The speaker, Rick Redman of KoreLogic, is a professional hacker who is hired by companies to try to break into their systems.
How passwords are stored: Typically when you sign up to some internet site (facebook, blogger, paypal, etc.) you have to enter a username (or email) and password. They store the password on their servers. Usually they run the password through some encryption and store the encrypted password. An example of a simple (crappy) encryption algorithm would be to increase every entry by one. Make every 'a' a 'b', every 'b' a 'c', every 'S' a 'T', every '6' a '7', etc. Here are some examples:

Un-encrypted password | Pencil | Number1Hasher
---|---|---
Encrypted password | Qfodjm | Ovncfs2Ibtifs
There are fewer than a dozen common encryption algorithms. Some are fairly simple (though not nearly as bad as mine) and some are quite complex, but the algorithms are all known and readily available. Usually the simpler algorithms are used, either because the complex ones take more CPU cycles to execute or because the implementer is just lazy.
A couple of years ago a company called "RockYou!" wrote a plug-in for facebook. They asked for your facebook password so they could link in with your facebook friends, interests, etc., and said they would never store the password. Well, it turns out they actually did store it, and they didn't even bother encrypting them. They had horrible security on their own server and someone hacked it using an old, well-known hack (SQL injection?) and got full access. They snooped around and found a file called something like "passwords.txt" which contained 32 million passwords in un-encrypted text format. The hacker posted the file on the net, and hackers around the world downloaded it and went to town. The entries looked something like this:

username | email | password
---|---|---
johnsmith | jsmith@aol.com | pencil
janedoe | janedoe1@myspace.com | 123456
superhasher | hasher1@yahoo.com | onon
Not done yet... Before this the hacker community had a "dictionary" of what they thought were the most common passwords, which they'd use when trying to hack into an encrypted system. An amazing number of people use things like "password", "password1", "pencil", their favorite sports team or college, etc. So there was a dictionary of about 500 words that were tried against every account. The list wasn't that good, so their success rate at cracking passwords was low. But now they had a list of 32 million actual passwords that people used. They piped this into a spreadsheet, found the most common ones, and then updated and vastly improved their dictionary. To illustrate how poor commonly used passwords are, here's the top 10:
- 123456
- 12345
- 123456789
- password
- iloveyou
- princess
- 1234567
- rockyou (hacked website was "rockyou")
- 12345678
- abc123
There are a couple of free tools they recommended: John The Ripper, hashcat, and oclHashcat. John is open source; the other two aren't. oclHashcat is valuable because it uses the GPU instead of the CPU, which is at least two orders of magnitude faster. You feed these tools an encrypted password and some parameters, like the dictionary and what to check for, and they try every combination of password you specified by brute force until they find a match.
What I came away with:
- Never use the same passwords for goof-off accounts (facebook, blogger, etc.) as I do for ones with data I need to protect, e.g. online banking.
- Verify that my "strong" passwords weren't on the list.
- Avoid using any site that has access to your money and forces weak passwords. For instance, RockYou! would not allow special characters.
- Have a better idea of what people commonly do and avoid it:
  - Mix lower and upper case letters, and don't just capitalize the first letter, e.g. "Password".
  - Add numbers, and not just at the front or back, e.g. "password123".
  - They know all the tricks for substituting numbers/special characters for letters, e.g. '3' for 'E', '$' for 'S', '1' for 'I', etc.
  - Horizontal keyboard patterns like "qwertyuiop" (top row) are well known and checked for.
  - Vertical keyboard patterns like "NHY^6yhn" are known too (up in caps, down in lower case).
  - People love putting in dates, e.g. "2011", "Feb2011". These are used especially when they have to change their passwords monthly.
  - Common and uncommon names of people, places, sports teams, etc. are known.
There was a guy last year at DEF CON who built a machine with 6 high-end GPU cards. It could crack any 8-character MD5 password in 2 minutes (or something along those lines...). This is by brute force, i.e. checking every possible combination of characters (6.6 quadrillion for 8 characters) instead of using intelligent search patterns. A longer password stored with bcrypt would take much longer but could still eventually be cracked. The idea is to make it so time-consuming (in terms of CPU cycles) that they'll give up and find easier prey.
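To tie the pieces together, here is an added Python example (mine, not from the talk or KoreLogic) covering the toy shift "encryption" from the storage section, a check against the RockYou top-10 list, the 8-character keyspace from the paragraph above, and what storage that is actually worth something looks like. Assumptions: the shift wraps 'z' to 'a', 'Z' to 'A' and '9' to '0' (the talk doesn't say), and the standard library's PBKDF2-HMAC-SHA256 stands in for bcrypt since it needs no extra package.

```python
import hashlib
import hmac
import os
import string

# The talk's toy "encryption": bump every letter and digit by one
# ('a'->'b', 'S'->'T', '6'->'7'). Wrapping 'z'->'a', 'Z'->'A', '9'->'0' is an
# assumption; the talk does not say what happens at the end of the alphabet.
ALPHABETS = (string.ascii_lowercase, string.ascii_uppercase, string.digits)

def toy_shift(text, step=1):
    out = []
    for ch in text:
        for alphabet in ALPHABETS:
            if ch in alphabet:
                ch = alphabet[(alphabet.index(ch) + step) % len(alphabet)]
                break
        out.append(ch)
    return "".join(out)

def toy_unshift(text):
    # Shifting back by one recovers the password: the stored value hides nothing.
    return toy_shift(text, step=-1)

# The RockYou top-10 list from the talk, embedded here as a tiny "dictionary".
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "1234567", "rockyou", "12345678", "abc123"}

def is_common(password):
    # Crackers try the dictionary in lower case too, so compare case-insensitively.
    return password.lower() in COMMON_PASSWORDS

def brute_force_keyspace(length, charset_size=95):
    # 95 printable ASCII characters, 8 long: the 6.6 quadrillion from the talk.
    return charset_size ** length

# Storage worth something: a random per-user salt plus a deliberately slow hash.
# The talk names bcrypt; PBKDF2-HMAC-SHA256 stands in for it here, and
# ITERATIONS plays the role of bcrypt's cost factor (CPU spent per guess).
ITERATIONS = 100_000

def store_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Because the salt is random, storing the same password twice yields two different records, so the "pipe it into a spreadsheet and count the common ones" trick from the RockYou leak no longer works on the stored values.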