Password Habits and Cracking Toolkit

Passwords comprise important pieces of information nowadays. They are on the basis of many access control systems and are often the first, something-you-know factor of authentication mechanisms. They comprise keys to computer systems, confidential information or even physical facilities, and their widespread adoption makes of their discovery one of the main objectives of the initial phase of computer attacks and an interesting research topic. On the one hand, since passwords are sequences of characters with which the input of users have to be compared to, their representations have to be stored in computer systems; on the other, given their sensitive nature, they have to be stored in a secure manner. Rather than the passwords themselves, it is common and preferable to save transformations of these sequences of characters, which should be obtained using functions with stringent properties such as the ones of cryptographically secure hash or encryption functions. There are many known methods available and documented nowadays for such task, scrutinized in the literature and considered secure, though they are not always correctly employed. Obtaining a password from a representation is thus, normally, a computationally unfeasible task. Cracking a password often refers to the procedure of submitting several known passwords (using dictionaries or compendiums) or patterns (using brute force attacks) to the transformation procedure and compare the result with a representation, until a match is obtained, if ever. As such, the security of the mechanism used to obtain the representations is also dependent of how guessable the passwords are. This dissertation addresses the topics of habits for construction of passwords and tools for cracking them. Several specialized tools for cracking are available nowadays, most of them free or open source, designed for command line interaction only. One of the main contributions of this work comprised the development of a Graphical User Interface (GUI) for several cracking tools (namely Hashcat, John the Ripper and RainbowCrack), congregating their most interesting features in an integrated and meaningful manner. The developed toolkit, named PassCrackGUI, was then used in the cracking attempt of several Databases (DBs) with password representations that leaked to the Internet in 2014 and 2015 with the intention of analyzing how vulnerable they were to the procedure, and also the contemporary habits of people in terms of construction of passwords. Also aiming to better study the topic mentioned in last, a questionnaire was prepared and delivered to 64 participants. This analysis of password habits constitutes another contribution of this work. PassCrackGUI is a main output of this Master of Science (M.Sc.) program. It is fully functional, easy to use and made freely available as an open-source project. It was written in Java and tested in Linux, Windows and Mac Operating Systems (OSs). When using it to crack the leaked DBs, it was possible to recover 36% of the 4233 password representations using only dictionaries and simple rules on a common laptop. Part of the problem lies in the adopted mechanismsfor obtaining the representations, which were outdated in most of the cases; while very weak passwords also contributed for this number (e.g., a significant number of 4 digits long passwords was found in one of the DBs). The results from the survey corroborate other works in the area, namely in terms of stereotypes. For example, the answers suggest that men use longer and more diverse (in terms of character sets) passwords than women. Nonetheless, several contracting aspects lead to the conclusion that the participants may be claiming to construct stronger passwords than they really use.As palavras-passe desempenham, hoje em dia, um papel importante em sistemas informação. Estas estão muitas vezes na base de mecanismos de controlo de acesso e constituem frequentemente o primeiro factor something you know de mecanismos de autenticação. São chaves para computadores, sistemas de software, informação confidêncial e até para edifícios, e a sua adoção generalizada torna a sua descoberta um dos principais objetivos da fase inicial de ataques informáticos e uma área de investigação muito interessante. Por um lado, dado que as palavras-passe são sequências de caracteres com as quais valores fornecidos por utilizadores têm de ser comparados, a sua representação tem de ser guardada em sistemas computacionais; por outro, dada a sua natureza sensível, estas têm de ser guardadas de uma forma segura. Ao invés de guardar as palavras-passe em texto limpo, é comum e preferível guardar transformações destas sequências de caracteres, obtidas através de funções com propriedades muito especificas, tais como funções de cifra ou resumo criptográficas. Existem vários métodos conhecidos e documentados hoje em dia para a execução desta tarefa, descritos na literatura da especialidade e considerados seguros, embora estas não sejam sempre corretamente utilizadas. Assim, a obtenção de uma palavras-passe a partir da representação constitui normalmente uma tarefa computacionalmente inviável. O compromentimento de palavras-passe (do inglês password cracking) é então tentado através da submissão repetida de diversas palavras já conhecidas (usando dicionários ou compendios) ou padrões à função de transformação, comparando o seu resultado com a representação capturada, até que uma correspondência seja encontrada ou as possibilidades se esgotem. Assim, a segurança dos mecanismos usados para a obtenção das representações está dependente do quão previsíveis as palavras-passe são. Esta dissertação aborda temas relacionados com hábitos de construção de palavras-passe e ferramentas de password cracking. Muitas ferramentas especializadas de cracking estão disponíveis nos dia de hoje, sendo muitas delas gratuidas ou código aberto, desenhadas apenas para interação em linha de comandos. Uma das principais contribuições deste trabalho foi o desenvolvimento de uma interface gráfica para diversas ferramentas de cracking (como o Hashcat, John the Ripper e RainbowCrack), reunindo as suas funcionalidades mais interessantes de uma forma concisa e inteligente. A ferramenta desenvolvida, designada por PassCRackGUI, foi usada com o intuito de descobrir palavras-passe em diversas bases de dados contendo representações, e que vazaram para a Internet em 2014 e 2015. Este estudo foi feito com a intenção de analisar o quão expostas as respetivas palavras-passe estão e também de perceber os hábitos dos utilizadores na construção destas sequências de caracteres. Para um melhor estudo deste último tópico, foi preparado e entregue um questionário a 64 participantes. A análise dos resultados deste questionário constitui outra contribuição deste trabalho. PassCrackGUI é o principal resultado deste programa de mestrado. É totalmente funcional, fácil de usar e está disponível gratuitamente como um projeto open source. Foi desenvolvido em Java e testado nos sistemas operativos Linux, Windows e Mac OS. Quando usado na tentativa de cracking das bases de dados vazadas, foi possível recuperar 36% de 4233 representações de palavras-passe, apenas utilizando dicionários e simples regras num computador portátil vulgar. Parte do problema reside nos mecanismos adotados para a obtenção das representações, já ultrapassados na maioria dos casos; enquanto que a existência de palavras-passe fracas também contribuiu para este número (e.g., um significante número de palavras-passe eram constituídas por 4 dígitos apenas). Os resultados do questionário estão em conformidade com outros trabalhos nesta área, nomeadamente em termos de esteriótipos. Por exemplo, as respostas sugerem que os homens usam palavras-passe com maior diversidade e comprimento do que as mulheres. Ainda assim, vários aspectos contraditórios nas respostas levam à conclusão que os participantes parecem estar a alegar usar palavras-passe mais fortes do que usam realmente

Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations

Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods and propose suitable mitigations. Our study of three popular messengers (WhatsApp, Signal, and Telegram) shows that large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we queried 10% of US mobile phone numbers for WhatsApp and 100% for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings. Furthermore, we demonstrate that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal. Most notably, we show that with the password cracking tool JTR we can iterate through the entire world-wide mobile phone number space in <150s on a consumer-grade GPU. We also propose a significantly improved rainbow table construction for non-uniformly distributed input domains that is of independent interest. Regarding mitigations, we most notably propose two novel rate-limiting schemes: our incremental contact discovery for services without server-side contact storage strictly improves over Signal\u27s current approach while being compatible with private set intersection, whereas our differential scheme allows even stricter rate limits at the overhead for service providers to store a small constant-size state that does not reveal any contact information

A New Approach in Expanding the Hash Size of MD5

The enhanced MD5 algorithm has been developed by expanding its hash value up to 1280 bits from the original size of 128 bit using XOR and AND operators. Findings revealed that the hash value of the modified algorithm was not cracked or hacked during the experiment and testing using powerful bruteforce, dictionary, cracking tools and rainbow table such as CrackingStation, Hash Cracker, Cain and Abel and Rainbow Crack which are available online thus improved its security level compared to the original MD5. Furthermore, the proposed method could output a hash value with 1280 bits with only 10.9 ms additional execution time from MD5. Keywords: MD5 algorithm, hashing, client-server communication, modified MD5, hacking, bruteforce, rainbow table

Modified SHA1: A Hashing Solution to Secure Web Applications through Login Authentication

The modified SHA1 algorithm has been developed by expanding its hash value up to 1280 bits from the original size of 160 bit. This was done by allocating 32 buffer registers for variables A, B, C and D at 5 bytes each. The expansion was done by generating 4 buffer registers in every round inside the compression function for 8 times. Findings revealed that the hash value of the modified algorithm was not cracked or hacked during the experiment and testing using powerful online cracking tool, bruteforce and rainbow table such as CrackingStation and Rainbow Crack and bruteforcer which are available online thus improved its security level compared to the original SHA1

Análise da Gestão de Palavras-Chave

Gradualmente, tem-se vindo a verificar que a informação pertencente aos diversos utilizadores da Internet está cada vez mais exposta a ataques. Estas invasões comprometem os seus dados, e, para isso, têm surgido algumas respostas, tais como a segurança da informação. Um dos fatores que se destaca e que está relacionado com esta é a autenticidade. Técnicas de biometria e chaves eletrónicas são exemplos usados para a assegurar, na informação. Porém, o mecanismo que mais sobressai é a utilização de um par constituído por nome de utilizador e palavra-chave. Contudo, este tem revelado alguns problemas associados. Ora, se é usado um único segredo para salvaguardar todos os recursos privados, e este é descoberto, a informação do utilizador estará inteiramente comprometida. Já no caso de serem empregues múltiplas passwords, corre-se o risco de haver o esquecimento das credenciais de acesso. Por outro lado, existem inconvenientes se estas são curtas (facilmente encontradas) ou longas (difíceis de memorizar). Dadas as situações relatadas, têm vindo a ser aplicados gestores de palavras-chave. Tais métodos permitem o armazenamento dos segredos, bem como a sua criação, podendo estes ter vários tipos de resoluções, variando entre técnicas locais, móveis, ou até mesmo baseadas na web. Todas elas possuem vantagens (dependendo do cenário), assim como desvantagens comuns. De forma a verificar se estas ferramentas disponibilizam a segurança prometida, foi executada uma análise intensiva a alguns programas, escolhidos pelo seu desempenho e notoriedade, que já se encontram no mercado. Caso não se mostrassem eficazes, seria proposta uma aplicação, com vista a resolver os problemas descobertos. Porém, concluiu-se que já existe um mecanismo que oferece a salvaguarda pretendida. Assim, foi feito unicamente um estudo sobre as abordagens que podem ser adotadas, destacando a que se apresentou como mais adequada.It has been verified, gradually, that information belonging to different Internet users, is increasingly exposed to attacks. These invasions compromise their data, and so, some answers have arisen, such as information security. One of the most important factors, related to this concept, is authenticity. Biometrics and security tokens are examples used to ensure it. However, the mechanism that stands out more, is the pair composed by a username and password. Nevertheless, this has revealed some problems. If a single secret is used to protect all the websites, and it’s discovered, users’ information will be fully compromised. If there are used multiple passwords, there may be a risk of forgetting access credentials. On the other hand, there are drawbacks if they are short (easily found) or long (hard to remember). Considering the reported statements, password managers have been applied. Such methods allow to store and generate passwords, and can have different types of solutions, ranging between local, mobile or even web-based. All of these have advantages (depending on the scenario), as well as common disadvantages. In order to check if these tools offer the promised security, it was performed an intensive analysis to some programs, chosen by their performance and reputation, that are already on the market. If they proved to be ineffective, an application to solve the discovered problems would be proposed. However, it was concluded that a mechanism providing the desired protection, already exists. Thereby, it was only conducted a study about the approaches that can be adopted, pointing out the one that was presented as more appropriate

Guessing human-chosen secrets

Authenticating humans to computers remains a notable weak point in computer security despite decades of effort. Although the security research community has explored dozens of proposals for replacing or strengthening passwords, they appear likely to remain entrenched as the standard mechanism of human-computer authentication on the Internet for years to come. Even in the optimistic scenario of eliminating passwords from most of today's authentication protocols using trusted hardware devices or trusted servers to perform federated authentication, passwords will persist as a means of "last-mile" authentication between humans and these trusted single sign-on deputies. This dissertation studies the difficulty of guessing human-chosen secrets, introducing a sound mathematical framework modeling human choice as a skewed probability distribution. We introduce a new metric, alpha-guesswork, which can accurately models the resistance of a distribution against all possible guessing attacks. We also study the statistical challenges of estimating this metric using empirical data sets which can be modeled as a large random sample from the underlying probability distribution. This framework is then used to evaluate several representative data sets from the most important categories of human-chosen secrets to provide reliable estimates of security against guessing attacks. This includes collecting the largest-ever corpus of user-chosen passwords, with nearly 70 million, the largest list of human names ever assembled for research, the largest data sets of real answers to personal knowledge questions and the first data published about human choice of banking PINs. This data provides reliable numbers for designing security systems and highlights universal limitations of human-chosen secrets