Objectives - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Objectives' - ernie

Presentation Transcript

  • Explore the current authentication problem

  • Explain current anatomy and security of traditional single factor authentication

  • Demonstrate Tools, Techniques, and Strategies for recovering encrypted passwords

  • Discuss password recovery resistance methodology

  • Discuss new authentication alternatives and technologies

Recent Enterprise Password Fails

LinkedIn/E-Harmony (June 6th 2012)

  • Passwords believed to be leaked by Russian Hacker

  • 165,000 passwords cracked in first week

  • Most used passwords: link, 1234, work, god, job

    Yahoo (July 11th 2012)

  • Password leaked by group called D33Ds

  • Usernames and Passwords in clear text

  • Over 100,000 Gmail addresses included with leak

    Twitter (Feb 1st 2013)

  • Usernames, email addresses, session tokens, and the encrypted and salted versions of passwords were compromised

  • Attack was reported to be sophisticated and hinted at a Java plug-in exploit

2013 Verizon *DBIR Findings

*Data Breach Investigation Report

The Historic Password Problem

Access Control Using Single Factor Authentication

  • Passwords exist to deter unauthorized access

  • Passwords stored locally to ensure access

  • Passwords are the traditional keys to the kingdom

  • Accidental access or authentication bypass put passwords at risk

  • Originally passwords kept in clear text file

  • Encryption added to make password file pillaging less effective

How Modern Passwords Work

Passwords are stored in an Encrypted Hash Format

  • There is a guaranteed 1-to-1 correlation between password and encrypted hash

  • The hashing algorithm is irreversible

  • Vulnerable to password guessing and brute force attacks

    Some Password Hashing Examples:

    The SHA1 for Bsides is = 8215350dfd7b6a15af09798f1d3e754da1e3c2fe

    The MD5 for Bsides is = 474c302dd6c73aeb2bfbeccef0da8adf

How Access is Granted for a User

Type in Username and Password->Press “Enter”

  • The Computer will generate an encrypted hash of the password typed

  • Then compares this hash with the one stored on the machine for the specific user

  • If they match access is granted

  • If they are different user is asked to try again

Type Password (Ex. Bsides)

  -> Calculate Hash (MD5): Bsides = 474c302dd6c73aeb2bfbeccef0da8adf

  -> Does Hash Match?

  -> Access Granted

How Password Complexity Works

Password authentication results from a subset of combinations from the following characters:

Lowercase = 26 Characters (abc….xyz)

Uppercase = 26 Characters (ABC…XYZ)

Numbers = 10 Characters (123…890)

Special characters < ~33 Characters (!@#...^&*)

(26 + 26 + 10 + 33) = 95 Character Total

How Password Length Works

Let: T = total combinations of possible passwords

L = length of the password

C = number of unique character keys that can be used

The total number of possible passwords (every length from 1 up to L) can be modeled by:

T = C^L + C^(L-1) + ... + C^1

7675309 (10 keys): 10^7 + 10^6 + 10^5 + 10^4 + 10^3 + 10^2 + 10^1 = 11,111,110

bsides (26 keys): 26^6 + 26^5 + 26^4 + 26^3 + 26^2 + 26^1 = 8,353,082,582

Bsides (52 keys): 52^6 + 52^5 + 52^4 + 52^3 + 52^2 + 52^1 = 1,048,229,971,204

Bs!des (95 keys): 95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95^1 = 65,545,047,154,954

How Passwords Are Compromised

Some Tools of the Trade

Cain and Abel – Windows GUI based Password Cracker

John the Ripper – Multiplatform command line Cracker

HashCat – Multi-platform, GUI, Multi-GPU Cracker

THC Hydra - A fast network authentication cracker

PWDump - extracts NTLM and LanMan hashes


Obtain and Dump Windows Credentials into Password Cracking Program

  • NT hash - Full 95 Characters

  • LM hash - Not Case sensitive, 14 Char Max (2 blocks of 7 characters)

Inherent Password Problems

  • LM hashes store up to 14 character passwords by concatenating two groups of 7 characters

Recovery Sequencing

Minimizing Time to Recover (Fastest to Slowest)

1) Dictionary Attack/Password Guessing

2) Brute force (Least Energy Calculation Sequencing)

2.1) Numbers (10)

2.2) Lowercase (26)

2.3) Lowercase + Numbers (36)

2.4) Lowercase + Uppercase (52)

2.5) Lowercase + Uppercase + Numbers (62)

2.6) Lowercase + Uppercase + Numbers + Special Characters (95)

Dictionary Recovery Tricks

Millions of users passwords are aggregated and studied for use and frequency patterns

  • Dictionaries are built on password popularity instead of alphabetical (A to Z) ordering

  • Specialized word lists available via the web

  • These patterns then can be automated to increase the likelihood of cracking a password.

  • Here are some of Cain and Abel’s advanced dictionary attack techniques for success.

Advanced Dictionary Techniques

Online Services: Cloud-based Dictionary Attack for Fee

  • Moxie Marlinspike’s Cloud Cracker

  • Dictionary LM/NTLM = 385,000,000,000,000 words

Brute Force Recovery (10)

  • 8 Digits – 20 seconds or less (Ex. Birthday)

  • 9 Digits – 2 minutes or less (Ex. SSN)

  • 10 Digits – 20 minutes or less (Ex. Phone # with Area code)

  • 11 Digits – 4 hours or less

Brute Force Lowercase (26)

  • 7 Characters - 17 minutes or less

  • 8 Characters - 7 hours or less

  • 9 Characters - 7 days or less

  • 10 Characters - 220 days or less

More Brute Force Calculations

Uppercase + Lowercase

  • 7 Characters – 1.4 days or less

  • 8 Characters - 85 days or less

  • 9 Characters – 10 years or less

  • 10 Characters - 570 years or less

    Upper + Lower + Numbers

  • 7 Characters – 5 days or less

  • 8 Characters - 300 days or less

  • 9 Characters – 53 years or less

  • 10 Characters - 3000 years or less

Even More Brute Force Calculations

Brute Force Upper + Lower + Numbers + Special Characters

  • 7 Characters – 5 days or less

  • 8 Characters - 300 days or less

  • 9 Characters – 53 years or less

  • 10 Characters - 3000 years or less

Brute Force Advanced Techniques

Rainbow Tables:

  • Pre-calculated hash values kept in Dictionary for Speed

  • Time/Space Trade off

    • Larger searches increase in size exponentially

Removing Restricted Password Lengths

- Corporate Password Policy states minimum password must be 8 characters or greater (62-character set: upper + lower + numbers)

  • All lengths 1 through 8: 62^1 + 62^2 + ... + 62^8 = 221,919,451,578,090

  • Length 8 only: 62^8 = 218,340,105,584,896


    A reduction of 3,579,345,993,194 possibilities

    However this is only 2% overall

Brute Force Advanced Techniques

  • Key Casting:

    • Studies by August Dvorak as far back as 1936 noted that some keys are used more than others:

      Here was the order of most used letter to least used letters:

      E T A O I H N S R D L U W G C Y M F P B K V Q X J Z

Reducing the Key Space: Wheel of Fortune Recovery Methodology

  • Full alphabet abcdefghijklmnopqrstuvwxyz (26 keys)

    • 8 Characters

    • 217,180,147,158 combinations

  • Reduced alphabet acdefghilmnorstuwy (18 keys), removed pbkvqxjz

    • 9 Characters

    • 210,027,483,918 combinations

Floor vs. Ceiling Key Space Complexity

mississippi - Lower Case

Maximum Character Space = 26 keys

(26^11 + ... + 26^1) = 3,817,158,266,467,286 Combinations

Minimum Character Space = 4 Characters = “MISP”

(4^11 + ... + 4^1) = 5,592,404 Combinations

Time To Crack = 1 Second!

So Passwords are Weak... Now What?

Be Dictionary Recovery/Crack Resistant

Brute Force Password Resistance

Improve Minimum Floor Combination Space

Maximum number of combinations (i.e., strength of the password) happens when:

# of unique Characters = Length of the Password

i.e., when C = L in T = C^L

This means passwords with no repeating characters are inherently harder to crack because they are more resistant to key space reduction techniques.

Ex. Floor combination space for utah (4 unique characters) > Floor combination space for ohio (3 unique characters)

4^4 > 3^4

Length Trumps Complexity

Recall that password strength, T, is modeled by: T = C^L

where L is the length of the password and

C is the number of unique characters used

With this model, a slight change to the exponent, L, will have a much more significant impact on T than will a similar change to the base, C.

For example, compare the following changes:

10^3 = 1000 but 10^4 = 10000, compared to 10^3 = 1000 but 11^3 = 1331

Thus, it is always more advantageous to increase the length of the password over increasing the number of character options available.

  • 10 Character password minimum

  • Special Characters

  • Unique Characters

  • 15 Character passwords will break LM hashing
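The key-space arithmetic used throughout the length, "removing restricted lengths", "wheel of fortune", "floor vs. ceiling" and "length trumps complexity" slides, as an added example (not code from the presentation). It models both the single-length space T = C^L and the cumulative space over lengths 1..L that the slides' worked numbers actually use; the function names are this example's own.

```python
# Added example: key-space calculations behind the slides' numbers.
# T = C^L counts passwords of exactly length L from C keys; the slides' totals
# sum that over every length from 1 up to L, so both forms are provided.

def keyspace(c: int, length: int) -> int:
    """Passwords of exactly `length` characters drawn from `c` keys: C^L."""
    return c ** length

def cumulative_keyspace(c: int, max_len: int, min_len: int = 1) -> int:
    """Passwords of every length from min_len to max_len: C^min + ... + C^max."""
    return sum(c ** n for n in range(min_len, max_len + 1))

def floor_keyspace(password: str) -> int:
    """'Floor' (minimum) key space: only the characters actually used count,
    so C = number of unique characters and L = len(password)."""
    return keyspace(len(set(password)), len(password))

def policy_reduction(c: int, min_len: int, max_len: int):
    """What a published minimum length gives away: the full space (lengths
    1..max), the space that remains (lengths min..max) and the fraction pruned."""
    full = cumulative_keyspace(c, max_len)
    remaining = cumulative_keyspace(c, max_len, min_len)
    return full, remaining, 1 - remaining / full

if __name__ == "__main__":
    # mississippi: ceiling of 26 keys vs. floor of 4 unique keys ("misp")
    print(cumulative_keyspace(26, 11), cumulative_keyspace(4, 11))
    # Dropping the 8 rarest letters (pbkvqxjz) buys a 9th character for about
    # the same work as 8 characters over the full alphabet
    print(cumulative_keyspace(26, 8), cumulative_keyspace(18, 9))
    # Exponent beats base: 10^4 vs 11^3
    print(keyspace(10, 4), keyspace(11, 3))
```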

Establish Multiple Passwords

Develop an easy general rule to make passwords unique to each of your accounts


- Incorporate the URL into each of your passwords.

- This will make each password unique

- Increase the length of your base word

- Also add Complex Noise

- Creates enclave protection, a defense-in-depth practice


Gmail account = gma##Fluffy1 or Fluffy1@g#m#a

Yahoo account = hay##Fluffy1 or Fluffy1@h#a#y

Consider a Password Vault Service

One Password to rule them all

Here is a list of some of the most popular services:

- KeePass(Windows/Mac/Linux/Mobile, Free)

- RoboForm (Windows, Basic: Free/Pro: $29.95)

- LastPass (Windows/Mac/Linux/Mobile, Basic: Free/Premium: $1/month)

- SplashID (Windows/Mac/Mobile, Desktop: $19.95/Mobile: $9.95)

- 1Password (Mac OS X/iPhone, Desktop: $39.95/iPhone:$14.95)

Fixing the Problem

Take the user out of the equation

Security GPOs for Windows / PAM for *nix (Linux/Unix)

  • (9-10) Min Char Length

  • Enforce Complexity

  • (90 -180) Day Password Expire

2012 Worst Passwords

1) password

2) 123456

3) 12345678

4) abc123

5) qwerty

6) monkey

7) letmein

8) dragon

9) 111111

10) baseball

11) iloveyou

12) trustno1

13) 1234567

14) sunshine

15) master

Salt and Encrypt Stored Credentials

  • bcrypt: a variant of the Blowfish encryption algorithm

  • Extremely slow to calculate hashes

    • This makes recovery/cracking slow

  • Implementations written in:

    • Java, Python, C, C#, Ruby, Perl, PHP 5.3+ and many other languages
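The unsalted MD5 check drawn on the "How Access is Granted" slide, beside a salted, deliberately slow verifier of the kind this slide recommends, as an added example (not the presentation's code). bcrypt is not in the Python standard library, so PBKDF2-HMAC from hashlib stands in as the slow hash; the function names and the record format are this example's own.

```python
# Added example: weak unsalted MD5 verification vs. salted slow-hash verification.
import hashlib
import hmac
import os
from typing import Optional

# --- weak form: one unsalted MD5 per password, the flow the slide draws ---
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def md5_verify(password: str, stored_hex: str) -> bool:
    # Same password -> same hash for every user, so one precomputed table
    # (rainbow table) or one cracked hash covers all of them.
    return md5_store(password) == stored_hex

# --- hardened form: random per-user salt plus a deliberately slow derivation ---
ITERATIONS = 200_000  # work factor; raise it as hardware gets faster

def slow_store(password: str, salt: Optional[bytes] = None,
               iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Keep scheme and parameters with the hash so the work factor can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def slow_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # Two users with the same password: identical MD5s, different slow hashes.
    print(md5_store("Bsides") == md5_store("Bsides"))
    print(slow_store("Bsides") == slow_store("Bsides"))
```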

Compromise Detection Strategies

Honey Passwords

  • Seed the Cached Credentials with a few fake users with low privileges and easier to crack passwords for the fictitious users.

  • Create log rules for login or attempted logins from those users

  • If someone tries to log in, or does log in, as “Mickey Mouse”, you have a positive indicator of possible compromise of stored credentials

    Warning: May be susceptible to privilege escalation…must monitor diligently
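The "log rules for logins from those users" step, as an added example (not the presentation's code): detection logic run over a few constructed log lines. The decoy account names, the log layout and the severity labels are this example's own assumptions.

```python
# Added example: alerting on any authentication event against honey accounts.
import re
from collections import Counter

# Constructed decoy accounts: low privilege, never used by any real person or job.
HONEY_USERS = {"mickey.mouse", "svc_backup2"}

# Constructed sample log in an assumed "timestamp user= result= src=" layout.
SAMPLE_LOG = """\
2013-03-01T08:02:11Z user=alice result=success src=10.0.0.12
2013-03-01T08:03:40Z user=bob result=failure src=10.0.0.14
2013-03-01T23:15:02Z user=mickey.mouse result=failure src=203.0.113.9
2013-03-01T23:15:05Z user=mickey.mouse result=success src=203.0.113.9
2013-03-01T23:16:00Z user=svc_backup2 result=failure src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\w+) src=(?P<src>\S+)$")

def parse(log_text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def honey_alerts(log_text: str, honey_users=HONEY_USERS):
    """Any event against a decoy account is an alert: a failed attempt means the
    account list has leaked, a success means its hash was cracked as well."""
    alerts = []
    for ev in parse(log_text):
        if ev["user"].lower() in honey_users:
            ev["severity"] = "critical" if ev["result"] == "success" else "high"
            alerts.append(ev)
    return alerts

def sources_to_review(alerts):
    """Sources seen against decoys, to pivot into the rest of their activity
    (the privilege-escalation caveat on the slide)."""
    return Counter(a["src"] for a in alerts)

if __name__ == "__main__":
    found = honey_alerts(SAMPLE_LOG)
    for a in found:
        print(a["severity"], a["ts"], a["user"], a["src"])
    print(sources_to_review(found))
```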

Strong Multi-Factor Authentication

3 Types of Authentication

What You Have

  • ID Card

  • Security Token

  • Software Token

  • Phone

  • Cell phone

What You Are

  • Fingerprint

  • Retinal Pattern

  • DNA Sequence

  • Signature

  • Face

  • Voice

  • Other biometric identifiers.

What You Know

  • Password

  • Passphrase

  • PIN

  • Challenge Response

  • Pattern

2-Step != 2-Factor Authentication

2-Factor Authentication

Must use at least two of the three authentication types

2-Step Verification

Can be the same type of authentication

Hard Tokens – Strongest, Most Expensive Protection

  • Hard Token is difficult to hack/compromise

  • Must have the token to sign in

  • High cost to purchase and maintain….must weigh security versus cost

  • Weakness is keeping the private certificate secure….onus on vendor

RSA SecureID Token

Smart Cards


Soft Tokens – Good Protection at a Reasonable Price

  • Companies save money on purchasing hard tokens

  • Works well with BYOD and cellular environments

  • Cheaper than hard tokens to implement and maintain

  • Weakness is if both devices become compromised then credentials can be stolen.

2FA Application Development

Google Authenticator

  • An open source project

  • Supports both the HOTP and TOTP algorithms

    • *HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226

    • Time-based One-time Password (TOTP) algorithm specified in RFC 6238

  • Modules and Apps available for:

    • PC

    • Android

    • iOS

    • Blackberry

    • PAM Module

*Hash-based Message Authentication Code

The Future of 2FA?

  • MasterCard Piloting new credit card in Singapore referenced as the "next generation of payment cards."

  • Display Card has an LCD screen and touch-sensitive buttons for one-time password (OTP).

  • OTPs supplied by text messages or hardware token.

The Future of 2FA?

  • Brainwave-based computer authentication

  • Electroencephalograms (EEGs), or brainwave measurements, for computer authentication

Conclusion: 2FA - Knowledge Is Power!


References

Background Photo obtained from - http://freestockphotos.com/

Graphics Created with – http://www.blender.org/

LinkedIn/E-Harmony breach http://articles.washingtonpost.com/2012-06-07/business/35462356_1_million-passwords-linkedin-passwords-linkedin-app

Most popular cracked LinkedIn passwords - http://mashable.com/2012/06/08/linkedin-stolen-passwords-list/

Yahoo breach - http://abcnews.go.com/blogs/technology/2012/07/yahoo-password-breach-includes-gmail-hotmail-and-aol-users/

Twitter breach - http://www.theregister.co.uk/2013/02/02/twitter_breach_leaks_user_data/

Verizon DBIR - http://www.verizonenterprise.com/DBIR/2013/

Cain and Abel - http://www.oxid.it/cain.html

John The Ripper - http://www.openwall.com/john/

THC Hydra - http://www.thc.org/thc-hydra/

HashCat - http://hashcat.net/oclhashcat-plus/

PWDump - http://www.foofus.net/~fizzgig/pwdump/

Numerous Eye Candy Photo Credit - http://www.freedigitalphotos.net

Cloud Cracker - https://www.cloudcracker.com

Downloadable RainbowTables – https://tbhost.eu/rt.php


Keyboard Frequency Pic - http://img.gawkerassets.com/img/1854qtk80dduyjpg/original.jpg

August Dvorak Keyboard Studies - http://en.wikipedia.org/wiki/Dvorak_Simplified_Keyboard

2012 Worst Passwords - http://splashdata.com/press/PR121023.htm

Setting Windows Password Policy -http://technet.microsoft.com/en-us/library/cc875814.aspx

Two Factor Auth Wiki - https://en.wikipedia.org/wiki/Multi-factor_authentication

MasterCard 2FA Card - http://www.theage.com.au/technology/technology-news/new-credit-card-has-lcd-screen-touchsensitive-buttons-20121109-2923y.html

Brain wave Passwords - http://phys.org/news/2013-04-password-future-passthoughts.html

Google Authenticator - http://code.google.com/p/google-authenticator/

Thank You!


Email: RabidSecurity@gmail.com

Twitter: @rabidsecurity