Understanding common password design:a study towards building a penetration testing tool

Abstract. Almost everything that is meant to be kept private is currently being protected by passwords. While systems and devices can be designed with robust security measures, the effcacy of such systems can be compromised if the end-user chooses a weak password, especially one easily found in common wordlists. Given the prevailing security dynamics, especially with the ongoing Ukraine war and Finland’s NATO membership considerations, the inadequate protection of WiFi devices may transcend individual privacy concerns. Supo, the Finnish Security and Intelligence Service, posits that routers with subpar security could pose considerable national security risks. This thesis aims to investigate the strategies people use when creating new passwords. This is done by using prior knowledge about password creation habits and by conducting an analysis of leaked passwords. The study also examines existing tools for password list generation for penetration testing to see what the strengths and weaknesses of those tools are. This will be the groundwork for creating a lightweight tool for password list generation that can be used to do penetration testing with dictionary attacks and possibly detect if weak passwords are being used. The problem with the current tools is that they either create a very large wordlist or are too small to be practical. They also seem to lack the mangling capabilities of the wordlists. The proposed solution is evaluated using the wardriving method, accompanied by the acquisition of pmkid hashes from WiFi access points. Subsequently, these hashes are matched against passwords generated by the designated tool, leveraging Hashcat to ascertain their decryptability. Through this process, the study also provides a snapshot of WiFi password robustness within the City of Oulu. The fndings revealed that approximately 6% of WiFi access points employed passwords deemed too weak. This discovery aligns with earlier research conducted in the city of Oulu, where a related investigation highlighted that nearly 14.78% of devices lack password protection, effectively operating as open access points [1].Yleisten suunnittelumenetelmien ymmärtäminen salasanojen luomiseen : tutkimus penetraatiotestaustyökalun rakentamiseen. Tiivistelmä. Lähes kaikki yksityisenä pidettävät asiat ovat tällähetkellä salasanojen suojaamia. Laitteet ja järjestelmät voidaan suunnitella tietoturvaominaisuuksiltaan kattavaksi, mutta näiden laitteiden ja järjestelmien turvallisuus voi vaarantua, jos loppukäyttäjä valitsee laitteen salasanaksi heikon salasanan. Etenkin jos valittu salasana sattuu vielä löytymään yleisistä salasanalistoista. Wif laitteiden riittämätön suojaaminen voi aiheuttaa turvallisuusongelmia, kun tarkastellaan vallitsevaa turvallisuusdynamiikkaa, Ukrainan sotaan ja Suomen Nato jäsenyyteen liittyen. Suojelupoliisi arvioi että heikosti suojatut reitittimet voivat aiheuttaa merkittäviä kansallisia turvallisuusriskejä. Tämän opinnäytetyön tavoitteena on tutkia ihmisten käyttämiä strategioita salasanojen luomiseen. Tämä tehdään käyttämällä aiempaa tietoa salasanojen luomistavoista, sekä tekemällä analyysi aiemmin nettiin vuotaneista salasanoista. Tutkimuksessa myös tarkastellaan olemassa olevia työkaluja salasanalistojen luomiseen ja selvitetään mitkä ovat näiden työkalujen vahvuudet ja heikkoudet. Edellämainitut toimenpiteet ovat pohjatyö jonka perusteella rakennetaan kevyt työkalu salasanalistojen luomiseen penetraatiotestausta varten. Jo tehtävää varten olemassaolevien työkalujen ongelmana on että ne luovat joko liian suuria tai pieniä sanalistoja ollakseen käytännöllisiä. Niistä puuttuu myös toiminnallisuus sanalistojen muokkaamiseen. Työkalun tehokkuutta arvioidaan ja testataan wardriving menetelmällä Wiftukipisteistä hankituilla pmkid hasheilla. Myöhemmin hashejä verrataan työkalun luomiin sanalistoihin käyttäen apuna Hashcat nimistä työkalua ja tutkitaan löytyykö vastaavuuksia, ts. vastaako jokin työkalun luomista sanoista salasanaa jolla hash on luotu. Tätä kautta saadaan myös tilannekuva Wifsalasanojen vahvuudesta Oulun kaupungissa. Tulokset paljastivat että noin 6 % Wif-tukipisteistä käytetään liian heikkoa salasanaa. Tämä löytö on linjassa aiemmin Oulussa tehdyn tutkimuksen kanssa, jossa kyseinen tutkimus osoitti että lähes 14.78 % laitteista puuttuu salasanasuojaus ja laitteet toimivat noissa tapauksissa avoimina tukiasemina. [1

On Enhancing Security of Password-Based Authentication

Password has been the dominant authentication scheme for more than 30 years, and it will not be easily replaced in the foreseeable future. However, password authentication has long been plagued by the dilemma between security and usability, mainly due to human memory limitations. For example, a user often chooses an easy-to-guess (weak) password since it is easier to remember. The ever increasing number of online accounts per user even exacerbates this problem. In this dissertation, we present four research projects that focus on the security of password authentication and its ecosystem. First, we observe that personal information plays a very important role when a user creates a password. Enlightened by this, we conduct a study on how users create their passwords using their personal information based on a leaked password dataset. We create a new metric---Coverage---to quantify the personal information in passwords. Armed with this knowledge, we develop a novel password cracker named Personal-PCFG (Probabilistic Context-Free Grammars) that leverages personal information for targeted password guessing. Experiments show that Personal-PCFG is much more efficient than the original PCFG in cracking passwords. The second project aims to ease the password management hassle for a user. Password managers are introduced so that users need only one password (master password) to access all their other passwords. However, the password manager induces a single point of failure and is potentially vulnerable to data breach. To address these issues, we propose BluePass, a decentralized password manager that features a dual-possession security that involves a master password and a mobile device. In addition, BluePass enables a hand-free user experience by retrieving passwords from the mobile device through Bluetooth communications. In the third project, we investigate an overlooked aspect in the password lifecycle, the password recovery procedure. We study the password recovery protocols in the Alexa top 500 websites, and report interesting findings on the de facto implementation. We observe that the backup email is the primary way for password recovery, and the email becomes a single point of failure. We assess the likelihood of an account recovery attack, analyze the security policy of major email providers, and propose a security enhancement protocol to help securing password recovery emails by two factor authentication. \newline Finally, we focus on a more fundamental level, user identity. Password-based authentication is just a one-time checking to ensure that a user is legitimate. However, a user\u27s identity could be hijacked at any step. For example, an attacker can leverage a zero-day vulnerability to take over the root privilege. Thus, tracking the user behavior is essential to examine the identity legitimacy. We develop a user tracking system based on OS-level logs inside an enterprise network, and apply a variety of techniques to generate a concise and salient user profile for identity examination

Cyber Security

This open access book constitutes the refereed proceedings of the 16th International Annual Conference on Cyber Security, CNCERT 2020, held in Beijing, China, in August 2020. The 17 papers presented were carefully reviewed and selected from 58 submissions. The papers are organized according to the following topical sections: access control; cryptography; denial-of-service attacks; hardware security implementation; intrusion/anomaly detection and malware mitigation; social network security and privacy; systems security

A Survey on Password Guessing

Text password has served as the most popular method for user authentication so far, and is not likely to be totally replaced in foreseeable future. Password authentication offers several desirable properties (e.g., low-cost, highly available, easy-to-implement, reusable). However, it suffers from a critical security issue mainly caused by the inability to memorize complicated strings of humans. Users tend to choose easy-to-remember passwords which are not uniformly distributed in the key space. Thus, user-selected passwords are susceptible to guessing attacks. In order to encourage and support users to use strong passwords, it is necessary to simulate automated password guessing methods to determine the passwords' strength and identify weak passwords. A large number of password guessing models have been proposed in the literature. However, little attention was paid to the task of providing a systematic survey which is necessary to review the state-of-the-art approaches, identify gaps, and avoid duplicate studies. Motivated by that, we conduct a comprehensive survey on all password guessing studies presented in the literature from 1979 to 2022. We propose a generic methodology map to present an overview of existing methods. Then, we explain each representative approach in detail. The experimental procedures and available datasets used to evaluate password guessing models are summarized, and the reported performances of representative studies are compared. Finally, the current limitations and the open problems as future research directions are discussed. We believe that this survey is helpful to both experts and newcomers who are interested in password securityComment: 35 pages, 5 figures, 5 table

Cyber Security

This open access book constitutes the refereed proceedings of the 16th International Annual Conference on Cyber Security, CNCERT 2020, held in Beijing, China, in August 2020. The 17 papers presented were carefully reviewed and selected from 58 submissions. The papers are organized according to the following topical sections: access control; cryptography; denial-of-service attacks; hardware security implementation; intrusion/anomaly detection and malware mitigation; social network security and privacy; systems security

An investigation of the security of passwords derived from African languages

Password authentication has become ubiquitous in the cyber age. To-date, there have been several studies on country based passwords by authors who studied, amongst others, English, Finnish, Italian and Chinese based passwords. However, there has been a lack of focused study on the type of passwords that are being created in Africa and whether there are benefits in creating passwords in an African language. For this research, password databases containing LAN Manager (LM) and NT LAN Manager (NTLM) hashes extracted from South African organisations in a variety of sectors in the economy, were obtained to gain an understanding of user behaviour in creating passwords. Analysis of the passwords obtained from these hashes (using several cracking methods) showed that many organisational passwords are based on the English language. This is understandable considering that the business language in South Africa is English even though South Africa has 11 official languages. African language based passwords were derived from known English weak passwords and some of the passwords were appended with numbers and special characters. The African based passwords created using eight Southern African languages were then uploaded to the Internet to test the security around using passwords based on African languages. Since most of the passwords were able to be cracked by third party researchers, we conclude that any password that is derived from known weak English words marked no improvement in the security of a password written in an African language, especially the more widely spoken languages, namely, isiZulu, isiXhosa and Setswana

The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants

Since the burgeoning days of IoT, Mirai has been established as the canonical IoT botnet. Not long after the public release of its code, researchers found many Mirai variants compete with one another for many of the same vulnerable hosts. Over time, the myriad Mirai variants evolved to incorporate unique vulnerabilities, defenses, and regional concentrations. In this paper, we ask: have Mirai variants evolved to the point that they are fundamentally distinct? We answer this question by measuring two of the most popular Mirai descendants: Hajime and Mozi. To actively scan both botnets simultaneously, we developed a robust measurement infrastructure, BMS, and ran it for more than eight months. The resulting datasets show that these two popular botnets have diverged in their evolutions from their common ancestor in multiple ways: they have virtually no overlapping IP addresses, they exhibit different behavior to network events such as diurnal rate limiting in China, and more. Collectively, our results show that there is no longer one canonical IoT botnet. We discuss the implications of this finding for researchers and practitioners

Your Culture is in Your Password: An Analysis of a Demographically-diverse Password Dataset

A large number of studies on passwords make use of passwords leaked by attackers who compromised online services. Frequently, these leaks contain only the passwords themselves, or basic information such as usernames or email addresses. While metadata-rich leaks exist, they are often limited in the variety of demographics they cover. In this work, we analyze a meta-data rich data leak from a Middle Eastern bank with a demographically-diverse user base. We provide an analysis of passwords created by groups of people of different cultural backgrounds, some of which are under-represented in existing data leaks, e.g., Arab, Filipino, Indian, and Pakistani. The contributions provided by this work are many-fold. First, our results contribute to the existing body of knowledge regarding how users include personal information in their passwords. Second, we illustrate the differences that exist in how users from different cultural/linguistic backgrounds create passwords. Finally, we study the (empirical and theoretical) guessability of the dataset based on two attacker models, and show that a state of the art password strength estimator inflates the strength of passwords created by users from non-English speaking backgrounds. We improve its estimations by training it with contextually relevant information

A principled approach to measuring the IoT ecosystem

Internet of Things (IoT) devices combine network connectivity, cheap hardware, and actuation to provide new ways to interface with the world. In spite of this growth, little work has been done to measure the network properties of IoT devices. Such measurements can help to inform systems designers and security researchers of IoT networking behavior in practice to guide future research. Unfortunately, properly measuring the IoT ecosystem is not trivial. Devices may have different capabilities and behaviors, which require both active measurements and passive observation to quantify. Furthermore, the IoT devices that are connected to the public Internet may vary from those connected inside home networks, requiring both an external and internal vantage point to draw measurements from. In this thesis, we demonstrate how IoT measurements drawn from a single vantage point or mesaurement technique lead to a biased view of the network services in the IoT ecosystem. To do this, we conduct several real-world IoT measurements, drawn from both inside and outside home networks using active and passive monitoring. First, we leverage active scanning and passive observation in understanding the Mirai botnet---chiefly, we report on the devices it infected, the command and control infrastructure behind the botnet, and how the malware evolved over time. We then conduct active measurements from inside 16M home networks spanning 83M devices from 11~geographic regions to survey the IoT devices installed around the world. We demonstrate how these measurements can uncover the device types that are most at risk and the vendors who manufacture the weakest devices. We compare our measurements with passive external observation by detecting compromised scanning behavior from smart homes. We find that while passive external observation can drive insight about compromised networks, it offers little by way of concrete device attribution. We next compare our results from active external scanning with active internal scanning and show how relying solely on external scanning for IoT measurements under-reports security important IoT protocols, potentially skewing the services investigated by the security community. Finally, we conduct passive measurements of 275~smart home networks to investigate IoT behavior. We find that IoT device behavior varies by type and devices regularly communicate over a myriad of bespoke ports, in many cases to speak standard protocols (e.g., HTTP). Finally, we observe that devices regularly offer active services (e.g., Telnet, rpcbind) that are rarely, if ever, used in actual communication, demonstrating the need for both active and passive measurements to properly compare device capabilities and behaviors. Our results highlight the need for a confluence of measurement perspectives to comprehensively understand IoT ecosystem. We conclude with recommendations for future measurements of IoT devices as well as directions for the systems and security community informed by our work

Cyber-crime Science = Crime Science + Information Security

Cyber-crime Science is an emerging area of study aiming to prevent cyber-crime by combining security protection techniques from Information Security with empirical research methods used in Crime Science. Information security research has developed techniques for protecting the confidentiality, integrity, and availability of information assets but is less strong on the empirical study of the effectiveness of these techniques. Crime Science studies the effect of crime prevention techniques empirically in the real world, and proposes improvements to these techniques based on this. Combining both approaches, Cyber-crime Science transfers and further develops Information Security techniques to prevent cyber-crime, and empirically studies the effectiveness of these techniques in the real world. In this paper we review the main contributions of Crime Science as of today, illustrate its application to a typical Information Security problem, namely phishing, explore the interdisciplinary structure of Cyber-crime Science, and present an agenda for research in Cyber-crime Science in the form of a set of suggested research questions