Transcription
Password Cracking 101
City of Phoenix
Information Security and Privacy Office
Agenda
- Computer accounts
- Password cracking methods
- Guess how long it takes to crack a password
- Creating a strong password
- Tools for home use
Computer Accounts
Computer Accounts
- Identify you to the computer system or network
- Your permissions to access info and systems are based on your account
Passwords
- Verify that the person logging into the computer system or network is who he claims to be
- In other words, your password says you are the account owner (aka authentication)
Free Bonus Info! Authentication Factors
- Something you know
  – Password
- Something you have
  – Badge, token, digital certificate
- Something you are (biometric)
  – Fingerprint, retina
- More factors = stronger authentication
Why Is a Strong Password Important?
- Like the key to your house, your password is the key to your computer account, your access privileges, and your information
- Passwords provide the first line of defense against unauthorized access
- Strong passwords help protect the confidentiality, integrity, and availability of your information and systems
Strong passwords can't be easily guessed
Strong Passwords Are Not Shared
Are These Strong Passwords?
Strong Passwords Are Easy to Remember
- So you don't have to write them down
Strong Passwords Can't Be Easily Cracked
- Password cracking: using computing technology and power to discover a password
- A typical desktop computer can try between 100,000 and 1 million passwords per second
Making a Strong Password
- Contains a combination of words, numbers, and characters from an easy-to-remember sentence or phrase
- Does not contain words in a dictionary, regardless of the language
- Does not contain a proper name, such as your spouse's name
- Does not contain numbers associated with you in any way, such as your dog's birthday or your child's social security number
Using a Password Strength Checker
"Call me paranoid, but how do we know these sites aren't harvesting the passwords they test?"
- Don't use your actual password
- Use a "test" password with the same number of letters (caps and lower case), numbers, and special characters in the same locations as your actual password
- Your actual password would have the same strength
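The "test password" advice above can be automated so the real secret never leaves your machine. The following is an added example (not code from the slides): it records the class of every character (upper, lower, digit, special) and builds a throwaway password with the same class at every position, which is what a class-based strength checker actually measures.

```python
import secrets
import string

# Character classes that describe a password's "shape" (this example's own
# convention): U = upper case, L = lower case, D = digit, S = anything else.
CLASSES = {
    "U": string.ascii_uppercase,
    "L": string.ascii_lowercase,
    "D": string.digits,
    "S": string.punctuation,
}


def shape_of(password: str) -> str:
    """Return one class letter per character, e.g. 'Sp1drman' -> 'ULDLLLLL'."""
    shape = []
    for ch in password:
        for name, alphabet in CLASSES.items():
            if ch in alphabet:
                shape.append(name)
                break
        else:
            shape.append("S")  # space and non-ASCII characters count as "special"
    return "".join(shape)


def same_shape_decoy(password: str) -> str:
    """Build a throwaway password with the same length and the same class at every
    position, so a web checker sees an equivalent shape but never the real secret."""
    while True:
        decoy = "".join(secrets.choice(CLASSES[cls]) for cls in shape_of(password))
        if decoy != password:  # astronomically unlikely, but never hand out the real one
            return decoy
```

Paste the decoy, not the original, into a strength checker; both have the same length and class layout, so the reported strength applies to your real password.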
Password Cracking 101
Cracking Methods
- Dictionary
  – Tries words in a dictionary (any language)
- Pre-computed
  – Compares encrypted password with lists of cracked passwords
- Hybrid
  – Checks common number or symbol substitutes for letters, such as 3 for E, or for S
- Brute Force
  – Attempts every combination of characters
WARNING
- Password cracking programs are available on the Internet
- Do NOT visit sites that host them
- Do NOT download them
- Why?
  – These sites often contain malware
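To make the dictionary, hybrid and brute-force methods concrete from a defender's side, here is an added example (not from the slides) of a password screening check: it decides which of those methods would recover a candidate password under a simplified model, and estimates worst-case brute-force time at the 100,000 and 1 million guesses per second the slides quote. The word list and the substitution table are constructed for the example; the times in the slides came from a real cracking tool and will not match these estimates.

```python
import string

# Constructed mini word list standing in for a cracker's dictionary; a real
# screening check would load a large, multi-language list.
WORDLIST = {"barbara", "chicago", "gandalf", "october", "qwert", "bears"}

# Reversal of common substitutions a hybrid attack tries (3 for E, 0 for O, ...).
# The mapping is this example's assumption, not a list from the slides.
UNLEET = str.maketrans({"3": "e", "0": "o", "1": "i", "@": "a",
                        "$": "s", "5": "s", "!": "i"})

# Guess rates the slides quote for a typical desktop computer.
SLOW_RATE, FAST_RATE = 100_000, 1_000_000

def _core(candidate: str) -> str:
    """Lower-case and trim digits/punctuation from both ends ('Barbara1' -> 'barbara')."""
    return candidate.lower().strip(string.digits + string.punctuation)

def classify(password: str) -> str:
    """Cheapest slide method that recovers the password under this example's
    simplified model: dictionary (word plus trimmed digits), hybrid (undo
    substitutions first), otherwise brute force."""
    if _core(password) in WORDLIST:
        return "dictionary"
    if _core(password.translate(UNLEET)) in WORDLIST:
        return "hybrid"
    return "brute force"

def keyspace(password: str) -> int:
    """Alphabet size a brute-force run must cover, raised to the password length."""
    size = sum(width for test, width in (
        (str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
        (lambda c: not c.isalnum(), 33),  # printable ASCII punctuation plus space
    ) if any(test(c) for c in password))
    return size ** len(password)

def brute_force_seconds(password: str, rate: int = FAST_RATE) -> float:
    """Worst-case seconds to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(password) / rate

def dhms(seconds: float) -> str:
    """Format a duration the way the slides do, e.g. 0d2h23m7s."""
    s = int(seconds)
    d, s = divmod(s, 86400)
    h, s = divmod(s, 3600)
    m, s = divmod(s, 60)
    return f"{d}d{h}h{m}m{s}s"
```

Running classify on the slide examples flags Barbara1 as dictionary and 0ctobeR7 as hybrid, while Sp1drman and GoE@g1es fall through to brute force, where only length and character classes set the cost.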
Time to Crack
Password   Crack Method   Time to Crack
Barbara1   Dictionary     0d0h0m0s
Chicago5   Dictionary     0d0h0m0s
Gandalf1   Dictionary     0d0h0m0s
Time to Crack
Password   Crack Method   Time to Crack
October7   Dictionary     0d0h0m1s
0ctobeR7   Brute Force    0d2h23m7s
Time to Crack
Password   Crack Method   Time to Crack
time2Fly   Brute Force    0d1h35m33s
Sp1drman   Brute Force    0d0h11m17s
Qwert123   Hybrid         0d0h0m25s
Time to Crack
Password   Crack Method   Time to Crack
goBears4   Brute Force
goBears!   Brute Force
GoEag1es   Brute Force
GoE@g1es   Brute Force
(only one time is legible in the transcription: 0d5h13m38s)
Sample Output
Time to Crack
Password   Crack Method   Time to Crack
4*20 7ya   Brute Force    1d6h24m3s
4sc&7yrA   Brute Force    1d6h24m3s
87yr.aGo   Brute Force    1d6h24m3s
Still Going
Key Take Away
- The longer and more complex a password, the harder it is to crack
Bad Passwords
- Personally related to you
  – Address, birthday, anniversary, license plate, social security number, favorite car, hobby, or sports team
- Job-related
  – Job title, work location
- Family-related
  – Spouse, children, or pets' names or birthdays
- Similar to or match your User ID
- Dictionary words
  – No matter what the language
Picking a Strong Password
Unleash Your Creativity! Base Passwords on a Phrase
- 4*20 7ya
- 4sc&7yrA
- 87yr.aGo
- "Fourscore and seven years ago" (Gettysburg Address)
Unleash Your Creativity! Base Passwords on a Phrase
- Wygc?GB!
Use a Keyboard Pattern
- 3 5EdZxc
  – Forms the letter "I" (kinda)
How Many Passwords?
- Work
- Personal – high security
  – Online banking
- Personal – low security
  – News sites
- Recommended
  – Social media ONLY
Tools for Home Use
- Password Safe
  – Free Windows utility
  – Designed by Bruce Schneier
  – Keeps passwords securely encrypted on your computers
  – Just one "Safe Combination" to remember
  – http://passwordsafe.sourceforge.net/
City of Phoenix does not endorse or support any tools for home use
Tools for Home Use
- LastPass
  – Free utility
  – Just one "master password" to remember
  – Can automatically log you on to web sites and complete forms needed to buy goods online
  – https://lastpass.com/features free.php
Reminder
- Change default passwords
  – Passwords that "come with" a device or set by the vendor
You Can Protect Yourself
- Pick strong, easy-to-remember passwords!
Resources
- Password Meter password strength checker
  – http://www.passwordmeter.com/
- Computer World's review of password managers
  – http://www.computerworld.com/s/article/9191339/4 password managers offer security anytime anywhere?source CTWNLE nlt security 2010-10-18
- Password Managers
  – http://passwordsafe.sourceforge.net/
  – https://lastpass.com/features free.php
Thanks! Questions?
Contact ispo@phoenix.gov