SlideShare uma empresa Scribd logo

Honeywords - BSides London 2014

Transferir como PPTX, PDF
Gavin Holt
Gavin Holt
Tecnologia
1 de 63
Honeywords: Detectable Password Theft Gavin Holt Abertay University
whoami Gavin Holt (@GavinHolt) Fourth Year Honours Student at Abertay University One of the organisers of Securi-Tay 3 Vice President of Abertay Ethical Hacking Society (@AbertayHackers)
What are we covering today? Why is password theft so dangerous? How are passwords currently being stored? (The good, the bad and the plain stupid) What are Honeywords? How Honeywords can be implemented The benefits of Honeywords What Honeywords won’t save you from Summary Questions
Why is password theft so dangerous?
Obvious Answer: Because then someone has your password
Less Obvious Answer: Because then someone has your password…for everything
60%+ of users use the same password across multiple sites (PayPal Report)
300% Increase in a single quarter (Experian Report)
LinkedIn – 6.5 Million Passwords Zappos.com – 12 Million Passwords eHarmony – 1.5 Million Passwords Adobe – 38 Million Passwords Evernote – 50 Million Passwords
But when you analyse a dump, you have to wonder why you bother…
A lot of usernames and passwords out there.
But Gavin, People don’t store passwords in the plain anymore, right?
http://plaintextoffenders.com/
Oh okay, but the big guys are doing it right?
LinkedIn’s 6.5 Million Passwords were unsalted.
Even if they salt the passwords, they aren’t always per user salts.
Salting doesn’t stop a targeted attack
Password Cracking is getting faster!
Making the Hashing more complex and resource intensive is only part of the solution.
How do I even know if my password has been stolen?
You might not!
Some sneaky SysAdmins might put some fake accounts in.
So if the User “Rory” logs in, they can assume they have been compromised.
Pretty useful idea – Honeypot accounts.
Hackers are sneaky
Can potentially spot these fake accounts by looking at their activity and permissions.
So fake user accounts aren’t fool proof.
But we like the idea of making it a high-risk guessing game for the attacker.
Why not have fake Passwords?
Introducing: Honeywords
First discussed by Jules and Rivest of MIT in May 2013.
If for every user account, we have multiple passwords, with only one legit password, can we detect password theft by watching for our known entries?
An unsalted MD5 example (Don’t throw things) Traditional DBUID Username Password (Hashed, For Security obv) 1 Gavin 565E15D84CC59763D13D58B5F66C967F 2 Rory AD7FADB59974D0C2E66E628C0485F9C9 3 Tiago AA177EC5DCBF88CA5EDF17236C1981E8
A plain text example (Don’t throw things) Traditional DB Attacker Gets a hold of the database Fires up John or Similar Tool Gets Plain Text Passwords Back
Lets implement Honeywords…
How do we make Honeywords?
How do we make Honeywords? We need believable words We need some low hanging fruit We need some tough passwords We need to ensure we don’t use the users PW We need to be able to identify HoneyWords internally!
How do we make Honeywords? Start with a dictionary Select a handful of words of varying length Depending on how hard we want to make the password to crack we can: Mangle for Upper and Lower Case Prepend and Append numbers Substitute Symbols Concatenate Words Make sure it doesn’t make our users PW!
How do we make Honeywords? We need to make a correct Checksum for our users password We also need to make some fake checksums for the honeywords we have generated
An unsalted MD5 example Using Honeywords UID Username 1 Gavin 2 Rory 3 Tiago UI D Password Hash Checksum 1 565E15D84CC59763D13D58B5F66C 967F TU32R781V346R7ETV81ERTGE7RT8EV4 1 AD7FADB59974D0C2E66E628C0485 F9C9 SVEVREVR6571654SF7CEWF7E1FC51W 1 AA177EC5DCBF88CA5EDF17236C1 981E8 BCN7GHER17G8J7678A78W81CDFCTHY871 1 DC5F61F959F188478982A9DBB153 EWFFFFSEESYUUTRYER87F1S67F1S5E7F1SCE
An unsalted MD5 example Using Honeywords Attacker Gets a hold of the database Fires up John or Similar Tool Gets Plain Text Passwords Back Has a 20% chance of picking the correct password
1/5 Chance of getting it right
Can greatly decrease this chance by adding more Honeywords!
How would I even authenticate against that?
Authentication Process Web Server • Takes Password and Hashes It • Passes to DB Server DB Server • Retrieves Checksum where UID and Hash match and passes to Auth Server Auth Server • Performs additional secret cryptographic function on hash and compares to Passed Check Sum • Returns True or False to Web Server Web Server • Either: • Logs user in because they have a correct password • Doesn’t log user in and flags that a known “Honeyword” was used • Doesn’t log in due to incorrect password
In order to gain 100% certainty that they have the correct password, they attack would need to compromise all 3 boxes.
So we now know when a password we have purposely added to the DB is used.
We can detect password theft!
What else can we do with it?
Time based detection?
Change the fake passwords periodically to pinpoint when they were stolen?
Alerting other services that passwords have been stolen
Central API for Services to use
Pass UIDs of known compromised accounts to a central service to alert users across platforms they may be vulnerable?
The Benefits of Honeywords
The benefits of Honeywords Can be used to detect password theft Can be used to prevent the usage of stolen credentials Can provide warnings to other services that users may reuse passwords on Can be used to deter attackers from trying to compromise accounts
What Honeywords won’t do
What Honeywords won’t do Honeywords won’t stop your service being compromised If they have your Password file, you have problems to begin with Honeywords won’t stop the hashes from being cracked Only per hash salting and intensive hashing functions will slow that down Honeywords won’t stop attackers from gaining a users password by another method Social Engineering, Key Logger, or simply guessing a rubbish password
Honeywords are not a replacement to a strong password policy and user awareness
In Summary Honeywords allow for detectable password theft by seeding a database with known “wrong” passwords. Watching for these passwords allows Systems to detect when they have had their password DB stolen. Honeywords should be of varying difficulty in order to disguise themselves Honeywords are not a replacement for: A strong password policy A strong password storage mechanism End Point Security
Any Questions? Tweet me @GavinHolt later if you think of any

Recomendados

Presentation 3 1 1 1
Presentation 3 1 1 1Presentation 3 1 1 1
Presentation 3 1 1 1Ashwin Kumar
 
Storing passwords-honey words
Storing passwords-honey wordsStoring passwords-honey words
Storing passwords-honey wordskandulasindhu
 
Achieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsAchieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsKamal Spring
 
Honeywords
HoneywordsHoneywords
HoneywordsPratiksha Kale
 
Honeywords
HoneywordsHoneywords
HoneywordsSreya Sridhar PP
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rdsWill Alexander
 
Spear Phishing Methodology
Spear Phishing MethodologySpear Phishing Methodology
Spear Phishing MethodologyNetwork Intelligence India
 

Recomendados

Presentation 3 1 1 1
Presentation 3 1 1 1Presentation 3 1 1 1
Presentation 3 1 1 1Ashwin Kumar
 
Storing passwords-honey words
Storing passwords-honey wordsStoring passwords-honey words
Storing passwords-honey wordskandulasindhu
 
Achieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsAchieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsKamal Spring
 
Honeywords
HoneywordsHoneywords
HoneywordsPratiksha Kale
 
Honeywords
HoneywordsHoneywords
HoneywordsSreya Sridhar PP
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rdsWill Alexander
 
Spear Phishing Methodology
Spear Phishing MethodologySpear Phishing Methodology
Spear Phishing MethodologyNetwork Intelligence India
 
W make107
W make107W make107
W make107Greg in SD
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewSTO STRATEGY
 
Password Management
Password ManagementPassword Management
Password ManagementDavon Smart
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of passwordMohammedAlhamoodi
 
Online Self Defense - Passwords
Online Self Defense - PasswordsOnline Self Defense - Passwords
Online Self Defense - PasswordsBarry Caplin
 
Yours Advance Security Hood (Yash)
Yours Advance Security Hood (Yash)Yours Advance Security Hood (Yash)
Yours Advance Security Hood (Yash)IOSR Journals
 
Password management
Password managementPassword management
Password managementWilmington University
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based SecurityRare Input
 
Passwords, Passwords and more Passwords
Passwords, Passwords and more PasswordsPasswords, Passwords and more Passwords
Passwords, Passwords and more Passwordsclcewing
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crackKlaus Drosch
 
The Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityThe Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityJarrod Overson
 
WHS-hackability-Index-083013
WHS-hackability-Index-083013WHS-hackability-Index-083013
WHS-hackability-Index-083013Janis Weiss
 
Protect Your Business With Web Security
Protect Your Business With Web SecurityProtect Your Business With Web Security
Protect Your Business With Web SecurityHarrison Kenyon Marketing
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Getting authentication right
Getting authentication rightGetting authentication right
Getting authentication rightAndre N. Klingsheim
 
Sept 2014 cloud security presentation
Sept 2014 cloud security presentationSept 2014 cloud security presentation
Sept 2014 cloud security presentationJoan Dembowski
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingHajer alriyami
 
World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018
World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018 World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018
World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018 Thycotic
 
Technology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreTechnology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreWilliam Mann
 
Lesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptxLesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptxAllanGuevarra1
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Mais conteúdo relacionado

Semelhante a Honeywords - BSides London 2014

Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewSTO STRATEGY
 
Password Management
Password ManagementPassword Management
Password ManagementDavon Smart
 
Online Self Defense - Passwords
Online Self Defense - PasswordsOnline Self Defense - Passwords
Online Self Defense - PasswordsBarry Caplin
 
Yours Advance Security Hood (Yash)
Yours Advance Security Hood (Yash)Yours Advance Security Hood (Yash)
Yours Advance Security Hood (Yash)IOSR Journals
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based SecurityRare Input
 
Passwords, Passwords and more Passwords
Passwords, Passwords and more PasswordsPasswords, Passwords and more Passwords
Passwords, Passwords and more Passwordsclcewing
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crackKlaus Drosch
 
The Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityThe Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityJarrod Overson
 
WHS-hackability-Index-083013
WHS-hackability-Index-083013WHS-hackability-Index-083013
WHS-hackability-Index-083013Janis Weiss
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Sept 2014 cloud security presentation
Sept 2014 cloud security presentationSept 2014 cloud security presentation
Sept 2014 cloud security presentationJoan Dembowski
 
World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018
World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018 World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018
World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018 Thycotic
 
Technology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreTechnology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreWilliam Mann
 
Lesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptxLesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptxAllanGuevarra1
 

Semelhante a Honeywords - BSides London 2014 (20)

W make107
W make107W make107
W make107
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Password Management
Password ManagementPassword Management
Password Management
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of password
 
Online Self Defense - Passwords
Online Self Defense - PasswordsOnline Self Defense - Passwords
Online Self Defense - Passwords
 
Yours Advance Security Hood (Yash)
Yours Advance Security Hood (Yash)Yours Advance Security Hood (Yash)
Yours Advance Security Hood (Yash)
 
Password management
Password managementPassword management
Password management
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
 
Passwords, Passwords and more Passwords
Passwords, Passwords and more PasswordsPasswords, Passwords and more Passwords
Passwords, Passwords and more Passwords
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
 
The Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityThe Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of Security
 
WHS-hackability-Index-083013
WHS-hackability-Index-083013WHS-hackability-Index-083013
WHS-hackability-Index-083013
 
Protect Your Business With Web Security
Protect Your Business With Web SecurityProtect Your Business With Web Security
Protect Your Business With Web Security
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Getting authentication right
Getting authentication rightGetting authentication right
Getting authentication right
 
Sept 2014 cloud security presentation
Sept 2014 cloud security presentationSept 2014 cloud security presentation
Sept 2014 cloud security presentation
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018
World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018 World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018
World Password Day Tips- 10 Common Password Mistakes to Avoid in 2018
 
Technology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreTechnology Training - Security, Passwords & More
Technology Training - Security, Passwords & More
 
Lesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptxLesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptx
 

Último

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Último (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Honeywords - BSides London 2014

  • 2. whoami Gavin Holt (@GavinHolt) Fourth Year Honours Student at Abertay University One of the organisers of Securi-Tay 3 Vice President of Abertay Ethical Hacking Society (@AbertayHackers)
  • 3. What are we covering today? Why is password theft so dangerous? How are passwords currently being stored? (The good, the bad and the plain stupid) What are Honeywords? How Honeywords can be implemented The benefits of Honeywords What Honeywords won’t save you from Summary Questions
  • 4. Why is password theft so dangerous?
  • 5. Obvious Answer: Because then someone has your password
  • 6. Less Obvious Answer: Because then someone has your password…for everything
  • 7. 60%+ of users use the same password across multiple sites (PayPal Report)
  • 8. 300% Increase in a single quarter (Experian Report)
  • 9. LinkedIn – 6.5 Million Passwords Zappos.com – 12 Million Passwords eHarmony – 1.5 Million Passwords Adobe – 38 Million Passwords Evernote – 50 Million Passwords
  • 10. But when you analyse a dump, you have to wonder why you bother…
  • 11.
  • 12.
  • 13. A lot of usernames and passwords out there.
  • 14. But Gavin, People don’t store passwords in the plain anymore, right?
  • 16. Oh okay, but the big guys are doing it right?
  • 17. LinkedIn’s 6.5 Million Passwords were unsalted.
  • 18. Even if they salt the passwords, they aren’t always per user salts.
  • 19. Salting doesn’t stop a targeted attack
  • 20. Password Cracking is getting faster!
  • 21. Making the Hashing more complex and resource intensive is only part of the solution.
  • 22. How do I even know if my password has been stolen?
  • 24. Some sneaky SysAdmins might put some fake accounts in.
  • 25. So if the User “Rory” logs in, they can assume they have been compromised.
  • 26. Pretty useful idea – Honeypot accounts.
  • 28. Can potentially spot these fake accounts by looking at their activity and permissions.
  • 29. So fake user accounts aren’t fool proof.
  • 30. But we like the idea of making it a high-risk guessing game for the attacker.
  • 31. Why not have fake Passwords?
  • 33. First discussed by Jules and Rivest of MIT in May 2013.
  • 34. If for every user account, we have multiple passwords, with only one legit password, can we detect password theft by watching for our known entries?
  • 35. An unsalted MD5 example (Don’t throw things) Traditional DBUID Username Password (Hashed, For Security obv) 1 Gavin 565E15D84CC59763D13D58B5F66C967F 2 Rory AD7FADB59974D0C2E66E628C0485F9C9 3 Tiago AA177EC5DCBF88CA5EDF17236C1981E8
  • 36. A plain text example (Don’t throw things) Traditional DB Attacker Gets a hold of the database Fires up John or Similar Tool Gets Plain Text Passwords Back
  • 38. How do we make Honeywords?
  • 39. How do we make Honeywords? We need believable words We need some low hanging fruit We need some tough passwords We need to ensure we don’t use the users PW We need to be able to identify HoneyWords internally!
  • 40. How do we make Honeywords? Start with a dictionary Select a handful of words of varying length Depending on how hard we want to make the password to crack we can: Mangle for Upper and Lower Case Prepend and Append numbers Substitute Symbols Concatenate Words Make sure it doesn’t make our users PW!
  • 41. How do we make Honeywords? We need to make a correct Checksum for our users password We also need to make some fake checksums for the honeywords we have generated
  • 42. An unsalted MD5 example Using Honeywords UID Username 1 Gavin 2 Rory 3 Tiago UI D Password Hash Checksum 1 565E15D84CC59763D13D58B5F66C 967F TU32R781V346R7ETV81ERTGE7RT8EV4 1 AD7FADB59974D0C2E66E628C0485 F9C9 SVEVREVR6571654SF7CEWF7E1FC51W 1 AA177EC5DCBF88CA5EDF17236C1 981E8 BCN7GHER17G8J7678A78W81CDFCTHY871 1 DC5F61F959F188478982A9DBB153 EWFFFFSEESYUUTRYER87F1S67F1S5E7F1SCE
  • 43. An unsalted MD5 example Using Honeywords Attacker Gets a hold of the database Fires up John or Similar Tool Gets Plain Text Passwords Back Has a 20% chance of picking the correct password
  • 44. 1/5 Chance of getting it right
  • 45. Can greatly decrease this chance by adding more Honeywords!
  • 46. How would I even authenticate against that?
  • 47. Authentication Process Web Server • Takes Password and Hashes It • Passes to DB Server DB Server • Retrieves Checksum where UID and Hash match and passes to Auth Server Auth Server • Performs additional secret cryptographic function on hash and compares to Passed Check Sum • Returns True or False to Web Server Web Server • Either: • Logs user in because they have a correct password • Doesn’t log user in and flags that a known “Honeyword” was used • Doesn’t log in due to incorrect password
  • 48. In order to gain 100% certainty that they have the correct password, they attack would need to compromise all 3 boxes.
  • 49. So we now know when a password we have purposely added to the DB is used.
  • 50. We can detect password theft!
  • 51. What else can we do with it?
  • 53. Change the fake passwords periodically to pinpoint when they were stolen?
  • 54. Alerting other services that passwords have been stolen
  • 55. Central API for Services to use
  • 56. Pass UIDs of known compromised accounts to a central service to alert users across platforms they may be vulnerable?
  • 57. The Benefits of Honeywords
  • 58. The benefits of Honeywords Can be used to detect password theft Can be used to prevent the usage of stolen credentials Can provide warnings to other services that users may reuse passwords on Can be used to deter attackers from trying to compromise accounts
  • 60. What Honeywords won’t do Honeywords won’t stop your service being compromised If they have your Password file, you have problems to begin with Honeywords won’t stop the hashes from being cracked Only per hash salting and intensive hashing functions will slow that down Honeywords won’t stop attackers from gaining a users password by another method Social Engineering, Key Logger, or simply guessing a rubbish password
  • 61. Honeywords are not a replacement to a strong password policy and user awareness
  • 62. In Summary Honeywords allow for detectable password theft by seeding a database with known “wrong” passwords. Watching for these passwords allows Systems to detect when they have had their password DB stolen. Honeywords should be of varying difficulty in order to disguise themselves Honeywords are not a replacement for: A strong password policy A strong password storage mechanism End Point Security
  • 63. Any Questions? Tweet me @GavinHolt later if you think of any