Correcthorsebatterystaple dwsg 07 09-13

Post on 25-May-2015


Dustin Talk presented this at Dallas Web Security Group's July meeting.

Transcript of Correcthorsebatterystaple dwsg 07 09-13

Credera is a full-service management and technology consulting firm. Our clients range from Fortune 1,000 companies to emerging industry leaders. We provide expert, objective advice to help solve complex business and technology challenges.

Dallas Office: 15303 Dallas Parkway, Suite 300, Addison, TX 75001. Phone 972.692.0010, Fax 972.692.0019

Denver Office: 5445 DTC Parkway, Suite 1040, Greenwood Village, CO 80111. Phone 303.623.1344, Fax 303.484.4577

Houston Office: 800 Town & Country Blvd, Suite 300, Houston, TX 77024. Phone 713.496.0711, Fax 713.401.9650

Austin Office: 9020 N Capital of Texas Hwy, Suite 345, Austin, TX 78759. Phone 512.327.1112, Fax 512.233.0844

Discussion document – Strictly Confidential & Proprietary

correcthorsebatterystaple: hacking passwords by example

Dallas, TX

July 9, 2013

Dallas Web Security Group

Dustin Talk

04/12/2023

Dallas Web Security Group

3

Agenda …

P@ssw0rdZ

• Expectations and Objectives

• What makes a good password?

• Demo: Cracking a user list of ~1.5 million users

– What a leak looks like

– Using rainbow tables (or google)

– Using the leaked information from others

– Using common passwords

– Lists created by experts

– Lists created by l33t h4x0r

– Brute Force on the GPU

– Hybrid Attacks & Key Sequences

• What can be done?

• Q&A


Dustin Talk (not Anonymous)

Dustin Talk is an Architect with Credera in the eCommerce practice. He holds a B.S. and a Master's degree in Computer Science from Texas A&M University. Dustin has several years' experience in custom web application development with a focus on security, emerging technologies, and the Spring/JPA frameworks. During his tenure with Credera, he has led and worked on teams building Java applications, including supply chain optimization, large-scale eCommerce implementations using Broadleaf Commerce, and eCommerce conversion efforts.

Past Presentations:

• Addressing Top Security Threats in Web Applications
• OWASP Top 10 - Live Exploits by Example
• Stripe's Capture The Flag #2
• OAuth 1.0 / 2.0
• OpenID

Introductions…


The organizational goal is to equip you with knowledge that you can incorporate in your job, your next project, or just have fun with (not lulz).

Participant Expectations
• Provide education to seed investigation
• Learn how to secure yourself and those around you

Expectations and Objectives …


How strong are your passwords? Let’s ask Microsoft…

Microsoft has provided a free tool to ensure that your password is strong:

https://www.microsoft.com/security/pc-security/password-checker.aspx

How would these rate:
• password12345678790
• Luvnme4aChange@$

Let's see if they are really strong using some simple tools:
• Online MD5 creator: http://md5-hash-online.waraxe.us/
• Elite Google Password Decoder: http://www.google.com/ (paste the hash in; if the password is common, its MD5 has already been indexed somewhere)

What makes a good password? …

*Figure and statistics from June 2012 WhiteHat Security Statistics Report


Perhaps we should ask someone else? Intel…

Intel has also provided a free tool to ensure that your password is strong:

https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html

How would these rate:
• AdMos185auj;
• Wt4e-79P-B13^qS

Let's see if they are really strong using the same simple tools:
• Online MD5 creator: http://md5-hash-online.waraxe.us/
• Elite Google Password Decoder: http://www.google.com/

What makes a good password? …

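The two "let's ask Microsoft / Intel" slides above make the same point: compute the MD5 of a candidate, search for the hash, and a common password comes straight back. The following Python is an added example, not code from the talk or from Credera, that reproduces the attack chain the agenda lists (precomputed lookup, then wordlist plus hybrid mangling rules) against a constructed four-user leak of unsalted MD5 hashes. The user names, the five-entry wordlist, the l33t substitution map and the suffix list are all assumptions chosen for the demo.

```python
import hashlib

# Constructed "leak" of unsalted MD5 hashes (what a 2013-era dump looked like).
# The plaintexts are listed only so the example is self-checking; a real leak
# arrives as hashes, and the goal is to recover the right-hand column.
LEAKED_PLAINTEXTS = {
    "alice": "password",
    "bob": "P@ssw0rd",
    "carol": "dallas2013!",
    "dave": "Luvnme4aChange@$",   # one of the slide's test passwords
}
LEAK = {user: hashlib.md5(pw.encode()).hexdigest()
        for user, pw in LEAKED_PLAINTEXTS.items()}

# Toy wordlist (assumption); a real attack uses a leaked-password list of
# millions of entries, which is the "leaked information from others" slide.
WORDLIST = ["password", "letmein", "dallas", "monkey", "qwerty"]

# Hybrid mangling rules in the style of hashcat/John rules: case changes,
# l33t substitutions, and appended digits/symbols (the "key sequences" people
# tack on to satisfy a complexity policy). Both tables are assumptions.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "2013", "!", "2013!"]


def md5_hex(text):
    """Unsalted MD5 in hex: the hash the online generators on the slide produce."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup(words):
    """Precomputed hash -> plaintext table. A rainbow table, or a search engine
    that has indexed hash dumps, plays exactly this role: one lookup per hash,
    no hashing at attack time."""
    return {md5_hex(w): w for w in words}


def mangle(word):
    """Yield candidate variants of one base word (the hybrid attack)."""
    bases = {word, word.capitalize(), word.upper()}
    full_leet = "".join(LEET.get(c, c) for c in word)        # p@$$w0rd
    partial_leet = word.replace("a", "@").replace("o", "0")   # p@ssw0rd
    for variant in (full_leet, partial_leet):
        bases.add(variant)
        bases.add(variant.capitalize())
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def crack(leak, wordlist):
    """Return {user: (plaintext, stage)} for every hash recovered.

    Stage 1 is the precomputed lookup (rainbow table / google); stage 2 runs
    the mangling rules over the wordlist against whatever survived stage 1.
    """
    recovered = {}
    table = build_lookup(wordlist)
    for user, digest in leak.items():
        if digest in table:
            recovered[user] = (table[digest], "lookup")

    # Index the survivors by hash so one candidate is checked against every
    # user at once: with unsalted hashes, one guess costs the same for the
    # whole leak as for a single account.
    by_hash = {}
    for user, digest in leak.items():
        if user not in recovered:
            by_hash.setdefault(digest, []).append(user)
    for word in wordlist:
        for candidate in mangle(word):
            for user in by_hash.pop(md5_hex(candidate), []):
                recovered[user] = (candidate, "hybrid")
    return recovered


if __name__ == "__main__":
    results = crack(LEAK, WORDLIST)
    for user, (pw, stage) in results.items():
        print(f"{user:6} {pw!r:20} via {stage}")
    print("not recovered:", sorted(set(LEAK) - set(results)))
```

Run it and alice falls to the lookup, bob and carol to the rules, and only dave's Luvnme4aChange@$ survives this toy wordlist and rule set; whether it survives a real one is exactly the question the demo asks. hashcat and John the Ripper do the same thing with million-entry lists, thousands of rules and a GPU.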


http://xkcd.com/936/

What makes a good password?


Simple tips for a better password

Creating a stronger password
• The more random the better*
• The longer the better*
• A mix of numbers, letters (upper and lower), symbols
• NO words! or anything L!K3 a word (the h4x0r knows)
• No personal info (PIN code, home address, etc.)
• No keyboard tricks (!@#, 123, QWE)

Use some helpful tools:
• https://lastpass.com/passwordhelp.php?a=1
• https://lastpass.com/generatepassword.php

What makes a good password? …



DEMO: Cracking 1.5 million users


What can be done? …

Attend More Meetings…

What To Do Now
• Don't rely on a plain, fast hash such as MD5 to protect stored passwords; oclHashcat-plus exists to crack exactly those at GPU speed: http://hashcat.net/wiki/doku.php?id=oclhashcat_plus
• Don't rely on salts to protect you: a per-user salt defeats rainbow tables and shared lookups, but a salted fast hash is still a fast hash, so every guess is still cheap
• Use bcrypt (an adaptive hashing algorithm whose work factor can be raised as hardware gets faster): http://en.wikipedia.org/wiki/Bcrypt
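To make the three bullets above concrete, here is an added Python example (not from the talk or from Credera) that puts unsalted MD5, salted MD5 and an adaptive hash side by side and runs the same five-word dictionary attack against each. The slide recommends bcrypt; this example substitutes PBKDF2-HMAC-SHA256 from Python's standard library, because bcrypt is not in the standard library and the property being demonstrated, a tunable per-guess cost, is the same. The wordlist, the 100,000-iteration count and the storage string formats are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time

# Toy wordlist (assumption); real attacks use million-entry leaked lists.
WORDLIST = ["password", "letmein", "dallas", "monkey", "qwerty"]


# 1. Unsalted fast hash: what most leaks contained. Identical passwords give
#    identical hashes, and one precomputed table cracks the whole dump.
def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()


# 2. Salted fast hash. The per-user salt makes precomputed tables useless and
#    forces the attacker to work per record, but each guess is still one MD5.
def md5_salted(password, salt=None):
    """Store as 'salt_hex$digest_hex' (format is an assumption); the salt is
    not secret, it sits next to the hash in the same leaked table."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def crack_salted_md5(stored, wordlist):
    """Dictionary attack on one salted-MD5 record: read the salt out of the
    record and hash every guess with it. No shared table, but no slowdown."""
    salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for guess in wordlist:
        if hashlib.md5(salt + guess.encode()).hexdigest() == digest:
            return guess
    return None


# 3. Adaptive hash. Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a work factor.
#    The iteration count is an assumption for the demo; raise it over time.
ITERATIONS = 100_000


def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Store as 'pbkdf2_sha256$iterations$salt_hex$dk_hex' (assumed format) so
    the work factor can be raised later without invalidating old records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


def crack_pbkdf2(stored, wordlist):
    """Same dictionary attack, now paying the full work factor per guess."""
    for guess in wordlist:
        if pbkdf2_verify(guess, stored):
            return guess
    return None


def cost_ratio(samples=10_000):
    """How many times more expensive one PBKDF2 guess is than one MD5 guess on
    this machine (rough wall-clock measurement, not a benchmark)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.md5(salt + str(i).encode()).digest()
    md5_per_guess = (time.perf_counter() - start) / samples

    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", salt, ITERATIONS)
    pbkdf2_per_guess = time.perf_counter() - start
    return pbkdf2_per_guess / md5_per_guess


if __name__ == "__main__":
    print("unsalted md5, two users, same password, same hash:",
          md5_unsalted("letmein") == md5_unsalted("letmein"))
    a, b = md5_salted("letmein"), md5_salted("letmein")
    print("salted md5, same password, records differ:", a != b)
    print("salted md5 still cracked by the wordlist:", crack_salted_md5(a, WORDLIST))
    stored = pbkdf2_hash("monkey")
    print("pbkdf2 cracked by the wordlist too:", crack_pbkdf2(stored, WORDLIST))
    print(f"...but each guess costs roughly {cost_ratio():,.0f}x an MD5 guess")
```

The point of the last line is the whole slide: a weak password falls to a dictionary attack under every scheme, so the only lever the site operator controls is how much each guess costs the attacker. Salting removes the attacker's shortcuts; the work factor is what actually slows them down, and it is the one knob you can turn up later.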

What To Do Now For Fun
• Download John the Ripper
• Download oclHashcat-plus (and get a decent GPU)

Reference Materials
• http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
• http://hashcat.net/oclhashcat-plus/
• http://www.openwall.com/john/


Q&A