PDX Tech Meetup - The changing landscape of passwords
1. Passwords
Changing times
Two ways forward
The Changing Landscape of Passwords
Ryan Smith, Ph.D.
Data Scientist
August 18, 2014
Ryan Smith, Ph.D. Data Scientist The Changing Landscape of Passwords
Passwords

Hash Functions

Definition
A hash function is a 'one way' function that scrambles the input so
that a) it's infeasible to guess the input from the output, and b)
slight changes to the input have a large effect on the output.

Input             Hashed Output
password          5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
Password          8be3c943b1609fbfc51aad666d0a04adf83c9d01
1234              7110eda4d09e062aa5e4a390b0a572ac0d2c0220
DB+U44@5wK83g*6   df3c73999cc44aabbba6c7167cc8a846a7425f43
Table: Hashes using the SHA-1 algorithm
How do hash functions affect your life?
Data integrity
Bitcoin
All password-based authentication
Defeating password authentication

How password authentication works
1 User enters their password
2 Server hashes the entered password, using the salt stored in that user's record
3 Server compares the result to the hash in its master list
[root@localhost ~]# cat /etc/shadow
root:$1$flVALfyK$kJfaoYnsAm7/plT3.PCmJ/:15816:0:99999:7:::
bob:$1$MIyV9col$Up9YON8Z.TI1x37xgFvuO0:15804:0:99999:7:::
sue:$1$0Iwvz7CA$QOJLfOSJZuSLC19LSFxt1.:15810:0:99999:7
4 User is authenticated or denied.
In each record, "$1$" names the hash scheme (MD5-crypt), the next field (e.g. "flVALfyK") is that user's salt, and the field after it is the hash; the trailing numbers are password-ageing settings, not secrets. The server stores the hash, never the password itself.
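The four steps above, as an added example in Python that is not part of the talk: a small master list in a shadow-style layout, a salted and iterated hash (PBKDF2-HMAC-SHA256 from the standard library, standing in for the MD5-crypt of the slide), and a verify routine that compares in constant time. The record format, the usernames, passwords and fixed salts are all constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Record layout used in this example. It copies the "$id$salt$hash" shape of
# /etc/shadow but is NOT a real crypt(3) scheme; the "pbkdf2-sha256"
# identifier and the field order are this example's own assumptions.
#   $pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>
SCHEME = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 100_000


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Enrolment: hash the password with a fresh, per-user random salt.

    Salting means two users with the same password get different records,
    and an attacker holding the list cannot reuse one table of precomputed
    hashes against every user.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"${SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> tuple[int, bytes, bytes]:
    """Split a record into (iterations, salt, expected digest)."""
    empty, scheme, iterations, salt_hex, hash_hex = record.split("$")
    if empty != "" or scheme != SCHEME:
        raise ValueError(f"unsupported record format: {record[:16]}...")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify(record: str, attempt: str) -> bool:
    """Steps 2-3 of the slide: rehash the attempt with the stored salt and
    iteration count, then compare in constant time so a byte-by-byte
    comparison does not leak how much of the hash matched."""
    iterations, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def load_shadow(text: str) -> dict[str, str]:
    """Read shadow-style lines 'user:record:lastchg:min:max:warn:...' into
    a {username: record} master list. Only the first two fields matter here."""
    users: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, record = line.split(":", 2)[:2]
        users[name] = record
    return users


# A record for a password nobody knows; verifying against it makes a failed
# login for an unknown username cost the same as one for a real user, so
# response time does not reveal which usernames exist.
_DUMMY_RECORD = make_record(os.urandom(32).hex())


def authenticate(users: dict[str, str], username: str, attempt: str) -> bool:
    """Step 1 is the user typing the password; steps 2-4 happen here."""
    record = users.get(username, _DUMMY_RECORD)
    ok = verify(record, attempt)
    return ok and username in users


# Constructed sample master list for this example. The salts are fixed so the
# records are reproducible; real enrolment takes the os.urandom path above.
SAMPLE_SHADOW = "\n".join([
    "root:" + make_record("T0ps3cret!", salt=bytes.fromhex("00112233445566778899aabbccddeeff")) + ":15816:0:99999:7:::",
    "bob:" + make_record("kitten42", salt=bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")) + ":15804:0:99999:7:::",
    "sue:" + make_record("correct horse battery staple", salt=bytes.fromhex("deadbeefdeadbeefdeadbeefdeadbeef")) + ":15810:0:99999:7:::",
])
USERS = load_shadow(SAMPLE_SHADOW)

if __name__ == "__main__":
    for user, pw in [("bob", "kitten42"), ("bob", "Kitten42"), ("nobody", "kitten42")]:
        result = "authenticated" if authenticate(USERS, user, pw) else "denied"
        print(f"{user:8} {pw!r:12} -> {result}")
```

The iteration count is stored inside the record, so it can be raised for new enrolments without invalidating old ones; a login simply reads the count back out and pays whatever cost the record was created with.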
... because that's where the money is

How do attackers compromise password lists?
SQL injection attacks
Cross-site scripting
Buffer overflows
...

Avoid single points of failure
Password policies should assume that an attacker has access to the
list of hashed master passwords.
Guess and check

Example
Suppose the hash of Laura's password is d83f445224a58355b13.
Password   Hash (digests abbreviated)
cat        3389fc855f142c3d40f
fluffy     e1e986bc62f6c988dd
whiskers   8ae5f0c19282e29f203
...        ...
kitten42   d83f445224a58355b13
We know that Laura's password was kitten42.

Danger
These are not hypothetical attacks! John the Ripper and Hashcat
are both widely available.
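Guess-and-check in code, as an added example that is not from the talk: a tiny wordlist with a few mangling rules is run against a constructed list of unsalted SHA-1 hashes, then against the same passwords stored with a per-user salt. The users, passwords, salts and rules are invented for the example; John the Ripper and Hashcat do the same job with far larger rule sets and GPU acceleration.

```python
from __future__ import annotations

import hashlib
from typing import Iterable, Iterator

# Constructed sample: a leaked list of users and their unsalted SHA-1 hashes,
# the scheme of the slide's table. The digests are computed here from known
# plaintexts so the example is self-checking; in a real breach the attacker
# holds only the hex strings.
_PLAINTEXTS = {
    "laura": "kitten42",
    "bob": "Whiskers",
    "sue": "fluffy7",
    "dave": "DB+U44@5wK83g*6",   # strong: no rule below produces it
}
LEAKED_UNSALTED = {u: hashlib.sha1(p.encode()).hexdigest() for u, p in _PLAINTEXTS.items()}

# The same passwords stored with a per-user salt: hash = SHA1(salt || password).
_SALTS = {"laura": b"\x01" * 8, "bob": b"\x02" * 8, "sue": b"\x03" * 8, "dave": b"\x04" * 8}
LEAKED_SALTED = {u: (_SALTS[u], hashlib.sha1(_SALTS[u] + p.encode()).hexdigest())
                 for u, p in _PLAINTEXTS.items()}

WORDLIST = ["cat", "fluffy", "whiskers", "kitten", "password", "dragon"]


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Guess generator: each word as-is, capitalised, and with 0-99 appended.
    A toy stand-in for the mangling rules John the Ripper and Hashcat ship."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        for n in range(100):
            yield f"{word}{n}"


def crack_unsalted(leaked: dict[str, str], wordlist: Iterable[str]) -> tuple[dict[str, str], int]:
    """One pass over the candidates cracks every user at once: index the
    target hashes, hash each guess a single time, look it up. Users who chose
    the same password share a hash and fall together.
    Returns (cracked {user: password}, number of hashes computed)."""
    by_hash: dict[str, list[str]] = {}
    for user, digest in leaked.items():
        by_hash.setdefault(digest, []).append(user)
    found: dict[str, str] = {}
    work = 0
    for guess in candidates(wordlist):
        work += 1
        digest = hashlib.sha1(guess.encode()).hexdigest()
        for user in by_hash.pop(digest, []):
            found[user] = guess
        if not by_hash:
            break
    return found, work


def crack_salted(leaked: dict[str, tuple[bytes, str]], wordlist: Iterable[str]) -> tuple[dict[str, str], int]:
    """With a per-user salt every guess must be rehashed for every user, so
    the work grows with the number of accounts and a precomputed table is
    useless. Weak passwords still fall; they just cost more each."""
    found: dict[str, str] = {}
    work = 0
    for user, (salt, target) in leaked.items():
        for guess in candidates(wordlist):
            work += 1
            if hashlib.sha1(salt + guess.encode()).hexdigest() == target:
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    for label, result in [("unsalted", crack_unsalted(LEAKED_UNSALTED, WORDLIST)),
                          ("salted", crack_salted(LEAKED_SALTED, WORDLIST))]:
        cracked, work = result
        print(f"{label:9} {work:5d} hashes -> {cracked}")
```

The strong password survives both runs, which is the point of the slide: the attack is only as good as the attacker's guesses, and a salt only changes how many times each guess must be hashed.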
Changing times

Enter the GPU

Definition
Embarrassingly parallel problems scale perfectly with more
processor power. Password guessing is one: every candidate can be
hashed independently, so throughput grows linearly with the number
of cores.

Device           Cores   NTLM hashes per second
Intel Core i5    4       5-15 million
NVIDIA GTX 690   3072    12-14 billion
GPU computing
A cluster of 25 AMD Radeon HD 6990s achieved:
350 billion guesses per second using NTLM hashing,
a complete search of all eight-character passwords with upper- and
lower-case letters, digits, and symbols in six hours!
The Cloud

Remark
Why run one GPU for 100 hours, when you could run 100 GPUs
for one hour?
Two ways forward

Repeated hash functions
Apply a hash function more than once:
SHA1(SHA1(doge)) = SHA1(aa3cca7d...)
= 59c77262...
Every guess now costs as many hash evaluations as the iteration count.
The server pays that once per login; the attacker pays it once per
candidate, so a 250,000-fold iteration divides the guess rates on the
GPU slides by 250,000. In practice the iteration is done with a
purpose-built construction (PBKDF2, bcrypt, scrypt) that also mixes in
a salt, rather than by hand-chaining SHA1.
This is not always such a bad idea: encrypted .dmg files on OS X
use 250,000 iterations of SHA1.
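A cost model tying the guess rates on the GPU and cluster slides to the iteration count on this one, as an added example (not from the talk): it turns a guess rate, a password length and alphabet, and an iteration count into the worst-case time to exhaust the keyspace, and inverts that to ask how many iterations a given rate needs. The 95-symbol printable-ASCII alphabet and the rounded guess rates are assumptions drawn from the slides' figures.

```python
import math

SECONDS_PER_HOUR = 3600.0
SECONDS_PER_DAY = 24 * SECONDS_PER_HOUR
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Alphabet sizes; 95 is printable ASCII (26 + 26 + 10 + 33 symbols), the
# "upper- and lower-case letters, digits, and symbols" of the cluster slide.
ALPHABETS = {"lower": 26, "lower+digits": 36, "mixed+digits": 62, "printable": 95}

# Guess rates rounded from the slides; NTLM is one unsalted hash per guess.
RATES = {"Intel Core i5": 10e6, "NVIDIA GTX 690": 13e9, "25 x HD6990 cluster": 350e9}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int,
                       guesses_per_second: float, iterations: int = 1) -> float:
    """Worst-case time to try every password of the given length.

    `guesses_per_second` is the rate for one hash evaluation per guess; a
    scheme that iterates the hash `iterations` times divides that rate by
    the same factor, which is what repeated hashing buys.
    """
    return keyspace(length, alphabet_size) * iterations / guesses_per_second


def iterations_for(length: int, alphabet_size: int,
                   guesses_per_second: float, target_seconds: float) -> int:
    """Smallest iteration count that makes a full search take at least
    target_seconds at the given single-hash guess rate."""
    needed = target_seconds * guesses_per_second / keyspace(length, alphabet_size)
    return max(1, math.ceil(needed))


def describe(seconds: float) -> str:
    """Human-readable duration for the table below."""
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds:.1f} s"
    if seconds < 2 * SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.1f} years"


if __name__ == "__main__":
    print(f"{'device':22} {'8 x printable':>16} {'8 x printable, 250k iter':>26} {'12 x lower':>14}")
    for device, rate in RATES.items():
        print(f"{device:22} "
              f"{describe(seconds_to_exhaust(8, ALPHABETS['printable'], rate)):>16} "
              f"{describe(seconds_to_exhaust(8, ALPHABETS['printable'], rate, 250_000)):>26} "
              f"{describe(seconds_to_exhaust(12, ALPHABETS['lower'], rate)):>14}")
    print("iterations so the cluster needs 10 years for 8 printable chars:",
          iterations_for(8, ALPHABETS["printable"], RATES["25 x HD6990 cluster"], 10 * SECONDS_PER_YEAR))
```

With the cluster's 350 billion guesses per second the 95^8 keyspace falls in about 5.3 hours, matching the slide; at 250,000 iterations the same search takes about 150 years. The model is a worst case for the attacker and a best case for the defender: real attackers try likely passwords first, so the length and alphabet of the policy matter only if users actually fill them.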
Third party authentication

Let someone else solve the problem for you
Build your websites to use a third party authentication provider:
OpenID - Google, Yahoo, Twitter
Facebook Connect
OAuth 2.0
Delegating the login removes the password list from your own
database, but your site still has to protect the sessions and tokens
it receives from the provider.