EECS 354 Network Security: Passwords and Cryptography
Cracking a Hash
• Modern password hashing (slow, iterated, salted) is effectively uncrackable for random, unpatterned passwords of more than 7 characters
• But, lucky for attackers:
  • Users choose bad passwords
  • Administrators don't use modern hashing methods
Some Examples
• 2013 Adobe breach: at least 28 million passwords encrypted with Triple DES (reversible encryption in ECB mode rather than hashing, so identical passwords produced identical ciphertext)
• 2013 Cupid Media breach: 42 million passwords in plain text
• 2011 Sony PlayStation Network breach: 77 million accounts with passwords and credit card numbers stored in ?
• 2010 Gawker breach: 1 million passwords in DES (the DES-based crypt(3) scheme, which uses only the first 8 characters of the password)
Stolen Passwords
• Eventually, someone usually notices that the database has been compromised
• Before it is noticed, the attacker may already have had:
  • Administrative access? Data tampering? Data collection?
• After the dump leaks:
  • Users reuse passwords, so one cracked password opens accounts elsewhere
  • The database ties each password to identifying info: email, username, real name
  • grep the dump for .gov addresses and other sensitive accounts
  • Leads to more sensitive data: hijacking email and social media accounts
Dictionary Attacks
• Effective against fast general-purpose hash functions used without salt or iteration: MD5, SHA-1, SHA-2, etc.
• Dictionaries vary in size; attackers append, prepend, and mutate dictionary entries
• Lists of real leaked passwords (millions of entries) are also common cracking input
• Password salting: a random per-user value mixed into the hash
  • Defeats precomputed tables, and users with the same password no longer share a hash, so they are not cracked simultaneously
Dictionary Attacks
• Here's one word from your dictionary: password
• With simple operations (case changes, character substitution, appended digits or years) you can crack:
  • password123
  • p4ssw0rd
  • Password
  • Password2014
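The two dictionary-attack slides above describe mangling rules and the effect of salting. The following is an added example, not code from the course slides: it applies a small set of rules (case, leetspeak, suffixes) to a constructed three-word dictionary, cracks a constructed "leaked database" of unsalted MD5 hashes, then repeats the attack against salted hashes to show that the salt forces every candidate to be rehashed for every user. The wordlist, rules, user names and passwords are all made up for the demo.

```python
import hashlib
import os

# Constructed mini dictionary; real attacks use lists of millions of leaked passwords.
WORDLIST = ["password", "letmein", "qwerty"]
# Mangling rules of the kind the slide describes: append digits/years, leetspeak, case.
SUFFIXES = ["", "1", "123", "2014", "!"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})


def mutate(word):
    """Yield candidate passwords derived from one dictionary word."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def md5_hex(data):
    return hashlib.md5(data.encode()).hexdigest()


def crack_unsalted(targets, wordlist=WORDLIST):
    """targets: {user: md5_hex(password)}. Each candidate is hashed once and
    compared against every user at the same time, so users sharing a password
    fall together."""
    by_hash = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest, []).append(user)
    found, tries = {}, 0
    for word in wordlist:
        for cand in mutate(word):
            tries += 1
            for user in by_hash.get(md5_hex(cand), []):
                found[user] = cand
    return found, tries


def crack_salted(targets, wordlist=WORDLIST):
    """targets: {user: (salt_hex, md5_hex(salt_hex + password))}. The per-user
    salt means every candidate has to be rehashed separately for every user."""
    found, tries = {}, 0
    for user, (salt, digest) in targets.items():
        for word in wordlist:
            for cand in mutate(word):
                tries += 1
                if md5_hex(salt + cand) == digest:
                    found[user] = cand
                    break
            if user in found:
                break
    return found, tries


def build_targets(passwords, salted):
    """Constructed 'leaked database' for the demo (not real data)."""
    if not salted:
        return {u: md5_hex(p) for u, p in passwords.items()}
    out = {}
    for u, p in passwords.items():
        salt = os.urandom(8).hex()
        out[u] = (salt, md5_hex(salt + p))
    return out


if __name__ == "__main__":
    leaked = {"alice": "password123", "bob": "password123",
              "carol": "Password2014", "dave": "p4ssw0rd",
              "eve": "correct horse battery staple"}
    for salted in (False, True):
        cracker = crack_salted if salted else crack_unsalted
        found, tries = cracker(build_targets(leaked, salted))
        print(f"salted={salted}: cracked {found} after {tries} hash computations")
```

The unsalted run needs 60 hashes for the whole database regardless of how many users it holds; the salted run pays the full candidate list per uncracked user, which is the cost increase salting buys (real tooling such as hashcat runs these rules on GPUs, so the absolute numbers here are tiny, but the ratio is the point).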
"Good" Hashing
• People don't notice if it takes one second to verify their password
• Method: use a slow, iterated hash (~100,000 iterations, repeatedly applied) with a long random per-user salt
• Standard: PBKDF2
• Alternatives: bcrypt, scrypt (and, more recently, Argon2)
• Strength still varies with password length and character diversity:
  • Brute force: useless for the attacker (huge key space)
  • Dictionary: bad passwords are still bad; a slow hash only raises the cost of each guess
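An added example of the "good hashing" recipe on the slide, written for this page rather than taken from the course: PBKDF2-HMAC-SHA256 from Python's standard library, 100,000 iterations, a 16-byte random salt per user, a self-describing stored record so the iteration count can be raised later, and a constant-time comparison on verify. The record format `pbkdf2_sha256$iterations$salt$digest` is this example's own convention, not a standard.

```python
import hashlib
import hmac
import os
import time

# Work factor chosen per the slide: ~100,000 iterations of HMAC-SHA256.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return algorithm$iterations$salt$digest (hex fields). A fresh random salt
    means two users with the same password get different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count, compare in constant time.
    Any malformed or foreign record fails closed."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iters = int(iters)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(actual, expected)


def guesses_per_second(hash_fn, password="hunter2", rounds=20):
    """Rough throughput measurement to contrast a fast hash with the slow one."""
    start = time.perf_counter()
    for _ in range(rounds):
        hash_fn(password)
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    rec_a = hash_password("password123")
    rec_b = hash_password("password123")
    print(rec_a)
    print("same password, different records:", rec_a != rec_b)
    print("verify correct password:", verify_password("password123", rec_a))
    print("verify wrong password:  ", verify_password("password124", rec_a))
    fast = guesses_per_second(lambda p: hashlib.md5(p.encode()).hexdigest(), rounds=20000)
    slow = guesses_per_second(hash_password)
    print(f"md5: ~{fast:,.0f} guesses/s, PBKDF2: ~{slow:,.0f} guesses/s "
          f"(ratio ~{fast / slow:,.0f}x)")
```

Storing the iteration count in the record is what lets an administrator raise the work factor for new or re-hashed passwords without breaking verification of old ones; the throughput figures printed at the end are machine-dependent, but the ratio between the fast hash and PBKDF2 is the slowdown a dictionary attacker pays per guess.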