Showing posts with the label password cracking

CCS Paper Part #2: Password Entropy

This is part #2 in a (mumble, cough, mumble) part series of posts discussing the results published in the paper I co-authored on the effectiveness of password security metrics. Part #1 can be found here. I received a lot of insightful comments on the paper since my last post, (one of the benefits of having a slow update schedule), and one thing that stands out is that people really like the idea of password entropy. Here's a good example: “As to entropy, I think it would actually be a good measure of password complexity, but unfortunately there's no way to compute it directly. We would need a password database comparable in size (or preferably much larger than) the entire password space in order to be able to do that. Since we can't possibly have that (there are not that many passwords in the world), we can't compute the entropy - we can only try to estimate it in various ways (likely poor)” First of all I want to thank everyone for their input and support as I really apprec...

New Paper on Password Security Metrics

I'm in Chicago at the ACM CCS conference, and the paper I presented there, "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords", is now available online (Direct Download of PDF / View Online). Since I had the paper and presentation approved through my company's public release office, I was given permission to blog about this subject while the larger issue of my blog is still going through the proper channels. Because of that I'm going to limit my next couple of posts to this subject rather than talking about the CCS conference as a whole, but let me quickly point you to the amazing paper "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis", written by Yinqian Zhang, Fabian Monrose and Michael Reiter. In short, they managed to obtain a great dataset, their techniques were innovative and sound, and there's some really good analysis on how effective password expiration poli...

Carders.cc - General Observations and Updates - Part 3

Digging into this data is like watching an episode of Lost. Whenever it seems like one question gets answered, about ten other questions pop up. Before I get into details, I want to start with a comment Per Thorsheim sent me as to what other password cracking programs support salted sha1 hashes: "The sha1(lowercase_username.password_guess) is at least supported by these: Extreme GPU Bruteforcer (www.insidepro.com); hashcat and oclhashcat (cpu/gpu respectively) www.hashcat.net" I'm kicking myself for not thinking about hashcat, since it's an extremely powerful password cracker; plus it's free. Unfortunately the GPU version doesn't support the salted sha1 hash type, but even the non-GPU version is quite nice. As for InsidePro, it also is very good, though it does cost some money. I've had a license-free version of questionable origin offered to me before, but I turned that down. Legality aside, installing pirated software given to you by shady people at a hacker confe...

Carders.cc - Analysis of Password Cracking Techniques - Part 2

So I figure I probably should get around to looking at the passwords in this list, since password cracking techniques are the focus of this blog... First though, a real quick definition. I needed to decide what to call the various parties involved in this whole shenanigans. For example, when I'm talking about the 'hackers', am I referring to the people collecting stolen credit card data who belonged to the board, or the people who hacked carders.cc? Likewise, if I use the term criminals, that could refer to both groups as well. Therefore, in my blog posts I'm going to use the following terms to refer to the two groups: Carders/Users: the people who belonged to the board. Normally I would also use the term 'victims', but I don't want to honor them with that title. Hackers/Attackers: the people who broke into the forum and posted the data online. Ok, now that we have that out of the way, the rest of this post is going to be broken up into four parts: Executi...

They'll Let Anyone Graduate: My Password Cracking Dissertation

You've all heard me complain/stress out about writing my dissertation, so now that it's done of course I'm going to post it online. My Ph.D. dissertation, "Using Probabilistic Techniques to Aid in Password Cracking Attacks", is available for download from my tools page here. A lot of it is going to look fairly familiar if you've seen my talks or been reading this blog, which makes sense since my dissertation is a summary of what I've been up to for the last three years. Here's a quick breakdown of what's in it: Chapter 1: Overview + background info: the need for password cracking; general terms and techniques; obtaining the datasets, and basic statistics about the datasets; a quick survey of common password hashes and popular password cracking tools. Chapter 2: Brute Force Attacks: 95% of it I've talked about on this blog before; the remaining 5%, which I really should post an entry on, is a comparison of a targeted brute force attack against a pure Ma...

Optimizing JtR's Single Mode Follow Up

Over at the John the Ripper mailing list, (I'm sure you already belong to it, right?!), SolarDesigner, the creator of JtR, raised the following question about the re-ordered Single Mode rule-set I released last night: "It is not clear whether you have full (or any) separation between your training and test sets when you re-order the rules. (You do say that you have such separation for your "UnLock" test, but that's another one.) In other words, the improvement from "Original Single Rules" to "Edited Single Version 2" that you've demonstrated might be partially attributable to you training (re-ordering) the rules on the same set that you later test them on." It's a valid question and it's something I've worried about myself. Referring back to my original post: For the target set, the RockYou list seemed like an obvious choice. I actually used a subset of the RockYou list of one million passwords I designated for training purposes, (t...

Optimizing John the Ripper's "Single" Mode for Dictionary Attacks

While I've been doing a lot of analysis, I figure it's been a while since I actually released anything. That obviously needs to change. As one small step in the right direction, I decided to optimize John the Ripper's "Single" mode word mangling rules for use in normal dictionary based attacks. If you don't want to read through the rest of this post on my methodology, you can grab the new rule-set right here. To make use of it in a cracking session, simply enter the flag: -rules=Modified_Single For a more detailed explanation of what I did, please read on. The Problem: First of all, did you know that starting with John the Ripper version 1.7.4 you can have multiple rulesets in the same john.conf config file? Also SolarDesigner added several new mangling rules, (such as the ability to insert/append whole strings), and increased the speed at which the mangling rules generate guesses. I know the current 1.7.5 branch is still not considered the stable version,...

Even More Markov Modeling: What's in a Probability?

I've twice gotten into heated debates, (and I remember the count since I still find it weird that I've gotten into arguments about this), over the fact that there are no universal letter frequency probability values for the English language. Both times I stumbled into this argument by answering the question, "So, do passwords match letter frequency analysis of the English language as a whole?", by replying, "Well, it depends on what training set you use to calculate the probabilities of the English language, but for the most part, yes". In reality I should have just said, "For the most part yes..." Letter frequency analysis, and its big brother Markov models, depend entirely on their training sets. This means that while different training sets may share common characteristics, there is no one LFA, or Markov set of probabilities, that perfectly models the English, (or any other), language. But what about those tables Wikipedia posted? Well, they are based on a study in 1...

More Analysis of the Rockyou Password List - Strong Passwords

So it's been an interesting last couple of days. First of all, it's a bit amazing how popular the Rockyou list has become after it was mentioned in the New York Times article. While I'm not going to provide a link, let's be honest, if you can't find it, you are not looking. The thing that keeps going through my head is that we may have just narrowly missed having a black swan event, (Ok, Mr. O'Conner just posted about those in his blog so the term is stuck in my head, even though I'm using it wrong.) Can you imagine what would have happened if the public RockYou list had contained e-mail addresses? While lists of this size have been distributed before, (and black hats have been able to obtain the whole list + email addresses), I really don't know what a public disclosure of a list this size containing e-mail addresses and passwords would be like. It probably won't lead to an internet apocalypse, but we would have people looking up friends/co-wo...