SlideShare une entreprise Scribd logo

Enterprise Password Best Practices

Imperva
Imperva

Enterprise password policies are often insufficient to protect against hackers. A recent analysis of nearly 100,000 passwords from a data breach showed that password cracking tools could discover many of the most common passwords within minutes using rainbow tables and dictionaries. While hashing provides some protection, hackers can bypass hashes to crack passwords. Organizations must implement stronger practices like salting hashes and enforcing minimum password strengths.

Technologie
1  sur  6
Télécharger pour lire hors ligne
December 2011 Hacker Intelligence Initiative, Monthly Trend Report #7 Enterprise Password Worst Practices Nearly two years ago, Imperva published a report on 32 million breached passwords entitled “Consumer Password Worst Practices.” Since then, successive breaches have highlighted consumers’ inability to make sufficient password choices. Even a recent Google public ad campaign went bust when, in an effort to improve consumer password practices, the ad failed to make the right password recommendation. A Cambridge researcher pointed out that: Google’s example of a “very strong password” is ‘2bon2btitq’, taken from the famous Hamlet quote “To be or not to be, that is the question”. Empirically though, this is not a strong password, it’s almost exactly average! When it comes to consumers implementing good passwords, we give up. Instead of consumers, responsibility rests on enterprises to put in place proper password security policies and procedures as a part of a comprehensive data security discipline. Passwords should be viewed by security teams as highly valuable data – even if PCI or other security mandates don’t apply. We hope this paper guides enterprises to rectify poor password management practices. For color and context, we present findings of our analysis of a recently exposed list of nearly 100,000 passwords following a data breach at FilmRadar.com, a website for film enthusiasts.
Hacker Intelligence Initiative, Monthly Trend Report Obstacles What is the right password policy to put in place? Two major obstacles impede enterprises today: › Hashing isn’t enough. Many organizations store passwords using a form of encryption, called cryptographic hash functions, often comprising the password’s sole security measure. However, attackers do not attempt to directly attack the strength of the cryptographic measure. Rather, different methods exist which allow attackers to bypass the cryptographic measures – much like a burglar who doesn’t bother to pick the lock but instead jumps the fence. › Many techniques and tools exist to help hackers crack passwords. Password cracking tools are widely available. Some have actually been developed by the security community to help in the efforts of strengthening passwords, yet, like many white hat tools, they end up helping hackers. For example, using these readily available tools on the FilmRadar.com list, we were able to discover 77 of the 100 most popular passwords in less than ten minutes. Passwords: The Basics A password is a shared secret between a user and a service. When a user wants to connect to the service, she identifies with her user name (or any other form of account identifier) and proves her identity (i.e., authenticates) by providing the password. The service compares the provided password against what the user supplied during registration before granting the user access to the service. Since passwords are the user’s key to the service, organizations are wary of storing complete passwords. Instead, they choose to store a value which represents the password called a “digest”. The password digest (a.k.a., a “password hash”) is a mathematical transformation of the password which allows the comparison to the original password, but does not easily disclose the password itself. The most commonly used mathematical transformation is a cryptographic hash function called SHA-1. This function is strong enough so that there is no mathematical reverse function that takes the digest and reconstructs potential sources. However, when an enterprise fails to hash the passwords altogether, this is known as storing them “in the clear” and represents the most negligent practice possible. Cryptographic Digests: Not a Silver Bullet Contrary to common belief, cryptographic hash functions in general – whether they are SHA-1 or any other cryptographic function – are not impervious to hackers. The strength of a hash function, even if mathematically proven to be unbreakable, does not play a role in the cracking game. Instead of directly trying to attack the function, alternate methods exist which allow the adversary to bypass the cryptographic measures and guess the hashed passwords. There are two widely used techniques to crack passwords: › Rainbow tables – These are pre-computed data sets containing hash values from nearly every combination of alphanumeric character up to a certain length. Although creating the rainbow tables is a lengthy process, they are created only once. In fact, hackers consider creating such tables a worth-while investment since after the rainbow tables are generated they can be used over and over again. One hacker website, for instance, developed 50 billion values for public use. › Dictionaries – These are lists of common passwords together with a pre-calculated hash value. In this manner, a hacker can compare a digest with the pre-computed values. Dictionary attacks have proven to be an effective technique to crack passwords since many people have the tendency to use common passwords based on names, numerical or keyboard sequences. For example, in our previous analysis, we demonstrated that the most common password was ‘123456’. Report #7, December 2011 2
Hacker Intelligence Initiative, Monthly Trend Report Password Cracking Tools: A Hacker Community Effort Password cracking tools – using rainbow tables and dictionaries – abound. With enough determination, a hacker can easily find tools and multiple dictionaries for password cracking. Most of these resources are free and available to anyone to download. We list here some of the more popular ones: › MD5 decrypter – This site offers online cracking (twelve passwords per request) based on 8.7 billion unique hash values. This site also offers a forum to upload large datasets for decryption. In particular, this tool clearly demonstrates the power of the hacker community as they work together to crack passwords. One of our recent HII reports highlighted how hackers leverage hacker forums as a collaboration platform to aid one another in attack efforts. This site is no different as one of its features is the ability to post a digest which will most likely be identified by other users. Site postings have shown that nearly all such requests were cracked successfully. In fact, we tried this out in our labs when we were stumped against digests we were not certain about. We found that the list of hashed passwords was updated with our unknown digests within a week following our original query. › Cyberwar Zone – This site provides lists of common used passwords such as Disney characters, film actors, common family names and even Chinese words. Also, there are rainbow tables with 50 billion hash values. Report #7, December 2011 3
Hacker Intelligence Initiative, Monthly Trend Report › Cain and Able – This site hosts a password recovery tool which offers various methods for cracking passwords, including a dictionary of common passwords. › John the Ripper – This site contains a password cracking tool includes a dictionary of common passwords. Lessons from the Real Life: The Analysis of 100,000 Digests A couple of months ago, a data breach at FilmRadar.com exposed 95,167 hashed user passwords. Like many online services, FilmRadar stored the passwords in a digested format, using the SHA1 hash function, hoping to guarantee confidentiality. However, storing the user passwords as a cryptographic digest is just not enough. To prove just how weak this type of security measure is, we analyzed the FilmRadar passwords using both rainbow and dictionary attacks. Using publicly available tools, we could: › Uncover 77 of the 100 most popular passwords in less than ten minutes using rainbow tables through an online service. Interestingly, this also gave us insight to the power of collaboration amongst the hacker community. We observed that when hackers struggled to find corresponding passwords, it usually took just a week for the community to contribute updates. › Guess nearly 5% of all passwords on the list in less than two days by using dictionaries. Lesson one: Using various dictionaries from multiple resources, hackers can still figure out passwords even though the process is slow. Lesson two: The bigger the dataset, the more common passwords it contains, the faster the hacking. A smaller dataset – or even just non-common passwords – would make cracking much slower if not impossible. Report #7, December 2011 4
Hacker Intelligence Initiative, Monthly Trend Report Out of the top 15 passwords (see Table 1), there was only one which we were not able to guess. Once again, uncovering password lists provides ample fodder regarding user password practices: › The 100 most common passwords in the list constitute ~10% of the entire list. › Human nature forces associations between the passwords with the service. Consider the most popular password, ‘Blink123’. Most likely, this was influenced by the movie Blink. › The most common password in the RockYou 32 million password dictionary, ‘123456’, was displaced on the FilmRadar list. However, common sequences remain a popular choice. As the list shows, nearly all passwords end with a numeric sequence. › Many of the uncovered passwords are listed in common dictionaries. Table 1: 15 Most Common Password from FilmRadar.com Password popularity Password Number of Occurrences rank 1 Blink123 1578 2 Greatday1 441 3 Gendut80 436 4 Sample123 420 5 Baobao87 375 6 Matttt24 309 7 Speak2me 261 8 ABcd1234 252 9 [not found] 245 10 abcd1234 215 11 Sara2000 194 12 blueU1234 179 13 Tgold1973 165 14 Hello123 146 15 Timetoget1 144 Defeating Rainbow Tables: Salting We were able to analyze the FilmRadar password digests as they simply used a cryptographic hash function. This is a common practice. In fact, a Booz Allen breach in July showed that they relied only on the SHA-1 hash function as their password security mechanism. An analysis of the Booz Allen breach appears in our blog where we demonstrated how security measures can easily be defeated using rainbow tables. How can organization defeat rainbow table attacks? An effective measure is called “salting.” A salt value is a random value pre-pended to the password before it gets encrypted. In this manner, the computational time required to break weak passwords increases exponentially. For example, a salt of just a three bit length increases the storage and pre-computation time of rainbow tables eightfold. To be clear, salting does not make the passwords hack-proof. However, this is not a concern as the point is to increase the cost of guessing the password. This is a simple measure for the organization to employ. By contrast, it represents a costly investment for the commercial hacker. Report #7, December 2011 5
Hacker Intelligence Initiative, Monthly Trend Report Mitigation Passwords are a convenient authentication method. Yet, stored incorrectly and they can cause a lot of hassle in the event of a breach. To begin with, hash functions protect only strong passwords while naïve hashing (without a salt) exposes passwords to rainbow table attacks. Advice to users is to choose strong passwords. The rest is up to the business. What should site owners do to mitigate the effectiveness of crackers? › Allow users to choose longer passwords which are easier to remember. We recommend passphrases. Passphrases provide the necessary length yet do not require the user to write down the secret on a note left on the worker’s desk. › Enforce strong password policy. This doesn’t mean just applying restriction on the character types but also by comparing against dictionaries used by attackers. In fact, Hotmail recently banned the usage of common passwords. This also means defining and banning site-specific passwords, like FilmRadar’s ‘Blink123’. Likewise, numerical or keyboard sequences need to be banned altogether. › Use salted digests. As mentioned in the previous section, a salted value should increase the cost of guessing the password so that financially-motivated hackers will not make such an investment. Hacker Intelligence Initiative Overview The Imperva Hacker Intelligence Initiative goes inside the cyber-underground and provides analysis of the trending hacking techniques and interesting attack campaigns from the past month. A part of Imperva’s Application Defense Center research arm, the Hacker Intelligence Initiative (HII), is focused on tracking the latest trends in attacks, Web application security and cyber-crime business models with the goal of improving security controls and risk management processes. Imperva Tel: +1-650-345-9000 3400 Bridge Parkway, Suite 200 Fax: +1-650-345-9004 Redwood City, CA 94065 www.imperva.com © Copyright 2011, Imperva All rights reserved. Imperva, SecureSphere, and “Protecting the Data That Drives Business” are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #HII-DECEMBER#7-2011-1211rev1

Recommandé

Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
A fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainA fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainChristian Martorella
 
A Database for Every Occasion
A Database for Every OccasionA Database for Every Occasion
A Database for Every OccasionSafe Software
 
Learn Hacking
Learn HackingLearn Hacking
Learn Hackinghackingtraining
 
128 BIT WHAT?
128 BIT WHAT?128 BIT WHAT?
128 BIT WHAT?Razorpoint Security
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoringchrissanders88
 
Filtering From the Firehose: Real Time Social Media Streaming
Filtering From the Firehose: Real Time Social Media StreamingFiltering From the Firehose: Real Time Social Media Streaming
Filtering From the Firehose: Real Time Social Media StreamingCloud Elements
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINTChristian Martorella
 

Recommandé

Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
A fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainA fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainChristian Martorella
 
A Database for Every Occasion
A Database for Every OccasionA Database for Every Occasion
A Database for Every OccasionSafe Software
 
Learn Hacking
Learn HackingLearn Hacking
Learn Hackinghackingtraining
 
128 BIT WHAT?
128 BIT WHAT?128 BIT WHAT?
128 BIT WHAT?Razorpoint Security
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoringchrissanders88
 
Filtering From the Firehose: Real Time Social Media Streaming
Filtering From the Firehose: Real Time Social Media StreamingFiltering From the Firehose: Real Time Social Media Streaming
Filtering From the Firehose: Real Time Social Media StreamingCloud Elements
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINTChristian Martorella
 
Staying Safe and Secure with Passwords
Staying Safe and Secure with PasswordsStaying Safe and Secure with Passwords
Staying Safe and Secure with Passwordsahyaimie
 
Sustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdvSustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdvKetheley Freire
 
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings Kerstin Forsberg
 
Vehicle tracking solution
Vehicle tracking solutionVehicle tracking solution
Vehicle tracking solutionAsha Hariharan
 
A Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking SystemsA Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking Systemsdeepakiitr15
 
A survey on moving object tracking in video
A survey on moving object tracking in videoA survey on moving object tracking in video
A survey on moving object tracking in videoijitjournal
 
Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force toolszeus7856
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingHajer alriyami
 
In responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docxIn responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docxmecklenburgstrelitzh
 
OlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_FinalOlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_FinalOlger Hoxha, CISSP CISM
 
So whats in a password
So whats in a passwordSo whats in a password
So whats in a passwordRob Gillen
 
Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attackslord
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxFarhanaMariyam1
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Fego Ogwara
 
SEC 572 Entire Course NEW
SEC 572 Entire Course NEWSEC 572 Entire Course NEW
SEC 572 Entire Course NEWshyamuopiv
 
ACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptxACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptxLakshayNRReddy
 
TM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxTM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxMohammedYusuf609377
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingMukul Agarwal
 

Contenu connexe

En vedette

Staying Safe and Secure with Passwords
Staying Safe and Secure with PasswordsStaying Safe and Secure with Passwords
Staying Safe and Secure with Passwordsahyaimie
 
Sustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdvSustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdvKetheley Freire
 
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings Kerstin Forsberg
 
Vehicle tracking solution
Vehicle tracking solutionVehicle tracking solution
Vehicle tracking solutionAsha Hariharan
 
A Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking SystemsA Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking Systemsdeepakiitr15
 
A survey on moving object tracking in video
A survey on moving object tracking in videoA survey on moving object tracking in video
A survey on moving object tracking in videoijitjournal
 

En vedette (6)

Staying Safe and Secure with Passwords
Staying Safe and Secure with PasswordsStaying Safe and Secure with Passwords
Staying Safe and Secure with Passwords
 
Sustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdvSustentabilidade no camp omed md8j3qdv
Sustentabilidade no camp omed md8j3qdv
 
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
MIE2014: A Framework for Evaluating and Utilizing Medical Terminology Mappings
 
Vehicle tracking solution
Vehicle tracking solutionVehicle tracking solution
Vehicle tracking solution
 
A Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking SystemsA Study of Wireless Technology Based Pilgrim Tracking Systems
A Study of Wireless Technology Based Pilgrim Tracking Systems
 
A survey on moving object tracking in video
A survey on moving object tracking in videoA survey on moving object tracking in video
A survey on moving object tracking in video
 

Similaire à Enterprise Password Best Practices

Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force toolszeus7856
 
In responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docxIn responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docxmecklenburgstrelitzh
 
So whats in a password
So whats in a passwordSo whats in a password
So whats in a passwordRob Gillen
 
Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attackslord
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxFarhanaMariyam1
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Fego Ogwara
 
SEC 572 Entire Course NEW
SEC 572 Entire Course NEWSEC 572 Entire Course NEW
SEC 572 Entire Course NEWshyamuopiv
 
TM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxTM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxMohammedYusuf609377
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdfLinux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdfxererenhosdominaram
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crackKlaus Drosch
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereAn Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereBlake Carver
 

Similaire à Enterprise Password Best Practices (20)

Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force tools
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
In responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docxIn responding to your peers’ posts, assess your peers’ recommendatio.docx
In responding to your peers’ posts, assess your peers’ recommendatio.docx
 
OlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_FinalOlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_Final
 
So whats in a password
So whats in a passwordSo whats in a password
So whats in a password
 
Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attacks
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptx
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...
 
SEC 572 Entire Course NEW
SEC 572 Entire Course NEWSEC 572 Entire Course NEW
SEC 572 Entire Course NEW
 
ACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptxACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptx
 
TM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxTM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptx
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
 
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdfLinux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
Linux_Basics_for_Hackers_OccupyTheWeb_Complex.pdf
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereAn Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & Anywhere
 

Plus de Imperva

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyImperva
 
API Security Survey
API Security SurveyAPI Security Survey
API Security SurveyImperva
 
Imperva ppt
Imperva pptImperva ppt
Imperva pptImperva
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountImperva
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Imperva
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesImperva
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchImperva
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecurityImperva
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRImperva
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware Imperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged VendorsImperva
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet SophisticationImperva
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made EasyImperva
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceImperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyImperva
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR PlanImperva
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataImperva
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityImperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationImperva
 

Plus de Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Dernier

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Dernier (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Enterprise Password Best Practices

  • 1. December 2011 Hacker Intelligence Initiative, Monthly Trend Report #7 Enterprise Password Worst Practices Nearly two years ago, Imperva published a report on 32 million breached passwords entitled “Consumer Password Worst Practices.” Since then, successive breaches have highlighted consumers’ inability to make sufficient password choices. Even a recent Google public ad campaign went bust when, in an effort to improve consumer password practices, the ad failed to make the right password recommendation. A Cambridge researcher pointed out that: Google’s example of a “very strong password” is ‘2bon2btitq’, taken from the famous Hamlet quote “To be or not to be, that is the question”. Empirically though, this is not a strong password, it’s almost exactly average! When it comes to consumers implementing good passwords, we give up. Instead of consumers, responsibility rests on enterprises to put in place proper password security policies and procedures as a part of a comprehensive data security discipline. Passwords should be viewed by security teams as highly valuable data – even if PCI or other security mandates don’t apply. We hope this paper guides enterprises to rectify poor password management practices. For color and context, we present findings of our analysis of a recently exposed list of nearly 100,000 passwords following a data breach at FilmRadar.com, a website for film enthusiasts.
  • 2. Hacker Intelligence Initiative, Monthly Trend Report Obstacles What is the right password policy to put in place? Two major obstacles impede enterprises today: › Hashing isn’t enough. Many organizations store passwords using a form of encryption, called cryptographic hash functions, often comprising the password’s sole security measure. However, attackers do not attempt to directly attack the strength of the cryptographic measure. Rather, different methods exist which allow attackers to bypass the cryptographic measures – much like a burglar who doesn’t bother to pick the lock but instead jumps the fence. › Many techniques and tools exist to help hackers crack passwords. Password cracking tools are widely available. Some have actually been developed by the security community to help in the efforts of strengthening passwords, yet, like many white hat tools, they end up helping hackers. For example, using these readily available tools on the FilmRadar.com list, we were able to discover 77 of the 100 most popular passwords in less than ten minutes. Passwords: The Basics A password is a shared secret between a user and a service. When a user wants to connect to the service, she identifies with her user name (or any other form of account identifier) and proves her identity (i.e., authenticates) by providing the password. The service compares the provided password against what the user supplied during registration before granting the user access to the service. Since passwords are the user’s key to the service, organizations are wary of storing complete passwords. Instead, they choose to store a value which represents the password called a “digest”. The password digest (a.k.a., a “password hash”) is a mathematical transformation of the password which allows the comparison to the original password, but does not easily disclose the password itself. The most commonly used mathematical transformation is a cryptographic hash function called SHA-1. This function is strong enough so that there is no mathematical reverse function that takes the digest and reconstructs potential sources. However, when an enterprise fails to hash the passwords altogether, this is known as storing them “in the clear” and represents the most negligent practice possible. Cryptographic Digests: Not a Silver Bullet Contrary to common belief, cryptographic hash functions in general – whether they are SHA-1 or any other cryptographic function – are not impervious to hackers. The strength of a hash function, even if mathematically proven to be unbreakable, does not play a role in the cracking game. Instead of directly trying to attack the function, alternate methods exist which allow the adversary to bypass the cryptographic measures and guess the hashed passwords. There are two widely used techniques to crack passwords: › Rainbow tables – These are pre-computed data sets containing hash values from nearly every combination of alphanumeric character up to a certain length. Although creating the rainbow tables is a lengthy process, they are created only once. In fact, hackers consider creating such tables a worth-while investment since after the rainbow tables are generated they can be used over and over again. One hacker website, for instance, developed 50 billion values for public use. › Dictionaries – These are lists of common passwords together with a pre-calculated hash value. In this manner, a hacker can compare a digest with the pre-computed values. Dictionary attacks have proven to be an effective technique to crack passwords since many people have the tendency to use common passwords based on names, numerical or keyboard sequences. For example, in our previous analysis, we demonstrated that the most common password was ‘123456’. Report #7, December 2011 2
  • 3. Hacker Intelligence Initiative, Monthly Trend Report Password Cracking Tools: A Hacker Community Effort Password cracking tools – using rainbow tables and dictionaries – abound. With enough determination, a hacker can easily find tools and multiple dictionaries for password cracking. Most of these resources are free and available to anyone to download. We list here some of the more popular ones: › MD5 decrypter – This site offers online cracking (twelve passwords per request) based on 8.7 billion unique hash values. This site also offers a forum to upload large datasets for decryption. In particular, this tool clearly demonstrates the power of the hacker community as they work together to crack passwords. One of our recent HII reports highlighted how hackers leverage hacker forums as a collaboration platform to aid one another in attack efforts. This site is no different as one of its features is the ability to post a digest which will most likely be identified by other users. Site postings have shown that nearly all such requests were cracked successfully. In fact, we tried this out in our labs when we were stumped against digests we were not certain about. We found that the list of hashed passwords was updated with our unknown digests within a week following our original query. › Cyberwar Zone – This site provides lists of common used passwords such as Disney characters, film actors, common family names and even Chinese words. Also, there are rainbow tables with 50 billion hash values. Report #7, December 2011 3
  • 4. Hacker Intelligence Initiative, Monthly Trend Report › Cain and Able – This site hosts a password recovery tool which offers various methods for cracking passwords, including a dictionary of common passwords. › John the Ripper – This site contains a password cracking tool includes a dictionary of common passwords. Lessons from the Real Life: The Analysis of 100,000 Digests A couple of months ago, a data breach at FilmRadar.com exposed 95,167 hashed user passwords. Like many online services, FilmRadar stored the passwords in a digested format, using the SHA1 hash function, hoping to guarantee confidentiality. However, storing the user passwords as a cryptographic digest is just not enough. To prove just how weak this type of security measure is, we analyzed the FilmRadar passwords using both rainbow and dictionary attacks. Using publicly available tools, we could: › Uncover 77 of the 100 most popular passwords in less than ten minutes using rainbow tables through an online service. Interestingly, this also gave us insight to the power of collaboration amongst the hacker community. We observed that when hackers struggled to find corresponding passwords, it usually took just a week for the community to contribute updates. › Guess nearly 5% of all passwords on the list in less than two days by using dictionaries. Lesson one: Using various dictionaries from multiple resources, hackers can still figure out passwords even though the process is slow. Lesson two: The bigger the dataset, the more common passwords it contains, the faster the hacking. A smaller dataset – or even just non-common passwords – would make cracking much slower if not impossible. Report #7, December 2011 4
  • 5. Hacker Intelligence Initiative, Monthly Trend Report Out of the top 15 passwords (see Table 1), there was only one which we were not able to guess. Once again, uncovering password lists provides ample fodder regarding user password practices: › The 100 most common passwords in the list constitute ~10% of the entire list. › Human nature forces associations between the passwords with the service. Consider the most popular password, ‘Blink123’. Most likely, this was influenced by the movie Blink. › The most common password in the RockYou 32 million password dictionary, ‘123456’, was displaced on the FilmRadar list. However, common sequences remain a popular choice. As the list shows, nearly all passwords end with a numeric sequence. › Many of the uncovered passwords are listed in common dictionaries. Table 1: 15 Most Common Password from FilmRadar.com Password popularity Password Number of Occurrences rank 1 Blink123 1578 2 Greatday1 441 3 Gendut80 436 4 Sample123 420 5 Baobao87 375 6 Matttt24 309 7 Speak2me 261 8 ABcd1234 252 9 [not found] 245 10 abcd1234 215 11 Sara2000 194 12 blueU1234 179 13 Tgold1973 165 14 Hello123 146 15 Timetoget1 144 Defeating Rainbow Tables: Salting We were able to analyze the FilmRadar password digests as they simply used a cryptographic hash function. This is a common practice. In fact, a Booz Allen breach in July showed that they relied only on the SHA-1 hash function as their password security mechanism. An analysis of the Booz Allen breach appears in our blog where we demonstrated how security measures can easily be defeated using rainbow tables. How can organization defeat rainbow table attacks? An effective measure is called “salting.” A salt value is a random value pre-pended to the password before it gets encrypted. In this manner, the computational time required to break weak passwords increases exponentially. For example, a salt of just a three bit length increases the storage and pre-computation time of rainbow tables eightfold. To be clear, salting does not make the passwords hack-proof. However, this is not a concern as the point is to increase the cost of guessing the password. This is a simple measure for the organization to employ. By contrast, it represents a costly investment for the commercial hacker. Report #7, December 2011 5
  • 6. Hacker Intelligence Initiative, Monthly Trend Report Mitigation Passwords are a convenient authentication method. Yet, stored incorrectly and they can cause a lot of hassle in the event of a breach. To begin with, hash functions protect only strong passwords while naïve hashing (without a salt) exposes passwords to rainbow table attacks. Advice to users is to choose strong passwords. The rest is up to the business. What should site owners do to mitigate the effectiveness of crackers? › Allow users to choose longer passwords which are easier to remember. We recommend passphrases. Passphrases provide the necessary length yet do not require the user to write down the secret on a note left on the worker’s desk. › Enforce strong password policy. This doesn’t mean just applying restriction on the character types but also by comparing against dictionaries used by attackers. In fact, Hotmail recently banned the usage of common passwords. This also means defining and banning site-specific passwords, like FilmRadar’s ‘Blink123’. Likewise, numerical or keyboard sequences need to be banned altogether. › Use salted digests. As mentioned in the previous section, a salted value should increase the cost of guessing the password so that financially-motivated hackers will not make such an investment. Hacker Intelligence Initiative Overview The Imperva Hacker Intelligence Initiative goes inside the cyber-underground and provides analysis of the trending hacking techniques and interesting attack campaigns from the past month. A part of Imperva’s Application Defense Center research arm, the Hacker Intelligence Initiative (HII), is focused on tracking the latest trends in attacks, Web application security and cyber-crime business models with the goal of improving security controls and risk management processes. Imperva Tel: +1-650-345-9000 3400 Bridge Parkway, Suite 200 Fax: +1-650-345-9004 Redwood City, CA 94065 www.imperva.com © Copyright 2011, Imperva All rights reserved. Imperva, SecureSphere, and “Protecting the Data That Drives Business” are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #HII-DECEMBER#7-2011-1211rev1