Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANnLRdhuSpEHUC9jFSWOefRdHVA=BuOA-n+S7PT5yr=PZVJSDg@mail.gmail.com>
Date: Wed, 6 Jun 2012 10:30:57 -0600
From: Stephen John Smoogen <smooge@...il.com>
To: john-users <john-users@...ts.openwall.com>
Subject: Methods to test password security: fast hashes

Ok if the stories are true, there is a list of 6 million SHA1 hashes
taken from LinkedIn somewhere. I don't know where this site is and I
don't have a copy of them, but it does give a way to test your sites
local security. These sorts of fast hashes are a boon to an attacker,
and as a defender need to be taken advantage of in the standard game
of catchup.

Password reuse is a large problem not just where Alexis uses her
password 'Q1w@...4t%yasdfG' at multiple sites because she thinks it is
unique, but because Bob and Charlie also thought this password was
unique and it passed various tests for being a long strong password.
You as a site administrator need to figure out where these common
words are and to get users not to use them because even if you are
using Blowfish-crypt or SHA256crypt, your work place still allows for
multiple ways for an attacker to test passwords (VPN, website,
webmail, ssh servers, etc) which means if Q1w@...4t%yasdfG shows up in
LinkedIn or BlahBlah sites list, it will be tested against.

First step, check with your legal department that they feel the
following steps are ok and would not get them or you in trouble. IANAL
and will not say the following is ok anywhere.

Collecting fast hashes is a good way to figure out which memes and
codewords people will use in their passwords in order to remember
them. First they are quick to run a checker against to figure out what
kinds of memes and events are being used as password reminders, and
they also will show various obsfuscators people will use to try and
make their password's unique or to get past various strength checkers.
So if you have a list and find out that people are using
'f451LinkedInbradbury' a lot then, you can have a good idea that
'f451<yourcompanyname>bradbury' may be used at your site. And while
the built in rules for john the ripper are good at finding the high
probability ones, they may miss the previous example. However you can
find these 'trending' obsfuscators and then do something like

grep -i rockyou rockyou-dictionary.txt | sed 's/rockyou/abccorp/ig' > testset

Then run testset against your hashes to see if you end up with a lot
of matches. In that case, it is time to get people to change their
passwords, hopefully to something less guessable.



-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.