2012 03 The Death of Passwords by Artëm Kazantsev, Duke IT Security
The Death of Passwords
Dangers to Passwords
● Passwords are “phished”
● Passwords are shared
● Users use dictionary words or “lazy” passwords
● Users reuse one password across different sites
● Users recycle passwords or add numbers at the end (BlueDevil#9)
● Passwords can be cracked using:
  brute force of the hashes AND / OR rainbow tables AND / OR GPU cracking ...
Demo of GPU cracking
● 5 characters of mixed-case letters, special characters and numbers: ~2.5 min to brute force on an NVidia NVS 3100M laptop GPU (16 cores, 512 MB)
● For comparison, a desktop card: NVidia PCI Express (eVGA), memory clock 4212 MHz effective, shader clock 1800 MHz, 512 CUDA cores, 3072 MB GDDR5, ~$600
Cracking Passwords
(Diagram: each password guess is run through the hash function and the result is compared with the hashes stored in the password file; example hash d131dd02c5e6eec4693d9a0698aff95c)
Password type             Using the CPU    Using the GPU
6 char (no spec chars)    1 hour 30 sec    4 seconds
7 char (no spec chars)    4 days           17 minutes 30 seconds
7 char (spec chars)       75 days          7 hours
9 char (spec chars)       43 years         48 days
12345 anyone?
“I'm so clever” passwords (keyboard walks and leet-speak substitutions, all of which cracking rule sets generate):
● Q1W2E3R4A!S@D#F$
● zxcv/.,m
● Aq1Sw2De3Fr4
● L33tSp3@K (th3y w1ll n3v3r gu3$$)
Dictionary lists, hybrid attacks and mangle rules
Rule operators, as defined in hashcat's rule-engine source:
#define RULE_OP_MANGLE_LREST          'l'  // lower case all chars
#define RULE_OP_MANGLE_UREST          'u'  // upper case all chars
#define RULE_OP_MANGLE_LREST_UFIRST   'c'  // lower case all chars, upper case 1st
#define RULE_OP_MANGLE_UREST_LFIRST   'C'  // upper case all chars, lower case 1st
#define RULE_OP_MANGLE_TREST          't'  // switch the case of each char
#define RULE_OP_MANGLE_TOGGLE_AT      'T'  // switch the case of each char on pos N
#define RULE_OP_MANGLE_REVERSE        'r'  // reverse word
#define RULE_OP_MANGLE_DUPEWORD       'd'  // append word to itself
#define RULE_OP_MANGLE_DUPEWORD_TIMES 'p'  // append word to itself N times
#define RULE_OP_MANGLE_REFLECT        'f'  // reflect word (append reversed word)
#define RULE_OP_MANGLE_ROTATE_LEFT    '{'  // rotate the word left. ex: hello -> elloh
#define RULE_OP_MANGLE_ROTATE_RIGHT   '}'  // rotate the word right. ex: hello -> ohell
#define RULE_OP_MANGLE_APPEND         '$'  // append char X
#define RULE_OP_MANGLE_PREPEND        '^'  // prepend char X
#define RULE_OP_MANGLE_DELETE_FIRST   '['  // delete first char of word
#define RULE_OP_MANGLE_DELETE_LAST    ']'  // delete last char of word
#define RULE_OP_MANGLE_DELETE_AT      'D'  // delete char of word at pos N
#define RULE_OP_MANGLE_EXTRACT        'x'  // delete X chars of word at pos N
#define RULE_OP_MANGLE_INSERT         'i'  // insert char X at pos N
#define RULE_OP_MANGLE_OVERSTRIKE     'o'  // overwrite with char X at pos N
#define RULE_OP_MANGLE_TRUNCATE_AT    '\'' // cut the word at pos N
#define RULE_OP_MANGLE_REPLACE        's'  // replace all chars X with char Y
#define RULE_OP_MANGLE_PURGECHAR      '@'  // -- not implemented --
#define RULE_OP_MANGLE_DUPECHAR_FIRST 'z'  // prepend first char of word to itself. ex: hello -> hhello
#define RULE_OP_MANGLE_DUPECHAR_LAST  'Z'  // append last char of word to itself. ex: hello -> helloo
#define RULE_OP_MANGLE_DUPECHAR_ALL   'q'  // duplicate all chars. ex: hello -> hheelllloo
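To make the rule notation concrete, here is a small re-implementation in Python of the operators listed above, applied the way a hybrid dictionary attack applies them (every word in a wordlist times every rule line, then hash and compare). This is an added example, not the deck's or hashcat's code. The wordlist, the rule lines and the target hashes are constructed for the demo (the targets are MD5 of known plaintexts so the run is self-contained), and the engine is lenient where hashcat rejects out-of-range positions.

```python
import hashlib

# Operator -> number of single-character arguments it takes (hashcat rule syntax).
PARAMS = {":": 0, "l": 0, "u": 0, "c": 0, "C": 0, "t": 0, "T": 1, "r": 0, "d": 0,
          "p": 1, "f": 0, "{": 0, "}": 0, "$": 1, "^": 1, "[": 0, "]": 0, "D": 1,
          "x": 2, "i": 2, "o": 2, "'": 1, "s": 2, "z": 0, "Z": 0, "q": 0}

def pos(c: str) -> int:
    """Positions are written 0-9 then A-Z for 10-35, as in hashcat."""
    return int(c, 36)

# One function per operator. hashcat rejects a rule whose position is beyond the word;
# this demo simply lets Python slicing truncate (a simplification).
OPS = {
    ":": lambda w: w,                                # no-op (try the word as-is)
    "l": lambda w: w.lower(),
    "u": lambda w: w.upper(),
    "c": lambda w: w[:1].upper() + w[1:].lower(),    # capitalize
    "C": lambda w: w[:1].lower() + w[1:].upper(),
    "t": lambda w: w.swapcase(),
    "T": lambda w, n: w[:pos(n)] + w[pos(n):pos(n) + 1].swapcase() + w[pos(n) + 1:],
    "r": lambda w: w[::-1],
    "d": lambda w: w * 2,
    "p": lambda w, n: w * (pos(n) + 1),
    "f": lambda w: w + w[::-1],                      # reflect
    "{": lambda w: w[1:] + w[:1],                    # rotate left:  hello -> elloh
    "}": lambda w: w[-1:] + w[:-1],                  # rotate right: hello -> ohell
    "$": lambda w, x: w + x,
    "^": lambda w, x: x + w,
    "[": lambda w: w[1:],
    "]": lambda w: w[:-1],
    "D": lambda w, n: w[:pos(n)] + w[pos(n) + 1:],
    "x": lambda w, n, m: w[pos(n):pos(n) + pos(m)],  # keep M chars starting at pos N
    "i": lambda w, n, x: w[:pos(n)] + x + w[pos(n):],
    "o": lambda w, n, x: w[:pos(n)] + x + w[pos(n) + 1:],
    "'": lambda w, n: w[:pos(n)],                    # truncate
    "s": lambda w, x, y: w.replace(x, y),
    "z": lambda w: w[:1] + w,                        # hello -> hhello
    "Z": lambda w: w + w[-1:],                       # hello -> helloo
    "q": lambda w: "".join(ch * 2 for ch in w),      # hello -> hheelllloo
}

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (operators in sequence, spaces ignored) to one word."""
    w, i = word, 0
    while i < len(rule):
        op = rule[i]
        i += 1
        if op == " ":
            continue
        if op not in PARAMS:
            raise ValueError(f"unknown rule operator {op!r}")
        n = PARAMS[op]
        args = rule[i:i + n]
        if len(args) < n:
            raise ValueError(f"rule {rule!r}: operator {op!r} is missing arguments")
        i += n
        w = OPS[op](w, *args)
    return w

def expand(words, rules):
    """Yield (candidate, source_word, rule) for every word x rule pair."""
    for word in words:
        for rule in rules:
            yield apply_rule(word, rule), word, rule

def crack_md5(target_hexes, words, rules):
    """Return {hash: (plaintext, source_word, rule)} for every target hit by a candidate."""
    targets = {h.lower() for h in target_hexes}
    found = {}
    for cand, word, rule in expand(words, rules):
        h = hashlib.md5(cand.encode()).hexdigest()
        if h in targets and h not in found:
            found[h] = (cand, word, rule)
    return found

# Constructed demo data: a tiny organisation-flavoured wordlist, a few rule lines in the
# spirit of the "I'm so clever" slide, and target hashes made from known plaintexts.
WORDLIST = ["bluedevil", "duke", "password", "raleigh"]
RULES = [":", "c", "u", "r", "f", "c $1", "c $1 $2 $3", "c T4 $# $9",
         "sa@ se3 so0", "c $2 $0 $1 $2"]
TARGETS = [hashlib.md5(p.encode()).hexdigest()
           for p in ("BlueDevil#9", "Duke2012", "p@ssw0rd")]

def demo():
    """Map each recovered plaintext to the rule line that produced it."""
    return {plain: rule for plain, _word, rule in crack_md5(TARGETS, WORDLIST, RULES).values()}

if __name__ == "__main__":
    print(f"{len(WORDLIST)} words x {len(RULES)} rules = {len(WORDLIST) * len(RULES)} candidates")
    for plain, rule in demo().items():
        print(f"cracked {plain!r} via rule {rule!r}")
```

Four words and ten rule lines already recover BlueDevil#9, Duke2012 and p@ssw0rd; a real run uses wordlists of millions of entries and rule files of thousands of lines, which is why the "clever" substitutions on the previous slide add almost nothing.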
Rainbow Tables
● http://www.freerainbowtables.com/ (using BOINC distributed computing for calculation) (5271 GB as of 02/20/2012)
● RainbowCrack: your friendly local rainbow table generator, converter (between rainbow table formats) and cracker
RainbowCrack Project example
ntlm_mixalpha-numeric#1-9
Hash Algorithm: NTLM
Charset: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
Plaintext Length: 1 to 9
Key Space: 13,759,005,997,841,642 (about 2^53.6)
Table Pre-computation Effort: 59,476,604,035,792,896 (about 2^55.7) hash computations
Table Size: 864 GB
That pretty much means the game is over for alphanumeric NTLM passwords shorter than 10 characters! (NTLM hashes are unsalted, which is what lets one precomputed table be reused against every account.)
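The keyspace figure above, and the CPU/GPU timing table earlier in the deck, both follow from the same arithmetic: charset size raised to the password length, divided by the attacker's hash rate. The following added example (not from the deck) reproduces the RainbowCrack numbers exactly and regenerates the shape of the timing table for any assumed hash rate. The charsets ("no spec chars" = 62 alphanumerics, "spec chars" = 95 printable ASCII) and the rates used in the demo are assumptions; the deck does not state either.

```python
"""Keyspace and worst-case brute-force time for the password tables in this deck."""
import math

# Assumed charsets (the deck does not spell them out).
MIXALPHA_NUMERIC = 62   # a-z A-Z 0-9
ALL_PRINTABLE = 95      # ASCII 0x20-0x7E

def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len over the charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def log2_str(n: int) -> str:
    """The deck's 'about 2^53.6' shorthand for a big count."""
    return f"2^{math.log2(n):.1f}"

def seconds_to_crack(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Time to exhaust a fixed-length keyspace at a given rate (worst case; average is half)."""
    return keyspace(charset_size, length, length) / hashes_per_second

def humanize(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def rainbowcrack_table_check() -> dict:
    """Reproduce the figures quoted above for ntlm_mixalpha-numeric#1-9."""
    ks = keyspace(MIXALPHA_NUMERIC, 1, 9)
    precomputation = 59_476_604_035_792_896   # from the RainbowCrack listing quoted above
    return {
        "keyspace": ks,
        "keyspace_log2": log2_str(ks),
        "precomputation_log2": log2_str(precomputation),
        # Building the table costs several times the keyspace, because rainbow chains
        # overlap and merge; that cost is paid once and then amortised over every crack.
        "precomputation_over_keyspace": round(precomputation / ks, 2),
    }

def crack_time_table(hashes_per_second: float) -> dict:
    """Regenerate the rows of the deck's CPU/GPU table for one assumed hash rate."""
    rows = [(MIXALPHA_NUMERIC, 6, "6 char (no spec chars)"),
            (MIXALPHA_NUMERIC, 7, "7 char (no spec chars)"),
            (ALL_PRINTABLE, 7, "7 char (spec chars)"),
            (ALL_PRINTABLE, 9, "9 char (spec chars)")]
    return {label: humanize(seconds_to_crack(cs, n, hashes_per_second)) for cs, n, label in rows}

if __name__ == "__main__":
    print(rainbowcrack_table_check())
    # Assumed rates, not from the deck: the same GPU against a fast unsalted hash such as
    # NTLM or MD5, and against a deliberately slow password hash costing ~10,000x per guess.
    for label, rate in (("fast hash on a GPU", 1e10), ("slow password hash on the same GPU", 1e6)):
        print(label, crack_time_table(rate))
```

The only input the defender controls in this arithmetic, apart from password length, is the hash rate: the timing table is a statement about the hash algorithm as much as about the password.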
Methods to Compromise Accounts/Passwords

Defenses (table columns): Longer passwords (passphrases) | Regular password changes | Account lockouts | Multi-factor | Education | Network encryption | Host-based security

Password attack (table rows) with the number of defenses marked as effective against it:
● Password cracking (dictionary attack, brute force, rainbow tables, GPU cracking): ✔ ✔ ✔ ✔
● Password sharing: ✔ ✔
● Phishing / social engineering: ✔ ✔
● Man-in-the-middle attack: ✔ ✔ ✔
● Network sniffing: ✔ ✔ ✔ ✔ ✔
● Keylogger: ✔* ✔* (* unless the factor is a digital cert)
What is Multi-Factor
• Authentication involves:
– Something you know (e.g. password)
– Something you have (e.g. digital cert, “token”)
– Something you are (e.g. fingerprint, voice pattern)
– Somewhere you are (e.g. GPS or network IP)
• Passwords provide only one of these. What if we required a second? Or a third?
• Depending on a user's role AND the application they are trying to access, we could require a second factor for authentication
Multifactor Options

Tokens
● Pros: industry standard; can be integrated into current authentication services; can run on top of the existing password policy
● Cons: token replacement costs; if lost, stolen or not to hand, the user cannot log in; may not be usable from a guest machine; the ‘seed’ server must be protected at all costs

Digital Certificates
● Pros: cheapest option (via InCommon); least impact on users; can run on top of the existing password policy
● Cons: only ½ of a factor in some cases; the cert must be installed on every device the user logs in from; cannot log in from a guest machine; depends on users protecting their private keys

Phone (SMS / QR code apps)
● Pros: similar to tokens; low-cost and open-source options exist; works well for those who have smartphones; can run on top of the existing password policy
● Cons: the user must have a phone that can take pictures or receive SMS; if the phone is lost, stolen or not to hand, the user cannot log in
Passwords Alone Are No Longer Effective