Password Attacks - PowerPoint PPT Presentation

About This Presentation
Title: Password Attacks
Slides: 21
Provided by: knig9
Tags: attacks | password

Transcript and Presenter's Notes

Title: Password Attacks


1
Password Attacks
  • Password Strength
  • Password Schemes
  • Password Cracking

2
References
  • Richard E. Smith, The Strong Password Dilemma,
    Computer Security Journal, 2002,
    http://www.smat.us/sanity/pwdilemma.html
  • Skoudis, Ed., Counter Hack Reloaded: A
    Step-by-Step Guide to Computer Attacks and
    Effective Defenses (2nd Edition), Prentice Hall,
    2005
  • DoD, Password Management Guideline,
    CSC-STD-002-85, 1985

3
Teaching Points
  • Password Strength
  • Unix Passwords
  • Windows Passwords

4
Password Strength
  [figure: image not recovered; only the values 2, 5, 6 survive]
5
Password Strength
  [figure: image not recovered; only the values 2, 6, 0, 8 survive]
6
How important are passwords?
  • Obviously root is important
  • But, I only use this account for laser-printing
    class handouts, so it has a simple password

7
So we need good passwords
8
Why do we think we need all these rules?
  • E.g.
  • Unix DES encrypts passwords 25 times
  • DES has 56 bit keys
  • 2^56 ≈ 7.21 x 10^16
  • At 1000 tries per second: 2.3 million years
  • PRETTY GOOD, EH!

9
But, what is the password space?
  • 4 lower case letters: 26^4 ≈ 4.57 x 10^5 (approx. 7 min)
  • 5 lower case letters: 26^5 ≈ 1.19 x 10^7 (approx. 3.3 hr)
  • 6 lower case letters: 26^6 ≈ 3.09 x 10^8 (approx. 86 hr)
  • 8 lower case letters: 26^8 ≈ 2.09 x 10^11 (approx. 6.6 years)
  • 6 lower/upper/digit characters: 62^6 ≈ 5.68 x 10^10 (approx. 1.8 years)
  • 8 lower/upper/digit characters: 62^8 ≈ 2.18 x 10^14 (approx. 69 years)

10
But, are all passwords just as likely to be used?
  • If we try guessing the most likely ones we can
    work with a smaller search space
  • Dictionary Attack
  • English dictionary
  • Common jargon lists
  • Foreign dictionaries
  • Words from the password file (names, etc.)
  • Permutations of these (0 for o, 3 for e, appended
    numbers, backwards, laughs for laugh, etc.)
  • This space is MUCH smaller!
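The check below is an added example, not code from the slides: it expands a small constructed word list with the permutations this slide names (0 for o, 3 for e, appended numbers, reversal, plural) and rejects any candidate password that lands inside the expanded space, the way a password-quality filter would. The word list, the substitution table and the candidate passwords are all constructed for the example.

```python
# Added example (not from the slides): a password-acceptance check that
# rejects anything inside a mangled dictionary, in the spirit of slide 10.
import itertools

# Constructed sample word list. A real filter would use a full English
# dictionary plus jargon, foreign words and names from the password file.
BASE_WORDS = ["laugh", "secret", "walter", "password", "belgers"]

# Letter substitutions the slide mentions (0 for o, 3 for e) plus a few
# common ones; the table is a constructed assumption.
LEET = {"o": "0", "e": "3", "a": "@", "i": "1", "s": "$"}


def leet_variants(word):
    """Yield every variant with each substitutable letter swapped or kept."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for on, i in zip(mask, positions):
            if on:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def mangle(word):
    """Expand one base word with the slide's permutation rules."""
    word = word.lower()
    # plural, backwards, capitalised and upper-cased forms of the word
    forms = {word, word[::-1], word + "s", word.capitalize(), word.upper()}
    expanded = set()
    for form in forms:
        for variant in leet_variants(form):
            expanded.add(variant)
            # appended numbers: 0..99
            for n in range(100):
                expanded.add(variant + str(n))
    return expanded


def build_dictionary(words=BASE_WORDS):
    """The full search space an attacker of this kind would try."""
    dictionary = set()
    for w in words:
        dictionary |= mangle(w)
    return dictionary


def check_password(candidate, dictionary):
    """Return (accepted, reason) for a proposed password."""
    if len(candidate) < 6:
        return False, "shorter than six characters"
    if candidate in dictionary or candidate.lower() in dictionary:
        return False, "inside the mangled-dictionary space"
    return True, "ok"


if __name__ == "__main__":
    d = build_dictionary()
    print(f"mangled dictionary holds {len(d):,} entries from {len(BASE_WORDS)} words")
    for pw in ("laughs", "s3cret99", "drowssap", "Walter1", "Tr0ub4dor&3"):
        print(f"{pw:12s} -> {check_password(pw, d)}")
```

The point the numbers make is the slide's: a handful of base words turns into tens of thousands of candidates, yet that is still tiny next to the 26^6 or 62^8 spaces on the previous slide, which is why a filter like this rejects more real-world choices than a length rule alone.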

11
Cracking Example
  • 1988 Internet worm
  • Dictionaries:
  • User permutations: 6
  • List of jargon: 432
  • Unix online dictionary: 24,474
  • Null
  • Cracked 50% of the passwords

12
Average Attack Space
  • The average number of tries needed against the
    users in the password database
  • Dictionary size: 24,914
  • On average need to try ½ the entries
  • 50% chance any given password is in the
    dictionary
  • So, 24,914/(2 x 0.5) = 24,914 (≈ 25 sec)

13
More General Results
  • Klein, 1990
  • Dictionary size (base): 60,000
  • Dictionary size (permutations): 3.3 million
  • On average need to try ½ the entries
  • 24.2% chance any given password is in the
    dictionary
  • 3,300,000/(2 x 0.242) ≈ 2^23 (≈ 140 sec)
  • Not so Good!
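The script below is an added example, not code from the slides. It gathers the arithmetic of slides 8, 9, 12 and 13 in one place: brute force is measured by the size of the keyspace, a dictionary attack by the "average attack space" the slides use (dictionary size divided by twice the fraction of users whose password is in the dictionary), and both are converted to an equivalent number of bits so that a policy can be compared with a key length. The 1000 guesses per second rate and the dictionary figures are the slides' own; the time formatting is the example's.

```python
# Added example (not from the slides): keyspace, time-to-exhaust and
# average attack space, expressed in guesses and in equivalent bits.
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def brute_force_seconds(alphabet_size, length, rate=1000):
    """Seconds to try the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def average_attack_space(dictionary_size, hit_fraction):
    """Expected guesses per cracked account for a dictionary attack.

    Half the dictionary is tried on average before a hit, and only
    `hit_fraction` of accounts are in the dictionary at all, so the
    expected cost per success is size / (2 * hit_fraction).
    """
    if not 0 < hit_fraction <= 1:
        raise ValueError("hit_fraction must be in (0, 1]")
    return dictionary_size / (2 * hit_fraction)


def bits(guesses):
    """Express a number of guesses as an equivalent key length in bits."""
    return math.log2(guesses)


def human_time(seconds):
    """Format a duration roughly the way the slides do (min, hr, years)."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < SECONDS_PER_YEAR / 12:
        return f"{seconds / 3600:.1f} hr"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def summary(rate=1000):
    """Rows of (label, keyspace, bits, time) for the policies on slide 9."""
    policies = [("4 lower", 26, 4), ("5 lower", 26, 5), ("6 lower", 26, 6),
                ("8 lower", 26, 8), ("6 alnum", 62, 6), ("8 alnum", 62, 8)]
    rows = []
    for label, a, n in policies:
        k = keyspace(a, n)
        rows.append((label, k, bits(k), human_time(brute_force_seconds(a, n, rate))))
    return rows


if __name__ == "__main__":
    des = keyspace(2, 56)
    print(f"DES key: 2^56 = {des:.2e}, {human_time(brute_force_seconds(2, 56))}")
    for label, k, b, t in summary():
        print(f"{label:8s} {k:12.2e} {b:5.1f} bits  {t}")
    worm = average_attack_space(24_914, 0.50)      # 1988 worm dictionary
    klein = average_attack_space(3_300_000, 0.242)  # Klein 1990
    print(f"1988 worm: {worm:,.0f} guesses = 2^{bits(worm):.1f}")
    print(f"Klein 1990: {klein:,.0f} guesses = 2^{bits(klein):.1f}")
```

Reading the two dictionary results as bits (about 2^14.6 and 2^22.7) next to the 2^56 DES key is the whole argument of these slides: the cipher is irrelevant when the effective search space is set by what people actually choose.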

14
Need to use strong passwords
  • Each password you choose must be new and
    different
  • Passwords must be memorized. If a password is
    written down, it must be locked up
  • Passwords must be at least six characters long,
    and probably longer, depending on the size of the
    password's character set
  • Passwords must be replaced periodically
  • Passwords must contain a mixture of letters (both
    upper- and lowercase), digits, and punctuation
    characters

15
So we need good passwords
16
The Password Dilemma
  • With these strong rules usability fails
  • People can't remember easily
  • Note: when do we have to change passwords?
  • Do we have a new one ready?
  • We are usually at another task
  • We can't see it as we enter it
  • To move from short to long term memory requires
    work
  • We have to sacrifice the attention to the job at
    hand to devote focus to conversion to long term
    memory

17
Alternatives
  • Balanced rules
  • Password tokens/one-time passwords
  • Biometrics
  • ?

18
Unix Passwords
  account:coded password data:uid:gid:GCOS-field:home dir:shell
  gigawalt:fURfuu4.4hY0U:129:129:Walter Belgers:/home/gigawalt:/bin/csh
  • 8 characters plain text
  • 2 bytes salt (4096 possibilities used)
  • DES x 25
  • 11 bytes encrypted + 2 salt = 13 bytes
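The parser below is an added example, not code from the slides: it splits a traditional passwd line into the seven fields the slide names, takes the 13-character crypt(3) string apart into its 2-character salt and 11-character encrypted part, and labels each entry so an audit can find accounts still carrying a legacy DES hash. The gigawalt line is the slide's own example; the second line, the bit order chosen for the 12-bit salt value, and the labels are the example's own assumptions.

```python
# Added example (not from the slides): passwd(5) field parsing and
# dissection of the traditional 13-character DES crypt string.
import re

# crypt(3) encodes 6 bits per character with this 64-symbol alphabet.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

FIELDS = ("account", "coded_password", "uid", "gid", "gcos", "home", "shell")


def parse_passwd_line(line):
    """Split one passwd line into a dict of its seven colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    entry["uid"] = int(entry["uid"])
    entry["gid"] = int(entry["gid"])
    return entry


def split_des_crypt(coded):
    """Return (salt, encrypted_part, salt_value) for a 13-character DES crypt string.

    salt_value is the 12-bit number the two salt characters encode; the
    example takes the first character as the low 6 bits and the second as
    the high 6 bits (an assumption), giving the 4096 values the slide cites.
    """
    if not DES_CRYPT_RE.match(coded):
        raise ValueError("not a traditional 13-character DES crypt string")
    salt, encrypted = coded[:2], coded[2:]
    value = CRYPT_ALPHABET.index(salt[0]) | (CRYPT_ALPHABET.index(salt[1]) << 6)
    return salt, encrypted, value


def classify(coded):
    """Label the password field so legacy DES entries stand out in an audit."""
    if coded in ("", "*", "!", "x"):
        return "shadowed-or-locked"     # x: hash lives in /etc/shadow; *, !: locked
    if coded.startswith("$"):
        return "modular-crypt"          # $1$, $5$, $6$ ... newer hash formats
    if DES_CRYPT_RE.match(coded):
        return "des-crypt"
    return "unknown"


# The slide's own example entry, then a constructed shadowed entry.
SAMPLE = [
    "gigawalt:fURfuu4.4hY0U:129:129:Walter Belgers:/home/gigawalt:/bin/csh",
    "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash",
]


def audit(lines=SAMPLE):
    """Return [(account, classification)] for every passwd line given."""
    return [(e["account"], classify(e["coded_password"]))
            for e in map(parse_passwd_line, lines)]


if __name__ == "__main__":
    entry = parse_passwd_line(SAMPLE[0])
    salt, encrypted, value = split_des_crypt(entry["coded_password"])
    print(entry["account"], "salt", salt, "=", value, "encrypted part", encrypted)
    print(audit())
```

Note that the salt, the only per-user input, is stored in the clear in front of the encrypted part; it stops one precomputed table from serving every account but adds nothing to the secrecy of an individual password.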

19
Windows Passwords
  • SAM database
  • Old LM passwords
  • 14 characters (SPLIT IN TWO!)
  • DES encrypted
  • NT passwords
  • Hashed
  • Not split

20
Teaching Points
  • Password Strength
  • Unix Passwords
  • Windows Passwords