1 / 18

Passwords

Passwords. How Safe are They?. Overview. Passwords Cracking Attack Avenues On-line Off-line Counter Measures. Non-Technical Passwords. Non-Technical Passwords. Brute Force Approach Steps 0-0-0 0-0-1 0-0-2 … 9-9-9 Until Found or Start Over. Passwords. Protect Information

shepry
Télécharger la présentation

Passwords

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Passwords How Safe are They?

  2. Overview • Passwords • Cracking • Attack Avenues • On-line • Off-line • Counter Measures

  3. Non-Technical Passwords

  4. Non-Technical Passwords • Brute Force Approach • Steps • 0-0-0 • 0-0-1 • 0-0-2 • … • 9-9-9 • Until Found or Start Over

  5. Passwords • Protect Information • Seen as Secure • Cracking Algorithms All or Nothing • Off by One Same as Not Close • 8 Characters Lower Case 217.1 Billion Combinations • 8 Characters Upper and Lower 221 Trillion • 8 Characters Upper, Lower, and Special 669 Quadrillion

  6. Cracking • Ways to get passwords • Weak Encryption (Lan Man) • Guess • Default password • Blank password • Letters in row on keyboard • User name • Name important to user • Social Engineering

  7. Cracking * Using Brute Force for Every Combination of Characters

  8. Cracking * Wired December 2012

  9. On-Line • Types of Attacks • Dictionary – uses dictionary file • Brute Force – All combinations • Hybrid – Spin off of common passwords (password1 or 1password) • Single Term – Brute Force

  10. On-Line • Password-Based Key Derivation Function Version 2 – PBKDF2 • Heuristic Rules Produces Candidate Passwords • Flushes Out Poorer Choices • Faster than Randomly Chosen Ones

  11. On-Line • Tools • Script Based – Custom, Metasploit, Sniffer • Browser Based (Web Login) • FireFox’s FireForce Extension • Hydra / XHydra

  12. Off-Line • Requires Access to Password Data • Gained Access • SQL Injection • Local File System Access • Long Periods for Success • Many Tools and Techniques

  13. Off-Line • Rainbow Tables (Time Memory Trade Off) • Applies Hashing Algorithms • Uses Dictionary • Accumulated in Brute Force Techniques • Method • Results Saved in Table or Matrix • Compare only Hashed Values • Can Save Time, Uses a Lot of Memory • Needs Lots of Storage Space for Tables / Matrices

  14. Off-Line • Tools • John the Ripper • Cain and Able • Ophcrack (Windows) • Windows Password • FGDump – Retrieves Passwords from SAM • Free On-Line OphCrack • http://www.objectif-securite.ch/en/ophcrack.php

  15. Off-Line • Two parts to Windows Passwords • Called LM1 and LM2 • Separated by ‘:’ • LM1 Contains Password • LM2 Contains Case Information

  16. Off-Line • Windows Password Tests • 49F83571A279997F1172D0580DAC68AA:2B95310914BD52173FA8E3370B9DDB29 • 512DataDrop4u • 83BAC0B36F5221502EDC073793ADCD02:CA49CC1CFF47EAD7E4809AD01FF47F56 • Croi$$ants!

  17. Counter Measures • Longer the Better • Obfuscated Passphrase Best • I Like To Eat Two Tacos! – Il2e#2T • Avoid Hyphens Between Words • Avoid Punctuation at End of Password or Passphrase • Replace Vowels with Number – Maybe • Lock Down System Access • Multi-Factor Authentication

  18. References • http://nakedsecurity.sophos.com/2013/08/16/anatomy-of-a-brute-force-attack-how-important-is-password-complexity/ • http://redmondmag.com/articles/2013/08/14/password-complexity.aspx • Hydra password list • ftp://ftp.openwall.com/pub/wordlists/ • http://gdataonline.com/downloads/GDict/ • http://www.zdnet.com/brute-force-attacks-beyond-password-basics-7000001740/ • http://techfoxy.blogspot.com/2012/01/how-to-hack-website-login-page-with.html • http://spectrum.ieee.org/automaton/robotics/diy/diy-robots-make-bruteforce-security-hacks-possible (MindStorms Robot Book Capture) • http://www.objectif-securite.ch/en/ophcrack.php (On-Line Ophcrack) • http://foofus.net/goons/fizzgig/fgdump/ (FGDump)

More Related