Password Cracking Prof. Tom Austin San Jos State University How - PowerPoint PPT Presentation

Apr 19, 2023 •236 likes •359 views

CS 166: Information Security Password Cracking Prof. Tom Austin San Jos State University How should you store users' passwords? Reverse-lookup tables A cryptographic hash is irreversible. However, you can make a table of common hashes.

CS 166: Information Security Password Cracking Prof. Tom Austin San José State University
How should you store users' passwords?
Reverse-lookup tables A cryptographic hash is irreversible. However, you can make a table of common hashes. MD5 hash value Password 5ebe2294ecd0e0f08eab7690d2a6ee69 "secret" 084e0343a0486ff05530df6c705c8bb4 "guest" 5f4dcc3b5aa765d61d8327deb882cf99 "password" 482c811da5d5b4bc6d497ffa98491e38 "password123" 0d107d09f5bbe40cade3de5c71e9e9b7 "letmein"
***WARNING*** The passwords.txt file is LARGE. It may kill your text editor. It is still small compared to what serious password crackers use.
Lab: Part 1 Download Cracker.java and passwords.txt from http://www.cs.sjsu.edu/~austin/cs166- spring18/labs/lab08/. What username/password combinations can you identify in input.txt?
Salted hashes • With lookup tables, a single hash allows you to check all passwords for matches. • Using salt values forces the attacker to check each password individually. Salt Password Hash 25c2f2345300e540d4f2b6a86002874e "AE" "secret" 675c17712c444cd7512ceadb29fde6cf "19" "secret" d0633e11f62c38ad06d13545908ee223 "E0" "secret" 5fb6bf90896adb43a2eb625d8e75f9f9 "0B" "secret"
Lab: Part 2 Download inputSalted.txt. These credentials include salt values used in the hash, created by: md5hash(salt+password) Extend Cracker.java to break as many of these passwords as you can. How much slower is this program?
Pepper Value • Salt values slow down an attacker, but an attacker can still get many passwords. • A pepper value is a secret value added to the hash input. • Adding a pepper value requires additional work from the attacker (until it is broken).
Modern Password Hashing • Newer algorithms use key stretching to increase the work required per hash. – The initial key is fed into an algorithm that outputs an enhanced key . • Examples: – Bcrypt – PBKDF2 (Password-Based Key Derivation Function 2)
One Key Stretching Algorithm String hashStretchKey( String password, String salt, String pepper, int workFactor) { String hash = ""; for (int i=0; i<workFactor; i++) { hash = hashFun(hash + salt + pepper + password); } return key; }
Lab: Part 3 Download inputSaltedPeppered.txt. These credentials include salt values used in the hash, along with an unknown pepper value , created by: md5hash(salt+pepper+password) Extend Cracker.java. The pepper value is a number between 1 and 10. How much slower is this program?

Download Presentation

Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Distributed GPU password cracking Alexander Kasabov & Jochem van Kerkwijk System and

Distributed GPU password cracking Alexander Kasabov & Jochem van Kerkwijk System and Network Engineering { akasabov | jkerkwijk } @os3.nl February 2, 2011 Outline Introduction Password cracking Graphics processing unit Distributed

501 views • 16 slides

Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick Gage Kelley, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor,

1.88k views • 85 slides

Password Cracking Sam Martin and Mark Tokutomi CS466/566: Computer Security April 22, 2012 Sam

Introduction Lets Attack A Time-Memory Trade-Off The LanManager Hash Physical Attacks Password Cracking Sam Martin and Mark Tokutomi CS466/566: Computer Security April 22, 2012 Sam Martin and Mark Tokutomi Password Cracking

1.49k views • 76 slides

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by Nunzio Cicone and Hans-Peter Hllwirth Setting Password Attacks Passwords are a notoriously weak authentication mechanism One significant

422 views • 20 slides

Running a FireSim Simulation: Password Cracking on a RISC-V SoC with SHA-3 Accelerators and Linux

Running a FireSim Simulation: Password Cracking on a RISC-V SoC with SHA-3 Accelerators and Linux https://fires.im @firesimproject MICRO Tutorial 2019 Albert Ou Agenda Configure and launch a simulation runfarm Boot Linux interactively

770 views • 28 slides

Reasoning Analytically About Password-Cracking Software Enze Alex Liu, Amanda Nakanishi,

Reasoning Analytically About Password-Cracking Software Enze Alex Liu, Amanda Nakanishi, Maximilian Golla, David Cash, and Blase Ur November 26, 2019 | PasswordsCon | Stockholm, Sweden People Choose Weak Passwords Johnny14! 2 November 26,

2.25k views • 49 slides

Speeding up GPU-based password cracking SHARCS 2012 Martijn Sprengers 1 , 2 Lejla Batina 2 , 3

Speeding up GPU-based password cracking SHARCS 2012 Martijn Sprengers 1 , 2 Lejla Batina 2 , 3 Sprengers.Martijn@kpmg.nl KPMG IT Advisory 1 Radboud University Nijmegen 2 K.U. Leuven 3 March 17-18, 2012 Introduction Background Research Results

389 views • 34 slides

Reasoning Analytically About Password-Cracking Software Enze Alex Liu , Amanda Nakanishi,

Reasoning Analytically About Password-Cracking Software Enze Alex Liu , Amanda Nakanishi, Maximilian Golla, David Cash, Blase Ur Chic4go 2 Attack Model 80d561388725fa74f2d03cd16e1d687c 3 Attack Model 80d561388725fa74f2d03cd16e1d687c

822 views • 81 slides

Cracking Platform Dimitar Pavlov Supervisors : Gerrie Veerman Marc Smeets UvA SNE Master

Distributed Password Cracking Platform Dimitar Pavlov Supervisors : Gerrie Veerman Marc Smeets UvA SNE Master Students Michiel van Veen 08-02-2012 1 The project Research Question : How can a scalable , modular and extensible middleware

357 views • 22 slides

Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay

Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay Brain T2-Hyperintensity Sachs Stem Pelizaeus- B12 Metabolism U-Fibres Merzbacher Hypomyelination T1-Hypointensity CSF Salla LEUKODYSTROPHY

918 views • 62 slides

IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code:

IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code: Value for Money Rickard Mills Council Member, IAPF THANK YOU SPONSOR Cracking the DC Code: Value for Money HOUSEKEEPING Cracking the DC Code:

1.04k views • 54 slides

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides

twenty six diagonal cracking shear f c http://www.bam.de concrete construction:

A RCHITECTURAL S TRUCTURES : Concrete in Compression F ORM, B EHAVIOR, AND D ESIGN ARCH 331 crushing D R. A NNE N ICHOLS vertical cracking S PRING 2018 tension lecture twenty six diagonal cracking shear f c

137 views • 3 slides

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 4 Password Strength & Cracking Roadmap Password Authentication How Passwords are

512 views • 32 slides

Credential Access with Hashcat Dawid Czagan SECURITY INSTRUCTOR @dawidczagan Creator: Jens

Credential Access with Hashcat Dawid Czagan SECURITY INSTRUCTOR @dawidczagan Creator: Jens Steube Hashcat is the no. 1 offline password cracker. It supports different password cracking techniques and many hash algorithms. What's more it

894 views • 19 slides

DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger

DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger Pirk Eleni Petraki Strato Idreos Stefan Manegold Martin Kersten EVALUATING RANGE PREDICATES COMPLEXITY ON PAPER Scanning: O(n) Sorting:

910 views • 43 slides

Attack Frameworks and Tools Pranav Jagdish Betreuer: Nadine Herold Seminar Innovative Internet

Network Architectures and Services, Georg Carle Faculty of Informatics Technische Universitt Mnchen, Germany Attack Frameworks and Tools Pranav Jagdish Betreuer: Nadine Herold Seminar Innovative Internet Technologies and Mobile

584 views • 30 slides

Database cracking Stratos Idreos, Martin Kersten and Stefan Manegold CWI Amsterdam, The

Database cracking Stratos Idreos, Martin Kersten and Stefan Manegold CWI Amsterdam, The Netherlands The open problem - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Dynamic

627 views • 30 slides

Winning The Race Against Winning The Race Against Software Pirates Software Pirates Software

Winning The Race Against Winning The Race Against Software Pirates Software Pirates Software Pirates Software Pirates Next Generation Copy Protection 1 Yours Truly Yours Truly Erik Simon Erik Simon Veteran of the German Development

613 views • 40 slides

Preparation Begets Safe Performance Planning for an Underwater Munitions Investigation 2015 M2S2

Preparation Begets Safe Performance Planning for an Underwater Munitions Investigation 2015 M2S2 Webinar Series April 23, 2015 Former Raritan Arsenal The former Raritan Arsenal covers approximately 3,200 acres of central New Jersey

462 views • 15 slides

Denial of Service A/acks Cunsheng Ding Department of CSE HKUST, Hong Kong Acknowledgements:

Denial of Service A/acks Cunsheng Ding Department of CSE HKUST, Hong Kong Acknowledgements: Materials are taken from the Internet COMP4631 1 Agenda of this lecture Zombie computers, bots, botnets Denial of service (DoS) a/acks

630 views • 45 slides

In collabora*on with IDPF and BISG Session 4: DRM Moderator: Oliver

In collabora*on with IDPF and BISG Session 4: DRM Moderator: Oliver Brooks Gerardo Capiel Minhyung Ko Jim Dovey Valobox Benetech Samsung Kobo Ill talk about general

642 views • 28 slides

Probabilistic Reasoning; Network-based reasoning COMPSCI 276, Spring 2017 Set 1: Introduction

Probabilistic Reasoning; Network-based reasoning COMPSCI 276, Spring 2017 Set 1: Introduction and Background Rina Dechter (Reading: Pearl chapter 1-2, Darwiche chapters 1,3) 1 Example of Common Sense Reasoning Zebra on Pajama : (7:30 pm): I

626 views • 47 slides

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley,

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley, University of Illinois Urbana-Champaign yardley@illinios.edu Introduction Material September 30, 2016 cred-c.org Se Settin ing T The St Stage 1

495 views • 20 slides