system access (lockouts and rate limits stop on-line guessing)
- Multi-factor authentication
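As an added example (mine, not code from the deck or from Hydra), the browser-based web-login attack of page 11 run against a toy login form on localhost, once with no lockout and once with the "lock down system access" countermeasure from this page: after five failures the account answers with a lockout status and the attack stops. The account `admin`, its password `tacos2013`, the ten-entry word list, the `user`/`pass` form fields and the choice of HTTP 423 for the locked state are all constructed for the demo; the request pattern is the one a Hydra `http-post-form` run would issue.

```python
# Added example, not from the original deck: an on-line dictionary attack against a
# web login form, with and without an account-lockout counter on the server side.
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class LoginHandler(BaseHTTPRequestHandler):
    """Toy POST /login handler. A real service compares salted hashes, not plaintext."""
    def do_POST(self):
        srv = self.server
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode("utf-8"))
        user = form.get("user", [""])[0]
        password = form.get("pass", [""])[0]
        srv.attempts += 1
        if srv.lockout_threshold is not None and srv.failures.get(user, 0) >= srv.lockout_threshold:
            code, body = 423, b"account locked"      # 423 chosen for the demo
        elif srv.users.get(user) == password:
            srv.failures[user] = 0
            code, body = 200, b"welcome"
        else:
            srv.failures[user] = srv.failures.get(user, 0) + 1
            code, body = 401, b"invalid login"
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output quiet
        pass

class LoginServer(HTTPServer):
    def __init__(self, users, lockout_threshold):
        super().__init__(("127.0.0.1", 0), LoginHandler)   # port 0: pick a free port
        self.users = users                          # constructed accounts
        self.lockout_threshold = lockout_threshold  # None = no lockout at all
        self.failures = {}                          # per-account failed-attempt counter
        self.attempts = 0                           # every login request seen

def online_dictionary_attack(url, user, wordlist):
    """Hydra http-post-form style: one POST per candidate, stop on success or lockout."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    for password in wordlist:
        data = urllib.parse.urlencode({"user": user, "pass": password}).encode("ascii")
        try:
            with opener.open(urllib.request.Request(url, data=data), timeout=5) as resp:
                if resp.read() == b"welcome":
                    return password
        except urllib.error.HTTPError as err:
            if err.code == 423:     # lockout tripped; further guesses are wasted
                return None
    return None

# Constructed word list; the real password sits in position 8.
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin",
            "welcome1", "tacos", "tacos2013", "password1", "1password"]

def run_scenario(lockout_threshold, wordlist=WORDLIST, user="admin", secret="tacos2013"):
    """Start a server, run the attack, return (password found or None, requests made)."""
    srv = LoginServer({user: secret}, lockout_threshold)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_address[1]}/login"
    try:
        found = online_dictionary_attack(url, user, wordlist)
    finally:
        srv.shutdown()
        srv.server_close()
    return found, srv.attempts

if __name__ == "__main__":
    print("no lockout   :", run_scenario(None))   # ('tacos2013', 8)
    print("lock after 5 :", run_scenario(5))      # (None, 6)
```

Without a lockout the attack is bounded only by the word list and the network; with one it is over after the threshold plus one request, which is the difference between an on-line attack and the off-line case on page 12, where nothing limits the guess rate but the attacker's hardware. A lockout also gives the defender a signal: five failures followed by a 423 is exactly the line to alert on in the login log.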

Page 18: References

- http://nakedsecurity.sophos.com/2013/08/16/anatomy-of-a-brute-force-attack-how-important-is-password-complexity/
- http://redmondmag.com/articles/2013/08/14/password-complexity.aspx
- Hydra password lists: ftp://ftp.openwall.com/pub/wordlists/ and http://gdataonline.com/downloads/GDict/
- http://www.zdnet.com/brute-force-attacks-beyond-password-basics-7000001740/
- http://techfoxy.blogspot.com/2012/01/how-to-hack-website-login-page-with.html
- http://spectrum.ieee.org/automaton/robotics/diy/diy-robots-make-bruteforce-security-hacks-possible (MindStorms Robot Book Capture)
- http://www.objectif-securite.ch/en/ophcrack.php (On-Line Ophcrack)
- http://foofus.net/goons/fizzgig/fgdump/ (FGDump)