Password Security

From Security Lab Wiki

This lab will illustrate how passwords can be broken and why it is important to choose strong passwords.

This lab requires Windows with admin privileges. The program we are going to run is called Cain (www.oxid.it/cain.html). All of the machines in the lab already have Cain installed on the XP virtual machines. If you are installing it at home, be aware that certain anti-virus programs will delete or block this program. It is NOT malware, but it performs some functions that mimic malware. It is a security testing and educational tool that does many things. Today, we are interested in its password cracking functions.

Cain is set up to crack passwords stored in well known and standard authentication schemes. Examples are Microsoft operating systems and well known databases. We will keep it simple and just attack specific passwords instead of cracking real systems.

Start up Cain, click on the cracker tab. You will see a list of many hashing algorithms; we are only interested in MD5 and SHA 1 and 2. These are the most common hashing algorithms used to store passwords. Of course an attacker might not know what hashing algorithms are used, making it a much more time consuming task.

All you need to know about hashing algorithms for this lab is that it mixes and mashes a password into a set length (MD5=128 bits, 128 bits < SHA < 1024+ bits). The longer the better but it takes much longer to hash a string into 1024 bits than it does for 128 bits. This hash is stored, and when you log in, your password gets hashed and compared to the stored hash. Hashing algorithms have a very low collision rate. A collision means that two different strings (or whatever) get hashed into the same bit order.

As a side note, these are the same algorithms used to hash programs into checksums to verify download integrity.

Before we dive in, write down several passwords that you want to test if you have not already done this. You can test passwords you currently use, or make up new ones. Try to get a mix of what you would consider weak and strong passwords. 3-4 should be sufficient, but feel free to write down more.

Activities

The lab activities are broken up in several parts. Dictionary based attacks, brute-force, weak points in authentication, and methods of strengthening passwords. You may work on this lab in groups of 2. If you aren’t sure how to perform a task, or do not understand what is going on, please ask!

Dictionary Based Attacks

The simplest way to attack a password is by using word lists. A dictionary in this context is just a word list saved as a text file. The terms dictionary and word list are used interchangeably. There are thousands of word lists online covering real words, company names, slang, etc. A good attacker will use as many word lists as he can get a hold of, but that takes a lot of time run. There is a link to these word lists at the beginning of the lab.

We are going to try to crack 2 passwords to start with so you can understand how this process works. The passwords we will use are ‘password’ and ‘password1’. You can use MD5 or SHA, it doesn’t matter, but be consistent!

The first thing to do is get the hash for these passwords. In Cain, go to Tools -> Hash Calculator. In the first box type password and click calculate. You will see a list of hashes, choose MD5(or SHA-x), select the hash and copy. Exit from this dialog box.

On the left hand side or the main window select MD5 or the appropriate SHA size among the list. Right click on the right hand side, select add to list. Copy the hash string into the dialog box and click OK. Repeat this process for ‘password1’, use the same hashing algorithm as in the first word.

We need to add word lists to Cain. Download the word lists at cyberlab/dictionaries.html and save and extract the folder on the desktop. Alternatively, you can go to the links provided above and download as many word lists as you want. Some may need to have .txt appended to the name for Cain to see it. If you do this, your results may be different.

Right click on the first hash entry in Cain. Select dictionary attack. Right click in the dictionary area and click Add to list. A dialog box will appear, naviagate to the dictionary folder and select each of them and click OK. You can keep the options as they are and click Start. The Case Perm option is far more thorough, but it’s orders of magnitude slower.

Select password1 and choose dictionary attack. You have to click reset in the dictionary list so the dictionaries used to crack the first password can be used again. To do this, right click over the dictionary list and select 'reset all initial file positions'. Before starting uncheck the last options box so it doesn’t check for numbers at the end. Run the cracker, hopefully it will not find it. Reset the dictionary, and check the last options box and run it again. It should crack it.

Now, follow these steps for the passwords that you collected. Remember to reset the dictionary after each run. It is a good idea to save the hashes for your collected passwords in a text file. You will be using them at least twice.

Answer questions 1 and 2.

Brute Force Attacks

If dictionary based attacks fail. The attacker will likely try to brute-force their way in. This means that the attacker will use every combination in a range of word lengths and check if it works. For example, if the only allowed characters are a and b (either case), they will try aa, ab, bb, ba, and then use case combinations.

Normally, all letters are allowed, 0-9, and 32 symbols which sums to 94 characters. Based on this the number of combinations is 94x, where X is the length of the passwords. The following table shows the number of combinations based on 94 characters.

Length	Combinations
1	94
2	8,836
3	830,584
4	78,074,896
5	7,339,040,224
6	689,869,781,056
7	64,847,759,419,264
8	6,095,689,385,410,820

As you can see the number grows very quickly. Modern computers are very fast, but can they hash and compare 6,095 trillion strings very fast? What if passwords can be 20 characters long? That is 2,901,062,411,314,618,233,730,627,546,741,369,470,976 combinations by the way (at least according to the Ruby interpreter). How lucky would an attacker have to feel to try that on an average desktop? Of course, most password policies have a lower limit, so an attacker won’t have to bother with the cases that the length is less than that value, but as you can see from the chart, that is relatively few.

Answer questions 3 & 4.

If Cain is not started, start it up and click on the cracker tab. Since Cain already cracked the two passwords, we need to start over. Right click and choose remove all. As before find and copy the hash for two passwords. This time we are going to use shorter passwords: secret, and secret1. Right click and choose brute force.

For our purposes we will choose the predefined values, all letters and numbers, not including upper-case. To keep the estimated scan time down choose the max length to be the length of secret, 6 characters. Don’t forget, an attacker won’t know how long your password is, just the predefined max and min lengths. Click start. Look at the estimated time. Is it surprising, given the short range of lengths, and limited characters?

While Cain is chewing on our password, answer question 5.

Now crack secret1, don’t forget to change the range to 7, also change the minimum range to 7, so it only tries all possibilities of length 7. Do you think it will save a significant amount of time?

Look at the estimated time, and answer questions 6 and 7.

If you don’t want to wait around, you can cancel the attack.

Now try to brute force at least of your passwords. For settings, change the charset to all normal keyboard characters (a-zA-Z0-9, and all symbols) with a minimum length of 5(use 1 if the length of the password is < 5) and maximum is 20(use the length +5 if it is longer than that).

Run it and note the estimated time. Answer question 8 and 9 . You can stop Cain unless you want to wait until it cracks it.

Aren’t you glad that most hackers don’t have access to supercomputer clusters? If they did, do you think it would make a big enough difference to matter if the password is sufficiently long? It probably will not, unless the attacker is a vampire or incredibly lucky.

Social Engineering

Another common way to get passwords is to simply ask for them! This is part of an attack called social engineering. These attacks may be in the form of phishing emails, phone calls from the "IT staff", or even in person. Avoiding these attacks are fairly simple if you remember one thing: Anyone who might legitimately need access to your account/data will already have administrator access(commonly called root) and not need it. If this topic has not yet been covered in class it will.

Choosing a good password

Before we talk about choosing a good password it is worth noting that programs that store passwords have mechanisms to help protect your password. Beyond the obvious ones of making sure attackers can’t access the database and enforcing rules(password length, using case, numbers, and symbols) there is another way that helps. It involves attaching other data to the password before hashing it. This is called salting the password. A salt is also saved along with the password, and is usually composed of constant and random data. In stronger password schemes the salt is stored in a different place than the password, but on less critical systems in may be stored in the same database table. There are other methods like hashing the password, then appending the salt and hashing the entire byte string. These different sequences will have to be discovered by the attacker to be successful.

Here is a simple Ruby method that combines static data along with the password and salt to produce a 512 bit string.

 def self.encrypted_password(password,salt)
     hash = "f5g597@r" + Digest::SHA256.hexdigest(password) + "5g56tg"d4Gt45fdgdd45re4234R5445!DF4fh57" 
            + salt
     Digest::SHA512.hexdigest(hash)
  end

So even if an attacker got a hold of the hashed password, it would be very challenging to crack it without the salt and source code, and this snippet is not as good as it could be. Don't worry if you don't understand the above code.

Of course, if your password is simple and the website does not take special care against brute-force and dictionary attacks it doesn't matter if the attacker can get the source code or salt. They will own you easily.

A strong password that is easily remembered (never write down your passwords) but difficult to guess can be tricky. Many people put lots of personal information in publically accessible places such as Facebook and MySpace, attackers can often use this information to more easily guess your password. Email addresses are often used as user names and to make matters worse, people often use the same password for everything. Therefore, if your facebook page has enough clues that someone can guess your password, and your email address is listed, this could lead to identity theft.

Many places offer password resets when just given a valid email address, and if the attacker got into your email account, they now own nearly everything. Banks and other critical institutions are becoming more sophisticated, making it tougher for the bad guys, but is not fool-proof. If that is not bad enough, many businesses have lax employee password standards, so your weak password that is easy to remember can cost your employer a lot as well.

If you have not read the information in the first link please do so now.

Answer the remaining questions.

Questions

Can you give an example of a website implementing a policy that is designed to thwart dictionary based attacks?
Of your list of passwords, how many were cracked? Was it surprising? If you didn't use the case permutation option do you think that might have caused it to crack the password? In other words is your password likely in the dictionaries but you have one or more case changes?
From an attackers perspective what is the problem with brute forcing?
From an end-users point of view, what is the problem with a long password?
Will the scan likely take the entire estimated time? Why or why not?
If the estimated time is more for secret1 than it was for secret, is it significantly longer? What does that say about the importance of password length?
Do the results so far imply anything about the importance of avoiding dictionary based passwords?
How long is the estimated time? If it is in a notation you don’t understand raise your hand for help.
Will this method guarantee to crack the password given enough time? Assume that all characters in the password are not whitespace but otherwise on a standard english-101 keyboard.
You are trying to come up with a strong password. One way is to mutate a favorite poem or song into a password. Assume you are a huge fan of The Cure(who isn't?), so you u following lyrics: “it fades and spins-sing out loud-we all die-laughing into the fire- is it always like this?”*** Come up with a mnemonic based password on this that is not dictionary based and includes numbers and symbols.
If you have those lyrics posted on your MySpace page and is public, do you think that is a problem? Think about if the attacker knows you and your username or is just a random stranger that crossed by your page, but doesn’t have knowledge of any of your usernames, email addresses, etc.
There are third party programs that encrypt and store passwords, either on your system or online. Hopefully, they properly encrypt your passwords, but that means you need to create and remember the passphrase to unlock the encryption. This might be better, since remembering one password is easier than remembering many. It also makes it easier to avoid using the same password in multiple places. Is it really better, or is putting all your security eggs in one basket a bad idea? There is not a right or wrong answer, just give your opinion.

*** Siamese Twins by The Cure – It what was playing when I wrote that question. No, my passwords are not based on this or any Cure song. :)~

Navigation

Password Security

From Security Lab Wiki

Contents

Background Reading

Optional

Other resources

Goals

Learning Objectives

Getting started