Page 1: Passwords presentation

Passwords
Gregory W. MacPherson
CCNA, CISSP, Security+, ITIL, etc.
[email protected]

Page 2: Passwords presentation

composition
A password …
• Is a string of letters, numbers, and/or special characters
• Is still THE primary authentication method (it proves who you are; authorization is decided afterwards)
• Is passed through a one-way hash function before storage, so the original cannot be read back from what is stored
• SHOULD be stored only as a salted, slow hash, never in the clear or reversibly encrypted
• Is only as strong as the time that it takes for an attacker to crack it
• With access to modern computing power, that doesn’t take very long
• A rainbow table is a pre-computed time/memory trade-off over every hash in a search space; it only works against unsalted hashes
• An unsalted fast hash is no match for a massively parallel cluster (Hadoop, Google, etc.)

Page 3: Passwords presentation

composition
Search Space
• Depth (alphabet: how many distinct characters can appear in each position)
• Length (number of characters)
• Exhaustive search (guess every possibility in the space)
• Dictionary (reduce the search space to good guesses)
Time to search (how long to guess the hash – real wall clock time)
• Online (guesses submitted to the live system one at a time, throttled by the service)
• Offline (the attacker holds the hash and guesses locally, with pre-computed rainbow tables or a GPU)
• Massively parallel GPU array (nation states, hackers, google, etc.)
The figures in the examples that follow work out to 1,000 guesses/second online, 100 billion/second offline and 100 trillion/second for the cluster.

Page 4: Passwords presentation

explanation
Hashing methods (often mislabelled “encryption”)
• MD5 hash: pre-calculated rainbow tables available, easily cracked
• SHA1/256/512 hashes: attacks on SHA1 have been demonstrated, and for password storage all three are unsalted, fast and GPU-friendly, so guessing is cheap
• Phpass (PHP): bcrypt (Blowfish-based) when available, falling back to an iterated-MD5 scheme – some implementations are buggy
Cloud computing and parallel computing greatly reduce time to crack (TTC)
Modern GPU video cards easily perform 1,000,000 guesses/second against a fast hash, and current cards reach billions per second
Using common dictionary words (or permutations) makes it easy
What you want is called “entropy” or more commonly “randomness”
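To show why the storage point above is really about salting and slowness rather than “encryption”, here is an added Python example (not from the deck): the same constructed user list is stored once with unsalted MD5 and once with salted PBKDF2-HMAC-SHA256 from the standard library, and the same small wordlist is run against both. The users, the wordlist and the 100,000-iteration work factor are constructed for illustration.

```python
"""
Fast unsalted hash (MD5) versus salted slow hash (PBKDF2-HMAC-SHA256).

Against MD5 the attacker pre-computes a lookup table once and cracks every user
with a dictionary lookup; against PBKDF2 each guess must be recomputed per user
at the chosen work factor, and no table built in advance matches anything.
"""
import hashlib
import hmac
import secrets

# Constructed sample data (not real accounts): a tiny wordlist and three users.
WORDLIST = ["123456", "password", "brewer", "Chase123", "letmein", "qwerty"]
USERS = {"alice": "Chase123", "bob": "brewer", "carol": "Chase123"}

PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise it as hardware speeds up


def md5_unsalted(password: str) -> str:
    """The weak scheme from the slide: one MD5 over the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """hash -> plaintext, computed once and reusable against every MD5 user anywhere.
    (A real rainbow table stores chains to save memory; the effect is the same.)"""
    return {md5_unsalted(w): w for w in words}


def crack_md5(stored_hash: str, table):
    """One dictionary lookup per hash: effectively zero work at crack time."""
    return table.get(stored_hash)


def pbkdf2_salted(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_pbkdf2(password: str):
    """Per-user random salt: identical passwords give different records."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": pbkdf2_salted(password, salt)}


def verify_pbkdf2(password: str, record) -> bool:
    candidate = pbkdf2_salted(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def crack_pbkdf2(record, words):
    """The attacker's only option: rerun the KDF for every guess with *this* salt.
    Returns (plaintext or None, number of KDF evaluations spent)."""
    for count, w in enumerate(words, 1):
        if verify_pbkdf2(w, record):
            return w, count
    return None, len(words)


def compare_schemes():
    """Store and crack every user under both schemes; returns the outcome."""
    table = build_lookup_table(WORDLIST)
    md5_records = {u: md5_unsalted(p) for u, p in USERS.items()}
    pbkdf2_records = {u: store_pbkdf2(p) for u, p in USERS.items()}
    return {
        "md5_identical_for_alice_and_carol": md5_records["alice"] == md5_records["carol"],
        "pbkdf2_identical_for_alice_and_carol":
            pbkdf2_records["alice"]["hash"] == pbkdf2_records["carol"]["hash"],
        "md5_cracked": {u: crack_md5(h, table) for u, h in md5_records.items()},
        "pbkdf2_cracked": {u: crack_pbkdf2(r, WORDLIST) for u, r in pbkdf2_records.items()},
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(key, value)
```

Note that the salted hash still falls to a six-word dictionary when the password is in it: salting and a work factor only remove the attacker's pre-computation and make each guess cost 100,000 HMAC evaluations per user. The rest of the deck, search space and length, is what decides how many guesses are needed.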

Page 5: Passwords presentation

examples
Password: brewer
Composition: all lower case (26 characters)
Length: 6 characters
Exhaustive search size: 321,272,406 possibilities (3.21 x 10^8)
• Online: 3.72 days
• Offline (rainbow tables): 0.00321 seconds
• Cluster: 0.00000321 seconds
Conclusion: not a strong password
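The arithmetic behind the Search Space slide and this and the following example slides, as an added Python example that is not part of the original deck: the search space is cumulative over lengths 1 to L, which is why 26 lowercase letters at length 6 give 321,272,406 rather than 26^6 = 308,915,776, and the three guess rates (1,000, 100 billion and 100 trillion per second) are the ones the deck's figures work out to. The character-class sizes and the humanize() rendering are assumptions of this example; the calculator the deck used may round calendar units slightly differently.

```python
"""
Search space and time-to-crack (TTC) arithmetic used throughout the deck.

An attacker who does not know the length tries every string of length 1..L,
so the space is sum(depth**i for i in 1..L), not depth**L.
"""
import string

RATES = {                           # guesses per second, as implied by the deck
    "online": 1_000,                # guesses submitted to the live service
    "offline": 100_000_000_000,     # hash in hand, rainbow tables / single GPU
    "cluster": 100_000_000_000_000, # massively parallel GPU array
}

# Character classes and their sizes: 26 + 26 + 10 + 33 = 95 printable ASCII.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),  # 32 punctuation marks + space = 33
}


def depth(password: str) -> int:
    """Alphabet size: sum of the sizes of every class the password actually uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(d: int, length: int) -> int:
    """Number of candidates of length 1..length over an alphabet of size d."""
    return sum(d ** i for i in range(1, length + 1))


def time_to_crack(space: int):
    """Worst-case seconds at each guess rate (the whole space is searched)."""
    return {name: space / rate for name, rate in RATES.items()}


def humanize(seconds: float) -> str:
    """Render wall-clock time in the largest unit that gives a readable number."""
    units = [("centuries", 3_153_600_000), ("years", 31_536_000), ("weeks", 604_800),
             ("days", 86_400), ("hours", 3_600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2g} seconds"


def analyze(password: str):
    """Depth, length, search space and TTC at each rate for one password."""
    d = depth(password)
    space = search_space(d, len(password))
    return {"depth": d, "length": len(password), "space": space,
            "ttc": time_to_crack(space)}


if __name__ == "__main__":
    # The deck's own examples; adding one character multiplies the space by the depth.
    for pw in ["brewer", "Chase123", "SubuKrishnamurti", "Ch4n........",
               "12345678901234567890", "UR0wn3d!", "@TheM0vies!", "@TheM0vies!!"]:
        r = analyze(pw)
        print(f"{pw!r}: depth {r['depth']}, length {r['length']}, space {r['space']:,}")
        for name, secs in r["ttc"].items():
            print(f"  {name:8s} {humanize(secs)}")
```

Running it reproduces the deck's numbers (3.72 days online for brewer, 36.99 minutes offline for Chase123, 1.12 minutes on the cluster for an 8-character depth-95 password), and the last two entries show the +1 character effect the modifications slide relies on: the space grows by the depth, so one extra character at depth 95 buys almost two orders of magnitude.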

Page 6: Passwords presentation

examples
Password: Chase123
Composition: upper and lower case and numbers (26+26+10 = 62)
Length: 8 characters
Exhaustive search size: 221,919,451,578,090 possibilities (2.22 x 10^14)
• Online: 70.56 centuries
• Offline (rainbow tables): 36.99 minutes
• Cluster: 2.22 seconds
Conclusion: not a strong password

Page 7: Passwords presentation

examples
Password: SubuKrishnamurti
Composition: upper and lower case (26+26 = 52)
Length: 16 characters
Exhaustive search size: 2,913,980,664,356,126,978,428,175,620 possibilities (2.91 x 10^27)
• Online: 9.27 hundred trillion centuries
• Offline (rainbow tables): 9.27 million centuries
• Cluster: 9.27 thousand centuries
Conclusion: a strong password

Page 8: Passwords presentation

examples
Password: Ch4n…….. (eight periods)
Composition: upper and lower case, a digit and a special character (26+26+10+33 = 95)
Length: 12 characters
Exhaustive search size: 546,108,599,233,516,079,517,120 possibilities (5.46 x 10^23)
• Online: 1.74 hundred billion centuries
• Offline (rainbow tables): 1.74 thousand centuries
• Cluster: 1.74 centuries (the cluster is 1,000 times faster than the offline rate)
Conclusion: a strong password doesn’t have to be hard to remember

Page 9: Passwords presentation

observations
So, mister password smarty pants, how good are *your* passwords?
• Everything is ten (10) characters or more
• Everything is upper and lower with at least one special character
• Sounds pretty impressive, right? Guess what…
• They STILL suck!
Length: 10 characters, depth: 95 (26+26+10+33 = 95)
Exhaustive search size: 60,510,648,114,517,017,120 (6.05 x 10^19)
Time to Crack (TTC) across these passwords: between 2.5 hours and 28 months (cluster)
Conclusion: I need to change some of my passwords

Page 10: Passwords presentation

observations
Size matters - BUT content matters also
• 12345678901234567890 – space is 20 characters, but depth is only 10 digits
• Exhaustive search size: 111,111,111,111,111,111,110 (1.11 x 10^20)
• Online: 35.33 million centuries
• Offline: 35.33 years
• Cluster: 1.84 weeks
Conclusion: NOT a strong password

Page 11: Passwords presentation

observations
Content matters - BUT size matters also
• UR0wn3d! – depth is 95 (26+26+10+33), but space is only 8 characters
• Exhaustive search size: 6,704,780,954,517,120 (6.70 x 10^15)
• Online: 2.13 thousand centuries
• Offline: 18.62 hours
• Cluster: 1.12 minutes
Conclusion: NOT a strong password

Page 12: Passwords presentation

modifications
Reviewing my own commonly used passwords …
Almost all were weaker than I believed – I thought I had strong passwords
A very simple modification fixes the problem – add 1 or 2 more characters
• Example: password cracking (cluster) was 1.83 years (still potentially vulnerable)
• Added one (+1) or two (+2) additional characters to each existing password
• Result: new password cracking time (cluster) becomes 1.74 CENTURIES (each extra character multiplies the search space by the depth, 95 here)
No more difficult to memorize or remember since I use a password vault
These times assume the service stores a salted, slow hash; a site that keeps passwords in the clear or reversibly encrypted hands them over no matter how long they are

Page 13: Passwords presentation

conclusions
• Need to use the largest available character space
• Need to use the longest password length possible
• Eight (8) characters DEFINITELY is NOT enough
• L!v2H4K! – length: 8, depth: 95, TTC: 1.12 minutes (cluster) (18.62 hours offline)
• IsThisLongEnuf – length: 14, depth: 52, TTC: 3.43 centuries (cluster)
• @@TheMovies!! – length: 13, depth: 85 (no digits), TTC: 38.90 centuries (cluster)
• @TheM0vies! – length: 11, depth: 95, TTC: 1.83 years (cluster)
• If forced to choose, length beats content

Page 14: Passwords presentation

conclusions
• Most frequently used passwords in the recent Avid Media breach:
• 123456
• Password
• Eight (8) characters DEFINITELY is NOT enough
• Fourteen characters is the new BLACK
• Get creative – utilize the password strength policy to your advantage
• Password aging is NOT a good policy – users will pick weaker passwords
• Online password strength testers are available – test passwords of the same shape as your new ones, never the actual password you will use

Page 15: Passwords presentation

Fin
Gregory W. MacPherson
CCNA, CISSP, Security+, ITIL, etc.
[email protected]