Password War Games Webinar

© 2012 nCircle. All Rights Reserved.

nCircle Webinar Speaker: John Alexander

Transcript of Password War Games Webinar (51 slides)

Page 1: Password War Games

Page 2: Password Basics – How Passwords are Stored

One-way encryption algorithm: PASSWORD → ENCRYPTED PASSWORD

Example: bone33 → 6d19f07b3849a96156fe5b18733c07bb

Algorithms: md5, NT Hash, SHA-1, SHA-256, Blowfish, SHA-512, SHA-crypt, bcrypt, scrypt

Example (Unix shadow-file entry):

jalex:$1$R4mDH$aOcFaA9.Dq6Ww2u3XmCfK/:14641:0:99999:7:::

– Account: jalex
– Algorithm used: $1$ (1 = md5 in this case)
– Salt: “R4mDH”
– Encrypted password: aOcFaA9.Dq6Ww2u3XmCfK/
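The shadow entry above is a fixed, colon-separated format, and the part after the account name is self-describing: the scheme id, the salt and the hash are separated by `$`. The parser below is an added example, not code from the nCircle slides; it splits the slide's own jalex line into its fields, decodes the last-change day count, and flags entries whose scheme has no built-in work factor (md5-crypt, as on the slide). The scheme-id table is the standard crypt(3) one; the extra entries used for testing are constructed.

```python
"""Added example, not from the nCircle slides: parse a shadow-style entry such as
the slide's jalex line into its fields and report which hashing scheme it uses.
The scheme-id table is the standard crypt(3) one; the sample line is the
slide's own, the other test entries are constructed."""
from datetime import date, timedelta

# crypt(3) scheme identifiers -> scheme name. Only md5-crypt ($1$) appears on the slide.
SCHEMES = {
    "1": "md5-crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "5": "sha256-crypt",
    "6": "sha512-crypt",
    "y": "yescrypt",
}
# Schemes with a built-in work factor (the slides' "slower encryption methods").
SLOW_SCHEMES = {"bcrypt", "sha256-crypt", "sha512-crypt", "yescrypt"}

SAMPLE = "jalex:$1$R4mDH$aOcFaA9.Dq6Ww2u3XmCfK/:14641:0:99999:7:::"  # from the slide


def parse_shadow_line(line):
    """Split one shadow entry into a dict built from its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    account, crypt_field, last_change, _min, max_age, _warn, _inactive, _expire, _ = fields

    # A leading "!" or "*" (or an empty field) means the password cannot be used.
    locked = crypt_field == "" or crypt_field.startswith(("!", "*"))
    crypt_field = crypt_field.lstrip("!")

    entry = {"account": account, "locked": locked}
    if crypt_field.startswith("$"):
        parts = crypt_field.split("$")  # ['', id, (rounds=N | cost)?, salt, hash]
        scheme = SCHEMES.get(parts[1], "unknown(%s)" % parts[1])
        if scheme == "bcrypt":
            # $2b$cost$<22-char salt><31-char hash>: salt and hash share one segment
            entry["salt"], entry["hash"] = parts[3][:22], parts[3][22:]
        else:
            entry["salt"], entry["hash"] = parts[-2], parts[-1]
        entry["scheme"] = scheme
    elif crypt_field and not crypt_field.startswith("*"):
        entry["scheme"] = "des-crypt"  # legacy 13-char form: 2-char salt + 11-char hash
        entry["salt"], entry["hash"] = crypt_field[:2], crypt_field[2:]
    else:
        entry["scheme"], entry["salt"], entry["hash"] = "none", "", ""

    # Days since 1970-01-01, as on the slide (14641 -> 2010-02-01).
    entry["last_change"] = (
        (date(1970, 1, 1) + timedelta(days=int(last_change))).isoformat() if last_change else None
    )
    entry["max_age_days"] = int(max_age) if max_age else None
    entry["slow_hash"] = entry["scheme"] in SLOW_SCHEMES
    return entry


def audit(lines):
    """Return the accounts whose usable password hash has no work factor."""
    return [e["account"] for e in map(parse_shadow_line, lines)
            if not e["locked"] and not e["slow_hash"]]


if __name__ == "__main__":
    print(parse_shadow_line(SAMPLE))
```

Running it on the slide's line reports the account jalex, scheme md5-crypt, salt R4mDH, a last change on 2010-02-01, and `slow_hash` false; `audit()` is the shape of check a password-audit job would run over the whole file.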

Page 3: Basic Password Math – Character Complexity and Length

Number of password combinations = c^n, where

c = number of characters in the character set, e.g. numbers = 10
n = the length of the password

• Numbers only = 10^n
• Lower case only = 26^n
• Mixed case = (26+26)^n
• Mixed case + numbers = (26+26+10)^n
• Mixed case + num + special = (26+26+10+30)^n
• All ASCII = (256)^n

Special characters include the “space” character

Page 4: Basic Password Math Examples

141 = 10^3 = 1000
cat = 26^3 = 17,576
Cat = (26+26)^3 = 140,608
C2t = (26+26+10)^3 = 238,828
#2t = (26+26+10+20)^3 = 551,368
…
thecatjumpedoutofthecup = 26^23 = 3,500,000,000,000,000,000,000,000,000,000,000

Character complexity is important but Length is King!!

Page 5: Password Games Hackers Play

Password cracking techniques:

– Guessing
  • Lists of common passwords, personal information, default passwords
– Dictionary
  • One or more dictionaries, including foreign dictionaries
– Hybrid
  • One or more dictionaries (plus word lists, personal information, and rules)
– Brute Force
  • Random passwords

Page 6: Quiz Question #1

What is the correct ordering of password cracking techniques from most powerful to least?

a. Hybrid, Brute-Force, Guessing, Dictionary
b. Dictionary, Brute-Force, Dictionary, Guessing
c. Brute-Force, Dictionary, Hybrid, Guessing
d. Brute-Force, Hybrid, Dictionary, Guessing

Page 7: Guessing Attacks

Page 8: Most Common Passwords

• These are some standard common passwords. Common passwords are the weakest of all password types. Avoid them like the plague:

Common Passwords: password, 123456, 12345678, qwerty, abc123, monkey, 1234567, letmein, trustno1, dragon, baseball, 111111, iloveyou, master, sunshine, opensesame, ashley, passw0rd, shadow, 123123, 654321

Source: Splashdata annual list of worst Internet passwords

Page 9: Default and Blank Passwords

• Many networking devices come preconfigured with “default” passwords
• Many users don’t change this default password
• Example: 2Wire Router
  – Default login user name: admin
  – Default password: 2Wire

Page 10: Background Checks

• Do Not Use Personal Information — Steer clear of personal information. If the attacker knows who you are, they will have an easier time figuring out your password if it includes information such as:
  – Names: Your name, pet names, names of family members and friends (e.g. Joshua)
  – Numbers: Phone numbers, addresses, social security numbers, license plate numbers, zip codes
  – Dates: Birth dates / anniversary dates
  – Favorites: Hobbies, sports teams, movie stars, colors, wine, books, cars, …

Page 11: The Dictionary Attack

Page 12: Word Games

• Do Not Use Dictionary or Recognizable Words — Words such as proper names, dictionary words, or even terms from television shows or novels:
  – guest
  – quartet
  – hogwarts
  – ds-9
  – obiwan
  – spiderman

Page 13: Foreign Language Words

• Do Not Use Words in Foreign Languages — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is not a good practice. This includes Klingon ;-)
  – betenoir
  – bienvenido
  – gutenmorgen

Page 14: Word Lists

• Dictionary attacks can be augmented by pre-built and custom word lists:
  – Slang
  – Jargon
  – Dirty words
  – Klingon, Romulan, Elvish word lists, …
  – Custom lists: SF 49-ers, Star Trek, Jane Austen, Marilyn Monroe word lists, rock climbing terms…

Page 15: Double Jeopardy

• Don’t combine two words:
  – cathycathy
  – springale
  – realginger
  – elegantpresentation
  – scissorsauto
  – brokenmouse

Page 16: Hybrid Attacks (Augmenting the dictionary with rules)

Page 17: Prefixes and Postfixes

• Do Not add numbers or special characters to a simple word:
  – superman7
  – nevada999
  – 34phonebook
  – desayuno!@
  – %%stockmarket

Page 18: Inversion/Reversal

• Do Not Invert or Reverse Words — Good password checkers check for reversed words, so inverting/reversing a bad password does not make it any more secure:
  – etamitigel
  – ardnassac
  – nauj
  – 9-SD

Page 19: Keyboard Patterns (sequences)

• Don’t use simple keyboard patterns:
  – 123
  – 123123
  – 1234567890
  – qwerty
  – qwertyuiop
  – asdfghj
  – zaqwsx
  – !@#$%^&*()

Page 20: Character Substitutions & Leetspeak (elite speak = l33tspeak = leetspeak)

Common Character Substitutions:

$=S, @=A, 4=A, 1=L, 1=I, !=I, 3=E, 0=O, #=H

• Examples:
  – PASSWORD = P@$$w0rd
  – livefish = l!v3f1S#
  – ELITE = ELEET = 3L33T
  – n00b = newbie
  – Iamsurprised:-o

Page 21: Leetspeak Table (source: Wikipedia)

Page 22: Don’t Make it Up

• Good password cracking programs can check many made-up words using something called frequency tables.
• The idea is that certain letters follow others more frequently than others in a given language.
• There are frequency tables for each language.
• Examples:
  – markap
  – yunk
  – quirp

Page 23: Quiz Question #2

What is the problem with the following password: minulauck?

a. Susceptible to a dictionary cracking
b. Susceptible to hybrid cracking (two words)
c. Susceptible to hybrid cracking (made up word)
d. Susceptible to guessing (a common word)

Page 24: Quiz Question #3

Which of these two passwords is weaker?

a. superman56
b. Y&f2*e

Page 25: Brute-Force Attack

Page 26: Brute Force Attacks

• When all else fails, the cracking software will try every possible combination.
• Brute force is intelligent in its search: it will go in a certain order (that can be configured).
• Example:
  – Single character, 2 character passwords, 3 character passwords, 4 digit numbers, 4 character lowercase, 4 character all character, ….

Page 27: Letters or Numbers Only

• Do NOT use only letters or numbers:
  – 8675309
  – miwhdd
  – prwlkj

Length is key, but character complexity is also important in defending against brute force attacks.

Page 28: Loose Lips Sink Ships – Password Best Practices

Page 29: Hide & Seek

• Do Not Write Down Your Password — Never store your password on paper. Come up with a good memory scheme.

Page 30: The Golden Password

• Do Not Use the Same Password For All Machines — This is called a gold or golden password. Crackers love them. It is important that you make separate passwords for each account. This way, if one system is compromised, all of your machines/accounts/data will not be immediately at risk.

Page 31: Password Length

• Make the Password At Least Eight Characters Long
• The longer the password, the better
• Most firms have a minimal acceptable length that they consider strong
• Use longer passwords for more sensitive data

Page 32: Alphanumerics

• Mix Letters and Numbers — Adding numbers to passwords, especially when added to the middle (not just at the beginning or the end), can enhance password strength.

Where n = length of password:

Lower case alphabet = 26^n combinations
Alphabet + numbers = (26+10)^n combinations

Page 33: Mixed Case

• Mix Upper and Lower Case Letters — By mixing cases, you will enhance the strength of the password.

Where n = length of password:

26^n versus (26+26)^n

(c = 26 characters for lowercase only, c = 52 characters for mixed case)

Page 34: Special Sauce

• Including special characters such as &, $, #, >, … can greatly improve the strength of a password.

Where n = length of password:

Lower case only = 26^n
Mixed case = (26+26)^n
Mixed case + numbers = (26+26+10)^n
Mixed case + numbers + special char = (26+26+10+20)^n

Page 35: Password Pragmatism

• Pick a Password You Can Remember — The best password in the world does you little good if you cannot remember it or feel you have to write it down.
• Use acronyms or other mnemonic devices to aid in memorizing passwords, or use a “Password Manager” program.

Page 36: Password Checkers vs. Password Cracking

• Most password strength checkers will not discover certain types of bad passwords.
• Organizations should use password cracking software as part of their audit procedures.
• Most password checkers are not as sophisticated as actual password cracking programs.
• Example: Procr4$tin4te. A password checker might accept this password, while a good cracking program will easily break it.

Page 37: Quiz Question #4

How many times should you reuse a password?

a. Never
b. Twice
c. Everywhere but your financial accounts
d. Everywhere but your medical and financial accounts

Page 38: Password Subterfuge – Snooping and Social Engineering

Page 39: Password Acquisition Methods (1 of 3)

• Theft
• Search - Passwords written down: under keyboard, on monitor, on wall, in desk drawer, under leaf of plant, under plant pot
• Bribery
• Coercion/Extortion/Subversion/Blackmail
• Social Engineering (phishing, impersonation,…)

Page 40: Password Acquisition Methods (2 of 3)

• Insider (admin, users, someone who has access to the password database)
• Sniffer (to include wiretapping, rogue devices, wireless sniffing; could be insider assisted)
• Keylogger (hardware or software)
• Logon spoofing (to include ATM spoofing)

Page 41: Password Acquisition Methods (3 of 3)

• Shoulder surfing (to include hidden cameras)
• Keyboard “Audio” detection
• Dumpster diving
• Access to password databases (safe, admin access,…)

Page 42: Quiz Question #5

What is one of the most common methods that hackers use to steal passwords?

a. phishing
b. dumpster diving
c. spamming
d. breaking into your house and looking for passwords

Page 43: Password Counter Intelligence

Page 44: Policies

• Password Policies
  – Password Use Policies
    • Don’t give your password to anyone
    • Don’t use the same password on multiple accounts
    • Password strength (length and character complexity)
    • Required use of password manager software
  – Logon, Aging, and Lockout Policies
    • Logon process should not indicate if you typed in a valid username
    • Delay of login response should be the same for correct and incorrect logins
    • Lockout policies (time and tries)
    • Password age
    • Password history

Page 45: Checking and Auditing

• Password Checkers
  – Password Policy Tester
  – Password Defender
• Password Auditing
  – Auditing for weak passwords using password crackers, e.g. ophcrack, John the Ripper, …
  – Sniffing
  – Physical security audits and Pen Testing

Page 46: Multi-Factor and Non-text Input Methods

• Multiple factor authentication:
  – RSA tokens
  – Knowledge based redundancy
  – Smartcards
  – Biometrics
  – Location-based
• Graphical passwords
• Virtual keyboards

Page 47: Defenses

• Education
• Do not store or transmit passwords in the clear
• Logging (login failure attempts)
• Slower encryption methods (password hashing, e.g. SHA-crypt, bcrypt)
• Password salts – Response to use of rainbow tables (i.e. pre-computation attacks)
• Use of local parameterization
• Use of password stretching (configurable iteration counts)
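Several of these defences, together with the logon policies on page 44, fit in one small piece of server-side code: a random per-user salt (so a precomputed rainbow table built for one salt is useless for the next user), a deliberately slow hash with a configurable iteration count, a constant-time comparison, failure logging, and a login routine that does the same work and returns the same message whether or not the user name exists. The store below is an added example, not code from the nCircle slides; it uses only the Python standard library, with PBKDF2-HMAC-SHA256 standing in for the SHA-crypt/bcrypt named on the slide. The iteration count and the user names and passwords are constructed test values.

```python
"""Added example, not from the nCircle slides: a minimal password store that
applies the defences the slides list. Each user gets a random salt (so
rainbow-table precomputation does not pay off), the hash is stretched with a
configurable iteration count, comparison is constant-time, and a login attempt
takes the same path and returns the same message whether the user name exists
or not. Standard library only; PBKDF2-HMAC-SHA256 stands in for the slides'
SHA-crypt/bcrypt. User names and passwords here are constructed test data."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # stretching factor (assumed value); raise it as hardware gets faster


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record, $pbkdf2-sha256$iterations$salt$hash,
    in the spirit of the $1$salt$hash layout on the storage slide."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode("ascii"), base64.b64encode(digest).decode("ascii"))


def verify_password(password, record):
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    _, scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# Verified whenever the user name is unknown, so that a failed login costs the
# same time with or without a matching account (the slides' timing policy).
DUMMY_RECORD = hash_password(os.urandom(16).hex())
FAILURE_MESSAGE = "invalid user name or password"  # never says which one was wrong


class UserStore:
    def __init__(self):
        self._records = {}
        self.failed_logins = []  # audit trail of failed attempts: user name only, never the password

    def add_user(self, username, password):
        self._records[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok' or FAILURE_MESSAGE; runs the full hash either way."""
        known = username in self._records
        ok = verify_password(password, self._records.get(username, DUMMY_RECORD)) and known
        if not ok:
            self.failed_logins.append(username)
        return "ok" if ok else FAILURE_MESSAGE


if __name__ == "__main__":
    store = UserStore()
    store.add_user("jalex", "bone33")  # constructed, reusing the slide's account name
    print(store.login("jalex", "bone33"), store.login("jalex", "wrong"), store.login("nobody", "bone33"))
```

Because the iteration count is stored in each record, it can be raised for new passwords (and re-hashed on the next successful login) without invalidating existing ones, which is what "configurable iteration counts" buys in practice; the `failed_logins` list is the raw material for the lockout and logging policies on pages 44 and 47.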

Page 48: Password Manager Example: KeePass

• Easy to Use
• Drag-n-drop
• Hard to Get Into
• Composite Master Key
• Key Transformation (Stretching)
• Random Password Generator

Page 49: Personal Identifiable Information Reference

• Names: (first, last, middle, maiden, hyphenated, ranks, titles), names of relatives, friends, pets (to a lesser extent acquaintances), nicknames
• Addresses (home, addresses of relatives and friends, offices, current, old addresses, numbers, street names, city names, state names, country names)
• License plate (all vehicles owned by victim to include previous vehicles)
• Drivers license number (to include numbers of acquaintances)
• Schools: Name of schools (elementary, middle, HS, college, fraternities, clubs)
• Telephone numbers (home, cell, work, relatives, friends, office, contacts)
• Social security number, account numbers, identification numbers, …
• Dates: Birthday (victim, relatives, friends, pets), anniversaries (wedding, engagement, special occasion, graduation), astrological signs
• Room numbers, office numbers
• Clubs and military: Unit names and designations
• Favorites: Colors, music groups, songs, actors/actresses, auto models, movies, books, food, wine, hobbies, sport teams,…
• Web: urls of favorite sites

Page 50: nCircle PureCloud – Twice the Security at Half the Cost

Cloud-based network security services platform designed for small to medium enterprises

• Enterprise-class security scanning
• State-of-the-art cloud delivery
• Easy to use
• No hardware or software to deploy or manage

Page 51: Questions?

Continue the conversation at http://connect.ncircle.com