SlideShare une entreprise Scribd logo

Enterprise Password Worst Practices

Imperva
Imperva

Enterprise password policies are often insufficient to protect against hackers. A recent analysis of nearly 100,000 passwords from a data breach showed that password cracking tools could discover many of the most common passwords within minutes using rainbow tables and dictionaries. While hashing provides some protection, hackers can bypass hashes to crack passwords. Organizations must implement stronger practices like salting hashes and enforcing minimum password strengths.

Technologie
1  sur  6
Télécharger pour lire hors ligne
December 2011 Hacker Intelligence Initiative, Monthly Trend Report #7 Enterprise Password Worst Practices Nearly two years ago, Imperva published a report on 32 million breached passwords entitled “Consumer Password Worst Practices.” Since then, successive breaches have highlighted consumers’ inability to make sufficient password choices. Even a recent Google public ad campaign went bust when, in an effort to improve consumer password practices, the ad failed to make the right password recommendation. A Cambridge researcher pointed out that: Google’s example of a “very strong password” is ‘2bon2btitq’, taken from the famous Hamlet quote “To be or not to be, that is the question”. Empirically though, this is not a strong password, it’s almost exactly average! When it comes to consumers implementing good passwords, we give up. Instead of consumers, responsibility rests on enterprises to put in place proper password security policies and procedures as a part of a comprehensive data security discipline. Passwords should be viewed by security teams as highly valuable data – even if PCI or other security mandates don’t apply. We hope this paper guides enterprises to rectify poor password management practices. For color and context, we present findings of our analysis of a recently exposed list of nearly 100,000 passwords following a data breach at FilmRadar.com, a website for film enthusiasts.
Hacker Intelligence Initiative, Monthly Trend Report Obstacles What is the right password policy to put in place? Two major obstacles impede enterprises today: › Hashing isn’t enough. Many organizations store passwords using a form of encryption, called cryptographic hash functions, often comprising the password’s sole security measure. However, attackers do not attempt to directly attack the strength of the cryptographic measure. Rather, different methods exist which allow attackers to bypass the cryptographic measures – much like a burglar who doesn’t bother to pick the lock but instead jumps the fence. › Many techniques and tools exist to help hackers crack passwords. Password cracking tools are widely available. Some have actually been developed by the security community to help in the efforts of strengthening passwords, yet, like many white hat tools, they end up helping hackers. For example, using these readily available tools on the FilmRadar.com list, we were able to discover 77 of the 100 most popular passwords in less than ten minutes. Passwords: The Basics A password is a shared secret between a user and a service. When a user wants to connect to the service, she identifies with her user name (or any other form of account identifier) and proves her identity (i.e., authenticates) by providing the password. The service compares the provided password against what the user supplied during registration before granting the user access to the service. Since passwords are the user’s key to the service, organizations are wary of storing complete passwords. Instead, they choose to store a value which represents the password called a “digest”. The password digest (a.k.a., a “password hash”) is a mathematical transformation of the password which allows the comparison to the original password, but does not easily disclose the password itself. The most commonly used mathematical transformation is a cryptographic hash function called SHA-1. This function is strong enough so that there is no mathematical reverse function that takes the digest and reconstructs potential sources. However, when an enterprise fails to hash the passwords altogether, this is known as storing them “in the clear” and represents the most negligent practice possible. Cryptographic Digests: Not a Silver Bullet Contrary to common belief, cryptographic hash functions in general – whether they are SHA-1 or any other cryptographic function – are not impervious to hackers. The strength of a hash function, even if mathematically proven to be unbreakable, does not play a role in the cracking game. Instead of directly trying to attack the function, alternate methods exist which allow the adversary to bypass the cryptographic measures and guess the hashed passwords. There are two widely used techniques to crack passwords: › Rainbow tables – These are pre-computed data sets containing hash values from nearly every combination of alphanumeric character up to a certain length. Although creating the rainbow tables is a lengthy process, they are created only once. In fact, hackers consider creating such tables a worth-while investment since after the rainbow tables are generated they can be used over and over again. One hacker website, for instance, developed 50 billion values for public use. › Dictionaries – These are lists of common passwords together with a pre-calculated hash value. In this manner, a hacker can compare a digest with the pre-computed values. Dictionary attacks have proven to be an effective technique to crack passwords since many people have the tendency to use common passwords based on names, numerical or keyboard sequences. For example, in our previous analysis, we demonstrated that the most common password was ‘123456’. Report #7, December 2011 2
Hacker Intelligence Initiative, Monthly Trend Report Password Cracking Tools: A Hacker Community Effort Password cracking tools – using rainbow tables and dictionaries – abound. With enough determination, a hacker can easily find tools and multiple dictionaries for password cracking. Most of these resources are free and available to anyone to download. We list here some of the more popular ones: › MD5 decrypter – This site offers online cracking (twelve passwords per request) based on 8.7 billion unique hash values. This site also offers a forum to upload large datasets for decryption. In particular, this tool clearly demonstrates the power of the hacker community as they work together to crack passwords. One of our recent HII reports highlighted how hackers leverage hacker forums as a collaboration platform to aid one another in attack efforts. This site is no different as one of its features is the ability to post a digest which will most likely be identified by other users. Site postings have shown that nearly all such requests were cracked successfully. In fact, we tried this out in our labs when we were stumped against digests we were not certain about. We found that the list of hashed passwords was updated with our unknown digests within a week following our original query. › Cyberwar Zone – This site provides lists of common used passwords such as Disney characters, film actors, common family names and even Chinese words. Also, there are rainbow tables with 50 billion hash values. Report #7, December 2011 3
Hacker Intelligence Initiative, Monthly Trend Report › Cain and Able – This site hosts a password recovery tool which offers various methods for cracking passwords, including a dictionary of common passwords. › John the Ripper – This site contains a password cracking tool includes a dictionary of common passwords. Lessons from the Real Life: The Analysis of 100,000 Digests A couple of months ago, a data breach at FilmRadar.com exposed 95,167 hashed user passwords. Like many online services, FilmRadar stored the passwords in a digested format, using the SHA1 hash function, hoping to guarantee confidentiality. However, storing the user passwords as a cryptographic digest is just not enough. To prove just how weak this type of security measure is, we analyzed the FilmRadar passwords using both rainbow and dictionary attacks. Using publicly available tools, we could: › Uncover 77 of the 100 most popular passwords in less than ten minutes using rainbow tables through an online service. Interestingly, this also gave us insight to the power of collaboration amongst the hacker community. We observed that when hackers struggled to find corresponding passwords, it usually took just a week for the community to contribute updates. › Guess nearly 5% of all passwords on the list in less than two days by using dictionaries. Lesson one: Using various dictionaries from multiple resources, hackers can still figure out passwords even though the process is slow. Lesson two: The bigger the dataset, the more common passwords it contains, the faster the hacking. A smaller dataset – or even just non-common passwords – would make cracking much slower if not impossible. Report #7, December 2011 4
Hacker Intelligence Initiative, Monthly Trend Report Out of the top 15 passwords (see Table 1), there was only one which we were not able to guess. Once again, uncovering password lists provides ample fodder regarding user password practices: › The 100 most common passwords in the list constitute ~10% of the entire list. › Human nature forces associations between the passwords with the service. Consider the most popular password, ‘Blink123’. Most likely, this was influenced by the movie Blink. › The most common password in the RockYou 32 million password dictionary, ‘123456’, was displaced on the FilmRadar list. However, common sequences remain a popular choice. As the list shows, nearly all passwords end with a numeric sequence. › Many of the uncovered passwords are listed in common dictionaries. Table 1: 15 Most Common Password from FilmRadar.com Password popularity Password Number of Occurrences rank 1 Blink123 1578 2 Greatday1 441 3 Gendut80 436 4 Sample123 420 5 Baobao87 375 6 Matttt24 309 7 Speak2me 261 8 ABcd1234 252 9 [not found] 245 10 abcd1234 215 11 Sara2000 194 12 blueU1234 179 13 Tgold1973 165 14 Hello123 146 15 Timetoget1 144 Defeating Rainbow Tables: Salting We were able to analyze the FilmRadar password digests as they simply used a cryptographic hash function. This is a common practice. In fact, a Booz Allen breach in July showed that they relied only on the SHA-1 hash function as their password security mechanism. An analysis of the Booz Allen breach appears in our blog where we demonstrated how security measures can easily be defeated using rainbow tables. How can organization defeat rainbow table attacks? An effective measure is called “salting.” A salt value is a random value pre-pended to the password before it gets encrypted. In this manner, the computational time required to break weak passwords increases exponentially. For example, a salt of just a three bit length increases the storage and pre-computation time of rainbow tables eightfold. To be clear, salting does not make the passwords hack-proof. However, this is not a concern as the point is to increase the cost of guessing the password. This is a simple measure for the organization to employ. By contrast, it represents a costly investment for the commercial hacker. Report #7, December 2011 5
Hacker Intelligence Initiative, Monthly Trend Report Mitigation Passwords are a convenient authentication method. Yet, stored incorrectly and they can cause a lot of hassle in the event of a breach. To begin with, hash functions protect only strong passwords while naïve hashing (without a salt) exposes passwords to rainbow table attacks. Advice to users is to choose strong passwords. The rest is up to the business. What should site owners do to mitigate the effectiveness of crackers? › Allow users to choose longer passwords which are easier to remember. We recommend passphrases. Passphrases provide the necessary length yet do not require the user to write down the secret on a note left on the worker’s desk. › Enforce strong password policy. This doesn’t mean just applying restriction on the character types but also by comparing against dictionaries used by attackers. In fact, Hotmail recently banned the usage of common passwords. This also means defining and banning site-specific passwords, like FilmRadar’s ‘Blink123’. Likewise, numerical or keyboard sequences need to be banned altogether. › Use salted digests. As mentioned in the previous section, a salted value should increase the cost of guessing the password so that financially-motivated hackers will not make such an investment. Hacker Intelligence Initiative Overview The Imperva Hacker Intelligence Initiative goes inside the cyber-underground and provides analysis of the trending hacking techniques and interesting attack campaigns from the past month. A part of Imperva’s Application Defense Center research arm, the Hacker Intelligence Initiative (HII), is focused on tracking the latest trends in attacks, Web application security and cyber-crime business models with the goal of improving security controls and risk management processes. Imperva Tel: +1-650-345-9000 3400 Bridge Parkway, Suite 200 Fax: +1-650-345-9004 Redwood City, CA 94065 www.imperva.com © Copyright 2011, Imperva All rights reserved. Imperva, SecureSphere, and “Protecting the Data That Drives Business” are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #HII-DECEMBER#7-2011-1211rev1

Recommandé

Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
A fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainA fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP Spain
Christian Martorella
 
A Database for Every Occasion
A Database for Every OccasionA Database for Every Occasion
A Database for Every Occasion
Safe Software
 
Learn Hacking
Learn HackingLearn Hacking
Learn Hacking
hackingtraining
 
128 BIT WHAT?
128 BIT WHAT?128 BIT WHAT?
128 BIT WHAT?
Razorpoint Security
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
chrissanders88
 
Filtering From the Firehose: Real Time Social Media Streaming
Filtering From the Firehose: Real Time Social Media StreamingFiltering From the Firehose: Real Time Social Media Streaming
Filtering From the Firehose: Real Time Social Media Streaming
Cloud Elements
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINT
Christian Martorella
 

Recommandé

Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
A fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainA fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP Spain
Christian Martorella
 
A Database for Every Occasion
A Database for Every OccasionA Database for Every Occasion
A Database for Every Occasion
Safe Software
 
Learn Hacking
Learn HackingLearn Hacking
Learn Hacking
hackingtraining
 
128 BIT WHAT?
128 BIT WHAT?128 BIT WHAT?
128 BIT WHAT?
Razorpoint Security
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
chrissanders88
 
Filtering From the Firehose: Real Time Social Media Streaming
Filtering From the Firehose: Real Time Social Media StreamingFiltering From the Firehose: Real Time Social Media Streaming
Filtering From the Firehose: Real Time Social Media Streaming
Cloud Elements
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINT
Christian Martorella
 
Staying Safe and Secure with Passwords
Staying Safe and Secure with PasswordsStaying Safe and Secure with Passwords
Staying Safe and Secure with Passwords
ahyaimie
 
Sustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdvSustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdv
Ketheley Freire
 
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
Kerstin Forsberg
 
Vehicle tracking solution
Vehicle tracking solutionVehicle tracking solution
Vehicle tracking solution
Asha Hariharan
 
A Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking SystemsA Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking Systems
deepakiitr15
 
A survey on moving object tracking in video
A survey on moving object tracking in videoA survey on moving object tracking in video
A survey on moving object tracking in video
ijitjournal
 
Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force tools
zeus7856
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Hajer alriyami
 
In responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docxIn responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docx
mecklenburgstrelitzh
 
OlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_FinalOlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_Final
Olger Hoxha, CISSP CISM
 
So whats in a password
So whats in a passwordSo whats in a password
So whats in a password
Rob Gillen
 
Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attacks
lord
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Sagar Verma
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
Yury Chemerkin
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011
Kieon
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
OWASP Delhi
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptx
FarhanaMariyam1
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Fego Ogwara
 
SEC 572 Entire Course NEW
SEC 572 Entire Course NEWSEC 572 Entire Course NEW
SEC 572 Entire Course NEW
shyamuopiv
 
ACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptxACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptx
LakshayNRReddy
 
TM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxTM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptx
MohammedYusuf609377
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Mukul Agarwal
 

Contenu connexe

En vedette

Sustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdvSustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdv
Ketheley Freire
 
A Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking SystemsA Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking Systems
deepakiitr15
 
A survey on moving object tracking in video
A survey on moving object tracking in videoA survey on moving object tracking in video
A survey on moving object tracking in video
ijitjournal
 

En vedette (6)

Staying Safe and Secure with Passwords
Staying Safe and Secure with PasswordsStaying Safe and Secure with Passwords
Staying Safe and Secure with Passwords
 
Sustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdvSustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdv
 
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
 
Vehicle tracking solution
Vehicle tracking solutionVehicle tracking solution
Vehicle tracking solution
 
A Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking SystemsA Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking Systems
 
A survey on moving object tracking in video
A survey on moving object tracking in videoA survey on moving object tracking in video
A survey on moving object tracking in video
 

Similaire à Enterprise Password Worst Practices

In responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docxIn responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docx
mecklenburgstrelitzh
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Fego Ogwara
 

Similaire à Enterprise Password Worst Practices (20)

Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force tools
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
In responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docxIn responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docx
 
OlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_FinalOlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_Final
 
So whats in a password
So whats in a passwordSo whats in a password
So whats in a password
 
Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attacks
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptx
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...
 
SEC 572 Entire Course NEW
SEC 572 Entire Course NEWSEC 572 Entire Course NEW
SEC 572 Entire Course NEW
 
ACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptxACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptx
 
TM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxTM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptx
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
 
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdfLinux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereAn Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & Anywhere
 

Plus de Imperva

Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
Imperva
 

Plus de Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Dernier

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Dernier (20)

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Enterprise Password Worst Practices

  • 1. December 2011 Hacker Intelligence Initiative, Monthly Trend Report #7 Enterprise Password Worst Practices Nearly two years ago, Imperva published a report on 32 million breached passwords entitled “Consumer Password Worst Practices.” Since then, successive breaches have highlighted consumers’ inability to make sufficient password choices. Even a recent Google public ad campaign went bust when, in an effort to improve consumer password practices, the ad failed to make the right password recommendation. A Cambridge researcher pointed out that: Google’s example of a “very strong password” is ‘2bon2btitq’, taken from the famous Hamlet quote “To be or not to be, that is the question”. Empirically though, this is not a strong password, it’s almost exactly average! When it comes to consumers implementing good passwords, we give up. Instead of consumers, responsibility rests on enterprises to put in place proper password security policies and procedures as a part of a comprehensive data security discipline. Passwords should be viewed by security teams as highly valuable data – even if PCI or other security mandates don’t apply. We hope this paper guides enterprises to rectify poor password management practices. For color and context, we present findings of our analysis of a recently exposed list of nearly 100,000 passwords following a data breach at FilmRadar.com, a website for film enthusiasts.
  • 2. Hacker Intelligence Initiative, Monthly Trend Report Obstacles What is the right password policy to put in place? Two major obstacles impede enterprises today: › Hashing isn’t enough. Many organizations store passwords using a form of encryption, called cryptographic hash functions, often comprising the password’s sole security measure. However, attackers do not attempt to directly attack the strength of the cryptographic measure. Rather, different methods exist which allow attackers to bypass the cryptographic measures – much like a burglar who doesn’t bother to pick the lock but instead jumps the fence. › Many techniques and tools exist to help hackers crack passwords. Password cracking tools are widely available. Some have actually been developed by the security community to help in the efforts of strengthening passwords, yet, like many white hat tools, they end up helping hackers. For example, using these readily available tools on the FilmRadar.com list, we were able to discover 77 of the 100 most popular passwords in less than ten minutes. Passwords: The Basics A password is a shared secret between a user and a service. When a user wants to connect to the service, she identifies with her user name (or any other form of account identifier) and proves her identity (i.e., authenticates) by providing the password. The service compares the provided password against what the user supplied during registration before granting the user access to the service. Since passwords are the user’s key to the service, organizations are wary of storing complete passwords. Instead, they choose to store a value which represents the password called a “digest”. The password digest (a.k.a., a “password hash”) is a mathematical transformation of the password which allows the comparison to the original password, but does not easily disclose the password itself. The most commonly used mathematical transformation is a cryptographic hash function called SHA-1. This function is strong enough so that there is no mathematical reverse function that takes the digest and reconstructs potential sources. However, when an enterprise fails to hash the passwords altogether, this is known as storing them “in the clear” and represents the most negligent practice possible. Cryptographic Digests: Not a Silver Bullet Contrary to common belief, cryptographic hash functions in general – whether they are SHA-1 or any other cryptographic function – are not impervious to hackers. The strength of a hash function, even if mathematically proven to be unbreakable, does not play a role in the cracking game. Instead of directly trying to attack the function, alternate methods exist which allow the adversary to bypass the cryptographic measures and guess the hashed passwords. There are two widely used techniques to crack passwords: › Rainbow tables – These are pre-computed data sets containing hash values from nearly every combination of alphanumeric character up to a certain length. Although creating the rainbow tables is a lengthy process, they are created only once. In fact, hackers consider creating such tables a worth-while investment since after the rainbow tables are generated they can be used over and over again. One hacker website, for instance, developed 50 billion values for public use. › Dictionaries – These are lists of common passwords together with a pre-calculated hash value. In this manner, a hacker can compare a digest with the pre-computed values. Dictionary attacks have proven to be an effective technique to crack passwords since many people have the tendency to use common passwords based on names, numerical or keyboard sequences. For example, in our previous analysis, we demonstrated that the most common password was ‘123456’. Report #7, December 2011 2
  • 3. Hacker Intelligence Initiative, Monthly Trend Report Password Cracking Tools: A Hacker Community Effort Password cracking tools – using rainbow tables and dictionaries – abound. With enough determination, a hacker can easily find tools and multiple dictionaries for password cracking. Most of these resources are free and available to anyone to download. We list here some of the more popular ones: › MD5 decrypter – This site offers online cracking (twelve passwords per request) based on 8.7 billion unique hash values. This site also offers a forum to upload large datasets for decryption. In particular, this tool clearly demonstrates the power of the hacker community as they work together to crack passwords. One of our recent HII reports highlighted how hackers leverage hacker forums as a collaboration platform to aid one another in attack efforts. This site is no different as one of its features is the ability to post a digest which will most likely be identified by other users. Site postings have shown that nearly all such requests were cracked successfully. In fact, we tried this out in our labs when we were stumped against digests we were not certain about. We found that the list of hashed passwords was updated with our unknown digests within a week following our original query. › Cyberwar Zone – This site provides lists of common used passwords such as Disney characters, film actors, common family names and even Chinese words. Also, there are rainbow tables with 50 billion hash values. Report #7, December 2011 3
  • 4. Hacker Intelligence Initiative, Monthly Trend Report › Cain and Able – This site hosts a password recovery tool which offers various methods for cracking passwords, including a dictionary of common passwords. › John the Ripper – This site contains a password cracking tool includes a dictionary of common passwords. Lessons from the Real Life: The Analysis of 100,000 Digests A couple of months ago, a data breach at FilmRadar.com exposed 95,167 hashed user passwords. Like many online services, FilmRadar stored the passwords in a digested format, using the SHA1 hash function, hoping to guarantee confidentiality. However, storing the user passwords as a cryptographic digest is just not enough. To prove just how weak this type of security measure is, we analyzed the FilmRadar passwords using both rainbow and dictionary attacks. Using publicly available tools, we could: › Uncover 77 of the 100 most popular passwords in less than ten minutes using rainbow tables through an online service. Interestingly, this also gave us insight to the power of collaboration amongst the hacker community. We observed that when hackers struggled to find corresponding passwords, it usually took just a week for the community to contribute updates. › Guess nearly 5% of all passwords on the list in less than two days by using dictionaries. Lesson one: Using various dictionaries from multiple resources, hackers can still figure out passwords even though the process is slow. Lesson two: The bigger the dataset, the more common passwords it contains, the faster the hacking. A smaller dataset – or even just non-common passwords – would make cracking much slower if not impossible. Report #7, December 2011 4
  • 5. Hacker Intelligence Initiative, Monthly Trend Report Out of the top 15 passwords (see Table 1), there was only one which we were not able to guess. Once again, uncovering password lists provides ample fodder regarding user password practices: › The 100 most common passwords in the list constitute ~10% of the entire list. › Human nature forces associations between the passwords with the service. Consider the most popular password, ‘Blink123’. Most likely, this was influenced by the movie Blink. › The most common password in the RockYou 32 million password dictionary, ‘123456’, was displaced on the FilmRadar list. However, common sequences remain a popular choice. As the list shows, nearly all passwords end with a numeric sequence. › Many of the uncovered passwords are listed in common dictionaries. Table 1: 15 Most Common Password from FilmRadar.com Password popularity Password Number of Occurrences rank 1 Blink123 1578 2 Greatday1 441 3 Gendut80 436 4 Sample123 420 5 Baobao87 375 6 Matttt24 309 7 Speak2me 261 8 ABcd1234 252 9 [not found] 245 10 abcd1234 215 11 Sara2000 194 12 blueU1234 179 13 Tgold1973 165 14 Hello123 146 15 Timetoget1 144 Defeating Rainbow Tables: Salting We were able to analyze the FilmRadar password digests as they simply used a cryptographic hash function. This is a common practice. In fact, a Booz Allen breach in July showed that they relied only on the SHA-1 hash function as their password security mechanism. An analysis of the Booz Allen breach appears in our blog where we demonstrated how security measures can easily be defeated using rainbow tables. How can organization defeat rainbow table attacks? An effective measure is called “salting.” A salt value is a random value pre-pended to the password before it gets encrypted. In this manner, the computational time required to break weak passwords increases exponentially. For example, a salt of just a three bit length increases the storage and pre-computation time of rainbow tables eightfold. To be clear, salting does not make the passwords hack-proof. However, this is not a concern as the point is to increase the cost of guessing the password. This is a simple measure for the organization to employ. By contrast, it represents a costly investment for the commercial hacker. Report #7, December 2011 5
  • 6. Hacker Intelligence Initiative, Monthly Trend Report Mitigation Passwords are a convenient authentication method. Yet, stored incorrectly and they can cause a lot of hassle in the event of a breach. To begin with, hash functions protect only strong passwords while naïve hashing (without a salt) exposes passwords to rainbow table attacks. Advice to users is to choose strong passwords. The rest is up to the business. What should site owners do to mitigate the effectiveness of crackers? › Allow users to choose longer passwords which are easier to remember. We recommend passphrases. Passphrases provide the necessary length yet do not require the user to write down the secret on a note left on the worker’s desk. › Enforce strong password policy. This doesn’t mean just applying restriction on the character types but also by comparing against dictionaries used by attackers. In fact, Hotmail recently banned the usage of common passwords. This also means defining and banning site-specific passwords, like FilmRadar’s ‘Blink123’. Likewise, numerical or keyboard sequences need to be banned altogether. › Use salted digests. As mentioned in the previous section, a salted value should increase the cost of guessing the password so that financially-motivated hackers will not make such an investment. Hacker Intelligence Initiative Overview The Imperva Hacker Intelligence Initiative goes inside the cyber-underground and provides analysis of the trending hacking techniques and interesting attack campaigns from the past month. A part of Imperva’s Application Defense Center research arm, the Hacker Intelligence Initiative (HII), is focused on tracking the latest trends in attacks, Web application security and cyber-crime business models with the goal of improving security controls and risk management processes. Imperva Tel: +1-650-345-9000 3400 Bridge Parkway, Suite 200 Fax: +1-650-345-9004 Redwood City, CA 94065 www.imperva.com © Copyright 2011, Imperva All rights reserved. Imperva, SecureSphere, and “Protecting the Data That Drives Business” are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #HII-DECEMBER#7-2011-1211rev1