Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1339004712.86895.YahooMailNeo@web120702.mail.ne1.yahoo.com>
Date: Wed, 6 Jun 2012 10:45:12 -0700 (PDT)
From: NeonFlash <psykosonik_frequenz@...oo.com>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: Methods to test password security: fast hashes

Thank you for this interesting post.

According to me, what you have stated is an extension to the Password Pattern Recognition Ability.

To get away with the nagging password policies of corporates, websites, users often try to come up with schemes that will help them choose a password as soon as possible. This is most common in the Corporate Organizations where the employees are forced to change their password every 1 month, 3 months and so on. And when they need to access various sites within their network, each having its own password scheme, they try to come up with a pattern. A pattern which they can reuse.

Password Padding is often used to get away with the Enforced Password Policies. Sometimes, password policies though enforced to make the users pick longer and stronger password end up making the users choose predictable patterns.

This makes it easier for the attackers. Fast hashes are a great way to compile the list of real life passwords, and then statistical analysis can be performed on them.

There are still a lot of intelligent users out there who choose patterns which are not yet guessable, which are not yet implemented in the form of rules in john.


________________________________
 From: Stephen John Smoogen <smooge@...il.com>
To: john-users <john-users@...ts.openwall.com> 
Sent: Wednesday, June 6, 2012 10:00 PM
Subject: [john-users] Methods to test password security: fast hashes
 
Ok if the stories are true, there is a list of 6 million SHA1 hashes
taken from LinkedIn somewhere. I don't know where this site is and I
don't have a copy of them, but it does give a way to test your sites
local security. These sorts of fast hashes are a boon to an attacker,
and as a defender need to be taken advantage of in the standard game
of catchup.

Password reuse is a large problem not just where Alexis uses her
password 'Q1w@...4t%yasdfG' at multiple sites because she thinks it is
unique, but because Bob and Charlie also thought this password was
unique and it passed various tests for being a long strong password.
You as a site administrator need to figure out where these common
words are and to get users not to use them because even if you are
using Blowfish-crypt or SHA256crypt, your work place still allows for
multiple ways for an attacker to test passwords (VPN, website,
webmail, ssh servers, etc) which means if Q1w@...4t%yasdfG shows up in
LinkedIn or BlahBlah sites list, it will be tested against.

First step, check with your legal department that they feel the
following steps are ok and would not get them or you in trouble. IANAL
and will not say the following is ok anywhere.

Collecting fast hashes is a good way to figure out which memes and
codewords people will use in their passwords in order to remember
them. First they are quick to run a checker against to figure out what
kinds of memes and events are being used as password reminders, and
they also will show various obsfuscators people will use to try and
make their password's unique or to get past various strength checkers.
So if you have a list and find out that people are using
'f451LinkedInbradbury' a lot then, you can have a good idea that
'f451<yourcompanyname>bradbury' may be used at your site. And while
the built in rules for john the ripper are good at finding the high
probability ones, they may miss the previous example. However you can
find these 'trending' obsfuscators and then do something like

grep -i rockyou rockyou-dictionary.txt | sed 's/rockyou/abccorp/ig' > testset

Then run testset against your hashes to see if you end up with a lot
of matches. In that case, it is time to get people to change their
passwords, hopefully to something less guessable.



-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.