Reasoning Analytically About Password-Cracking Software Enze “Alex” Liu, Amanda Nakanishi, Maximilian Golla, David Cash, and Blase Ur November 26, 2019 | PasswordsCon | Stockholm, Sweden
People Choose Weak Passwords Johnny14! 2 November 26, 2019 | PasswordsCon | Stockholm, Sweden
What Makes a Password “Weak”? Weak Passwords Frequency Fr Pas asswords 3 November 26, 2019 | PasswordsCon | Stockholm, Sweden
What Makes a Password “Weak”? Weak Passwords Frequency Fr Pas asswords Guess # 1.3 x 10 9 Guess #1 Guess #387 123456 qwerty1 nx71!iceCream 4 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Guess Number = Approximate Strength Example: Johnny14! Guess #: 390,000 5 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Application 1: Strength Meters Strength Meter 6 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Application 2: Proactive Checking Password123! 7 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Application 2: Proactive Checking “No!” 8 November 26, 2019 | PasswordsCon | Stockholm, Sweden Per Thorsheim, founder of PasswordsCon
Application 3: Academic Research 9 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Guess # Depends on Model We don’t think in “cracks,” we think in guess numbers! RNN != != != PCFG Guess #: Guess #: Guess #: Guess #: 1,928,730,033 8,346,290,721 inf. 390,000 Password Cracking: Guess Number: Johnny14! - cracked Depends on “trained” model 10 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Goals For Guess Numbers 1. Compute guess numbers efficiently 2. Configure guessing method systematically 3. Approximate real-world attack Password Guess Efficient Number Configuration Real-World 11 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Outline State of the art 1. How software password-cracking tools work 2. Our efficient techniques for guess numbers 3. Our techniques for systematic configuration 4. 12 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Password-Cracking Methods Probabilistic Models Software Tools 13 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Probabilistic Models Markov Models [Narayanan and Shmatikov, CCS 2005] Probabilistic Context-Free Grammars [Weir et al., S&P 2009] Neural Networks [Melicher et al., USENIX Security 2016] Guess # Configuration Real 14 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Password-Cracking Methods Probabilistic Models Software Tools 15 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Software Tools John the Ripper Hashcat 16 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Guess Number by Enumeration 123456 1. password 2. monkey Does Not Scale !!! 3. letmein 4. p@ssw0rd 5. Johnny14! 6. 17 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Software Tools John the Ripper Hashcat Guess # Configuration [S&P 2019] Real 18 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Outline State of the art 1. How software password-cracking tools work 2. Our efficient techniques for guess numbers 3. Our techniques for systematic configuration 4. 19 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Mangled Wordlist Attack Wordlist Rulelist Guesses Super Append “1” Super1 1. Password Replace “a” → “4” Password1 2. Chicago Lowercase all Chicago1 3. Super P4ssword Chic4go 20 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Mangled Wordlist Attack Wordlist Rulelist Guesses Super Append “1” Super1 1. Password Replace “a” → “4” Password1 2. Chicago Lowercase all Chicago1 3. Super P4ssword Chic4go super password chicago 21 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Example Wordlists and Rulelists Wordlist Rulelist Linkedin (≈ 60,000,000) Korelogic (≈ 5,000) 10 9 – 10 15+ HIBP (≈ 500,000,000) Megatron (≈ 15,000) guesses Generated2 (≈ 65,000) + Professionals’ private word/rule lists 22 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Outline State of the art 1. How software password-cracking tools work 2. Our efficient techniques for guess numbers 3. Our techniques for systematic configuration 4. 23 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Is This Password in the Guesses? Guesses Super1 Password1 Chic4go Chicago1 Super P4ssword Chic4go super password chicago 24 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Is This Password in the Guesses? Wordlist Rulelist Guesses Super Append “1” Super1 1. Password Replace “a” → “4” Password1 2. Chicago Lowercase all Chicago1 3. Super P4ssword Chic4go super password chicago 25 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Insight We can work backwards! 26 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Insight “Rule Reversal” Marechal (PasswordsCon 2012) Kacherginsky (PasswordsCon 2013) and many others 27 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Inversion Process Rulelist Password Append “1” Chic4go 1. Replace “a” → “4” 2. Lowercase all 3. 28 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Inversion Process Preimages Rulelist Password Append “1” Chic4go Chicago 1. Replace “a” → “4” Chic4go 2. Lowercase all 3. 29 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Count Guesses Wordlist Rulelist Guesses Super Append “1” Super1 1. Password Replace “a” → “4” Password1 2. Chicago Lowercase all Chicago1 3. Super P4ssword Chic4go super password chicago 30 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Count Guesses Wordlist Rulelist Guesses Super Append “1” Super1 1. 3 3 Password Replace “a” → “4” Password1 2. Chicago Lowercase all Chicago1 3. Super P4ssword Chic4go super password chicago 31 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Count Guesses Wordlist Rulelist Guesses Super Append “1” Super1 1. Password Replace “a” → “4” Password1 2. Chicago Lowercase all Chicago1 3. Super P4ssword Chic4go super password chicago 32 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Approach Invert each password for each rule • Identify the first rule, if any, that guesses it • Sum guesses made by previous rules • Count guesses per rule (JtR) / word (Hashcat) • Do this once per wordlist / rulelist combo • 33 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Why is this non-trivial? 34 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Inverting Passwords 35 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Approach to Inverting Passwords Chic4go Represent preimages as ≈ regex • Few: [ {C} {h} {i} {c} {a,4} {g} {o} ] • Many: 4444 → [ {a,4} {a,4} {a,4} {a,4} ] • (“Purge 1” reversed): [ {1}* {C} {1}* {h} {1}* {i} • {1}* {c} {1}* {a,4} {1}* {g} {1}* {o} {1}* ] Represent wordlist as trie • 36 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Counting Guesses For Each Rule Wordlist Rule Guesses Super Reject if no “a”; 2 Password Replace a→ 4 Chicago Replace e→ a Super 3 Reject if no “a”; Password Chicago Replace a→ 4 37 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Advantages and Disadvantages Method is preferable: • Few target passwords • Need guess number quickly • Not preferable: • Many target passwords • 38 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Fast Guess Number Estimation LinkedIn + SpiderLabs Guesses Enumeration Our Approach Size ~ 3 PB ~ 10 GB Preprocessing > 2 years < 1 day Mean Lookup ??? < 1 second 39 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Outline State of the art 1. How software password-cracking tools work 2. Our efficient techniques for guess numbers 3. Our techniques for systematic configuration 4. 40 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Software Tools Depend On Contents of the wordlist Order of words Contents of the rulelist Order of rules 41 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Insight: Data-Driven Configuration Rulelist Password Set Wordlist New configuration 42 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Data-Driven Configuration Contents of the wordlist Order of words Contents of the rulelist Order of rules 43 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Rule Ordering Should the rules be in a different order? Key idea: Order by # cracks per guess Append “1” Replace “a” → “4” 1. 1. Replace “a” → “4” Lowercase all 2. 2. Lowercase all Append “1” 3. 3. 44 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Rule Ordering Results Ideal Data-driven Original 45 45 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Word Completeness Should other words be in the wordlist? Key idea: Add frequent preimage “misses” Preimages Rulelist Passwords Append “1” Dagarna1 1. Dagarna Replace “a” → “@” D@g@rn@ 2. Lowercase all dagarna 3. 46 November 26, 2019 | PasswordsCon | Stockholm, Sweden
Recommend
More recommend
