Message-ID: <1339004712.86895.YahooMailNeo@web120702.mail.ne1.yahoo.com>
Date: Wed, 6 Jun 2012 10:45:12 -0700 (PDT)
From: NeonFlash <psykosonik_frequenz@...oo.com>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: Methods to test password security: fast hashes

Thank you for this interesting post.

According to me, what you have stated is an extension to the Password Pattern Recognition Ability.

To get away with the nagging password policies of corporates and websites, users often try to come up with schemes that will help them choose a password as soon as possible. This is most common in corporate organizations where the employees are forced to change their password every 1 month, 3 months and so on. And when they need to access various sites within their network, each having its own password scheme, they try to come up with a pattern. A pattern which they can reuse.

Password padding is often used to get away with the enforced password policies. Sometimes, password policies, though enforced to make the users pick longer and stronger passwords, end up making the users choose predictable patterns. This makes it easier for the attackers.

Fast hashes are a great way to compile the list of real-life passwords, and then statistical analysis can be performed on them. There are still a lot of intelligent users out there who choose patterns which are not yet guessable, which are not yet implemented in the form of rules in john.

________________________________
From: Stephen John Smoogen <smooge@...il.com>
To: john-users <john-users@...ts.openwall.com>
Sent: Wednesday, June 6, 2012 10:00 PM
Subject: [john-users] Methods to test password security: fast hashes

Ok, if the stories are true, there is a list of 6 million SHA1 hashes taken from LinkedIn somewhere. I don't know where this site is and I don't have a copy of them, but it does give a way to test your site's local security.

These sorts of fast hashes are a boon to an attacker, and as a defender need to be taken advantage of in the standard game of catch-up. Password reuse is a large problem not just where Alexis uses her password 'Q1w@...4t%yasdfG' at multiple sites because she thinks it is unique, but because Bob and Charlie also thought this password was unique and it passed various tests for being a long strong password. You as a site administrator need to figure out where these common words are and to get users not to use them because even if you are using Blowfish-crypt or SHA256crypt, your workplace still allows for multiple ways for an attacker to test passwords (VPN, website, webmail, ssh servers, etc.) which means if Q1w@...4t%yasdfG shows up in LinkedIn or BlahBlah sites list, it will be tested against.

First step, check with your legal department that they feel the following steps are ok and would not get them or you in trouble. IANAL and will not say the following is ok anywhere.

Collecting fast hashes is a good way to figure out which memes and codewords people will use in their passwords in order to remember them. First they are quick to run a checker against to figure out what kinds of memes and events are being used as password reminders, and they also will show various obfuscators people will use to try and make their passwords unique or to get past various strength checkers. So if you have a list and find out that people are using 'f451LinkedInbradbury' a lot, then you can have a good idea that 'f451<yourcompanyname>bradbury' may be used at your site. And while the built-in rules for john the ripper are good at finding the high probability ones, they may miss the previous example. However you can find these 'trending' obfuscators and then do something like

    grep -i rockyou rockyou-dictionary.txt | sed 's/rockyou/abccorp/ig' > testset

Then run testset against your hashes to see if you end up with a lot of matches. In that case, it is time to get people to change their passwords, hopefully to something less guessable.

-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance." Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant. You may quote me." —James Stewart as Elwood P. Dowd
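Smoogen's grep/sed step, generalized into a small audit script (an added example, written by neither poster): it swaps the leaked site's name for your own while keeping each user's prefix, suffix and casing, tallies those affixes as the "trending obfuscators", and checks the resulting test set against a raw SHA-1 store. The cracked list, the hash store and the names linkedin/abccorp are constructed for illustration.

```python
import hashlib
import re
from collections import Counter

# Constructed sample of cracked plaintexts from a leaked unsalted-SHA1 list
# (illustrative values only, not real leaked data).
SAMPLE_CRACKED = [
    "f451LinkedInbradbury",
    "linkedin2012!",
    "LINKEDIN123",
    "Summer2012",
    "ilovelinkedin",
    "LinkedIn!!",
]

def _match_case(template, word):
    """Re-case word to follow template: ALLCAPS, Capitalized or lowercase."""
    if template.isupper():
        return word.upper()
    if template[:1].isupper():
        return word[:1].upper() + word[1:].lower()
    return word.lower()

def retarget(cracked, leaked_site, your_site):
    """Keep only passwords containing leaked_site (any case) and swap that
    token for your_site, preserving the user's prefix/suffix and casing."""
    pat = re.compile(re.escape(leaked_site), re.IGNORECASE)
    return [pat.sub(lambda m: _match_case(m.group(0), your_site), pw)
            for pw in cracked if pat.search(pw)]

def affix_trends(cracked, leaked_site):
    """Count the (prefix, suffix) pairs wrapped around the site name: these
    are the 'trending obfuscators' worth turning into john rules."""
    pat = re.compile(re.escape(leaked_site), re.IGNORECASE)
    trends = Counter()
    for pw in cracked:
        m = pat.search(pw)
        if m:
            trends[(pw[:m.start()], pw[m.end():])] += 1
    return trends

def audit_sha1(candidates, local_hashes):
    """Return candidates whose unsalted SHA-1 hex digest is in local_hashes.
    Only meaningful for a raw SHA-1 store; for salted or slow hashes feed
    the candidate list to john as a wordlist instead."""
    local = {h.lower() for h in local_hashes}
    return [c for c in candidates
            if hashlib.sha1(c.encode()).hexdigest() in local]
```

Call `retarget(SAMPLE_CRACKED, "linkedin", "abccorp")` to build the test set, then `audit_sha1(test_set, your_hex_digests)` to see which local accounts reused a leaked pattern.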