Showing posts from November, 2009

Biometrics Are Not Going to Save Us - Or Get Used to Your Password

Abstract: It generally is taken as common wisdom that one day, everyone is going to switch to biometrics so we can finally get rid of those pesky passwords. This post is an attempt to stave off that future. This isn't because I'm in the password cracking business, (I'm sure horse-buggy salesmen thought that cars were a poor substitute as well). Instead it's because biometrics are a really bad solution. In fact, over the long run, biometrics will make it even easier for an attacker to break your authentication schemes. The rest of this post is an attempt to explain why this is the case, along with some other reasons why you probably shouldn't go out and buy that thumbprint reader quite yet. If Biometrics Are So Bad, Why Do People Still Like Them: Let's face it, passwords suck. This is a blog pretty much devoted to password cracking. I'm aware of the fact that they suck. Passwords are a pain to use, a pain to remember, and pain to make secure. Who doesn't

Analysis of 10k Hotmail Passwords Part 5: Markov Model Showdown

Don't worry; I'm still not done with this data-set. A little over a week ago I received an e-mail from Ilya Sokolov, saying: If I'm getting the numbers right from your graphs - you've got around 3k hashes bruteforced in about 1G guesses. Assuming you used --incremental mode of John, right? I guess you should try --markov too :) How right he is. Ilya went on to send some statistics my way, so I truly do appreciate e-mails like this. Before I talk about the results, first let me back up and spend a little time talking about the incremental and markov modes in John the Ripper. Aren't they both Markov based attacks? -- Ed Note: The following description of how the incremental attack works has been updated since I was incorrect about how JtR used trigraphs. A copy of the original incorrect description can be found in the comments. Well surprisingly yes they are, though they go about it in different ways. The --incremental option actually models the probability of trigra

Installing John the Ripper Version Tutorial

I just upgraded to the newest version of John the Ripper so I decided to make a tutorial out of my experience, (with screen-shots), since it was a fairly time consuming ordeal. It's mostly focused on installing John the Ripper on a Mac OSX Snow Leopard, but you should be able to use most of it when installing it to various flavors of Linux as well. Besides going over the base install, I also tried to cover: Which patches to install, where to find them, and how to apply them Picking the right build options Modifying the Makefile so it actually will install on Snow Leopard Modifying the code so you can use incremental attacks against passwords longer than eight characters long You can find it on my tools page , or by clicking on this link .

Defcon 17 Videos Posted Online

The title says it all. You can get all of the videos here . Just a warning, I may have used some inappropriate language in my talk on password cracking , so you might not want to watch it in front of small children. Also, my writeup of a couple of the talks can be found here , and here if you are having trouble deciding what to watch.