How Safe are They?. Overview Passwords Cracking Attack Avenues On-line Off-line Counter Measures.


1 How Safe are They?

2 Overview
- Passwords
- Cracking
- Attack Avenues
  - On-line
  - Off-line
- Counter Measures

3 Non-Technical Passwords

4 Brute Force Approach
- Steps: 0-0-0, 0-0-1, 0-0-2, … 9-9-9
- Until Found, or Start Over

5 Passwords
- Protect Information
- Seen as Secure
- Cracking Algorithms Are All or Nothing: Off by One Is the Same as Not Close
- 8 Characters, Lower Case: 217.1 Billion Combinations
- 8 Characters, Upper and Lower: 221 Trillion
- 8 Characters, Upper, Lower, and Special: 669 Quadrillion

6 Cracking
- Ways to get passwords:
  - Weak Encryption (LAN Manager)
  - Guess: default password, blank password, letters in a row on the keyboard, user name, a name important to the user
  - Social Engineering

7 Cracking *

| Password length | Possible combinations | All characters | Only lowercase characters |
|-----------------|-----------------------|----------------|---------------------------|
| 3 characters    | 26                    | 0.86 second    | 0.02 second               |
| 4 characters    | 1,352                 | 1.36 minutes   | 0.046 second              |
| 5 characters    | 52,728                | 2.15 hours     | 11.9 seconds              |
| 6 characters    | 1,827,904             | 8.51 days      | 5.15 minutes              |
| 7 characters    | 59,406,880            | 2.21 years     | 2.23 hours                |
| 8 characters    | 1,853,494,656         | 2.10 centuries | 2.42 days                 |
| 9 characters    | 56,222,671,232        | 20 millenniums | 2.07 months               |

* Using Brute Force for Every Combination of Characters

8 Cracking
* Source: Wired, December 2012

9 On-Line: Types of Attacks
- Dictionary – uses a dictionary file
- Brute Force – all combinations
- Hybrid – spin-off of common passwords (password1 or 1password)
- Single Term – brute force

10 On-Line
- Password-Based Key Derivation Function Version 2 – PBKDF2
- Heuristic Rules Produce Candidate Passwords
- Flushes Out Poorer Choices Faster than Randomly Chosen Ones

11 On-Line Tools
- Script Based – Custom, Metasploit, Sniffer
- Browser Based (Web Login) – Firefox's FireForce Extension
- Hydra / XHydra

12 Off-Line
- Requires Access to Password Data
- Gained Access: SQL Injection, Local File System Access
- Long Periods for Success
- Many Tools and Techniques

13 Off-Line: Rainbow Tables (Time Memory Trade Off)
- Applies Hashing Algorithms
- Uses Dictionary Accumulated in Brute Force Techniques
- Method: Results Saved in Table or Matrix; Compare only Hashed Values
- Can Save Time, Uses a Lot of Memory
- Needs Lots of Storage Space for Tables / Matrices

14 Off-Line Tools
- John the Ripper
- Cain and Abel
- Ophcrack (Windows)
- Windows Password: FGDump – Retrieves Passwords from the SAM
- Free On-Line OphCrack: http://www.objectif-securite.ch/en/ophcrack.php

15 Off-Line
- Two parts to Windows Passwords, Called LM1 and LM2, Separated by ':'
- LM1 Contains Password
- LM2 Contains Case Information

16 Off-Line: Windows Password Tests
49F83571A279997F1172D0580DAC68AA:2B95310914BD52173FA8E3370B9DDB29 512DataDrop4u
83BAC0B36F5221502EDC073793ADCD02:CA49CC1CFF47EAD7E4809AD01FF47F56 Croi$$ants!

17 Counter Measures
- Longer the Better
- Obfuscated Passphrase Best: I Like To Eat Two Tacos! – Il2e#2T
- Avoid Hyphens Between Words
- Avoid Punctuation at End of Password or Passphrase
- Replace Vowels with Number – Maybe
- Lock Down System Access
- Multi-Factor Authentication
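The time/memory trade-off of slide 13 and the PBKDF2 and counter-measure points of slides 10 and 17, shown as an added Python example that is not part of the presentation: a table precomputed once recovers an unsalted fast hash in a single lookup, while a salted, iterated PBKDF2 hash cannot be looked up and forces every candidate to be rehashed per user. The 3-character lowercase key space, the salt values and the iteration counts are constructed for illustration only.

```python
"""Added example, not from the presentation: a toy version of the
time/memory trade-off (slide 13) next to a salted, iterated hash
(PBKDF2, slide 10) as a counter-measure. All inputs are constructed."""
import hashlib
import itertools
import os
import string

# Constructed key space: every 3-character lowercase password (26**3 = 17,576).
KEYSPACE = ["".join(p) for p in itertools.product(string.ascii_lowercase, repeat=3)]


def unsalted_md5(password):
    """Fast, unsalted hash: the kind a precomputed table can target."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(keyspace):
    """Spend memory once: hash the whole key space up front. A rainbow table
    compresses this with hash/reduce chains, but the trade-off is the same."""
    return {unsalted_md5(pw): pw for pw in keyspace}


def lookup(table, digest):
    """Time side of the trade-off: recovering a password is one dict read."""
    return table.get(digest)


def pbkdf2_hash(password, salt, iterations):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def guess_pbkdf2(keyspace, salt, target, iterations):
    """With a per-user salt no table applies: every candidate is rehashed
    under this salt, paying `iterations` HMAC calls each time.
    Returns (password or None, number of candidates hashed)."""
    for count, pw in enumerate(keyspace, 1):
        if pbkdf2_hash(pw, salt, iterations) == target:
            return pw, count
    return None, len(keyspace)


if __name__ == "__main__":
    table = build_lookup_table(KEYSPACE)
    print("table recovers:", lookup(table, unsalted_md5("abc")))
    salt = os.urandom(16)  # constructed per-user salt
    target = pbkdf2_hash("abc", salt, 100_000)
    print("PBKDF2 search (password, candidates hashed):",
          guess_pbkdf2(KEYSPACE, salt, target, 100_000))
```

The demo under `__main__` hashes 29 candidates at 100,000 iterations each; the same search against the unsalted table costs one dictionary read regardless of how many users share the password.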

18 References
- http://nakedsecurity.sophos.com/2013/08/16/anatomy-of-a-brute-force-attack-how-important-is-password-complexity/
- http://redmondmag.com/articles/2013/08/14/password-complexity.aspx
- Hydra password lists: ftp://ftp.openwall.com/pub/wordlists/ and http://gdataonline.com/downloads/GDict/
- http://www.zdnet.com/brute-force-attacks-beyond-password-basics-7000001740/
- http://techfoxy.blogspot.com/2012/01/how-to-hack-website-login-page-with.html
- http://spectrum.ieee.org/automaton/robotics/diy/diy-robots-make-bruteforce-security-hacks-possible (MindStorms Robot Book Capture)
- http://www.objectif-securite.ch/en/ophcrack.php (On-Line Ophcrack)
- http://foofus.net/goons/fizzgig/fgdump/ (FGDump)
