Message-ID: <CANnLRdhuSpEHUC9jFSWOefRdHVA=BuOA-n+S7PT5yr=PZVJSDg@mail.gmail.com>
Date: Wed, 6 Jun 2012 10:30:57 -0600
From: Stephen John Smoogen <smooge@...il.com>
To: john-users <john-users@...ts.openwall.com>
Subject: Methods to test password security: fast hashes

Ok, if the stories are true, there is a list of 6 million SHA1 hashes taken from LinkedIn somewhere. I don't know where this site is and I don't have a copy of them, but it does give a way to test your site's local security.

These sorts of fast hashes are a boon to an attacker, and as a defender you need to take advantage of them in the standard game of catchup. Password reuse is a large problem not just where Alexis uses her password 'Q1w@...4t%yasdfG' at multiple sites because she thinks it is unique, but because Bob and Charlie also thought this password was unique and it passed various tests for being a long strong password. You as a site administrator need to figure out where these common words are and to get users not to use them, because even if you are using Blowfish-crypt or SHA256crypt, your workplace still allows for multiple ways for an attacker to test passwords (VPN, website, webmail, ssh servers, etc.), which means if Q1w@...4t%yasdfG shows up in LinkedIn or BlahBlah sites' list, it will be tested against.

First step, check with your legal department that they feel the following steps are ok and would not get them or you in trouble. IANAL and will not say the following is ok anywhere.

Collecting fast hashes is a good way to figure out which memes and codewords people will use in their passwords in order to remember them. First, they are quick to run a checker against to figure out what kinds of memes and events are being used as password reminders, and they also will show various obfuscators people will use to try and make their passwords unique or to get past various strength checkers.

So if you have a list and find out that people are using 'f451LinkedInbradbury' a lot, then you can have a good idea that 'f451<yourcompanyname>bradbury' may be used at your site. And while the built-in rules for john the ripper are good at finding the high probability ones, they may miss the previous example. However, you can find these 'trending' obfuscators and then do something like

    grep -i rockyou rockyou-dictionary.txt | sed 's/rockyou/abccorp/ig' > testset

Then run testset against your hashes to see if you end up with a lot of matches. In that case, it is time to get people to change their passwords, hopefully to something less guessable.

-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant. You may quote me." —James Stewart as Elwood P. Dowd
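The grep/sed pipeline in the post, carried through as a small self-contained audit script. This is an added example and not code from the post or from John the Ripper; the cracked-password sample, the organisation token `abccorp`, and the local unsalted SHA1 hashes are all constructed here for illustration. It does the two steps the post describes: rewrite the leaked passwords that embed the leak site's name with your own organisation's name (case-insensitively, like `sed 's/.../.../ig'`), then check that test set against your own hash list to measure how many local accounts would fall to the same pattern.

```python
import hashlib
import re

# Constructed sample of passwords already cracked from a public fast-hash
# leak (hypothetical values, not taken from any real dump).
CRACKED_SAMPLE = [
    "f451LinkedInbradbury",
    "linkedin2012!",
    "Summer2012",
    "rockyou123",
    "MyLinkedInPass",
    "LINKEDIN2012!",  # differs only in case; becomes a duplicate after rewriting? no: case of the rest is kept
]


def derive_testset(cracked, leak_token, org_token):
    """Equivalent of `grep -i <leak_token> | sed 's/<leak_token>/<org_token>/ig'`.

    Keeps only passwords that contain the leak site's name (any case),
    replaces every occurrence with the organisation's name, and drops
    exact duplicates while preserving order.
    """
    pattern = re.compile(re.escape(leak_token), re.IGNORECASE)
    seen = set()
    testset = []
    for pw in cracked:
        if not pattern.search(pw):
            continue
        candidate = pattern.sub(org_token, pw)
        if candidate not in seen:
            seen.add(candidate)
            testset.append(candidate)
    return testset


def sha1_hex(password):
    """Unsalted SHA1 of the password, the fast hash the post is about."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_hashes(local_hashes, testset):
    """Return {hash: password} for every local hash hit by the test set.

    One hash computation per candidate is enough because the hashes are
    unsalted: the same password always yields the same digest, which is
    exactly why these fast hashes are so cheap for an attacker to test.
    """
    lookup = {sha1_hex(pw): pw for pw in testset}
    return {h: lookup[h] for h in local_hashes if h in lookup}


# Constructed stand-in for your own site's hash dump (hypothetical accounts).
LOCAL_HASHES = [
    sha1_hex("f451abccorpbradbury"),   # reused pattern, only the site name swapped
    sha1_hex("correct horse battery"),  # unrelated, should not match
]


def match_rate(local_hashes, testset):
    """Fraction of local hashes that the derived test set recovers."""
    if not local_hashes:
        return 0.0
    return len(audit_hashes(local_hashes, testset)) / len(local_hashes)


if __name__ == "__main__":
    ts = derive_testset(CRACKED_SAMPLE, "linkedin", "abccorp")
    print("test set:", ts)
    hits = audit_hashes(LOCAL_HASHES, ts)
    print("hits:", hits)
    print("match rate: %.0f%%" % (100 * match_rate(LOCAL_HASHES, ts)))
```

A high match rate from a test set like this is the signal the post describes: the pattern is trending across sites, so the affected accounts should be rotated and the obfuscator added to your local blocklist or to the rules you run against new passwords.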