Supercharged Password Cracking Lessons

by Auston Holt, CISSP

I recently attended Rick Redman's talk on password cracking techniques at a meeting of the Open Web Application Security Project (OWASP) local Austin chapter. This presentation held much potential value since passwords are used by almost every application to protect information. As a security professional, I was especially interested because we help enable developers to protect sensitive information through their implementation of sound authentication mechanisms. One such example involves password mechanisms and an analysis of the attack potential needed to defeat them (see the vulnerability assessment activities found in the Common Criteria for Information Technology Security Evaluation). In the interest of spreading good password security practices and banishing the bad ones, I've provided the following digest of key lessons learned from Rick's presentation: “Supercharged Password Cracking Techniques" (full presentation to be made available here):

Top three password cracking lessons:

1. RockYou
   When using password cracking tools (i.e. John the Ripper) to assess security use current password lists/dictionaries from recent real world exploits. The "RockYou" exploit list contains over a million unique user passwords and was emphasized over and over; be sure to google "RockYou" to find and use this list for password cracking.
   
   
2. Stored Hashes
   Stored password hashes are gold. It's not as important to have a password lockout mechanism to kick in after X number of tries, as it is to protect the actual stored password hashes. If an attacker is able to exploit a vulnerability in the system and gain the password hashes, the presence of a lockout mechanism won't matter much. Attackers will be able to attempt to crack passwords offline all day once they gain the password hashes. Again, an assumption has been made that system passwords are stored as hashed values and not in encrypted form (the lone exception being when weak encryption such as DES used).
   
   
3. MD5, SHA-1, and the power of GPUs
   MD5 and SHA-1 hashes are very vulnerable to any attack. A machine set up with 12 graphics cards (total cost around $6K) is able to crack any 8 character MD5/SHA-1 hashed password in 24 hours. Lesson learned- use stronger hashes; SHA-2 and bcrypt were recommended.

More jewels:

4. The big picture: hashes are meant to protect integrity, not confidentiality
   What we are seeing as information security practitioners is a breakdown of confidentiality based on the misuse of hashing. Passwords are being stored as hashes instead of being stored in encrypted form and we're all paying the price. Hashing was never meant to protect the confidentiality of data; this is the goal of encryption.
   
   
5. Use GPUs
   I hinted at this in point number 3: systems utilizing graphics cards (GPUs) are very powerful. GPU based systems should be used in any serious password cracking endeavor because of their relative low cost and raw processing power.
   
   
6. Keep, update, and use your own password dictionary
   In addition to using password lists from real world exploits such as RockYou, keep a running list of your own cracked passwords. The idea is to use real world examples to cut down on the the time it takes for automated tools to "guess" user passwords.
   
   
7. Use, customize, and update your rule sets
   Use, customize, and update the rules sets you feed as input into your tools based on your experiences. Many out-of-the-box configurations for password cracking tools guess only very basic, widely used passwords (google John the Ripper rules for examples).
   
   
8. "Why aren't public sites enforcing password complexity like the corporate world?"
   Unauthorized disclosure of user credentials results in monetary loss, loss of reputation, and more. It makes sense for public facing Internet sites to start enforcing password complexity rules as strict as those in the corporate world.
   
   
9. Use two-factor authentication in authentication systems
   Applications using two factor authentication aren't as susceptible to password cracking since they require another credential in addition to a password. The second credential is often a changing random number displayed on a hand held device (example companies who have done this include: Bank of America, Google, PayPal...).

To sum it up,

• As a user: protect yourself against attacks by using complex, non-dictionary based passwords (examples of what not to use: p@ssword1, B0stonRedSox5, baby2011MyChildsName!…). Better yet, think “passphrase” not “password.”
  
  
• As an information security practitioner: make use of GPU based systems, customized tool rule sets, and password lists posted from recent exploits; and
  
  
• As a developer: protect any stored password hashes dearly by using strong encryption, seek independent security assessments, and ask atsec for help