4. Despite providing access to their online identities, which are becoming more and
more valuable as more and more services are offered online, people are still using
weak and easy to guess passwords.
5. Percentage of security tests where
a corporate network was
compromised because of weak
passwords?
66%
9. How are passwords stored?
- Plaintext
- Encrypted
- Hashed without a salt
- Hashed with a salt
10. Plaintext
Passwords must not be stored in plaintext
In the event that an attacker obtains access to the password database, they will
not need to do any additional work to begin compromising user accounts
Username Password
alice M1ddleEarth
bob Cant0na!
eve L@mbCh0ps
12. Encryption
Encryption requires a secret key to transform the plaintext into unreadable
ciphertext
What to do with the secret key? It needs to be readily accessible to encrypt and
decrypt passwords
13. stored in the application source code?
Both Cisco and Microsoft have had notable failures using reversible encryption
with keys stored in the source code
Microsoft published the key to decrypt passwords stored in Group Policy
Preferences (GPP) XML files. the passwords stored in these files were typically for
privileged administrator accounts
Cisco stored passwords encrypted with a modified Vigenere cipher using a hard-
coded key. these were known as type 7 passwords
14. Stored in the database?
If the attacker has gained access to the encrypted passwords in the database,
then they’ve also gained access to the key
Key
0x64, 0x73, 0x66, 0x64, 0x3b,
0x6b, 0x66, 0x6f, 0x41, 0x2c,
0x2e, 0x69, 0x79, 0x65, 0x77,
0x72, 0x6b, 0x6c, 0x64, 0x4a,
0x4b, 0x44, 0x48, 0x53 , 0x55,
0x42
Username Password
alice 022B555F0F0A0A044D5C1D11
bob 022505551F5601200D
eve 022A2456092507715C5D
15. Hashed without a salt
“A cryptographic hash function is a mathematical algorithm that maps data of
arbitrary size to a bit string of fixed size which is designed to also be a one-way
function, that is, a function which is infeasible to invert”
Wikipedia
16. Hashing vs Encryption
Hashing is very similar to encryption, with the following exceptions:
- hashing does not require a secret key
- hashing produces an output of fixed size
- given the output from a hashing function, it is very difficult to determine the
input
So how do we know that the password provided by a user when they try to log in
is the same as the one held by the application?
19. Not all algorithms are created equal
Some hashing algorithms are better than others
Windows used to store hashes generated using the LM algorithm. these are weak
and easy to “crack”. that is, given the hash it is relatively easy to retrieve the
plaintext password
Windows now stores hashes generated using the stronger NT algorithm
There was a brief period of time where Windows would store both the weaker LM
hash and the stronger NT hash
20. Are we there yet?
If two users select the same password, then the hash stored in the back-end will
also be identical
This can be exploited by pre-computing likely password hashes, and creating
something called a rainbow table, making the cracking process much quicker
Username Password
alice AAD3B435B51404EEAAD3B435B51404EE:857CFB92F16DCD36950FAFEB50BE709A
bob AAD3B435B51404EEAAD3B435B51404EE:A32E692D322A3226DC96B91FB8D86A15
eve AAD3B435B51404EEAAD3B435B51404EE:BEAA54FDADD4C4FA99151798B71009E0
mallory AAD3B435B51404EEAAD3B435B51404EE:BEAA54FDADD4C4FA99151798B71009E0
21. Hashed with a salt
The process is (not surprisingly) very similar to hashing without a salt
A salt is a short random piece of text that is appended to the user’s password
before it is hashed
This makes the creation of rainbow tables infeasible, as it would require huge
amounts of computer memory
23. The best solution
The best solution to the problem (so far) is hashing with a salt
The choice of algorithm is also important…
Username Password
alice $6$ryhYU2VU$n.sUKVAQDVa3dVRJiVNUxVAh3BfClhp6SVfi9MlYnFxzDvTGkKRQJFb7
WOWeWOJmqWHVNhp5VnC/WXm8jNn.J1
bob $6$edUWTiGp$.kBzLOYrfSweOtWRWrkHjWdfGixAM7jg9CD8mDN04nzgpWPpN4WQtsr
sgpJPFXcdaddt5nH2x0nRYdNJ.JuvI0
eve $6$J9CjU1ZD$WLmD6joKMBh5pqvho8Rl620wxk8ch.CfbkZxGrdbwo5qCqfYXePSDlhhM
dk4JIIeQzAC8FQuqlgomh1WDAfOg0
25. Password cracking
Assume that an attacker has the password hashes from a Microsoft Windows
Active Directory domain
To retrieve the plaintext passwords they’ll need to “crack” the hashes
Cracking is the process of generating hashes from a list of possible values and
comparing them to the hashes taken from a breach. if the hash generated
matches any taken from the breach, then you’ve successfully guessed the
password
What is the most efficient way of selecting the passwords to be guessed though?
27. Dictionary
The attacker simply compiles a text file containing commonly used passwords and
passwords from previous data breaches
This is why it’s recommended that your passwords be unique for each user
account
If your password appeared in a previous password dump and you’re using the
same password on another site, then the attackers will likely already have it
28. Hybrid / Rule
The attacker manipulates their list of passwords by:
- changing the case of letters
- prepending and appending digits or symbols
- changing letters around. for example, replacing the letter ‘O’ with the digit ‘0’
29. Markov
Many users will select a password that conform to their native language
By combining common elements that exist within that language, it is possible to
create good password candidates, including “alien” words
For example, the letter ‘q’ is very likely going to be followed by the letter ‘u’, so
“qu” would be a common element
Think of it as being like the predictive text on your phone…
31. Mask
The attacker will next attempt a targeted brute-force attack to try all passwords
that match a given structure
By “structure” we are referring to the types of characters and their ordering
For example, the password “Password123” has a structure of an upper case letter,
followed by seven lower case letters, followed by three digits. This would be
notated as “ulllllllddd”
Many people when asked to include an upper case letter in their password will put
it at the beginning. similarly, when asked to include a digit they will put it at the end
32. Brute-Force
After exhausting all likely passwords, the attacker must resort to brute force
attacks
The attacker is required to exhaustively search across all possible passwords
- aaaaaaaa
- aaaaaaab
- Aaaaaaac
- ...
You want your password to be in this space
33. If you remember one thing from this presentation...
Length trumps complexity when it comes to resisting password attacks
Rather than thinking of a password, think of a
passphrase
36. Password Cracking
The hypothetical Microsoft Windows Active Directory mentioned earlier? that was
the organisation’s domain
The hypothetical attacker? That was the Cyber Security team
What did we learn?
39. Storing Passwords Securely
- Passwords must be hashed – not encrypted
- Random salts must be added to passwords before hashing
- Strong hashing algorithms must be used, such as bcrypt
- Access to password hashes must be restricted to only authorised users
40. Choosing a good password
- Make your password as long as
possible
- Make it a passphrase, rather than a
password
- Include a mixture of different
character classes
- Do not base your password on a
dictionary word
- Capitalising the first letter and
adding a digit or special character
to the end is not sufficient
- Use unique passwords for every
account
- Use a password manager
- Use two factor authentication
When you access an online service that requires you to identify yourself, you are typically prompted for two pieces of information:
A username that acts as your identity for the service; and
A password that proves that you own this identity.
The password allows the service to verify that you are actually who you say you are.
Praetroian – How to Dramatically Improve Corporate IT Security Without Spending Millions (https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Improve%20Corporate%20IT%20Security%20Without%20Spending%20Millions%20-%20Praetorian.pdf)
Praetorian looked at 100 penetration test reports that included an internal network security assessment, across 75 unique organisations. The focus was to identify the most common, recurring security weaknesses that led to a compromise.
Weak passwords were the most common way that networks were compromised, followed by:
2. Broadcast Name Resolution Poisoning
3. Local Administrator Attacks (i.e. pass the hash)
4. Cleartext Passwords Stored in Memory (extracted using Mimkatz, or similar)
5. Insufficient Network Access Controls
Image credit to SMBC.com
An online password attack is when the attacker has access to an online service. They are simply trying to guess your password, while trying to bypass any mitigations in place. For example, account lockouts, etc.
An offline password attack is when the attacker has access to a database breach and is attempting to retrieve credentials to use against an online service. This is much more effective since all of the work can be done without triggering any account lockouts, etc. This is what we’ll be focussing on for the purposes of this presentation.
Occasionally there will be a news story that an online services has been hacked resulting in the disclosure of users’ details.
These details vary depending on the nature of the online service that was hacked and what the hackers were able to access, but can include personal information (DoB, address, etc.), financial information (bank account number, etc.) and authentication information (usernames, password details, etc.).
For the purposes of this discussion, we’ll obviously focus on authentication information.
Screenshot taken from https://haveibeenpwned.com/PwnedWebsites
Very simple. No transformation is made, so the passwords are stored as is.
The Vigenere cipher used by Cisco is a modified Caesar cipher with a different shift at each position in the text; the value of the shift is defined using a repeating keyword. For example, “abc” encrypted with the key “bbb” would be “cde”.
Microsoft published the AES key on MSDN - https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx#endNote2
A script to decrypt the “cpassword” value in gpp.xml files is included in Kali Linux. Detail here - http://tools.kali.org/password-attacks/gpp-decrypt
A script to decrypt (and create) type 7 passwords can be found here - https://www.m00nie.com/2011/09/cisco-type-7-password-decryption-and-encryption-with-perl/
If the back-end database is compromised, then so is the key.
This seems very complicated, but can be easily described with some images.
Hashing, for the purposes of this discussion is similar to encryption.
There’s no key to store, so that fixes the primary weakness of reversible encryption
The output is always a fixed size making it difficult to determine the original password length
It is non-trivial to retrieve the password given its hash
But how then do we know that the password provided by the user is the same as the one held by the application?
The user selects a password, which the application puts through the hashing algorithm to produce a password hash
The password hash is stored
The user supplies their username and password
The password is put through the hashing algorithm
The output from the algorithm is compared to the stored hash for the supplied username
if the two are identical, then the user has submitted the correct username and password combination, and logged in
Cracking is the term given to process of retrieving plaintext passwords given the password hash.
We’ll see why storing both password hashes is bad later.
These are hashes taken from a Windows machine. Everything before the ‘:’ character is the LM hash.
Here they are unused (hence why they are all the same). Everything after the ‘:’ is the NT hash.
We don’t know what kassender’s password, but what can we determine by looking at the password hashes?
They’re the same!
Very similar to how we created and verified a password, but now we add some random junk.
It doesn’t matter that the salt is stored with the hash. It doesn’t need to be kept secret necessarily. It’s simply there to prevent rainbow table attacks.
These hashes were generated on a Linux host using the SHA-512 algorithm. This is what the 6 means. The next short string (for example, ryhYU2VU) is the salt. The final longer string is the hash (for example, n.sUKVAQDVa3dVRJiVNUxVAh3BfClhp6SVfi9MlYnFxzDvTGkKRQJFb7WOWeWOJmqWHVNhp5VnC/WXm8jNn.J).
Extra considerations for password hashing:
You want an algorithm that is unlikely to generate “collisions”. That is, two plaintext values that both create the same hash. For example, if “password” and “really complicated password” create the same hash, then that’s a problem.
You want an algorithm that is quite slow. This seems counter intuitive, but a normal user is likely only to need to hash their password when they create it and when they’re logging in. Having a slower algorithm is unlikely to be noticed normally. However, an attacker trying to crack passwords is likely to really notice the additional time as they will trying many different passwords against the same hash.
Think of cracking as trying to figure out the recipe required to make a cake when you’ve only been given the cake.
It’s impossible to figure out the recipe used to create a cake. Instead you have to try every possible combination of recipes until you get the same cake.
“Alien” words are what my children calls nonsense words. The school uses them to help children read unfamiliar words, and are not actual words, but the blending of various n-grams.
Source: https://xkcd.com/1068/
The key is to choose a password unique to you.
Source: https://xkcd.com/936/