Demland-All-About

How Safe are They?
Overview
 • Passwords
 • Cracking
 • Attack Avenues
 • On-line
 • Off-line
 • Counter Measures
Non-Technical Passwords
 • Brute Force Approach
 • Steps
    • 0-0-0
    • 0-0-1
    • 0-0-2
    • …
    • 9-9-9
 • Until Found or Start Over
Passwords
 • Protect Information
 • Seen as Secure
 • Cracking Algorithms All or Nothing
 • Off by One Same as Not Close
 • 8 Characters Lower Case: 217.1 Billion Combinations
 • 8 Characters Upper and Lower: 221 Trillion
 • 8 Characters Upper, Lower, and Special: 669 Quadrillion
Cracking
 • Ways to get passwords
 • Weak Encryption (Lan Man)
 • Guess
    • Default password
    • Blank password
    • Letters in row on keyboard
    • User name
    • Name important to user
 • Social Engineering
Cracking
Password length   Possible          All characters    Only lowercase characters
3 characters      26                0.86 second       0.02 second
4 characters      1,352             1.36 minutes      0.046 second
5 characters      52,728            2.15 hours        11.9 seconds
6 characters      1,827,904         8.51 days         5.15 minutes
7 characters      59,406,880        2.21 years        2.23 hours
8 characters      1,853,494,656     2.10 centuries    2.42 days
9 characters      56,222,671,232    20 millenniums    2.07 months
* Using Brute Force for Every Combination of Characters
Cracking
* Wired December 2012
On-Line
 • Types of Attacks
 • Dictionary – uses dictionary file
 • Brute Force – All combinations
 • Hybrid – Spin off of common passwords (password1 or 1password)
 • Single Term – Brute Force
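
The guessable categories from the "Cracking" slide (default, blank, keyboard rows, user name, important names) and the hybrid pattern above can be screened for when a password is set. This is an added example, not part of the original slides; the word lists, function names and sample values are constructed assumptions.

```python
import re

# Constructed sample lists; a real deployment would load its own.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "letmein"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COMMON_WORDS = {"password", "welcome", "dragon", "monkey"}


def keyboard_run(pw, min_len=4):
    """True if pw contains min_len adjacent keys of one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for keys in (row, row[::-1]):
            for i in range(len(keys) - min_len + 1):
                if keys[i:i + min_len] in low:
                    return True
    return False


def screen_password(pw, username="", personal_names=()):
    """Return the guessable categories pw falls into (an empty list means none matched)."""
    if pw == "":
        return ["blank password"]
    low = pw.lower()
    reasons = []
    if low in DEFAULT_PASSWORDS:
        reasons.append("default password")
    if keyboard_run(pw):
        reasons.append("letters in a row on keyboard")
    if username and username.lower() in low:
        reasons.append("contains user name")
    if any(n and n.lower() in low for n in personal_names):
        reasons.append("contains name important to user")
    # Hybrid: a common word with digits or symbols added in front or behind,
    # such as password1 or 1password.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    if core != low and core in COMMON_WORDS:
        reasons.append("hybrid of common password")
    return reasons
```

An empty result only means none of these categories matched; length still has to be checked separately.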
On-Line
 • Password-Based Key Derivation Function Version 2 – PBKDF2
 • Heuristic Rules Produces Candidate Passwords
 • Flushes Out Poorer Choices
 • Faster than Randomly Chosen Ones
On-Line
 • Tools
 • Script Based – Custom, Metasploit, Sniffer
 • Browser Based (Web Login)
    • FireFox’s FireForce Extension
 • Hydra / XHydra
Off-Line
 • Requires Access to Password Data
 • Gained Access
 • SQL Injection
 • Local File System Access
 • Long Periods for Success
 • Many Tools and Techniques
Off-Line
 • Rainbow Tables (Time Memory Trade Off)
 • Applies Hashing Algorithms
 • Uses Dictionary
 • Accumulated in Brute Force Techniques
 • Method
 • Results Saved in Table or Matrix
 • Compare only Hashed Values
 • Can Save Time, Uses a Lot of Memory
 • Needs Lots of Storage Space for Tables / Matrices
Off-Line
 • Tools
 • John the Ripper
 • Cain and Abel
 • Ophcrack (Windows)
 • Windows Password
 • FGDump – Retrieves Passwords from SAM
 • Free On-Line OphCrack
    • http://www.objectif-securite.ch/en/ophcrack.php
Off-Line
 • Two parts to Windows Passwords
 • Called LM1 and LM2
 • Separated by ‘:’
 • LM1 Contains Password
 • LM2 Contains Case Information
Off-Line
 • Windows Password Tests
 • 49F83571A279997F1172D0580DAC68AA:2B95310914BD52173FA8E3370B9DDB29
    • 512DataDrop4u
 • 83BAC0B36F5221502EDC073793ADCD02:CA49CC1CFF47EAD7E4809AD01FF47F56
    • Croi$$ants!
Counter Measures
 • Longer the Better
 • Obfuscated Passphrase Best
 • I Like To Eat Two Tacos! – Il2e#2T
 • Avoid Hyphens Between Words
 • Avoid Punctuation at End of Password or Passphrase
 • Replace Vowels with Number – Maybe
 • Lock Down System Access
 • Multi-Factor Authentication
References
 • http://nakedsecurity.sophos.com/2013/08/16/anatomy-of-a-brute-force-attack-how-important-is-password-complexity/
 • http://redmondmag.com/articles/2013/08/14/password-complexity.aspx
 • Hydra password list
    • ftp://ftp.openwall.com/pub/wordlists/
    • http://gdataonline.com/downloads/GDict/
 • http://www.zdnet.com/brute-force-attacks-beyond-password-basics7000001740/
 • http://techfoxy.blogspot.com/2012/01/how-to-hack-website-login-pagewith.html
 • http://spectrum.ieee.org/automaton/robotics/diy/diy-robots-makebruteforce-security-hacks-possible (MindStorms Robot Book Capture)
 • http://www.objectif-securite.ch/en/ophcrack.php (On-Line Ophcrack)
 • http://foofus.net/goons/fizzgig/fgdump/ (FGDump)