Effective Password Cracking


An Offline Attack on Norwegian Passwords

Nicklas Mortensen Hamang

Thesis submitted for the degree of Master in Network and System Administration (60 credits)
Department of Informatics, Faculty of Mathematics and Natural Sciences, University of Oslo
Autumn 2019

© 2019 Nicklas Mortensen Hamang
http://www.duo.uio.no/
Printed: Reprosentralen, University of Oslo

Abstract

This thesis studies the characteristics of Norwegian passwords in order to find the most effective way of attacking them. This was done by using a password-cracking tool to attack offline copies of several password data breaches. We found that a majority of Norwegian passwords are long, but equally many of them are passwords found in known password leaks. In conclusion, we recommend that Norwegians strengthen their passwords by increasing their length, adding more of the special Norwegian characters and, most importantly, checking their passwords against lists of leaked passwords.
Contents

1 Introduction
  1.1 Motivation and Background
  1.2 Research Questions
  1.3 Structure of Thesis
  1.4 Research Method
2 The Principle of Passwords
  2.1 History of the Password
    2.1.1 Passwords and Cryptography Prior to Computers
    2.1.2 In the Information Age
  2.2 Password Storage
    2.2.1 Plain-Text
    2.2.2 MULTICS Scrambler and PNT
    2.2.3 Hash
    2.2.4 Salted Hash
    2.2.5 Shadowed Files
    2.2.6 SAM File
    2.2.7 Password Managers
  2.3 Password Guidelines
  2.4 Psychology of Password Creation
3 Cryptography
  3.1 Symmetric Cryptography
    3.1.1 DES
    3.1.2 Triple DES
    3.1.3 AES
  3.2 Asymmetric Cryptography
  3.3 Cryptographic Hash Functions
    3.3.1 SHA X
    3.3.2 MD4 and MD5
    3.3.3 LMHash and NTHash
    3.3.4 Crypt
4 User Authentication
  4.1 What is User Authentication?
  4.2 The Types of User Authentication
    4.2.1 Knowledge/memorization-based Authentication
    4.2.2 Possession-Based Authentication
    4.2.3 Inheritance-Based Authentication
    4.2.4 Multi Factor
  4.3 NIST
    4.3.1 SP 800-63B Authentication & Lifecycle Management
5 Attacking Passwords
  5.1 Password Attacks
    5.1.1 Password Cracking
    5.1.2 MITM - Man-in-the-Middle
    5.1.3 Key Logger
    5.1.4 Social Engineering
  5.2 Data Breaches
  5.3 Password Attack Tools
    5.3.1 Brutus
    5.3.2 Cain & Abel
    5.3.3 John the Ripper
    5.3.4 Hash Suite
    5.3.5 THC Hydra
    5.3.6 RainbowCrack
    5.3.7 Hashcat
    5.3.8 AirCrack NG
    5.3.9 WinDump
    5.3.10 Wireshark
    5.3.11 Gophish
    5.3.12 Social Engineer Toolkit (SET)
6 Experiment
  6.1 The Machine and Software
  6.2 Datasets
    6.2.1 Hemmelig.com
  6.3 More on Hashcat
    6.3.1 Test Case
  6.4 Going on the Attack
    6.4.1 Brute
    6.4.2 Numbers
    6.4.3 Existing Lists
    6.4.4 Norwegian
    6.4.5 English
    6.4.6 Rounding off the Attacks
7 Conclusion
8 Glossary
  8.1 Avalanche Effect
  8.2 CAPTCHA
  8.3 cygwin
  8.4 Feistel Structure
  8.5 Iterations
  8.6 Key Stretching
  8.7 Offline Attack
  8.8 Online Attack
  8.9 Regex
A All Result Outputs
  A.1 Experiment Files
  A.2 Numbers
  A.3 Brute-force
  A.4 Existing Lists
  A.5 Norwegian Names
  A.6 Sports
  A.7 Country- or Place-name
  A.8 Norwegian Words
    A.8.1 All Norwegian Dictionaries
  A.9 English Names
  A.10 Country- or Place-name in English or Native Languages
  A.11 Movies
  A.12 English Dictionary
  A.13 Norwegian After English

List of Figures

2.1 MULTICS Scrambler notation [16]
2.2 Hash salting [17]
2.3 Shadow file entry
2.4 Generic shadow file entry
3.1 Principle of a symmetric-key cipher [26]
3.2 Caesar cipher shift [28]
3.3 DES with round function components: the key splitter KS, the bit expansion E, the S-boxes S, and the bit permutation P [29]
3.4 Encrypting and decrypting using Triple DES [30]
3.5 An asymmetric-key cipher [26]
3.6 An illustration of a hash function [33]
3.7 Illustration of the properties of a hash function
3.8 bcrypt [40]
4.1 Examples of some common patterns [42]
4.2 Authenticators
4.3 Biometrics
4.4 Summary of AAL requirements [41]
5.1 Simple rainbow reduction [56]
5.2 A password reset attack with CAPTCHA and a security question [57]
5.3 Example of a phishing email claiming to be from PayPal [60]
5.4 A couple of tools to identify possible password leaks
5.5 Brutus on Windows [81]
5.6 Cain & Abel on Windows [82]
5.7 John the Ripper on Linux [86]
5.8 THC Hydra on Unix [88]
5.9 RainbowCrack on Windows [90]
5.10 Rainbow table generation with RainbowCrack [90]
5.11 Hashcat MD5 benchmark on Windows
5.12 Start monitoring a wireless adapter in aircrack using BackTrack [93]
5.13 Wireshark sniffing packets [95]
5.14 Gophish result template [96]
5.15 Social Engineer Toolkit main menu [98]
6.1 Breakdown of numbers recovered
6.2 Breakdown of names recovered
6.3 Breakdown of Norwegian words
6.4 Breakdown of names recovered
6.5 Breakdown of the English attack
6.6 A breakdown of all attacks
8.1 Hash iterations

List of Tables

2.1 Hash examples
2.2 UK top 10 passwords
3.1 The search space of a hash
3.2 SHA properties [36]
5.1 Password combinations and time, with our machine in mind
5.2 Examples of using mangling rules
5.3 Hash Suite supported hashes
6.1 Attack options
6.2 A selection of supported encryption schemes
6.3 The debug option for Hashcat
6.4 Simple rules used with rockyou.txt
8.1 Hashcat word mangling rules

Chapter 1 Introduction

1.1 Motivation and Background

The Internet has become part of our daily lives and encompasses more and more of our activities. This includes how we read about current events through blogs and news sites, how we socialize using social media and web forums, and how we conduct our finances with online banking websites and payment apps like Vipps. All these services require some form of user authentication, which usually takes the form of user names and passwords. As people register on new websites, each person may need to maintain a relatively large number of passwords. The password-manager developer Dashlane reported in 2018 that the average user has over 200 different digital accounts using passwords [1], which can lead to negligent password hygiene. With this many accounts a user is likely