Page 1: Passwords: How Safe are They?
Page 2: Overview
Passwords
Cracking
Attack avenues: on-line, off-line
Counter measures
Page 3: Non-Technical Passwords
Page 4: Non-Technical Passwords: Brute Force Approach
A three-digit combination has only 1,000 settings, so try them all in order
Steps: 0-0-0, 0-0-1, 0-0-2, ... 9-9-9
Continue until it opens, or start over if a step was skipped
Page 5: Passwords
Protect information
Seen as secure
Cracking algorithms are all or nothing: a guess that is off by one character is no closer than any other wrong guess
Combinations for an 8-character password:
  lower case only (26 characters): 26^8, about 209 billion
  upper and lower case (52 characters): 52^8, about 53 trillion
  upper, lower, digits and special (the 95 printable ASCII characters): 95^8, about 6.6 quadrillion
(The slide's 217.1 billion and 221 trillion are the running totals over lengths 1 to 8 for 26 characters and for 62 characters, i.e. letters plus digits; its 669 quadrillion is not the 8-character count for the 95 printable characters.)
Page 6: Cracking: Ways to get passwords
Weak hashing (LAN Manager, the legacy Windows LM hash)
Guessing:
  default password
  blank password
  letters in a row on the keyboard
  user name
  a name important to the user
Social engineering
Page 7: Cracking: Password length
Brute force over every combination of characters. The times below correspond to a rate of about one million guesses per second; "all characters" is the 95 printable ASCII characters, "lowercase only" is 26.

Length   Combinations: lowercase / all characters        All characters    Lowercase only
3        17,576 / 857,375                                0.86 second       0.02 second
4        456,976 / 81,450,625                            1.36 minutes      0.46 second
5        11,881,376 / 7,737,809,375                      2.15 hours        11.9 seconds
6        308,915,776 / 735,091,890,625                   8.51 days         5.15 minutes
7        8,031,810,176 / 69,833,729,609,375              2.21 years        2.23 hours
8        208,827,064,576 / 6,634,204,312,890,625         2.10 centuries    2.42 days
9        5,429,503,678,976 / 630,249,409,724,609,375     20 millennia      2.07 months

The combination counts are 26^n and 95^n; the 4-character lowercase time is 456,976 / 1,000,000 = 0.46 second (the slide printed 0.046). The rate is fixed by the attacker's hardware and the hash function, so the same keyspace shrinks to hours or minutes against a fast unsalted hash on a GPU.
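The arithmetic behind the two slides above (the keyspace sizes on page 5 and the time table on page 7), as an added example that is not part of the deck. The `cumulative` flag reproduces the slide's running totals over lengths 1 to 8; the 1e10 guesses-per-second rate in the demo is an assumption standing in for a faster attacker, not a measured figure.

```python
# Brute-force keyspace and worst-case cracking time calculator (added example).
SECONDS_PER_YEAR = 365.25 * 86400

# Character-set sizes used on the slides.
LOWER = 26                 # a-z
UPPER_LOWER = 52           # a-z, A-Z
UPPER_LOWER_DIGITS = 62    # a-z, A-Z, 0-9
PRINTABLE = 95             # all printable ASCII, including space


def keyspace(charset_size: int, length: int, cumulative: bool = False) -> int:
    """Candidates of exactly `length` characters, or, with cumulative=True,
    of every length from 1 up to `length` (how the slide's 217.1 billion and
    221 trillion figures were computed)."""
    if cumulative:
        return sum(charset_size ** n for n in range(1, length + 1))
    return charset_size ** length


def seconds_to_crack(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: the attacker has to try the whole keyspace."""
    return keyspace(charset_size, length) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [
        ("millennia", 1000 * SECONDS_PER_YEAR),
        ("centuries", 100 * SECONDS_PER_YEAR),
        ("years", SECONDS_PER_YEAR),
        ("days", 86400.0),
        ("hours", 3600.0),
        ("minutes", 60.0),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def crack_table(guesses_per_second: float, lengths=range(3, 10)) -> list:
    """Rows of (length, lowercase keyspace, printable keyspace,
    lowercase time, printable time) at the given guess rate."""
    rows = []
    for n in lengths:
        rows.append((
            n,
            keyspace(LOWER, n),
            keyspace(PRINTABLE, n),
            humanize(seconds_to_crack(LOWER, n, guesses_per_second)),
            humanize(seconds_to_crack(PRINTABLE, n, guesses_per_second)),
        ))
    return rows


if __name__ == "__main__":
    # 1e6 guesses/s reproduces the slide's table; 1e10 guesses/s is an assumed
    # faster attacker (e.g. GPUs against a fast unsalted hash), not a measured rate.
    for rate in (1e6, 1e10):
        print(f"\n{rate:.0e} guesses per second")
        for n, lo, pr, t_lo, t_pr in crack_table(rate):
            print(f"{n} chars  lowercase {lo:>22,}  {t_lo:>16} | printable {pr:>26,}  {t_pr:>16}")
```

Running it at 1e6 guesses per second gives the slide's column values; changing only the rate shows why the table, not the passwords, is what went stale.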
Page 8: Cracking
(figure source: Wired, December 2012)
Page 9: On-Line: Types of Attacks
Dictionary: tries each entry of a word list
Brute force: tries all combinations
Hybrid: variations spun off common passwords (password1, 1password)
Single term: brute force around one term
Page 10: On-Line: Password-Based Key Derivation Function Version 2 (PBKDF2)
PBKDF2 stretches a password through many iterations of a keyed hash, so each guess costs the attacker the same work as a legitimate login; it slows cracking, it does not produce guesses
Heuristic (rule-based) guessing produces candidate passwords from base words
Flushes out the poorer human choices
Faster than trying randomly chosen candidates
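The two sides of the slide above in one place, as an added example that is not from the deck: a hybrid, rule-based guesser of the kind described on page 9 (case changes, leet-style vowel substitution, common suffixes and a digit prefix) run against a password stored with PBKDF2-HMAC-SHA256. The salt, iteration count, word list and stored password are all constructed for the demonstration; the rule set is a small illustrative one, not a copy of any tool's rules.

```python
# Hybrid (dictionary + mangling rules) attack against a PBKDF2 hash (added example).
import hashlib
import hmac
import time

# Assumed storage parameters; real deployments use a random per-user salt
# and a far higher iteration count than 1000.
SALT = b"constructed-per-user-salt"
ITERATIONS = 1000

# Mangling rules in the spirit of the slide's "password1 / 1password" hybrid.
SUFFIXES = ("1", "123", "!")
PREFIXES = ("1",)
LEET = str.maketrans("aeios", "4310$")


def mangle(word: str) -> list:
    """Candidates derived from one base word, in the order they are tried."""
    bases = [word, word.capitalize(), word.upper()]
    leet = word.translate(LEET)
    if leet != word:
        bases.append(leet)
    candidates = []
    for base in bases:
        candidates.append(base)
        candidates.extend(base + s for s in SUFFIXES)
        candidates.extend(p + base for p in PREFIXES)
    seen, unique = set(), []            # drop duplicates, keep order
    for c in candidates:
        if c not in seen:
            seen.add(c)
            unique.append(c)
    return unique


def store_password(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """What the defender stores: PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_pbkdf2(target: bytes, wordlist, salt: bytes = SALT, iterations: int = ITERATIONS):
    """Hybrid attack on one stored hash. Returns (password, guesses);
    password is None when the word list plus rules never hit."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hmac.compare_digest(store_password(candidate, salt, iterations), target):
                return candidate, guesses
    return None, guesses


def time_per_guess(iterations: int, samples: int = 5) -> float:
    """Seconds one guess costs the attacker at a given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"probe%d" % i, SALT, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed word list; the stored password "Croissant1" appears in no entry verbatim.
    words = ["taco", "password", "croissant"]
    stored = store_password("Croissant1")
    print(crack_pbkdf2(stored, words))                 # ('Croissant1', 47)
    for n in (1, 1000, 100_000):
        print(f"{n:>7} iterations: {time_per_guess(n) * 1e6:.0f} us per guess")
```

The rules find "Croissant1" on the 47th guess even though only "croissant" is in the list, which is the slide's point about flushing out poor choices; the timing loop shows the defender's lever: raising the iteration count multiplies the cost of every one of those guesses.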
Page 11: On-Line: Tools
Script based: custom scripts, Metasploit, sniffer
Browser based (web login): Firefox's FireForce extension
Hydra / XHydra
Page 12: Off-Line
Requires access to the password data (the stored hashes)
Access gained through SQL injection or local file system access
Long periods for success: once the hashes are offline no lockout or rate limit applies, only the attacker's patience and hardware
Many tools and techniques
Page 13: Off-Line: Rainbow Tables (Time-Memory Trade-Off)
Applies the hashing algorithm ahead of time to a dictionary or to the candidates a brute force would generate
Method: results saved in a table or matrix (chains of hash and reduction steps); cracking compares only hashed values
Saves time, uses a lot of memory; needs lots of storage space for the tables or matrices
Works only against unsalted hashes (LM, NT, bare MD5); a per-user salt means the precomputation would have to be redone for every user
Page 14: Off-Line: Tools
John the Ripper
Cain & Abel
Ophcrack (Windows)
Windows passwords: fgdump retrieves the password hashes (not the passwords themselves) from the SAM
Free on-line Ophcrack: http://www.objectif-securite.ch/en/ophcrack.php
Page 15: Off-Line: Two parts to Windows Passwords
A dumped Windows credential has two hashes separated by ':' (the slide calls them LM1 and LM2)
The first is the LM hash: the password is upper-cased, padded to 14 characters and split into two 7-character halves that are hashed independently, so case is lost and each half can be attacked on its own
The second is the NT hash (MD4 of the UTF-16LE password): unsalted, but case-sensitive, so it is the part that carries the case information
Page 16: Off-Line: Windows Password Tests
LM hash : NT hash -> recovered password
49F83571A279997F1172D0580DAC68AA:2B95310914BD52173FA8E3370B9DDB29 -> 512DataDrop4u
83BAC0B36F5221502EDC073793ADCD02:CA49CC1CFF47EAD7E4809AD01FF47F56 -> Croi$$ants!
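What pages 13, 15 and 16 describe, as an added example that is not from the deck: the NT hash computed from scratch (MD4 over the UTF-16LE password, no salt), the LM pre-processing that throws away case and splits the password into two independent halves, and a precomputed hash-to-plaintext table of the kind a rainbow table generalises. MD4 is written out because many OpenSSL builds expose it only as a legacy algorithm; the LM DES step is deliberately omitted, so `lm_halves` shows the structure rather than producing the hash. The word list is constructed, and the hashes on page 16 are not reproduced or verified here.

```python
# NT hash, LM halves and a lookup table for unsalted Windows hashes (added example).
import struct

EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (three rounds of 16 operations over 512-bit blocks)."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    msg = bytearray(data) + b"\x80"                   # padding: 0x80, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)           # little-endian bit length

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                            # round 1
            a = rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                            # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                            # round 3
            a = rotl((a + H(b, c, d) + X[order3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE password, no salt, case preserved."""
    return _md4(password.encode("utf-16-le")).hex()


def lm_halves(password: str):
    """LM pre-processing before its DES step: upper-case, pad to 14 bytes,
    split into two 7-byte halves that are hashed independently.
    Returns None for passwords over 14 characters, which LM cannot hold
    (Windows then stores EMPTY_LM_HASH)."""
    if len(password) > 14:
        return None
    padded = password.upper().encode("ascii", "replace").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def build_lookup(words) -> dict:
    """Precomputed hash -> plaintext table; viable only because NT hashes are unsalted."""
    return {nt_hash(w): w for w in words}


def lookup(table: dict, nt_hex: str):
    """Crack a dumped NT hash by table lookup instead of by hashing guesses."""
    return table.get(nt_hex.lower())


if __name__ == "__main__":
    # Constructed demo: precompute a small table, then "crack" a dumped NT hash by lookup.
    table = build_lookup(["password", "Password", "Croi$$ants!", "512DataDrop4u"])
    dumped = nt_hash("Croi$$ants!")
    print(lm_halves("Croi$$ants!"))      # (b'CROI$$A', b'NTS!\x00\x00\x00')
    print(dumped, "->", lookup(table, dumped))
```

Two things to notice when running it: `nt_hash("password")` and `nt_hash("Password")` differ while their LM halves are identical, which is the case information the slide on page 15 refers to; and the second LM half of an 11-character password is only four characters plus padding, which is why LM is attacked half by half rather than as a 14-character whole.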
Page 17: Counter Measures
The longer the better
An obfuscated passphrase is best: "I Like To Eat Two Tacos!" becomes Il2e#2T
Avoid hyphens between words
Avoid punctuation at the end of the password or passphrase (a standard mangling rule appends it)
Replace vowels with numbers: maybe (leet substitutions are in the rule sets too)
Lock down system access (lockouts and rate limits against on-line guessing; protect the hash store against off-line cracking)
Multi-factor authentication
Page 18: References
http://nakedsecurity.sophos.com/2013/08/16/anatomy-of-a-brute-force-attack-how-important-is-password-complexity/
http://redmondmag.com/articles/2013/08/14/password-complexity.aspx
Hydra password lists: ftp://ftp.openwall.com/pub/wordlists/ and http://gdataonline.com/downloads/GDict/
http://www.zdnet.com/brute-force-attacks-beyond-password-basics-7000001740/
http://techfoxy.blogspot.com/2012/01/how-to-hack-website-login-page-with.html
http://spectrum.ieee.org/automaton/robotics/diy/diy-robots-make-bruteforce-security-hacks-possible (MindStorms robot book capture)
http://www.objectif-securite.ch/en/ophcrack.php (on-line Ophcrack)
http://foofus.net/goons/fizzgig/fgdump/ (fgdump)