Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(•...
Transcript of Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(•...
![Page 1: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/1.jpg)
Password Cracking
![Page 2: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/2.jpg)
About me • Originally from Fargo, ND • Came down to DSU in 2007 – B.S. Computer & Network Security
– Minor in Networking – M.S. InformaHon Assurance – D.Sc. Cyber OperaHons (working on it)
![Page 3: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/3.jpg)
Security Work • Web ApplicaHon/SoMware Developer (2008) • Network Administrator (2010) • Security Consultant (2011) – Worked for a large firm in Fargo, ND for about three years
• Independent Security Consultant (current) • Instructor at DSU (current)
![Page 4: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/4.jpg)
Disclaimer • You’ll learn some real aUacks, I’ll show you how to get close on others
• You will NOT do this on any device that you don’t own – Not at school, buddies’ computers, etc.
![Page 5: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/5.jpg)
LegiHmate Password Cracking
![Page 6: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/6.jpg)
What makes a strong password? • Length (total number of characters) • Complexity – Upper/lower case – Numbers – Special characters
• Frequency of change – If it takes you 60 days to crack my password, and I change it every 59…guess what?
![Page 7: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/7.jpg)
How do aUackers break passwords?
• Really not a trick quesHon, just want to know what you guys think.
![Page 8: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/8.jpg)
Two Main Categories • Online – Trying to authenHcate to a real service with a live, acHve account
– Sibng down in front of your buddy's computer and trying to log in to their FaceBook account
• Offline – Gebng a secure password value, taking it back to your own computer, and trying to breakit
![Page 9: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/9.jpg)
How about a brute-‐force aUack? • SystemaHcally guessing every possible combinaHon unHl you get the correct answer
![Page 10: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/10.jpg)
![Page 11: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/11.jpg)
CalculaHng Character Space • In passwords, we can reuse characters • Determine the number of allowed characters – Just lowercase: 26 total – Upper/lower: 52 total – Add in numbers (0-‐9) 62 total
• Figure out how long the password is • Raise the number of allowed characters to the power of the length of the password
• (Character Space)^Length
![Page 12: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/12.jpg)
CalculaHng Character Space • What if you can only use numbers for your password – Numbers 0-‐9, count them, there’s 10 possibiliHes
• If your password is 1234 (length of 4) • We can take 10*10*10*10 or 10^4 • There’s only about 10,000 possibiliHes
![Page 13: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/13.jpg)
CalculaHng Character Space • A bit more complex… • 26 upper case + 26 lower case = 52 total • My password is Password (8 characters long) • 52*52*52*52*52*52*52*52 or 52^8 • 52^8 = 53,459,728,531,456 – FiMy-‐three trillion possible combinaHons
![Page 14: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/14.jpg)
hUps://www.grc.com/haystack.htm
• Password Haystack – how long will it take to brute force your password?
![Page 15: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/15.jpg)
![Page 16: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/16.jpg)
![Page 17: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/17.jpg)
![Page 18: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/18.jpg)
![Page 19: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/19.jpg)
![Page 20: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/20.jpg)
Brute-‐force • Ok, sweet. We can take every possible combinaHon, but what are some problems with it? – Takes forever – Account lockouts – does your bank allow you to fail logging in 100 Hmes
– For most things, it’s really not that pracHcal
![Page 21: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/21.jpg)
How are passwords stored? • Windows and most websites don’t actually store your password as a humanly readable word – If the system or their database get’s pwned, they’re in a world of hurt
• Hashes • Salted Passwords
![Page 22: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/22.jpg)
Password Hash • A hash is a one-‐way, non-‐reversible way to store some sort of data – Anyone used MD5, SHA1
• To authenHcate a user, the password presented by the user is hashed and compared with the stored hash – Can’t get the password back from a hash
![Page 23: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/23.jpg)
Hashing
![Page 24: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/24.jpg)
Windows Password Hashes • Windows stores user passwords in the system’s password database (called “SAM”) in an encrypted hash
• LM Hash – old and really broken – Windows XP = Easy! – Windows Vista and above – turned off by default
• NTLM Hash – new and not as broken – Used in Windows Vista and above
![Page 25: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/25.jpg)
LM Hash Major Flaws • Password is restricted to a maximum of fourteen characters
• Password is converted to uppercase • This password is null-‐padded to 14 bytes • The “fixed-‐length” password is split into two seven-‐byte halves
![Page 26: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/26.jpg)
NTLM Hash • NTLM is case sensiHve • Character set is 65,535, and it does not limit stored passwords to two 7-‐character parts
• Considered a much stronger hashing algorithm
• Same concept in the end, just harder to break
![Page 27: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/27.jpg)
Hashes • LM – 855c3697d9979e78ac404c4ba2c66533
• NTLM – $NT$7f8fe03093cc84b267b109625f6bbf4b
• Bunch of sample hashes: – hUp://openwall.info/wiki/john/sample-‐hashes
![Page 28: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/28.jpg)
Gebng a Password Hash • PW Dump • Cain & Able • FG Dump • Get a root shell on the machine remotely, and use some 1337 tools in Kali to extract them
![Page 29: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/29.jpg)
Ok, we have the hashes… • Now, it’s Hme to break them • We can start by brute-‐forcing some
![Page 30: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/30.jpg)
John the Ripper john -‐-‐user:<username> <hash file> NOTE: The user name is case sensiHve!
![Page 31: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/31.jpg)
Even Easier
![Page 32: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/32.jpg)
DicHonary AUacks • AUackers are preUy smart • Once you break a bunch of passwords, why not write them down
• Compile a huge list of passwords that people actually use
• Try each of those hashes to see if they’re the right one
![Page 33: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/33.jpg)
RockYou.txt • In 2009, a major password breach occurred • 32.6 million stolen passwords of the website's users disclosed
• AUackers have grabbed this, and added to it • hUp://cyberstars.ialab.us/Password_KiUeh/
![Page 34: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/34.jpg)
John the Ripper john -‐-‐user:<username> -‐-‐wordlist:<dicEonary file> -‐-‐<hash file>
NOTE: The user name is case sensiHve!
![Page 35: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/35.jpg)
Rainbow Tables • Precomputed table for reversing cryptographic hash funcHons, usually for cracking password hashes
• Using less computer processing Hme and more storage than a brute-‐force aUack
• More processing Hme and less storage than a simple lookup table with one entry per hash
![Page 36: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/36.jpg)
Rainbow Tables • To store every single 7 character password possible for the given example, it would require a least 417 TB of space -‐ rainbow tables only need around 80 GB of storage space, depending on your generaHon opHons
• Middle ground between brute force and dicHonary aUack
• hUps://www.freerainbowtables.com
![Page 37: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/37.jpg)
rcracki
![Page 38: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/38.jpg)
Easiest
![Page 39: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/39.jpg)
GPU vs. CPU • Any gamers in here? • I bet if you’re 1337, you have a nice graphics card – You want full FPS, 1080 resoluHon, etc.
• What a GPU really does is alleviate some of the load of the CPU and handles some computaHon for the output on the screen
![Page 40: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/40.jpg)
![Page 41: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/41.jpg)
GPU vs. CPU • CPU has only few cores/mulHple cores with lots of cache memory that can handle few soMware threads at a Hme
• GPU has hundreds of cores that can handle thousand of threads simultaneously
![Page 42: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/42.jpg)
GPU vs. CPU • GPUs are highly specialized in number crunching, something that graphics processing desperately needs
• MulHple GPUs can also be employed to achieve a single goal
• TL;DR; GPUs are really fast, but designed for very specific types of applicaHons
![Page 43: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/43.jpg)
Not all GPUs are created equally… • Some graphics cards are more capable than others
• Look at how many cores they have • How much memory • Before you go buy a password cracking machine, do your due diligence!
![Page 44: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/44.jpg)
![Page 45: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/45.jpg)
![Page 46: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/46.jpg)
Hurdles • What about non-‐English passwords? • Those that use special character sets – Wingdings anybody? – Wingding’s anybody?
• Change frequency • Locking accounts out
![Page 47: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/47.jpg)
More IteraHons • Running a hash through the hashing algorithms mulHple Hmes
• Running a password through SHA256, for instance, and then feeding the hashed output back through the algorithm another 500 Hmes would certainly make wordlist and brute force aUacks slower
![Page 48: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/48.jpg)
SalHng • SalHng aUempts to defeat table lookup aUacks by adding several characters to the password before passing it through the hashing algorithm
• Characters don't have to remain secret • SalHng also thwarts cracking techniques that rely on rainbow tables
![Page 49: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/49.jpg)
SalHng
![Page 50: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/50.jpg)
Length
![Page 51: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/51.jpg)
MulHfactor AuthenHcaHon • Something you know • Something you have • Something you are
![Page 52: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/52.jpg)
MulHfactor AuthenHcaHon
![Page 53: Password(Cracking(gencyber.ialab.dsu.edu/2015/Electives/Password... · Rainbow(Tables(• Precomputed(table(for(reversing(cryptographic(hash(funcHons,(usually(for(cracking(password(hashes(•](https://reader035.fdocuments.in/reader035/viewer/2022062918/5ede0590ad6a402d66694918/html5/thumbnails/53.jpg)
Google AuthenHcator