Passwords & Security, #Finse2011. Per Thorsheim, CISA, CISM, CISSP-ISSAP. securitynirvana.blogspot.com
Disclaimer: My presentation, as well as anything I say, do, show, demonstrate, give away or try to sell you, is my personal stuff & opinions. My employer has chosen not to be a part of this in any way; as such my employer cannot and will not be held liable. My opinions do not necessarily reflect those of my employer, our customers or partners. Etc etc.
About me. Valid certifications: Certified Information Systems Auditor, Certified Information Security Manager, Certified Information Systems Security Professional, Information Systems Security Architecture Professional, ITIL v3 Foundations. Passwords^10 conference in December 2010, videos: http://ftp.ii.uib.no/pub/passwords10/
Passwords^11, June 7-8, Bergen. Speakers: Prof. Frank Stajano (Cambridge), Prof. Kirsi Helkala (Gjøvik), Simon Josefsson (Head of R&D, Yubico), Bendik Mjaaland (Accenture), John Arild M. Johansen (CSO, Buypass), Erlend Dyrnes (CSO, Nextgentel), Chris Lyon (Mozilla), James Nobis (Freerainbowtables.com), Dmitry Sklyarov (Elcomsoft)
Examples
Sony Playstation Network: 70+ million accounts compromised. #PSN unavailable for 3 weeks, Playstation Store unavailable for 4 weeks. New firmware: v3.61. All passwords must be changed.
#PSN Password Reset (Playstation Online, web)
PS3 Policy #1 Revealed (Playstation Online, web)
PS3 Policy #2 Revealed (Playstation Online, web)
Web Password Reset CAPTCHA (Playstation Online, web)
#PSN Partial CC Data Stored (Playstation Online, web)
PS3 vs Web – Policy Comparison (Playstation Online, web)
#PSN Password Reset (Playstation Online, web)
#PSN – There’s more!
Sony BMG Greece
Bergen Bompengeselskap AS
Login (https)
I Forgot My Password!
Which Language Sir?
E-mail received:
Or: License Number + Tag ID…
Breaking in – online attacks
To-do list. We need: usernames and/or the username algorithm at the target corp; the Windows domain (if applicable); the account lockout policy; the FQDN of the webmail service; an online password cracker; some passwords (statistics are your friend! Google is your friend…); and patience…
Online password attacks: Ncrack, THC Hydra, Medusa. Comparison: http://www.thc.org/thc-hydra/network_password_cracker_comparison.html
Potential targets found: Webmail.ntnu.no, Webmail.inbox.com, Webmail.nr.no, Webmail.uib.no, Webmail.unik.no, Webmail.uia.no, Webmail.uni.lu
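The to-do list above (username format, lockout policy, webmail FQDN, a short list of statistically common passwords) is the shape of a password-spraying run, and it is also the shape a defender should look for in the webmail authentication log: many accounts, one or two failures each, one source, nothing that ever trips the per-account lockout. The Python below is an added example, not from the presentation; the log line format is an assumption made for this example and the sample lines are constructed.

```python
"""Spot lockout-aware password spraying in a webmail authentication log.

Added example, not from the presentation. The log line format is an
assumption made for this example (timestamp, source IP, user, result);
adapt parse_line() to the real webmail product's log. The sample lines
are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries a single password against six
# accounts (one of them succeeds); another source is just a user who
# mistyped twice before logging in.
SAMPLE_LOG = """\
2011-05-20T08:00:01 src=198.51.100.7 user=alice result=FAIL
2011-05-20T08:00:02 src=198.51.100.7 user=bob result=FAIL
2011-05-20T08:00:03 src=198.51.100.7 user=carol result=FAIL
2011-05-20T08:00:04 src=198.51.100.7 user=dave result=FAIL
2011-05-20T08:00:05 src=198.51.100.7 user=erin result=OK
2011-05-20T08:00:06 src=198.51.100.7 user=frank result=FAIL
2011-05-20T08:05:00 src=203.0.113.9 user=alice result=FAIL
2011-05-20T08:05:10 src=203.0.113.9 user=alice result=FAIL
2011-05-20T08:05:20 src=203.0.113.9 user=alice result=OK
"""


def parse_line(line):
    ts, src, user, result = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "src": src.split("=", 1)[1],
        "user": user.split("=", 1)[1],
        "ok": result.split("=", 1)[1] == "OK",
    }


def detect_spray(log_text, window=timedelta(minutes=30), min_users=5,
                 lockout_threshold=5):
    """Return {source: report} for sources whose traffic looks like a spray.

    A spray is one source with failed logins against at least `min_users`
    distinct accounts inside `window`, with every account kept below the
    lockout threshold. Per-account lockout never fires on this pattern,
    which is exactly why the attacker's to-do list starts with the
    lockout policy; the detection has to be per source, not per account.
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    reports = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda ev: ev["time"])
        start = 0
        for end in range(len(evs)):
            # sliding window [start, end] of at most `window` duration
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            chunk = evs[start:end + 1]
            fails = defaultdict(int)
            for ev in chunk:
                if not ev["ok"]:
                    fails[ev["user"]] += 1
            if len(fails) >= min_users and max(fails.values()) < lockout_threshold:
                reports[src] = {
                    "users_targeted": sorted(fails),
                    "max_fails_per_user": max(fails.values()),
                    # successes inside the spray window are the accounts to
                    # reset first; the attacker already has those passwords
                    "successes": sorted(ev["user"] for ev in chunk if ev["ok"]),
                }
                break
    return reports


if __name__ == "__main__":
    for src, report in detect_spray(SAMPLE_LOG).items():
        print(src, report)
```

The second source in the sample (two failures then a success, all on one account) is what a normal mistyped login looks like and is not flagged; the first source is flagged with one failure per account, well under any lockout threshold, and the report lists the account that accepted the sprayed password. Tune `min_users` to the size of the user base: the attacker's username algorithm gives them the whole directory, so real sprays hit far more than five accounts.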
Offline Password Attacks
Got hash? SQL injection attacks: «SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.» Source: Wikipedia
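The slide's point is where the hashes for the offline attacks come from in the first place. As an added example (not from the presentation), here is the same login query written the vulnerable way and the parameterised way against an in-memory SQLite database. The table layout, accounts, passwords and the UNION payload are constructed for this example, and the hashes are unsalted MD5 on purpose, to match the storage scheme the deck criticises later.

```python
"""Why 'got hash?' starts with SQL injection: one login query, written
vulnerably and safely, against an in-memory SQLite database.

Added example, not from the presentation. Table layout, account names,
passwords and the payload are constructed; the hashes are unsalted MD5
on purpose, to mirror the 'I'm using MD5, so I'm safe' slide.
"""
import hashlib
import sqlite3


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    for name, pw in [("alice", "Summer2011"), ("bob", "password1"), ("carol", "letmein")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, md5_hex(pw)))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    # DELIBERATELY VULNERABLE: user input is spliced into the SQL text.
    sql = ("SELECT username, pwhash FROM users "
           f"WHERE username = '{username}' AND pwhash = '{md5_hex(password)}'")
    return conn.execute(sql).fetchall()


def safe_login(conn, username, password):
    # Parameterised query: the driver passes the values separately from the
    # statement, so quotes and comment markers never reach the SQL parser.
    sql = "SELECT username, pwhash FROM users WHERE username = ? AND pwhash = ?"
    return conn.execute(sql, (username, md5_hex(password))).fetchall()


# Closes the username literal, appends a UNION that selects every stored
# hash, and comments out the remainder of the original WHERE clause.
DUMP_PAYLOAD = "x' UNION SELECT username, pwhash FROM users --"


def dump_hashes_via_injection(conn):
    """What an attacker gets from the vulnerable endpoint: every (user, hash)."""
    return sorted(vulnerable_login(conn, DUMP_PAYLOAD, "anything"))


if __name__ == "__main__":
    db = build_db()
    for user, h in dump_hashes_via_injection(db):
        print(f"{user}:{h}")
    print("same payload against the safe query:", safe_login(db, DUMP_PAYLOAD, "anything"))
```

With the vulnerable query the payload returns all three username/hash rows in one request; with the parameterised query the same payload is just a username that does not exist and returns nothing. Everything in the "Offline Password Attacks" section starts from that first result.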
Hashkiller.com
Cracking Passwords
Offline password cracking. A wide number of tools & techniques available: rainbow tables, dictionary attacks, various hybrid/logical attacks, brute force. Time is on your side!
Rainbow tables (Wikipedia): A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters. It is a form of time-memory tradeoff, using less CPU at the cost of more storage. Proper key derivation functions employ salt to make this attack infeasible. Rainbow tables are a refinement of an earlier, simpler algorithm by Martin Hellman that used the inversion of hashes by looking up precomputed hash chains.
Rainbow tables available: Freerainbowtables.com (99.9% hit rate): LM/NTLM, MD5, SHA-1, HALFLMCHALL; CPU/GPU generation, CPU cracking (for now). Project-rainbowcrack.com: LM/NTLM, MD5, SHA-1 (CPU/GPU). Cryptohaze.com: MD5, NTLM (full US charset, chain length 200k, GPU only!)
lm_lm-frt-cp437-850#1-7_20000: Windows LM, passwords of length 1-14 (LM hashes each 7-character half of the password separately, so a 1-7 table covers the full 14), 566 GB (1400+ files) table set. Charset coverage: (chart on the slide, not in the transcript)
ntlm_mixalpha-numeric#1-8_40000: Windows NTLM, mixalpha-numeric, length 1-8, 453 GB, covers A-Z, a-z, 0-9
Hybrid rainbow tables: ntlm_hybrid2(alpha#1-1,loweralpha#5-5,loweralpha-numeric#2-2,numeric#1-3) is currently being finished by freerainbowtables.com, with more to come!
Hybrid attacks: John the Ripper (JtR), www.openwall.com/john/; Hashcat family (lite, plus, ocl), hashcat.net; Cain & Abel, www.oxid.it … and many, many more!
Brute force. Brute forcing is increasingly hard to do; Graphics Processing Units (GPUs) to the rescue!
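Rainbow tables cover a fixed charset and length; hybrid attacks instead take a wordlist and apply mangling rules, which is how a password like «Summer2011» falls even though it is ten characters with mixed case and digits and sits outside the mixalpha-numeric 1-8 table above. The Python below is an added example, not code from JtR or hashcat: a tiny rule engine using a small subset of the rule functions those two tools share, run over a constructed five-word list against constructed unsalted MD5 targets.

```python
"""A miniature hybrid (wordlist + rules) attack against unsalted MD5.

Added example, not from the presentation and not JtR or hashcat code.
The rule syntax is a small subset modelled on the rule functions those
tools share: ':' nothing, 'l' lowercase, 'u' uppercase, 'c' capitalise,
'r' reverse, '$X' append X, '^X' prepend X, 'sXY' replace X with Y.
The wordlist and the target hashes are constructed for this example.
"""
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def apply_rule(word, rule):
    """Apply one rule string (a sequence of rule functions) to a word."""
    i = 0
    while i < len(rule):
        fn = rule[i]
        if fn == ":":
            pass
        elif fn == "l":
            word = word.lower()
        elif fn == "u":
            word = word.upper()
        elif fn == "c":
            word = word[:1].upper() + word[1:].lower()
        elif fn == "r":
            word = word[::-1]
        elif fn == "$":
            i += 1
            word = word + rule[i]
        elif fn == "^":
            i += 1
            word = rule[i] + word
        elif fn == "s":
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
        i += 1
    return word


def candidates(wordlist, rules):
    """Yield (candidate, base_word, rule) for every word/rule combination."""
    for word in wordlist:
        for rule in rules:
            yield apply_rule(word, rule), word, rule


def crack(target_hashes, wordlist, rules):
    """Return {hash: (plaintext, base_word, rule)} for every hash recovered.

    Each candidate is hashed once and checked against all targets at once:
    with unsalted hashes the work is amortised over the whole dump, so
    cracking N accounts costs the same as cracking one.
    """
    todo = set(target_hashes)
    found = {}
    for cand, word, rule in candidates(wordlist, rules):
        if not todo:
            break
        h = md5_hex(cand)
        if h in todo:
            found[h] = (cand, word, rule)
            todo.discard(h)
    return found


# Constructed inputs: five words and seven rules give 35 candidates.
WORDLIST = ["summer", "password", "bergen", "welcome", "secret"]
RULES = [":", "c", "c$1", "c$2$0$1$1", "u", "sa@", "c$!"]
TARGETS = [md5_hex(p) for p in ("Summer2011", "password", "Welcome1", "p@ssword", "Tr0ub4dor&3")]

if __name__ == "__main__":
    for h, (plain, word, rule) in crack(TARGETS, WORDLIST, RULES).items():
        print(f"{h}  {plain!r}  <- {word!r} with rule {rule!r}")
```

Four of the five constructed targets fall to 35 candidates; the fifth survives only because no word-plus-rule combination in this tiny set produces it. Real rule sets run to thousands of rules over wordlists of millions of entries, and on a GPU the candidate count is the only thing that matters, which is what «time is on your side» means for the attacker.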
Password statistics. Time to show some cool/interesting/boring numbers!
Password Resets
Storing passwords. «I'm using MD5, so I'm safe.» Response from a web application developer after I talked about storing passwords in cleartext being a bad idea.
Thomas Ptacek, «Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes», http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
Lastpass.com Source: http://blog.lastpass.com/2011/05/lastpass-security-notification.html
Chris Lyon, «SHA-512 w/ per User Salts is Not Enough», http://cslyon.net/2011/05/10/sha-512-w-per-user-salts-is-not-enough/
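The three references above make one argument: an unsalted fast hash lets a single precomputed table crack every account in a dump; a per-user salt kills the table but leaves a fast hash that can still be guessed at per account; only a deliberately slow, salted key derivation function changes the cost of each guess. The Python below is an added example (not code from the deck or from the posts it cites) that runs one small constructed dictionary against all three schemes and reports how many guesses each attack needed and what each guess cost. Ptacek's article recommends bcrypt; PBKDF2-HMAC-SHA256 stands in here only because it ships in Python's standard library, and the iteration count is a value chosen for the example, not a recommendation from the deck.

```python
"""Three password-storage schemes against the same small dictionary:
unsalted MD5, per-user salted SHA-512, and a slow KDF (PBKDF2-HMAC-SHA256).

Added example, not from the presentation or the posts it cites. Ptacek
argues for bcrypt; PBKDF2 is used here only because it is in the standard
library. Accounts, passwords, dictionary and iteration count are
constructed for this example.
"""
import hashlib
import os
import time

DICTIONARY = ["123456", "password", "letmein", "Summer2011", "qwerty", "bergen", "welcome1"]
ACCOUNTS = {"alice": "Summer2011", "bob": "letmein", "carol": "correct horse battery staple"}
PBKDF2_ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def md5_store(pw):
    return {"hash": hashlib.md5(pw.encode()).hexdigest()}


def salted_sha512_store(pw):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.sha512(salt + pw.encode()).hexdigest()}


def pbkdf2_store(pw, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk.hex()}


def sha512_check(rec, pw):
    return hashlib.sha512(rec["salt"] + pw.encode()).hexdigest() == rec["hash"]


def pbkdf2_verify(rec, pw):
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), rec["salt"], rec["iterations"])
    return dk.hex() == rec["hash"]


def attack_with_table(db, dictionary):
    """Precompute hash -> password ONCE, then crack every account by lookup.

    Only works without a salt: the table is reusable across all accounts,
    all dumps and every site that stores the same unsalted hash.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in dictionary}
    return {user: table[rec["hash"]] for user, rec in db.items() if rec["hash"] in table}


def attack_per_user(db, dictionary, check):
    """With a per-user salt the table is useless; every guess is hashed per account."""
    cracked = {}
    guesses = 0
    for user, rec in db.items():
        for w in dictionary:
            guesses += 1
            if check(rec, w):
                cracked[user] = w
                break
    return cracked, guesses


def compare():
    md5_db = {u: md5_store(p) for u, p in ACCOUNTS.items()}
    sha_db = {u: salted_sha512_store(p) for u, p in ACCOUNTS.items()}
    kdf_db = {u: pbkdf2_store(p) for u, p in ACCOUNTS.items()}

    result = {"md5_table": attack_with_table(md5_db, DICTIONARY)}

    t0 = time.perf_counter()
    result["sha512_per_user"], n_sha = attack_per_user(sha_db, DICTIONARY, sha512_check)
    t_sha = time.perf_counter() - t0

    t0 = time.perf_counter()
    result["pbkdf2_per_user"], n_kdf = attack_per_user(kdf_db, DICTIONARY, pbkdf2_verify)
    t_kdf = time.perf_counter() - t0

    # Same dictionary, same number of guesses, same accounts cracked:
    # the only thing the KDF changes is the price of each guess.
    result["guesses"] = (n_sha, n_kdf)
    result["seconds_per_guess"] = (t_sha / n_sha, t_kdf / n_kdf)
    return result


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Note what the salted SHA-512 run shows: the salt did nothing to stop the two weak passwords from being recovered, exactly Lyon's point; it only forced the attacker to spend fourteen hashes instead of one table lookup, and a GPU does hundreds of millions of SHA-512 hashes per second. The PBKDF2 run recovers the same two accounts with the same fourteen guesses but at a per-guess cost several orders of magnitude higher, and that cost is the parameter the defender controls.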
Bypassing Password Security
Bypassing password security: Microsoft Windows Pass-the-Hash attacks; Microsoft Windows Pass-the-Ticket attacks; forensic toolkits: Passware («bypassing» Microsoft BitLocker), Elcomsoft EPPB; smartphone (in)security
Pass-the-Hash / Pass-the-Ticket. Windows Credentials Editor v1.2: http://www.ampliasecurity.com/research.html Scenario description: Eve just started in Alice's company. Bob, the domain admin guy, gives you your brand new laptop, ready to use. You have local admin rights. Bob's login credentials are cached on your computer. Extract and send the credentials (username + hash value), get access.
Passware Kit Forensic vs Microsoft BitLocker. (1) Live memory dump from the target system using FireWire, utilizing Direct Memory Access; search the dump, get the decryption keys, get access. (2) Remove the disk from a hibernated computer: physical memory is written to disk, parts of it unencrypted; search and find the decryption keys, mount the volume, get access. Video demonstration: http://ftp.ii.uib.no/pub/passwords10/Passware_at_Passwords10.mp4
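«Search the dump, get the decryption keys» is the step a reader would want to see. One well-known way to find AES keys in a RAM image, described in the 2008 cold-boot research, is to look for a 16-byte value that is immediately followed by its own expanded round keys: an in-use AES implementation keeps the key schedule in memory next to the key, and the schedule is a deterministic function of the key that random data will not match by accident. The Python below is an added example, not Passware's code and not a BitLocker-specific parser: it implements FIPS-197 AES-128 key expansion and scans a constructed image for any key followed by its schedule. The image, its size and the offset used are made up for the example.

```python
"""Locate AES-128 keys in a memory image by finding their key schedule.

Added example, not Passware code and not a BitLocker parser: it shows the
generic technique of scanning RAM for an AES key followed by its own
expanded round keys. The 'dump' is constructed for this example.
"""
import os


def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """AES S-box: multiplicative inverse followed by the affine transform."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):  # x^254 == x^-1 in GF(2^8)
                inv = _gf_mul(inv, x)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_128(key, rounds=10):
    """FIPS-197 key expansion: 16-byte key -> 16*(rounds+1) bytes of round keys."""
    assert len(key) == 16
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 4 * (rounds + 1)):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]             # RotWord
            t = [SBOX[b] for b in t]      # SubWord
            t[0] ^= RCON[i // 4 - 1]      # round constant
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return bytes(b for w in words for b in w)


def find_aes128_keys(image):
    """Return [(offset, key)] for every 16-byte value followed by its own schedule."""
    hits = []
    for off in range(0, len(image) - 32 + 1):
        cand = image[off:off + 16]
        # cheap test first: only round key 1 (schedule bytes 16..31)
        if expand_key_128(cand, rounds=1)[16:32] != image[off + 16:off + 32]:
            continue
        # then confirm as much of the full 176-byte schedule as the image holds
        segment = image[off:off + 176]
        if segment == expand_key_128(cand)[:len(segment)]:
            hits.append((off, cand))
    return hits


def make_dump(key, size=4096, offset=1000):
    """Constructed memory image: random filler with one full key schedule embedded."""
    filler = bytearray(os.urandom(size))
    filler[offset:offset + 176] = expand_key_128(key)
    return bytes(filler)


if __name__ == "__main__":
    key = os.urandom(16)
    for off, found in find_aes128_keys(make_dump(key)):
        print(f"key schedule at offset {off}: key {found.hex()}")
```

The scan is linear in the image size and each position costs one partial key expansion, so a 4 GB image is minutes of work, not hours; a hibernation file is searched the same way once it has been read off the disk. The cheap round-1 check rejects almost every offset after four word operations, which is what makes the full-schedule confirmation affordable. AES-256 schedules are found the same way with the 256-bit expansion, which this example does not include.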
Corporate Android security. Android devices: no hardware encryption. Nitro software: software encryption, but only for Microsoft ActiveSync data (mail, calendar, contacts). Samsung Galaxy S II: hardware device encryption, 90% of all MS ActiveSync policies supported. Not even Microsoft does that!
Corporate iOS Security
Corporate iOS security. AES hardware device encryption is good, but… iTunes configuration issues: frequent updates (QuickTime + Safari + iTunes), backup password protection. Hardware: the device has a «password protect» flag. Without password protection: a device-specific encryption key is used to protect the keychain, and almost all other data is available unencrypted in the backup.
Elcomsoft, Tuesday, May 24th: http://www.prweb.com/releases/iPhone/forensics/prweb8470927.htm
Password Usability
NorSIS / nettvett.no (Norway)
Password usability: minimum/maximum length, complexity requirements, password history, change frequency, lost password (password reset), reauthentication (BankID), single sign-on
Usability vs Security:
Minimum/maximum length: use passphrases / implement support for it!
Complexity requirements: length = complexity
Password history: pattern detection
Change frequency: «window of opportunity»
Lost password (password reset): VERY hard to do in real-life environments!
Reauthentication (BankID): «Dear mom…»
Single sign-on: good idea, but…
Recommendations
My user recommendation: Use a normal sentence as your password. Change it when you think it is necessary.
My policy recommendation: Use a normal sentence as your password. It must be changed every 13 months.
Technical recommendation. Has to be a little more complex than the previous slides, but: Do NOT tell your end users or others about the actual rules implemented! Provide useful feedback when passwords are rejected. Do a 100% technical implementation of the written policy. SSO: store the password hashes at the strongest system.
Dynamic prevention of common passwords. Some websites have static lists of «forbidden» (common) passwords. These can be found & documented (Twitter…), do not provide better security, and are easily circumvented (blocking bad passwords is hard!)
Dynamic prevention of common passwords. My suggestion: a custom DLL for Windows. It receives a user's requested password and checks it against the rules (length, complexity, history etc). If OK, then hash it and store the hash with counter = 1. The DLL config has a threshold value: any given password can only exist on X accounts at the same time.
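The counter-based policy above, as an added example in Python. This is not the Windows DLL the slide proposes (a real password filter has to be a native DLL loaded by LSASS on the domain controllers); it is only the decision logic. One design choice here goes beyond the slide and is worth calling out: the counter table is keyed by an HMAC of the password under a secret held outside the table, not by a plain hash, because a table of plain password hashes for every account in the domain is exactly the kind of artefact the offline-cracking slides are about. The rules, threshold, secret and usernames are constructed for the example.

```python
"""Policy logic for 'any given password may exist on at most X accounts'.

Added example, not the DLL from the presentation: a Windows password
filter must be a native DLL exporting PasswordFilter(); this is only the
decision logic. Rules, threshold, secret key and accounts are constructed.
Design choice beyond the slide: the counter table is keyed by
HMAC(secret, password) rather than a plain hash, so a stolen table cannot
be cracked without the secret, which lives outside the table.
"""
import hashlib
import hmac


class SharedPasswordPolicy:
    def __init__(self, secret_key, threshold=3, min_length=12):
        self.secret_key = secret_key   # kept outside the counter table
        self.threshold = threshold     # X: accounts that may share one password
        self.min_length = min_length
        self.counts = {}               # HMAC(password) -> number of accounts using it
        self.current = {}              # username -> HMAC(password) currently in use

    def _tag(self, password):
        return hmac.new(self.secret_key, password.encode(), hashlib.sha256).hexdigest()

    def check_rules(self, username, password):
        """Static rules first; returns a reason string, or None when acceptable."""
        if len(password) < self.min_length:
            return f"shorter than {self.min_length} characters"
        if username.lower() in password.lower():
            return "contains the username"
        if password.isalpha():
            return "single word without spaces or digits; use a sentence"
        return None

    def request_change(self, username, password):
        """Called with the user's requested password; returns (accepted, feedback)."""
        reason = self.check_rules(username, password)
        if reason:
            return False, reason
        tag = self._tag(password)
        if tag == self.current.get(username):
            return False, "same as current password"
        if self.counts.get(tag, 0) >= self.threshold:
            # Useful feedback without revealing the rule or the count.
            return False, "password not allowed, choose another sentence"
        old = self.current.get(username)
        if old is not None:
            # the user's previous password is now on one account fewer
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        self.counts[tag] = self.counts.get(tag, 0) + 1
        self.current[username] = tag
        return True, "ok"

    def accounts_sharing(self, password):
        return self.counts.get(self._tag(password), 0)


if __name__ == "__main__":
    policy = SharedPasswordPolicy(b"example-secret-not-for-production", threshold=2)
    for user in ("alice", "bob", "carol"):
        print(user, policy.request_change(user, "the fjord is cold today"))
```

With the threshold at 2 the third account asking for the same sentence is refused, and when one of the first two changes away from it the slot frees up again, which is the «at the same time» part of the slide. Two operational caveats: the counter table still reveals which accounts share a password to anyone who can read it together with the `current` map, so it belongs with the directory database, not in a side file; and the static rules here deliberately match the deck's «use a normal sentence» advice rather than a character-class checklist.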
Thank you! And do not forget: Passwords^11, June 7-8, UiB, Bergen. 2 days, only about passwords.
