Passwords - PowerPoint PPT Presentation
Presentation Transcript

  1. Passwords: How Safe Are They?

  2. Overview
  • Passwords
  • Cracking
  • Attack Avenues
    • On-line
    • Off-line
  • Countermeasures

  3. Non-Technical Passwords

  4. Non-Technical Passwords
  • Brute Force Approach
  • Steps
    • 0-0-0
    • 0-0-1
    • 0-0-2
    • …
    • 9-9-9
  • Until Found or Start Over

  5. Passwords
  • Protect Information
  • Seen as Secure
  • Cracking Algorithms Are All or Nothing
  • Off by One Is the Same as Not Close
  • 8 Characters, Lower Case: 217.1 Billion Combinations
  • 8 Characters, Upper and Lower: 221 Trillion
  • 8 Characters, Upper, Lower, and Special: 669 Quadrillion

  6. Cracking
  • Ways to Get Passwords
    • Weak Encryption (LAN Manager)
    • Guess
      • Default Password
      • Blank Password
      • Letters in a Row on the Keyboard
      • User Name
      • Name Important to the User
    • Social Engineering

  7. Cracking
  • Using Brute Force for Every Combination of Characters

  8. Cracking
  • Wired, December 2012

  9. On-Line
  • Types of Attacks
    • Dictionary – Uses a Dictionary File
    • Brute Force – All Combinations
    • Hybrid – Spin-off of Common Passwords (password1 or 1password)
    • Single Term – Brute Force
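The hybrid attack on this slide works because a cracker's rule set turns one dictionary word into hundreds of candidates: case changes, digits or symbols appended or prepended, letters swapped for look-alike characters. The defender's mirror image is a password-acceptance check that undoes those same mutations before looking the result up in a wordlist, so that password1, 1password and P@ssw0rd! are all rejected as variations of password. The Python below is an added example written for this page, not code from the presentation; the six-word DICTIONARY, the LEET substitution map and the 12-character minimum are constructed assumptions standing in for a real wordlist (such as the openwall lists the deck references) and a real policy.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for a real wordlist (assumption: a production check would load
# a large list such as the openwall wordlists referenced on the slides).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty"}

# Look-alike substitutions that hybrid rules apply and that this check reverses.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed policy value


def candidate_cores(candidate: str):
    """Return the plain words a hybrid rule could have built the candidate from.

    Lower-cases, strips leading/trailing runs of digits and symbols (password1,
    1password, welcome!!), and reverses look-alike substitutions (P@ssw0rd);
    every intermediate form is kept so that either mutation alone is also caught.
    """
    lowered = candidate.lower()
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {lowered, trimmed, lowered.translate(LEET), trimmed.translate(LEET)}


def dictionary_root(candidate: str) -> Optional[str]:
    """Return the dictionary word the candidate is a trivial variation of, if any."""
    for form in candidate_cores(candidate):
        if form in DICTIONARY:
            return form
    return None


def evaluate(candidate: str) -> Tuple[bool, str]:
    """Accept or reject a proposed password with a reason the user can act on."""
    root = dictionary_root(candidate)
    if root is not None:
        return False, f"variation of the dictionary word '{root}'"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    for sample in ["password1", "1password", "P@ssw0rd!", "Croi$$ants!", "correct horse battery"]:
        print(f"{sample!r}: {evaluate(sample)}")
```

The check is deliberately cheap: it normalizes the candidate rather than generating every mutation of every dictionary word, so it scales with the size of the candidate, not the wordlist.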

  10. On-Line
  • Password-Based Key Derivation Function Version 2 – PBKDF2
  • Heuristic Rules Produce Candidate Passwords
  • Flushes Out Poorer Choices
  • Faster than Randomly Chosen Ones

  11. On-Line
  • Tools
    • Script Based – Custom, Metasploit, Sniffer
    • Browser Based (Web Login)
      • Firefox's FireForce Extension
    • Hydra / XHydra
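Slides 9 to 11 describe on-line attacks, which a defender sees as a burst of failed logins: many attempts against one account from one source (brute force or dictionary), or a guess or two against many accounts from one source (password spraying). The Python below is an added example, not code from the presentation; it runs a sliding-window check over a constructed sshd-style log excerpt (the hostname, addresses, ports and thresholds are made up for the example) and returns the sources that cross either threshold, the kind of rule a login-monitoring job or SIEM applies before locking the account or blocking the source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sshd-style log excerpt (hostname, addresses and ports are made up).
SAMPLE_LOG = """\
Jan 12 10:00:01 bastion sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:03 bastion sshd[2312]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 12 10:00:04 bastion sshd[2313]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 12 10:00:05 bastion sshd[2314]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 10:00:07 bastion sshd[2315]: Failed password for invalid user admin from 203.0.113.5 port 51237 ssh2
Jan 12 10:00:09 bastion sshd[2316]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Jan 12 10:00:10 bastion sshd[2317]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2
Jan 12 10:00:12 bastion sshd[2318]: Failed password for dave from 192.0.2.10 port 39000 ssh2
Jan 12 10:00:13 bastion sshd[2319]: Accepted password for dave from 192.0.2.10 port 39000 ssh2
Jan 12 10:00:15 bastion sshd[2320]: Failed password for carol from 198.51.100.7 port 40003 ssh2
Jan 12 10:00:16 bastion sshd[2321]: Failed password for invalid user admin from 203.0.113.5 port 51239 ssh2
"""

FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, user, source_ip) from failed-login lines; other lines are ignored."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog lines carry no year
            events.append((ts, m.group(2), m.group(3)))
    return events


def detect(lines: List[str], window_seconds: int = 60,
           max_failures: int = 5, spray_users: int = 3) -> List[Tuple[str, str, int]]:
    """Return (alert_type, source_ip, count) for sources that, inside one window, either
    fail max_failures times (brute force / dictionary) or fail against spray_users distinct
    accounts (password spraying). Each source is reported once per alert type."""
    events = sorted(parse_failures(lines))
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # source_ip -> [(timestamp, user)] still inside the window
    raised = set()
    alerts = []
    for ts, user, ip in events:
        bucket = recent[ip]
        bucket.append((ts, user))
        while bucket and bucket[0][0] < ts - window:   # drop entries older than the window
            bucket.pop(0)
        distinct_users = {u for _, u in bucket}
        if len(bucket) >= max_failures and ("brute_force", ip) not in raised:
            raised.add(("brute_force", ip))
            alerts.append(("brute_force", ip, len(bucket)))
        if len(distinct_users) >= spray_users and ("password_spray", ip) not in raised:
            raised.add(("password_spray", ip))
            alerts.append(("password_spray", ip, len(distinct_users)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, 203.0.113.5 trips the brute-force rule on its fifth failure against admin and 198.51.100.7 trips the spray rule on its third distinct account; the single failure from 192.0.2.10 followed by a success is the normal typo and raises nothing. Spraying is the reason to count distinct accounts per source and not only failures per account: a per-account lockout never fires when each account sees one guess.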

  12. Off-Line
  • Requires Access to Password Data
  • Gained Access
    • SQL Injection
    • Local File System Access
  • Long Periods for Success
  • Many Tools and Techniques

  13. Off-Line
  • Rainbow Tables (Time-Memory Trade-Off)
    • Applies Hashing Algorithms
    • Uses Dictionary
    • Accumulated in Brute Force Techniques
  • Method
    • Results Saved in Table or Matrix
    • Compare Only Hashed Values
    • Can Save Time, Uses a Lot of Memory
    • Needs Lots of Storage Space for Tables / Matrices
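A rainbow table is the time-memory trade-off on this slide made concrete: instead of storing every (password, hash) pair, the table stores only the start and end of long chains that alternate hashing with a "reduction" back into the password space, so building it costs one pass of brute force and each later lookup costs a few chain walks. The Python below is an added teaching example written for this page, not code from the presentation or from Ophcrack; it builds a tiny table over 4-digit PINs with MD5 (the keyspace, chain length, reduction function and start points are all constructed choices), recovers a PIN from its unsalted hash, and then shows that a per-user salt (here a made-up value) makes the same table useless, which is why a salt together with a slow hash is the standard defense.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

SPACE = 10_000   # toy keyspace: PINs 0000-9999 (assumption for the example)
CHAIN_LEN = 20   # hashes per chain; real tables use thousands


def H(pin: str) -> str:
    """The unsalted hash the table is built against (MD5 in this toy)."""
    return hashlib.md5(pin.encode()).hexdigest()


def R(digest: str, position: int) -> str:
    """Reduction: map a digest back to some PIN. Mixing in the chain position keeps
    two chains that collide at different positions from merging permanently."""
    return f"{(int(digest[:8], 16) + position) % SPACE:04d}"


def build_table(starts: Iterable[str]) -> Dict[str, List[str]]:
    """Walk each chain start -> R(H(.),0) -> R(H(.),1) ... and keep only endpoint -> starts."""
    table = defaultdict(list)
    for start in starts:
        pin = start
        for position in range(CHAIN_LEN):
            pin = R(H(pin), position)
        table[pin].append(start)
    return table


def lookup(table: Dict[str, List[str]], target: str) -> Optional[str]:
    """Recover the PIN whose H() is target, or None if no stored chain covers it."""
    for position in range(CHAIN_LEN - 1, -1, -1):   # guess where in a chain target sits
        pin = R(target, position)
        for later in range(position + 1, CHAIN_LEN):
            pin = R(H(pin), later)
        for start in table.get(pin, []):             # endpoint matched: rebuild that chain
            candidate = start
            for step in range(CHAIN_LEN):
                if H(candidate) == target:
                    return candidate
                candidate = R(H(candidate), step)
    return None                                      # false alarm from a merge, or not covered


def salted_hash(salt: bytes, pin: str) -> str:
    """What the defender stores instead: the salt changes every input, so chains
    precomputed over H() never pass through the stored value."""
    return hashlib.md5(salt + pin.encode()).hexdigest()


# 400 chain starts spread over the keyspace (constructed; real tables use random starts).
STARTS = [f"{s:04d}" for s in range(0, SPACE, 25)]
TABLE = build_table(STARTS)

if __name__ == "__main__":
    print("unsalted:", lookup(TABLE, H("0025")))                      # recovered
    print("salted:  ", lookup(TABLE, salted_hash(b"u7!q", "0025")))   # None
```

The table holds at most 400 endpoints yet can answer lookups for up to 8,000 PINs, which is the memory saving the slide describes; the price is that merged chains leave gaps in coverage and every lookup costs hundreds of hash computations. A salt defeats the trade-off outright: the table would have to be rebuilt for every distinct salt, and with a per-user random salt that is one full brute-force pass per user.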

  14. Off-Line
  • Tools
    • John the Ripper
    • Cain and Abel
    • Ophcrack (Windows)
    • Windows Password
      • FGDump – Retrieves Passwords from SAM
    • Free On-Line Ophcrack
      • http://www.objectif-securite.ch/en/ophcrack.php

  15. Off-Line
  • Two Parts to Windows Passwords
    • Called LM1 and LM2
    • Separated by ':'
    • LM1 Contains Password
    • LM2 Contains Case Information

  16. Off-Line
  • Windows Password Tests
    • 49F83571A279997F1172D0580DAC68AA:2B95310914BD52173FA8E3370B9DDB29
      • 512DataDrop4u
    • 83BAC0B36F5221502EDC073793ADCD02:CA49CC1CFF47EAD7E4809AD01FF47F56
      • Croi$$ants!

  17. Countermeasures
  • Longer the Better
  • Obfuscated Passphrase Best
    • I Like To Eat Two Tacos! – Il2e#2T
  • Avoid Hyphens Between Words
  • Avoid Punctuation at End of Password or Passphrase
  • Replace Vowels with Number – Maybe
  • Lock Down System Access
  • Multi-Factor Authentication
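Slides 10, 13 and 17 between them name the server-side countermeasures: a slow key derivation function (PBKDF2) so that every guess costs the attacker real work, a per-user salt so that precomputed and rainbow tables cannot be reused, and a way to raise the work factor over time. The Python below is an added example, not code from the presentation; it stores passwords as PBKDF2-HMAC-SHA256 with a random 16-byte salt in a self-describing record, verifies them with a constant-time comparison, flags records whose iteration count has fallen below policy so they can be rehashed at the next login, and checks the library against the RFC 6070 test vector. The 600,000 iteration count is an assumed policy value and the sample password is the one from slide 16.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # assumed policy value; raise it as hardware gets faster
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<key b64>'.

    A fresh random salt per user means two users with the same password get
    different records, and a table precomputed for one salt is useless for another.
    """
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than current policy;
    the caller rehashes on the next successful login, when the plaintext is available."""
    return int(stored.split("$")[1]) < minimum_iterations


def pbkdf2_selfcheck() -> bool:
    """RFC 6070 vector: PBKDF2-HMAC-SHA1('password', 'salt', c=4096, dkLen=20)."""
    key = hashlib.pbkdf2_hmac("sha1", b"password", b"salt", 4096, dklen=20)
    return key.hex() == "4b007901b765489abead49d926f721d065a429c1"


if __name__ == "__main__":
    record = hash_password("Croi$$ants!")
    print(record)
    print(verify_password(record, "Croi$$ants!"), verify_password(record, "croissants"))
    print(needs_rehash(hash_password("Croi$$ants!", iterations=1000)))
    print(pbkdf2_selfcheck())
```

Storing the iteration count inside the record is what lets the work factor grow: old records keep verifying, and needs_rehash tells the login path when to replace them. The constant-time compare matters because a plain equality test on the derived key leaks, through timing, how many leading bytes of a guess were right.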

  18. References
  • http://nakedsecurity.sophos.com/2013/08/16/anatomy-of-a-brute-force-attack-how-important-is-password-complexity/
  • http://redmondmag.com/articles/2013/08/14/password-complexity.aspx
  • Hydra password lists
    • ftp://ftp.openwall.com/pub/wordlists/
    • http://gdataonline.com/downloads/GDict/
  • http://www.zdnet.com/brute-force-attacks-beyond-password-basics-7000001740/
  • http://techfoxy.blogspot.com/2012/01/how-to-hack-website-login-page-with.html
  • http://spectrum.ieee.org/automaton/robotics/diy/diy-robots-make-bruteforce-security-hacks-possible (MindStorms Robot Book Capture)
  • http://www.objectif-securite.ch/en/ophcrack.php (On-Line Ophcrack)
  • http://foofus.net/goons/fizzgig/fgdump/ (FGDump)