What's in a password

Description

Talk presented at CodeStock 2014

Transcript of What's in a password

Page 1: What's in a password

So, What's in a Password?

Presented by Rob Gillen / @argodev

This work is licensed under a Creative Commons Attribution 4.0 International License.

This talk and related resources are available online: https://github.com/argodev/talks/

Page 2: What's in a password

Don't be Stupid

The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations.

Please remember this basic guideline: With knowledge comes responsibility.

Page 3: What's in a password

Disclaimer

The content of this presentation represents my personal views and thoughts at the present time. I reserve the right to change my views and opinions at any time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.

Page 4: What's in a password

Password Attacks

A Year in Review

Page 5: What's in a password

Pixel Federation

In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text.

http://haveibeenpwned.com/

Page 6: What's in a password

Vodafone

In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS message, server logs and passwords from a variety of different internal sources.

http://haveibeenpwned.com/

Page 7: What's in a password

Adobe

The big one. In October 2013, 153 million accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.

http://haveibeenpwned.com/

Page 8: What's in a password

Twitter

February 2013 - This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

https://blog.twitter.com/2013/keeping-our-users-secure

Page 9: What's in a password

More...

cvideo.co.il – 10/15/2013 – 3,339

penangmarathon.gov.my – 10/8/2013 – 1,387

tomsawyer.com – 10/6/2013 – 57,462

ahashare.com – 10/3/2013 – 169,874

http://hackread.com/iranian-hackers-hack-israeli-job-site/

http://www.cyberwarnews.info/2013/10/07/45000-penang-marathon-participants-personal-details-leaked/

http://www.cyberwarnews.info/2013/10/07/software-company-tom-sawyer-hacked-61000-vendors-accounts-leaked/

http://www.cyberwarnews.info/2013/10/04/ahashare-com-hacked-complete-database-with-190-000-user-credentials-leaked/

https://shouldichangemypassword.com/all-sources.php

Page 10: What's in a password

More...

Unknown Israeli website – 7/30/2013 – 26,064

UK emails – 7/17/2013 – 8,002

UK emails (part 2) – 7/17/2013 – 7,514

http://www.pakistanintelligence.com – 5/27/2013 – 75,942

http://hackread.com/opizzah-opisrael-phr0zenmyst-claims-to-leak-login-details-of-33895-israelis/

http://www.techworm.in/2013/07/more-than-15000-emails-username-and.html

http://www.techworm.in/2013/07/more-than-15000-emails-username-and.html

http://www.ehackingnews.com/2013/05/pakistan-intelligence-job-board-website.html

https://shouldichangemypassword.com/all-sources.php

Page 11: What's in a password

More...

McDonalds Taiwan – 3/27/2013 – 185,620

karjera.ktu.lt – 3/14/2013 – 14,133

avadas.de – 3/9/2013 – 3,344

angloplatinum.co.za – 3/5/2013 – 7,967

http://www.cyberwarnews.info/2013/03/28/official-mcdonalds-austria-taiwan-korea-hacked-over-200k-credentials-leaked/

http://www.cyberwarnews.info/2013/03/14/14000-student-credentials-leaked-from-ktu-career-center-lithuania/

http://hackread.com/avast-germany-website-hacked-defaced-20000-user-accounts-leaked-by-maxney/

http://thehackernews.com/2013/03/worlds-largest-platinum-producer-hacked.html

https://shouldichangemypassword.com/all-sources.php

Page 12: What's in a password

More...

angloplatinum.com – 3/5/2013 – 723

Walla.co.il – 2/19/2013 – 531,526

Bank Executives – 2/4/2013 – 4,596

bee-network.co.za – 1/29/2013 – 81

http://thehackernews.com/2013/03/worlds-largest-platinum-producer-hacked.html

http://www.haaretz.com/news/national/anonymous-activists-hack-into-600-000-israeli-email-accounts.premium-1.504093

http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executive-credentials-7000010740/

http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

https://shouldichangemypassword.com/all-sources.php

Page 13: What's in a password

More...

omni-id.com – 1/29/2013 – 1,151

moolmans.com – 1/29/2013 – 117

servicedesk.ufs.ac.za – 1/29/2013 – 3,952

servicedesk.ufs.ac.za (part 2) – 1/29/2013 – 355

http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

https://shouldichangemypassword.com/all-sources.php

Page 14: What's in a password

More...

westcol.co.za – 1/29/2013 – 99

digital.postnet.co.za – 1/29/2013 – 45,245

French Chamber of Commerce – 1/29/2013 – 515

http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html

http://news.softpedia.com/news/French-Chamber-of-Commerce-and-Industry-Portal-Hacked-by-Tunisian-Cyber-Army-324716.shtml

https://shouldichangemypassword.com/all-sources.php

Page 15: What's in a password

Types of Attacks

Algorithm Weakness

Implementation Weaknesses

Dictionary Attacks

Brute-Force Attacks

Mask Attacks

Page 16: What's in a password

Algorithmic Weaknesses

Collision, Second Pre-Image, Pre-Image

Confirmed: GOST, HAVAL, MD2, MD4, MD5, PANAMA, RadioGatun, RIPEMD, RIPEMD-160, SHA-0, SHA-1, Tiger(2) – 192/160/128, WHIRLPOOL

Theoretical: SHA-256/224, SHA-512/384

http://en.wikipedia.org/wiki/Cryptographic_hash_function

Page 17: What's in a password

Account Hashes

Windows Hash

EAD0CC57DDAAE50D876B7DD6386FA9C7

Linux Hash

$6$OeKR9qBnzym.Q.VO$hM3uL03hmR4ZqAME/8Ol.xWGYAmVdpi3S4hWGLeugaKNj/HLzQPTz7FhjATYO/KXCNHZ8P7zJDi2HHb1K.xfE.
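The two hash formats on this slide differ in a way that matters for defenders: the Windows (NT) hash is a bare 32-hex-digit digest with no salt, while the Linux hash is in modular crypt format, carrying a scheme id ($6$ is SHA-512-crypt), a salt and an optional rounds count. The following parser is an added example, not from the talk or its repository; it classifies each record and pulls out the salt and work factor so an audit can flag the unsalted entries for migration. The scheme table, default rounds value and digest lengths are those of glibc crypt(3); the audit helper and its return shape are my own.

```python
import re

# Modular-crypt-format scheme identifiers (glibc crypt(3)) and the length of
# the base64-style digest each one produces.
CRYPT_SCHEMES = {
    "1": ("MD5-crypt", 22),      # fixed 1000 internal iterations, no rounds= field
    "5": ("SHA-256-crypt", 43),
    "6": ("SHA-512-crypt", 86),
}
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # ids 5 and 6 when no rounds= field is present

# A bare 32-hex-digit value, as in the slide's Windows hash.
HEX32_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# The two hashes shown on the slide.
WINDOWS_HASH = "EAD0CC57DDAAE50D876B7DD6386FA9C7"
LINUX_HASH = ("$6$OeKR9qBnzym.Q.VO$hM3uL03hmR4ZqAME/8Ol.xWGYAmVdpi3S4hWGLeugaKNj"
              "/HLzQPTz7FhjATYO/KXCNHZ8P7zJDi2HHb1K.xfE.")


def parse_hash(entry):
    """Classify a stored hash and extract scheme, salt and work factor.

    Returns a dict with 'scheme', 'salted', 'salt' and 'rounds', or None for a
    string in neither format.
    """
    entry = entry.strip()

    if HEX32_RE.match(entry):
        # No salt and no iteration count: identical passwords give identical
        # hashes across every account, so one lookup table covers the whole
        # dump. Both the NT hash (MD4 over the UTF-16LE password) and the
        # unsalted MD5 from the Pixel Federation slide look like this.
        return {"scheme": "unsalted 128-bit digest (NT hash or MD5)",
                "salted": False, "salt": None, "rounds": None}

    if not entry.startswith("$"):
        return None
    parts = entry.split("$")[1:]                 # id, [rounds=N], salt, digest
    if len(parts) < 3 or parts[0] not in CRYPT_SCHEMES:
        return None
    scheme_id, fields = parts[0], parts[1:]
    name, digest_len = CRYPT_SCHEMES[scheme_id]

    rounds = None
    if fields[0].startswith("rounds="):
        rounds = int(fields[0].split("=", 1)[1])
        fields = fields[1:]
    elif scheme_id in ("5", "6"):
        rounds = SHA_CRYPT_DEFAULT_ROUNDS
    if len(fields) != 2 or len(fields[1]) != digest_len:
        return None                               # malformed or truncated record
    salt, _digest = fields
    return {"scheme": name, "salted": True, "salt": salt, "rounds": rounds}


def audit(entries):
    """Count records per scheme and collect the unsalted ones (hypothetical helper)."""
    by_scheme, unsalted = {}, []
    for e in entries:
        info = parse_hash(e)
        key = info["scheme"] if info else "unrecognised"
        by_scheme[key] = by_scheme.get(key, 0) + 1
        if info and not info["salted"]:
            unsalted.append(e)
    return by_scheme, unsalted


if __name__ == "__main__":
    for h in (WINDOWS_HASH, LINUX_HASH):
        print(parse_hash(h))
    print(audit([WINDOWS_HASH, LINUX_HASH]))
```

Running it over a real shadow file or credential dump tells you at a glance which records are salted and iterated and which are one rainbow-table lookup away from plaintext.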

Page 18: What's in a password

File Encryption

MS Office

PDFs

Zip/7z/rar

TrueCrypt

Page 19: What's in a password
Page 20: What's in a password
Page 21: What's in a password

How do they work?

Known file-format/implementation weakness

Header data to indicate encryption type, key length, etc.

Often some small portion to decrypt/validate

How is it that changing encryption keys is fast?

Your key encrypts the "real" key
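The "your key encrypts the real key" point is worth seeing in code. The example below is added here and is not from the talk or from any real container format; it builds a small header (salt, KDF parameters, wrapped master key, check value), shows that unlocking only needs the header, and shows that a password change re-wraps the master key without touching the bulk data. To stay standard-library only it uses PBKDF2 for the password-to-KEK step and HMAC-SHA256 in counter mode as the wrapping cipher where a real format would use AES; KDF_ITERATIONS, the header field names and the function names are assumptions for this example.

```python
import hashlib
import hmac
import os

# Parameters of the illustrative header (constructed for this example; MS
# Office, PDF, 7z and TrueCrypt each define their own layout and ciphers).
KDF_ITERATIONS = 200_000
KEY_LEN = 32


def _kek(password, salt, iterations):
    """Derive the key-encryption key (KEK) from the user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, KEY_LEN)


def _keystream_xor(key, data):
    """HMAC-SHA256 in counter mode used as a PRF keystream XORed over data.

    Stand-in for the AES key wrap a real format would use. Encrypt and
    decrypt are the same operation.
    """
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        stream = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


def create_header(password, master_key):
    """Build a header: salt, KDF params, wrapped master key and a check value."""
    salt = os.urandom(16)
    kek = _kek(password, salt, KDF_ITERATIONS)
    wrapped = _keystream_xor(kek, master_key)
    # The "small portion to validate": an authenticator over the wrapped key.
    # Testing a candidate password only ever needs this header, never the body,
    # which is why the KDF iteration count is the only brake on guessing.
    check = hmac.new(kek, wrapped, "sha256").digest()[:16]
    return {"salt": salt, "iterations": KDF_ITERATIONS,
            "wrapped_key": wrapped, "check": check}


def unlock(password, header):
    """Recover the master key, or return None if the password is wrong."""
    kek = _kek(password, header["salt"], header["iterations"])
    expected = hmac.new(kek, header["wrapped_key"], "sha256").digest()[:16]
    if not hmac.compare_digest(expected, header["check"]):
        return None
    return _keystream_xor(kek, header["wrapped_key"])


def change_password(old_password, new_password, header):
    """Re-wrap the same master key under a new password.

    Only the header changes; the bulk data encrypted under the master key is
    untouched, which is why changing a container password is instant.
    """
    master_key = unlock(old_password, header)
    if master_key is None:
        raise ValueError("old password incorrect")
    return create_header(new_password, master_key)


if __name__ == "__main__":
    master = os.urandom(KEY_LEN)            # the "real" key protecting the data
    header = create_header("correct horse", master)
    print("unlock ok:", unlock("correct horse", header) == master)
    header = change_password("correct horse", "battery staple", header)
    print("same master key after change:", unlock("battery staple", header) == master)
```

The defender's takeaways are the ones the slide makes: the header is all a guessing tool needs, so the KDF cost is the control you actually have, and the master key never changes when the password does, so a recovered old header still unlocks the data.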

Page 22: What's in a password

Is it really cracking?

Page 23: What's in a password

Password Guessing

#define maxPassLength 4  /* upper bound on candidate length (the slide's maxLength) */
char string1[maxPassLength + 1];
char alphanum[63] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789";

/* "for each char in alphanum" at every position, written as recursion so the
   nesting depth follows the candidate length */
void enumerate(int pos, int len) {
    if (pos == len) { string1[len] = '\0'; /* candidate is ready in string1 */ return; }
    for (int i = 0; i < 62; i++) { string1[pos] = alphanum[i]; enumerate(pos + 1, len); }
}

/* for 0 --> maxLength */
void guess_all(void) { for (int len = 1; len <= maxPassLength; len++) enumerate(0, len); }

Page 24: What's in a password
Page 25: What's in a password

Slightly Better...

int min = 8;
int max = 12;
char valid[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789";

// known rules
// first & last must be char
// no consecutive-ordered chars/nums
// no repeated chars/nums

Page 26: What's in a password

DEMO: Cracking a Windows Hash With oclHashCat

Page 27: What's in a password
Page 28: What's in a password

(more) Intelligent Password Guessing

What do people usually use?

What can we do to reduce the set of possibilities?

Cull terms/domain knowledge from relevant data: dating sites, religious sites, others

Best: Already used/real-world passwords

Page 29: What's in a password

Determine Your Goals

Cracking a single, specific pwd?

Cracking a large % of an "acquired set"?

Page 30: What's in a password

Mark Burnett, author of Perfect Passwords

List of 6,000,000, culled down to 10,000 most frequently used

Top 10,000 passwords represent 99.8% of all passwords

Page 31: What's in a password

More Password Stats...

Overview

4.7% of users have the password password

8.5% have the passwords password or 123456

9.8% have the passwords password, 123456 or 12345678

14% have a password from the top 10 passwords

40% have a password from the top 100 passwords

79% have a password from the top 500 passwords

91% have a password from the top 1000 passwords

From a uniqueness standpoint...

99.6% of the unique passwords are used by only 0.18% of users

https://xato.net/passwords/more-top-worst-passwords/

Page 32: What's in a password

Lists....

Page 33: What's in a password
Page 34: What's in a password

PACK

Password Analysis and Cracking Toolkit

Peter Kacherginsky, PasswordCon, 7/30-7/31

Intelligent cycle of cracking, analysis, rule generation

http://thesprawl.org/projects/pack/

Page 35: What's in a password

Statistical Analysis

Password Length Analysis

Character Set Analysis

Word Mangling Analysis
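The frequency figures on the "More Password Stats" slide and the length and character-set analyses listed here are the same kind of measurement over a recovered or audited set. The script below is an added example, not PACK's own code, although it reports what PACK's statsgen reports: top-N coverage, the singleton-uniqueness pair, a length histogram and character-set classes. The sample password list and the function names are constructed for this example and stand in for a real set.

```python
from collections import Counter
import string

# Constructed sample standing in for an audited or recovered password set
# (not a real breach dump). Duplicates are deliberate: they are the point.
SAMPLE_PASSWORDS = [
    "password", "password", "password", "123456", "123456", "12345678",
    "qwerty", "qwerty", "monkey", "monkey", "letmein", "Summer2013",
    "Summer2013!", "P@ssw0rd", "dragon", "baseball", "iloveyou", "trustno1",
    "abc123", "Tr0ub4dor&3", "correcthorsebatterystaple", "football",
]


def top_n_coverage(passwords, n):
    """Percentage of accounts whose password is among the n most common values
    (the slide's 'X% have a password from the top N')."""
    counts = Counter(passwords)
    covered = sum(c for _, c in counts.most_common(n))
    return round(100.0 * covered / len(passwords), 1)


def uniqueness(passwords):
    """(percentage of distinct passwords used by exactly one account,
        percentage of accounts those singletons represent): the slide's
    99.6% / 0.18% pair."""
    counts = Counter(passwords)
    singletons = [p for p, c in counts.items() if c == 1]
    return (round(100.0 * len(singletons) / len(counts), 1),
            round(100.0 * len(singletons) / len(passwords), 1))


def length_histogram(passwords):
    """Password length -> number of accounts (PACK's length analysis)."""
    return dict(sorted(Counter(len(p) for p in passwords).items()))


def charset_class(pw):
    """PACK-style character-set label listing the classes present in pw."""
    classes = []
    if any(c in string.ascii_lowercase for c in pw):
        classes.append("lower")
    if any(c in string.ascii_uppercase for c in pw):
        classes.append("upper")
    if any(c in string.digits for c in pw):
        classes.append("digit")
    if any(c in string.punctuation for c in pw):
        classes.append("special")
    return "+".join(classes) or "other"


def charset_histogram(passwords):
    """Character-set class -> number of accounts, most common first."""
    return dict(Counter(charset_class(p) for p in passwords).most_common())


if __name__ == "__main__":
    for n in (1, 4, 10):
        print(f"top {n}: {top_n_coverage(SAMPLE_PASSWORDS, n)}% of accounts")
    print("uniqueness (distinct%, accounts%):", uniqueness(SAMPLE_PASSWORDS))
    print("lengths:", length_histogram(SAMPLE_PASSWORDS))
    print("charsets:", charset_histogram(SAMPLE_PASSWORDS))
```

On a real set the charset and length histograms tell you what a sensible mask would look like, which is exactly why they also tell a defender which policy rules (minimum length, required classes) are actually being met.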

Page 36: What's in a password

Example: Length

https://thesprawl.org/media/research/passwords13-smarter-password-cracking-with-pack.pdf

Page 37: What's in a password

DEMO: Statistics on Real PWs

Page 38: What's in a password

Advanced Analytics

Levenshtein Edit Distance

http://en.wikipedia.org/wiki/Levenshtein_distance

Page 39: What's in a password

Levenshtein Edit Distance

Minimum number of changes required to change one string into another

Measure distance between actual words and cracked list to optimize the word mangling rules

i.e. XX% of words can be achieved with Levenshtein edit distance of <=2

Only generate rules that match
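To make the measurement concrete, here is an added example (not from the talk or from PACK) of the Levenshtein distance and of the coverage statistic the slide describes: the fraction of recovered passwords that lie within two edits of a base dictionary word. The word list and the recovered set are constructed for the example; nearest_base_word and mangling_coverage are my own helper names.

```python
def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or
    substitutions that turn a into b (Wagner-Fischer, two-row DP)."""
    if len(a) < len(b):
        a, b = b, a                      # distance is symmetric; keep b shorter
    previous = list(range(len(b) + 1))   # distance from a[:0] to each prefix of b
    for i, ca in enumerate(a, 1):
        current = [i]                    # distance from a[:i] to the empty string
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def nearest_base_word(password, wordlist):
    """(distance, word) for the wordlist entry closest to the password,
    compared case-insensitively so capitalisation is not counted as an edit."""
    return min((levenshtein(password.lower(), w.lower()), w) for w in wordlist)


def mangling_coverage(cracked, wordlist, max_distance=2):
    """Fraction of recovered passwords within max_distance edits of a base word,
    plus the list of those passwords. This is the slide's 'XX% of words can be
    achieved with edit distance <= 2'; the outliers are the ones no mangling
    rule built from this word list will reach."""
    within = [pw for pw in cracked
              if nearest_base_word(pw, wordlist)[0] <= max_distance]
    return len(within) / len(cracked), within


# Constructed inputs for the example: a tiny base word list and a set of
# recovered passwords standing in for the output of a cracking run.
WORDLIST = ["password", "monkey", "dragon", "baseball", "summer"]
CRACKED = ["password1", "P@ssw0rd", "monkey12", "Dragon!", "baseball",
           "Summer2013", "xk8#Qz1!"]

if __name__ == "__main__":
    for pw in CRACKED:
        print(f"{pw:12s} -> {nearest_base_word(pw, WORDLIST)}")
    frac, within = mangling_coverage(CRACKED, WORDLIST)
    print(f"{frac:.0%} of recovered passwords are <=2 edits from a base word")
```

For a defender the same number reads the other way round: if most of your users' passwords are within two edits of a dictionary word, a complexity rule that accepts "Dragon!" is not buying much, and the distance distribution is the evidence for changing it.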

http://www.let.rug.nl/~kleiweg/lev/

http://www.kurzhals.info/static/samples/levenshtein_distance/

Page 40: What's in a password

What if I don't have your Password?

Pass the Hash

But We use SmartCards!?

Page 41: What's in a password

Avoidance Techniques

Don't use "monkey"

Don't reuse "monkey"

If you must use "monkey", require something else as well

Salt is good

Your own salt is better

Utilize memory-hard algorithms

Utilize multiple iterations (a lot)

Your username is half of the equation
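Three of the items above (salt, memory-hard algorithms, many iterations) can be shown together. The example below is added and is not from the talk; it contrasts the unsalted MD5 storage behind the Pixel Federation breach with per-user random salts plus either scrypt (memory-hard) or PBKDF2-HMAC-SHA256 at a high iteration count, and verifies with a constant-time compare. The self-describing record layout $algorithm$params$salt$hash, the work-factor constants and the function names are assumptions for this example, not a standard format.

```python
import hashlib
import hmac
import os

# Work factors (constructed for the example; tune to your own latency budget).
PBKDF2_ITERATIONS = 600_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of memory per guess
DKLEN = 32


def unsalted_md5(password):
    """The anti-pattern from the breach slides: same password, same hash for
    every user, so one precomputed table resolves the whole dump."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, algorithm="scrypt"):
    """Salted, iterated hash. A fresh random salt per record means two users
    with 'monkey' get different hashes and each guess must be recomputed per
    record; scrypt adds a memory cost that GPUs and ASICs cannot amortise."""
    salt = os.urandom(16)
    if algorithm == "scrypt":
        digest = hashlib.scrypt(password.encode(), salt=salt,
                                n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
        params = f"{SCRYPT_N}${SCRYPT_R}${SCRYPT_P}"
    elif algorithm == "pbkdf2":
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                     PBKDF2_ITERATIONS, DKLEN)
        params = str(PBKDF2_ITERATIONS)
    else:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    # Record carries everything needed to verify later, so the parameters can
    # be raised for new records without breaking old ones.
    return f"${algorithm}${params}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the record's own salt and parameters; compare in
    constant time so a timing side channel does not leak digest prefixes."""
    _, algorithm, *params, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if algorithm == "scrypt":
        n, r, p = map(int, params)
        candidate = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    elif algorithm == "pbkdf2":
        (iterations,) = map(int, params)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DKLEN)
    else:
        return False
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("unsalted md5, two users, same password:",
          unsalted_md5("monkey") == unsalted_md5("monkey"))
    a, b = hash_password("monkey"), hash_password("monkey")
    print("salted scrypt, two users, same password, same record:", a == b)
    print("verify right / wrong:", verify_password("monkey", a), verify_password("m0nkey", a))
```

The other items on the slide are policy rather than code: a salt does nothing against a user who picks "monkey" and reuses it, which is why the slide puts the human advice first and the storage advice second.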

Page 42: What's in a password

References

http://haveibeenpwned.com/

https://lastpass.com/adobe/

https://lastpass.com/linkedin/

https://lastpass.com/lastfm/

https://shouldichangemypassword.com/all-sources.php

Page 43: What's in a password

Questions/Contact

Rob Gillen

[email protected]

http://rob.gillenfamily.net

@argodev

This talk and related resources are available online:

https://github.com/argodev/talks/