Kiran Subramanyam ps2471@nyu.edu Password Cracking 1.

Slides:



Advertisements
Similar presentations
By Wild King. Generally speaking, a rainbow table is a lookup table which is used to recover the plain-text password that derives from a hashing or cryptographic.
Advertisements

Use of a One-Way Hash without a Salt
Lecture 5: Cryptographic Hashes
Not for noobs…. What even is a GPU?  A GPU (Graphics Processing Unit) is piece of hardware(single chip processor) primarily used for computing 3D functions.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Calculating Discrete Logarithms John Hawley Nicolette Nicolosi Ryan Rivard.
Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013.
Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length.
CIS 450 – Network Security Chapter 8 – Password Security.
Databases and security continued CMSC 461 Michael Wilson.
Mark Shtern. Passwords are the most common authentication method They are inherently insecure.
Brute Force Password Cracking and its Role in Penetration Testing Andrew Keener and Uche Iheadindu.
Password authentication Basic idea –User has a secret password –System checks password to authenticate user Issues –How is password stored? –How does system.
6fb52297e004844aa81be d50cc3545bc Hashing!. Hashing  Group Activity 1:  Take the message you were given, and create your own version of hashing.  You.
Identification and Authentication CS432 - Security in Computing Copyright © 2005,2010 by Scott Orr and the Trustees of Indiana University.
How Safe are They?. Overview Passwords Cracking Attack Avenues On-line Off-line Counter Measures.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
What do you know about password? By Guang Ling Oct. 8 th,
Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Lecture 5 User Authentication modified from slides of Lawrie Brown.
PZAPR Parallel Zip Archive Password Recovery CSCI High Perf Sci Computing Univ. of Colorado Spring 2011 Neelam Agrawal Rodney Beede Yogesh Virkar.
A BRIEF INTRODUCTION TO CACHE LOCALITY YIN WEI DONG 14 SS.
Computer Architecture Lecture 26 Past and Future Ralph Grishman November 2015 NYU.
Operating Systems Security
CSCI 530 Lab Passwords. Overview Authentication Passwords Hashing Breaking Passwords Dictionary Hybrid Brute-Force Rainbow Tables Detection.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
MIGHTY CRACKER Chris Bugg Chris Hamm Jon Wright Nick Baum We could consider using the Mighty Cracker Logo located in the Network Folder.
Understanding Security Policies
APPENDIX A Hardware and Software Basics
Graphics Processor Graphics Processing Unit
Introduction to Parallel Computing: MPI, OpenMP and Hybrid Programming
Authentication Schemes for Session Passwords using Color and Images
What is GPU? how does it work?
Password Management Limit login attempts Encrypt your passwords
Cryptographic Hash Function
Chapter 1: Introduction
Authentication CSE 465 – Information Assurance Fall 2017 Adam Doupé
Password Cracking Lesson 10.
Cache memory Direct Cache Memory Associate Cache Memory
CS 465 PasswordS Last Updated: Nov 7, 2017.
Crypto 101 & Password Cracking
Edited by : Noor Alhareqi
Cryptographic Hash Functions Part I
Cryptographic Hash Functions
Edited by : Noor Alhareqi
PHP: Security issues FdSc Module 109 Server side scripting and
Objective of This Course
Ch 4. The Evolution of Analytic Scalability
Chapter 1 Introduction.
Morgan Kaufmann Publishers Memory Hierarchy: Virtual Memory
Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé
Elections Choose wisely, this is your chance to prove if election by popular vote works or not.
Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS
Exercise: Hashing, Password security, And File Integrity
CS5220 Advanced Topics in Web Programming Secure REST API
Elijah Hursey & Austin Keener Academy of Science Summer Bridge 2013
Network Penetration Testing & Defense
6- General Purpose GPU Programming
Hash Function Requirements
Authentication CSE 365 – Information Assurance Fall 2019 Adam Doupé
Presentation transcript:

Kiran Subramanyam ps2471@nyu.edu Password Cracking 1

Introduction Password authentication is everywhere, but vulnerable. In 1979, Robert Morris and Ken Thompson published “Password Security: A Case History”* which estimated that 86% of all passwords can be cracked. Two types of attacks: Online and Offline *http://cm.bell-labs.com/who/dmr/passwd.ps 2

Online Attacks Try to login to a live system by trying various ID/password combinations. This method is not very efficient as it is time consuming. Most systems lock the account/ID after a certain number of unsuccessful attempts, a strategy known as “rate limiting”. 3

Offline Attacks Obtain objects (e.g. files) that store passwords. But passwords are not stored in clear text. Most modern systems store either hashes of passwords or in an encrypted form. Therefore it is necessary to “crack” the passwords using various tools and techniques. 4

What is Hashing Hash functions map data of arbitrary size to data of fixed size (hash value or digest) with the following important properties: it is easy to compute the hash value for any given input text. it is infeasible to generate the input text from a given hash value (one way function). it is infeasible to find two different inputs with the same hash. Examples are MD5, SHA-1, SHA-256 etc. 5

Offline Attack Types Dictionary Attack – Build a list of candidate passwords and hash/encrypt each one to see if there is a match. Brute Force Attack – Systematically try all possible combinations of characters. Hybrid Attack – Try variations of each candidate based on mangling rules. Rainbow Table Lookups. 6

What are Rainbow Tables A pre-computed table of hash values of all possible inputs (usually up to a given length). Such tables require large amounts of storage. Searching for values in a table is faster than computing large number of hashes. This represents a space/time trade-off in comparison with wordlist based attacks. Hash chains are a further optimization of Rainbow Tables to decrease their storage requirement. 7

Evolution of Cracking Traditional methods employ tools such as Cain and Able, John The Ripper etc. using CPU core power. Advanced tools use graphical processing units (GPUs) on video cards and load rainbow tables onto very fast solid state drives (SSDs). Tools like Hashcat, Rainbow Crack, Cryptohaze Multiforcer, etc., are GPU-supported tools that utilize the GPU cores for cracking the hashes. 8

CPU versus GPU Architecturally, the CPU is composed of a few cores with lots of cache memory that can handle a few software threads at a time. In contrast, a GPU is composed of hundreds of cores that can handle thousands of threads simultaneously. For e.g. a CPU core can execute four 32-bit instructions per clock, whereas a GPU like the Radeon HD 5970 can execute 3200 32-bit instructions per clock. 9

Time required to Crack 10 characters: 3.76 quadrillion possible combinations Cracking online using web app hitting a target site with one thousand guesses per second: 3.7 weeks. Cracking offline using high‐powered servers or desktops (one hundred billion guesses/second): 10.45 hours Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 37.61 seconds. 10

Defense: Salts Salt is random data that is used as an additional input to the hashing function and different for each password I,e. Hash value = hash(salt, password) Salts combat the use of rainbow tables because the size of the table increases exponentially with the length of the password. When cracking lists, use of salts negates any potential efficiency due to repeated passwords since salts make each hash value unique. 11

Defense: Expensive Hash Typically hash functions are fast, but it also makes cracking them faster. Solution is to use expensive hash functions. bcrypt – Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower. scrypt – The algorithm was specifically designed to make it costly to perform large-scale custom hardware attacks by requiring large amounts of memory. 12

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.