The Changing Landscape of Passwords
PDX Tech Meetup
Ryan Smith, Ph.D., Data Scientist
August 18, 2014

Outline
  Passwords: hash functions; defeating password authentication
  Changing times: enter the GPU; the cloud
  Two ways forward
Passwords

Hash Functions

Definition
A hash function is a 'one way' function that scrambles the input so
that a) it's infeasible to guess the input from the output, and b)
slight changes to the input have a large effect on the output.

Input               Hashed Output
password            5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
Password            8be3c943b1609fbfc51aad666d0a04adf83c9d
1234                7110eda4d09e062aa5e4a390b0a572ac0d2c0220
DB+U44@5wK83g*6     df3c73999cc44aabbba6c7167cc8a846a7425f43
Table: Hashes using the SHA-1 algorithm
How do hash functions affect your life?
- Data integrity
- Bitcoin
- All password-based authentication
How password authentication works
1. User enters their password
2. Server computes the hash of their password
3. Server compares the hashed password to a master list

   [root@localhost ~]# cat /etc/shadow
   root:$1$flVALfyK$kJfaoYnsAm7/plT3.PCmJ/:15816:0:99999:7:::
   bob:$1$MIyV9col$Up9YON8Z.TI1x37xgFvuO0:15804:0:99999:7:::
   sue:$1$0Iwvz7CA$QOJLfOSJZuSLC19LSFxt1.:15810:0:99999:7

4. User is authenticated or denied.
... because that's where the money is

How do attackers compromise password lists?
- SQL injection attacks
- Cross-site scripting
- Buffer overflows
- ...

Avoid single points of failure
Password policies should assume that an attacker has access to the
list of hashed master passwords.
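If the policy assumes the hashed master list will leak, the first thing to audit is what that list is made of. The following is an added example (not code from the deck) that parses shadow-style lines like the ones on the authentication slide, identifies the crypt(3) scheme from the `$id$` prefix, and flags accounts whose verifier is a fast scheme or is empty. The sample file is constructed for the example; root and bob reuse the slide's demo entries (`$1$` is MD5-crypt), the other lines are made-up placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# crypt(3) scheme identifiers found between the first two '$' of a shadow hash field.
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}
# Cheap schemes that GPU guessing handles at billions of attempts per second.
WEAK_SCHEMES = {"md5crypt", "descrypt"}

# Constructed sample in the layout of the slide's /etc/shadow excerpt. The root and bob
# entries reuse the slide's demo values; sue, daemon and svc are made-up placeholders.
SAMPLE_SHADOW = """\
root:$1$flVALfyK$kJfaoYnsAm7/plT3.PCmJ/:15816:0:99999:7:::
bob:$1$MIyV9col$Up9YON8Z.TI1x37xgFvuO0:15804:0:99999:7:::
sue:$6$c0nstructedsalt$PLACEHOLDER.sha512crypt.hash.value:15810:0:99999:7:::
daemon:*:15810:0:99999:7:::
svc:!!:15810:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    scheme: str                  # "md5crypt", "locked", "empty", "unknown", ...
    salt: Optional[str]
    last_change: Optional[date]  # field 3 is days since 1970-01-01
    max_age_days: Optional[int]


def parse_hash_field(field: str) -> Tuple[str, Optional[str]]:
    """Classify the second shadow field and pull out its salt where the format has one."""
    if field == "":
        return "empty", None                  # no verifier at all: login without a password
    if field.startswith(("!", "*")):
        return "locked", None                 # password login disabled
    if field.startswith("$"):
        parts = field.split("$")              # ['', id, salt-or-params, ..., hash]
        scheme = SCHEMES.get(parts[1], "unknown")
        if scheme == "bcrypt" and len(parts) > 3:
            return scheme, parts[3][:22]      # $2b$cost$<22-char salt><31-char hash>
        if len(parts) > 3 and parts[2].startswith("rounds="):
            return scheme, parts[3]           # $5$/$6$ may carry a rounds= parameter first
        return scheme, parts[2] if len(parts) > 2 else None
    if len(field) == 13:
        return "descrypt", field[:2]          # traditional DES crypt: 2-char salt + 11-char hash
    return "unknown", None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow line into its fields, tolerating truncated trailing fields (like the slide's sue line)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed shadow line: {line!r}")
    while len(fields) < 9:
        fields.append("")
    user, verifier, last, _min_age, max_age = fields[:5]
    scheme, salt = parse_hash_field(verifier)
    last_change = date(1970, 1, 1) + timedelta(days=int(last)) if last else None
    return ShadowEntry(user, scheme, salt, last_change, int(max_age) if max_age else None)


def audit_shadow(text: str) -> List[str]:
    """One finding per account whose stored verifier is cheap to attack once the file leaks."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        if entry.scheme == "empty":
            findings.append(f"{entry.user}: empty password field")
        elif entry.scheme in WEAK_SCHEMES:
            findings.append(f"{entry.user}: {entry.scheme} verifier, rehash with a slow scheme on next login")
        elif entry.scheme == "unknown":
            findings.append(f"{entry.user}: unrecognised hash format")
    return findings


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(finding)
```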
Guess and check

Example
Suppose the hash of Laura's password is d83f445224a58355b13.

Password     Hash
cat          3389fc855f142c3d40f
fluffy       e1e986bc62f6c988dd
whiskers     8ae5f0c19282e29f203
...          ...
kitten42     d83f445224a58355b13

We know that Laura's password was kitten42.

Danger
These are not hypothetical attacks! John the Ripper and Hashcat
are both widely available.
Changing times

Enter the GPU

Order of magnitude comparisons

Definition
Embarrassingly parallel problems scale perfectly with more
processor power.

Device            Cores   NTLM hashes per second
Intel Core i5     4       5-15 million attempts per second
NVIDIA GTX 690    3072    12-14 billion attempts per second
GPU computing
A cluster of 25 AMD Radeon HD 6990s achieved:
- 350 billion guesses per second using NTLM hashing,
- a complete search of all eight character passwords with uppercase
  and lowercase letters, digits, and symbols in six hours!
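The guess-and-check slide and the two throughput slides combine into one calculation: keyspace divided by guess rate. The following is an added example (not code from the deck) that reproduces the six-hour figure for the GPU cluster, repeats it for the i5 and the GTX 690, and inverts the question to the one a policy author needs: how long must a password be for an exhaustive search to outlast a given attacker budget at a given rate? The rates are the slide's NTLM figures, with midpoints assumed where the slide gives a range; the 95-character alphabet is printable ASCII including space.

```python
import string

# Guess rates quoted on the slides (NTLM guesses per second); where the slide gives a
# range, the midpoint is used here (an assumption of this example).
RATES = {
    "Intel Core i5 (4 cores)": 10e6,
    "NVIDIA GTX 690 (3072 cores)": 13e9,
    "25x AMD Radeon HD 6990 cluster": 350e9,
}

# Alphabet sizes. The slide's "uppercase, lowercase letters, digits and symbols" is the
# 95 printable ASCII characters (94 without space).
ALPHABETS = {
    "digits": len(string.digits),                                   # 10
    "lowercase": len(string.ascii_lowercase),                       # 26
    "letters": len(string.ascii_letters),                           # 52
    "letters+digits": len(string.ascii_letters + string.digits),    # 62
    "printable ASCII": len(string.ascii_letters + string.digits + string.punctuation) + 1,  # 95
}

YEAR = 365.25 * 86400


def keyspace(alphabet: int, length: int, cumulative: bool = False) -> int:
    """Candidates of exactly `length` characters, or of every length 1..length when cumulative."""
    if alphabet < 1 or length < 1:
        raise ValueError("alphabet and length must be positive")
    if cumulative:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst case for the attacker: every candidate tried. The expected time is half of this."""
    return space / rate


def humanize(seconds: float) -> str:
    for name, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3g} seconds"


def minimum_length(alphabet: int, rate: float, budget_seconds: float) -> int:
    """Smallest length whose full search outlasts the attacker's time budget at the given rate."""
    n = 1
    while seconds_to_exhaust(keyspace(alphabet, n), rate) <= budget_seconds:
        n += 1
    return n


def comparison(length: int = 8, alphabet: int = ALPHABETS["printable ASCII"]) -> dict:
    """Exhaustive-search time for the slide's length-8 case on each quoted device."""
    space = keyspace(alphabet, length)
    return {device: humanize(seconds_to_exhaust(space, rate)) for device, rate in RATES.items()}


if __name__ == "__main__":
    for device, time_needed in comparison().items():
        print(f"{device:32s} {time_needed}")
    # These rates are for NTLM, a fast hash; a deliberately slow scheme lowers them by orders of magnitude.
    print("length needed to survive one year on the GPU cluster:",
          minimum_length(ALPHABETS["printable ASCII"], RATES["25x AMD Radeon HD 6990 cluster"], YEAR))
```

95^8 at 350 billion per second is about 5.3 hours, consistent with the slide's "six hours"; the same space takes the quad-core i5 roughly 21 years, which is the gap the section title is about.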

Contenu connexe

Tendances

อาชญากรรมทางคอมพิวเตอร์และกฎหมายที่เกี่ยวข้อง
อาชญากรรมทางคอมพิวเตอร์และกฎหมายที่เกี่ยวข้องอาชญากรรมทางคอมพิวเตอร์และกฎหมายที่เกี่ยวข้อง
อาชญากรรมทางคอมพิวเตอร์และกฎหมายที่เกี่ยวข้องjiranut
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Python 3.3 チラ見
Python 3.3 チラ見Python 3.3 チラ見
Python 3.3 チラ見Toru Furukawa
 
07 application security fundamentals - part 2 - security mechanisms - data ...
07   application security fundamentals - part 2 - security mechanisms - data ...07   application security fundamentals - part 2 - security mechanisms - data ...
07 application security fundamentals - part 2 - security mechanisms - data ...appsec
 

Tendances (7)

อาชญากรรมทางคอมพิวเตอร์และกฎหมายที่เกี่ยวข้อง
อาชญากรรมทางคอมพิวเตอร์และกฎหมายที่เกี่ยวข้องอาชญากรรมทางคอมพิวเตอร์และกฎหมายที่เกี่ยวข้อง
อาชญากรรมทางคอมพิวเตอร์และกฎหมายที่เกี่ยวข้อง
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint Security
 
Stu r33 b (2)
Stu r33 b (2)Stu r33 b (2)
Stu r33 b (2)
 
Python 3.3 チラ見
Python 3.3 チラ見Python 3.3 チラ見
Python 3.3 チラ見
 
Iam r31 a (2)
Iam r31 a (2)Iam r31 a (2)
Iam r31 a (2)
 
GraphQL, l'avenir du REST ?
GraphQL, l'avenir du REST ?GraphQL, l'avenir du REST ?
GraphQL, l'avenir du REST ?
 
07 application security fundamentals - part 2 - security mechanisms - data ...
07   application security fundamentals - part 2 - security mechanisms - data ...07   application security fundamentals - part 2 - security mechanisms - data ...
07 application security fundamentals - part 2 - security mechanisms - data ...
 

En vedette

Astec Australia - Mobile Underground Mining
Astec Australia - Mobile Underground MiningAstec Australia - Mobile Underground Mining
Astec Australia - Mobile Underground MiningAstec Australia
 
Solving the Mobile Mystery: Tips for Achieving Your Content Goals on an Evolv...
Solving the Mobile Mystery: Tips for Achieving Your Content Goals on an Evolv...Solving the Mobile Mystery: Tips for Achieving Your Content Goals on an Evolv...
Solving the Mobile Mystery: Tips for Achieving Your Content Goals on an Evolv...Taboola
 
Creating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemCreating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemAzharul Haque Shohan
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Troubleshooting Complex Performance issues - Oracle SEG$ contention
Troubleshooting Complex Performance issues - Oracle SEG$ contentionTroubleshooting Complex Performance issues - Oracle SEG$ contention
Troubleshooting Complex Performance issues - Oracle SEG$ contentionTanel Poder
 
Risk management in banking sector project report mba finance
Risk management in banking sector project report mba financeRisk management in banking sector project report mba finance
Risk management in banking sector project report mba financeBabasab Patil
 

En vedette (7)

Astec Australia - Mobile Underground Mining
Astec Australia - Mobile Underground MiningAstec Australia - Mobile Underground Mining
Astec Australia - Mobile Underground Mining
 
Solving the Mobile Mystery: Tips for Achieving Your Content Goals on an Evolv...
Solving the Mobile Mystery: Tips for Achieving Your Content Goals on an Evolv...Solving the Mobile Mystery: Tips for Achieving Your Content Goals on an Evolv...
Solving the Mobile Mystery: Tips for Achieving Your Content Goals on an Evolv...
 
Cryptography With PHP
Cryptography With PHPCryptography With PHP
Cryptography With PHP
 
Creating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemCreating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login System
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Troubleshooting Complex Performance issues - Oracle SEG$ contention
Troubleshooting Complex Performance issues - Oracle SEG$ contentionTroubleshooting Complex Performance issues - Oracle SEG$ contention
Troubleshooting Complex Performance issues - Oracle SEG$ contention
 
Risk management in banking sector project report mba finance
Risk management in banking sector project report mba financeRisk management in banking sector project report mba finance
Risk management in banking sector project report mba finance
 

Similaire à PDX Tech Meetup - The changing landscape of passwords

Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly:  Common Mistakes People Make When Using Cry...How to Use Cryptography Properly:  Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...All Things Open
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligencePriyanka Aash
 
Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy BilykSecurity Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy BilykNazar Tymoshyk, CEH, Ph.D.
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsGreat Wide Open
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
 
Угадываем пароль за минуту
Угадываем пароль за минутуУгадываем пароль за минуту
Угадываем пароль за минутуPositive Hack Days
 
High Secure Password Authentication System
High Secure Password Authentication SystemHigh Secure Password Authentication System
High Secure Password Authentication SystemAkhil Nadh PC
 
Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsJohn Congdon
 
Duplicates everywhere (Kiev)
Duplicates everywhere (Kiev)Duplicates everywhere (Kiev)
Duplicates everywhere (Kiev)Alexey Grigorev
 
String Comparison Surprises: Did Postgres lose my data?
String Comparison Surprises: Did Postgres lose my data?String Comparison Surprises: Did Postgres lose my data?
String Comparison Surprises: Did Postgres lose my data?Jeremy Schneider
 
Inspec one tool to rule them all
Inspec one tool to rule them allInspec one tool to rule them all
Inspec one tool to rule them allKimball Johnson
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authenticationFrank Denis
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking MethodsDavid Barroso
 
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the thingsDefcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the thingsclaudijd
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2Iftach Ian Amit
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 

Similaire à PDX Tech Meetup - The changing landscape of passwords (20)

Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly:  Common Mistakes People Make When Using Cry...How to Use Cryptography Properly:  Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat Intelligence
 
Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy BilykSecurity Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
 
Угадываем пароль за минуту
Угадываем пароль за минутуУгадываем пароль за минуту
Угадываем пароль за минуту
 
High Secure Password Authentication System
High Secure Password Authentication SystemHigh Secure Password Authentication System
High Secure Password Authentication System
 
Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just Passwords
 
Duplicates everywhere (Kiev)
Duplicates everywhere (Kiev)Duplicates everywhere (Kiev)
Duplicates everywhere (Kiev)
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
String Comparison Surprises: Did Postgres lose my data?
String Comparison Surprises: Did Postgres lose my data?String Comparison Surprises: Did Postgres lose my data?
String Comparison Surprises: Did Postgres lose my data?
 
LOGGING FOR FUN, AND PROFIT
LOGGING FOR FUN, AND PROFITLOGGING FOR FUN, AND PROFIT
LOGGING FOR FUN, AND PROFIT
 
Inspec one tool to rule them all
Inspec one tool to rule them allInspec one tool to rule them all
Inspec one tool to rule them all
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authentication
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking Methods
 
Defcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the thingsDefcon 20 stamp out hash corruption crack all the things
Defcon 20 stamp out hash corruption crack all the things
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 

Dernier

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Dernier (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

PDX Tech Meetup - The changing landscape of passwords

  • 1. Passwords Changing times Two ways forward The Changing Landscape of Passwords Ryan Smith, Ph.D. Data Scientist August 18, 2014 Ryan Smith, Ph.D. Data Scientist The Changing Landscape of Passwords
  • 2. Passwords Changing times Two ways forward Hash Functions Defeating password authentication De
  • 3. nition A hash function is a 'one way' function that scrambles the input so that a) it's infeasible to guess the input from the output, and b) slight changes to the input have a large eect on the output. Input Hashed Output password 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 Password 8be3c943b1609fbfc51aad666d0a04adf83c9d 1234 7110eda4d09e062aa5e4a390b0a572ac0d2c0220 DB+U44@5wK83g*6 df3c73999cc44aabbba6c7167cc8a846a7425f43 Table: Hashes using the SHA-1 algorithm Ryan Smith, Ph.D. Data Scientist The Changing Landscape of Passwords
  • 4. Passwords Changing times Two ways forward Hash Functions Defeating password authentication De
  • 5. nition A hash function is a 'one way' function that scrambles the input so that a) it's infeasible to guess the input from the output, and b) slight changes to the input have a large eect on the output. Input Hashed Output password 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 Password 8be3c943b1609fbfc51aad666d0a04adf83c9d 1234 7110eda4d09e062aa5e4a390b0a572ac0d2c0220 DB+U44@5wK83g*6 df3c73999cc44aabbba6c7167cc8a846a7425f43 Table: Hashes using the SHA-1 algorithm Ryan Smith, Ph.D. Data Scientist The Changing Landscape of Passwords
  • 6. Passwords Changing times Two ways forward Hash Functions Defeating password authentication How do hash functions aect your life? Data integrity Bitcoin All password-based authentication Ryan Smith, Ph.D. Data Scientist The Changing Landscape of Passwords
  • 7. Passwords Changing times Two ways forward Hash Functions Defeating password authentication How do hash functions aect your life? Data integrity Bitcoin All password-based authentication Ryan Smith, Ph.D. Data Scientist The Changing Landscape of Passwords
  • 8. Passwords Changing times Two ways forward Hash Functions Defeating password authentication How do hash functions aect your life? Data integrity Bitcoin All password-based authentication Ryan Smith, Ph.D. Data Scientist The Changing Landscape of Passwords
  • 9-12. How password authentication works
       1. User enters their password
       2. Server computes the hash of their password
       3. Server compares the hashed password to a master list:
          [root@localhost ~]# cat /etc/shadow
          root:$1$flVALfyK$kJfaoYnsAm7/plT3.PCmJ/:15816:0:99999:7:::
          bob:$1$MIyV9col$Up9YON8Z.TI1x37xgFvuO0:15804:0:99999:7:::
          sue:$1$0Iwvz7CA$QOJLfOSJZuSLC19LSFxt1.:15810:0:99999:7
       4. User is authenticated or denied.
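The master list on this slide is a crypt-style shadow file, where each password field is `$id$salt$digest`. As an added example (not from the talk), the Python below parses such lines and audits them the way a defender would: flagging empty passwords and the `$1$` MD5-crypt scheme the dump uses. The root and bob lines are taken from the slide; the svc, guest and daemon lines and the audit rules are this example's own constructions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Scheme ids used in the password field of /etc/shadow entries ($id$salt$digest).
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}
WEAK_SCHEMES = {"MD5-crypt"}  # the $1$ entries in the slide's dump are cheap to brute-force

@dataclass
class ShadowEntry:
    user: str
    scheme: str                 # "" when the account has no usable hash
    salt: str
    digest: str
    last_change: Optional[int]  # days since 1970-01-01, None if unset
    status: str                 # "hashed", "locked" or "empty"
def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow line into fields; the password field is $id$salt$digest."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed shadow line: {line!r}")
    user, pw, last = fields[0], fields[1], fields[2]
    last_change = int(last) if last.isdigit() else None
    if pw == "":                   # no password at all: anyone can log in
        return ShadowEntry(user, "", "", "", last_change, "empty")
    if pw.startswith(("!", "*")):  # locked or non-login account
        return ShadowEntry(user, "", "", "", last_change, "locked")
    parts = pw.split("$")          # ['', id, salt..., digest]
    if len(parts) < 4 or parts[0] != "":
        raise ValueError(f"unrecognised hash format for {user}: {pw!r}")
    scheme = SCHEMES.get(parts[1], f"unknown(${parts[1]}$)")
    salt = "$".join(parts[2:-1])   # yescrypt puts a parameter block before the salt
    return ShadowEntry(user, scheme, salt, parts[-1], last_change, "hashed")
def audit_shadow(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs: empty passwords and weak hash schemes."""
    findings = []
    for line in filter(str.strip, lines):
        entry = parse_shadow_line(line)
        if entry.status == "empty":
            findings.append((entry.user, "no password set"))
        elif entry.status == "hashed" and entry.scheme in WEAK_SCHEMES:
            findings.append((entry.user, f"{entry.scheme}; rehash with SHA-512-crypt or yescrypt"))
    return findings
# Constructed sample: root and bob are the slide's dump, the rest are made up (svc's digest is a placeholder).
SAMPLE_SHADOW = [
    "root:$1$flVALfyK$kJfaoYnsAm7/plT3.PCmJ/:15816:0:99999:7:::",
    "bob:$1$MIyV9col$Up9YON8Z.TI1x37xgFvuO0:15804:0:99999:7:::",
    "svc:$6$Q3v8ZxLp$PLACEHOLDERdigest0123456789abcdefghijklmnopqrstuvwxyz.:16000:0:99999:7:::",
    "guest::16000:0:99999:7:::",
    "daemon:*:15816:0:99999:7:::",
]
```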
  • 13-14. ... because that's where the money is
       How do attackers compromise password lists?
       - SQL injection attacks
       - Cross-site scripting
       - Buffer overflows
       - ...
       Avoid single points of failure: password policies should assume that an attacker has access to the list of hashed master passwords.
  • 15-16. Guess and check
       Example: Suppose the hash of Laura's password is d83f445224a58355b13.
       Password    Hash
       cat         3389fc855f142c3d40f
       fluffy      e1e986bc62f6c988dd
       whiskers    8ae5f0c19282e29f203
       ...         ...
       kitten42    d83f445224a58355b13
       We know that Laura's password was kitten42.
       Danger: These are not hypothetical attacks! John the Ripper and Hashcat are both widely available.
  • 17-20. [Changing times: Enter the GPU / The Cloud] Order of magnitude comparisons
       Definition: Embarrassingly parallel problems scale perfectly with more processor power.
       Device            Cores   NTLM hashes per second
       Intel Core i5     4       5-15 million attempts per second
       NVIDIA GTX 690    3072    12-14 billion attempts per second
  • 21. GPU computing
       A cluster of 25 AMD Radeon HD6990s achieved 350 billion guesses per second using NTLM hashing: a complete search of all eight-character passwords built from uppercase and lowercase letters, digits, and symbols in six hours!
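As an added check on the six-hour figure (not on the slide), taking the alphabet to be the 95 printable ASCII characters:

$$
95^{8} \approx 6.63 \times 10^{15}\ \text{candidates}, \qquad
\frac{6.63 \times 10^{15}}{3.5 \times 10^{11}\ \text{guesses/s}} \approx 1.9 \times 10^{4}\ \text{s} \approx 5.3\ \text{hours},
$$

consistent with the six hours quoted.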
  • 22. Remark: Why run one GPU for 100 hours, when you could run 100 GPUs for one hour?
  • 23-26. [Two ways forward: Repeated hash functions / Third party authentication] Repeated hash functions
       Apply a hash function more than once: SHA1(SHA1(doge)) = SHA1(aa3cca7d...) = 59c77262...
       This is not always such a bad idea; encrypted .dmg files on OS X use 250,000 iterations of SHA1.
  • 27. Let someone else solve the problem for you
       Build your websites to use a third party authentication:
       - OpenID (Google, Yahoo, Twitter)
       - Facebook Connect
       - OAuth 2.0