How Safe are They? Overview: Passwords, Cracking, Attack Avenues (On-line, Off-line), Counter Measures.

Presentation transcript:

How Safe are They?

Overview
Passwords
Cracking
Attack Avenues: On-line, Off-line
Counter Measures

Non-Technical Passwords

Brute Force Approach: Steps … Until Found or Start Over

Passwords
Protect Information
Seen as Secure
Cracking Algorithms: All or Nothing (Off by One Same as Not Close)
8 Characters, Lower Case: Billion Combinations
8 Characters, Upper and Lower: 221 Trillion
8 Characters, Upper, Lower, and Special: 669 Quadrillion

Cracking: Ways to get passwords
Weak Encryption (Lan Man)
Guess: Default password, Blank password, Letters in a row on keyboard, User name, Name important to user
Social Engineering

Cracking: Brute Force Timing (using brute force for every combination of characters)

Password length | Possible | All characters | Only lowercase characters
3 characters | | second | 0.02 second
4 characters | 1, | minutes | 0.046 second
5 characters | 52, | hours | 11.9 seconds
6 characters | 1,827, | days | 5.15 minutes
7 characters | 59,406, | years | 2.23 hours
8 characters | 1,853,494, | centuries | 2.42 days
9 characters | 56,222,671,232 | 20 millenniums | 2.07 months

Cracking (source: Wired, December 2012)

On-Line: Types of Attacks
Dictionary – uses dictionary file
Brute Force – All combinations
Hybrid – Spin off of common passwords (password1 or 1password)
Single Term – Brute Force

On-Line
Password-Based Key Derivation Function Version 2 – PBKDF2
Heuristic Rules Produce Candidate Passwords
Flushes Out Poorer Choices Faster than Randomly Chosen Ones

On-Line Tools
Script Based – Custom, Metasploit, Sniffer
Browser Based (Web Login) – FireFox’s FireForce Extension
Hydra / XHydra

Off-Line
Requires Access to Password Data
Gained Access: SQL Injection, Local File System Access
Long Periods for Success
Many Tools and Techniques

Off-Line: Rainbow Tables (Time Memory Trade Off)
Applies Hashing Algorithms
Uses Dictionary Accumulated in Brute Force Techniques
Method: Results Saved in Table or Matrix; Compare only Hashed Values
Can Save Time, Uses a Lot of Memory
Needs Lots of Storage Space for Tables / Matrices
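The time-memory trade-off on this slide, as an added example that is not from the original deck: a toy rainbow table over a constructed 3-character lowercase key space hashed with unsalted MD5 (standing in for any legacy unsalted hash), built once and then used to recover a password from its hash. The same lookup fails against a salted hash of the same password, which is the defender's reason for salting. Alphabet, chain length and table size are assumptions chosen to keep the run small.

```python
import hashlib
import itertools
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3          # constructed toy key space: 26**3 = 17,576 passwords
CHAIN_LEN = 20      # passwords covered per stored chain (the "memory" side of the trade-off)
TABLE_SIZE = 4000   # chains stored: 4000 x 20 slots over 17,576 passwords, minus merged chains

def h(password, salt=b""):
    # Unsalted MD5 stands in for a legacy hash; a salt, when given, is prepended.
    return hashlib.md5(salt + password.encode()).digest()

def reduce_(digest, step):
    # Map a digest back into the key space; mixing in the column number is what
    # makes these rainbow chains rather than plain hash chains.
    n = int.from_bytes(digest, "big") + step
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def build_table(start_words):
    # Only (endpoint -> start) is stored; the passwords in between are recomputed on demand.
    table = {}
    for start in start_words:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_(h(pw), step)
        table.setdefault(pw, start)
    return table

def lookup(table, target):
    # Return the password whose unsalted hash is 'target', or None if the table misses.
    for col in range(CHAIN_LEN):
        pw = reduce_(target, col)              # assume the target sits at column 'col'
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_(h(pw), step)          # finish the chain and look for its endpoint
        start = table.get(pw)
        if start is None:
            continue
        cand = start
        for step in range(CHAIN_LEN):          # walk the chain; a false alarm falls through
            if h(cand) == target:
                return cand
            cand = reduce_(h(cand), step)
    return None

STARTS = ["".join(p) for p in itertools.islice(itertools.product(ALPHABET, repeat=LENGTH), TABLE_SIZE)]
TABLE = build_table(STARTS)   # 80,000 hashes up front; each lookup then costs a few hundred
```

Storing 4,000 endpoints instead of 17,576 hash/password pairs is the memory saving; the cost is recomputing chain segments on every lookup, and any per-user salt makes the precomputed table useless.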

Off-Line Tools
John the Ripper
Cain and Abel
Ophcrack (Windows)
Windows Password: FGDump – Retrieves Passwords from SAM
Free On-Line OphCrack

Off-Line: Two parts to Windows Passwords
Called LM1 and LM2, Separated by ‘:’
LM1 Contains Password
LM2 Contains Case Information

Off-Line: Windows Password Tests
49F83571A279997F1172D0580DAC68AA:2B BD5 2173FA8E3370B9DDB29 512DataDrop4u
83BAC0B36F EDC073793ADCD02:CA49CC1CFF4 7EAD7E4809AD01FF47F56 Croi$$ants!

Counter Measures
Longer the Better
Obfuscated Passphrase Best: I Like To Eat Two Tacos! – Il2e#2T
Avoid Hyphens Between Words
Avoid Punctuation at End of Password or Passphrase
Replace Vowels with Number – Maybe
Lock Down System Access
Multi-Factor Authentication
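PBKDF2 (named on the On-Line slide) and the "Lock Down System Access" counter measure, as an added example that is not from the original deck: the way a defender stores passwords with PBKDF2-HMAC-SHA256, a per-user random salt and a high iteration count so an off-line attacker gets only a bounded number of guesses per second, plus a simple login guard that locks an account after repeated on-line failures. The record format, the iteration count and the LoginGuard class are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000   # assumed work factor; pick it so one check costs roughly 100 ms on your hardware

def hash_password(password, salt=None, iterations=ITERATIONS):
    # A fresh random salt per user means equal passwords give different records and
    # that tables precomputed without the salt are worthless; the iteration count
    # caps how many guesses per second an off-line attacker can test.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(record, password):
    # Recompute with the stored salt and count; compare in constant time.
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

class LoginGuard:
    # On-line countermeasure: after max_failures within the window, refuse even a
    # correct password until the window has passed (an attacker cannot tell which it was).
    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.failures = {}   # user -> timestamps of recent failed attempts

    def attempt(self, user, record, password, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.failures.get(user, []) if now - t < self.window_seconds]
        if len(recent) >= self.max_failures:
            self.failures[user] = recent
            return "locked"
        if verify_password(record, password):
            self.failures[user] = []
            return "ok"
        recent.append(now)
        self.failures[user] = recent
        return "denied"
```

With the default count a single verification costs on the order of a tenth of a second, so the dictionary, hybrid and brute-force rates from the earlier slides shrink by the same factor against stolen records, while the guard caps on-line guessing regardless of password strength.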
