CMSC 355 Lab 2: Password Security Due: Thursday, October 8Th, 2020


CMSC 355 Lab 2: Password Security
Due: Thursday, Sept. 16th, 2021 by 11:59:59pm

Password systems are by far the most common means of authenticating access to resources. Unfortunately, the strength of a password system is determined largely by the user's choice of a good password. Weak passwords can be easily exploited using several common password cracking techniques. In this lab, we are going to investigate three techniques for finding weak passwords: a brute-force attack, a rainbow table attack, and a dictionary attack (also called a word list attack).

Step 1. Getting Started

This lab requires you to work with some rather large files. For this reason, it is wise to work from the /scratch folder on the hard drive of the computer rather than from your /home directory, which is stored on the network drive. Download the file Lab2.tar.gz from my web site and then extract it:

    cd /scratch/username
    wget http://marmorstein.org/~robert/Fall2021/cs355/Lab2.tar.gz
    tar xzvf Lab2.tar.gz

Then change directories to the Lab2/ folder. The folder contains several different files:

- "fakeshadow" is an example password file containing several weak passwords I created. We will be trying to crack the passwords in this file using various cracking techniques.
- "hash.txt" contains the same passwords, but without salt. We'll talk more about password salt later in the lab.
- The "rainbow_tables" folder contains a set of pre-computed cracking tables (called rainbow tables) which we will use in Step 3.
- The "hashcat-6.1.1" folder contains an updated version of the "hashcat" password cracker, which we will use in Step 5.
- "report.txt" contains a list of questions that you will fill out as we complete this lab. Edit this file now to place your name at the top. This is the only file you will need to submit electronically.
- The remaining files in this lab belong to a password cracking utility called "rainbow crack" that we will play around with in Step 3.

Step 2. Brute Force

A program called "John the Ripper" is installed on all of the systems in the lab. John is a password cracking utility that employs a brute-force technique to find passwords in a password file. It supports several different hash types, including the most common hashing algorithms used by both Linux and Windows.

A naive brute-force approach would try the password "a" and then the password "b" and so forth until it had tried all possible letters. It would then try "aa" through "zz" and so forth. It might also try adding numbers and symbols in various places in the password, or it might loop through all the ASCII characters in order.

To defend against brute force attacks, it is a good policy to either:

1. Lock out an account after a password has been guessed incorrectly a certain number of times. Of course, this makes it possible for an attacker to get someone locked out, a sort of "Denial of Service" attack.
2. Introduce a delay after a password has been typed incorrectly. The delay will slow down the brute force program and make it less likely that the cracker can successfully obtain the password in a reasonable amount of time.

Of course, neither of those policies helps if the cracker can access the password file directly, as we are doing in this lab.

The approach used by John the Ripper is a little more sophisticated than the naive approach. It takes advantage of known statistical properties of common passwords to try the most likely password strings first, and then the less likely ones. For example, the most common letter in the English language is "e", so passwords that contain one or more "e" characters are much more common than passwords that contain only "z" and "x" characters. John takes advantage of rules like this to find passwords more quickly.

Let's run john on the "fakeshadow" password file. Type:

    john --format=md5crypt-opencl --nolog fakeshadow

and hit enter. John will find some of the simplest (and weakest) passwords right away. Let John run for about one minute and then hit CTRL-C.

Note: John stores its progress in a file in your home directory, so if you stop it and run it again, it will resume where it left off; it won't "rediscover" the ones it has already found. If you need to start over for some reason, remove the file named "john.pot" (which is probably in the ".john" folder of your home directory):

    rm ~/.john/john.pot

Now edit the "report.txt" file and answer the first two questions.

Step 3. Using Rainbow Tables

While a brute force approach works well for finding very weak passwords, it can take hours or even days to find slightly stronger ones, especially on old computers like the ones in our lab. One way to avoid this is to use pre-computed tables that map each password hash back to the passwords that generate it. Creating the tables can take a very, very long time. But once they are created, they can be used over and over on different password files to find passwords quickly. Essentially, finding the password requires only a simple table lookup. This speeds up the algorithm at the cost of memory (the cracker needs to store a very large hash table in RAM).

These tables are called "rainbow tables" and are particularly suitable for cracking Windows passwords. The reason for this is that one of the password systems Windows uses has a huge weakness: it works by encrypting a fixed string (the same string for every account) using the user's password as an encryption key. Because the same password always produces the same ciphertext, a rainbow attack with a large enough table can usually find 99.9% of the passwords in just a few seconds.

Furthermore, Windows passwords do not use "salt" (Linux systems do). A "salt" is a randomly selected value that is added to a password before it is hashed into the password file. The password file stores both the hashed password and the salt so that future logins can complete successfully. The advantage of using a salt is that it completely prevents rainbow table attacks.

I have created an "unsalted" version of our password file in your Lab2 folder (it is called "hash.txt"). Let's use "rainbowcrack" to break the passwords in the file. First type "date" and hit enter (so that you have a record of your starting time). Then type (note that the option before "hash.txt" is a lowercase "ell", not a one or a capital "i"):

    ./rcrack rainbow_tables/*.rt -l hash.txt

and hit enter. When it finishes, type "date" again to get a record of your ending time. Edit the "report.txt" file and answer questions C and D about rainbow crack. You will probably need to scroll up to see the results of the search.

Step 4. Word Lists

Notice that rainbow crack found a three-character password that John the Ripper missed. That is because John's search algorithm looks at alphanumeric passwords first; it takes a long time for it to get to passwords that contain only symbols. We can make John a little more clever by telling it to use a word list instead of the brute force approach. A word list is a list of common passwords. Instead of generating random strings of a particular size, John will try each of the passwords in the list. John can also use "rules" to modify some of these passwords as it tries them (replacing "e" with "3" and so forth), but that is outside the scope of this lab. Check the time using "date" and then type:

    john --wordlist=wordlist.txt --format=md5crypt-opencl --nolog fakeshadow

and hit enter. When John finishes, check the time again. Then answer questions E and F in the "report.txt" file.

Step 5. Hashcat

John the Ripper and rainbow crack use only the CPU. Our systems in the lab are fairly powerful, but if we want to crack passwords even faster we need to leverage a much more powerful computational device: the graphics processing unit (GPU) on your graphics card. The graphics card essentially has hundreds of very simple cores, each of which can do the same task (but on a different candidate password) simultaneously.

Note: This was true when I first wrote this lab, but the new version of John the Ripper we are using actually supports OpenCL programming on the GPU. Since this speeds things up enormously, we used it in steps 1 and 3.

The graphics cards on our lab systems can be programmed using a proprietary language from NVidia called "CUDA" or an open graphics platform called "OpenCL". A program called "hashcat" can leverage this to try hundreds of millions of password hashes each second. Type:

    hashcat-6.1.1/hashcat.bin -m 0 -a 0 -O hash.txt wordlist.txt

Answer questions G and H in "report.txt".

Step 6. Rules and Pattern Matching

Since rainbow tables work only against unsalted passwords, the most successful technique we've looked at so far is using a wordlist. To be effective, a wordlist must contain enough passwords that one of them is likely to match the actual password. Since users seldom use plain dictionary words, the rate of success is usually quite low with a standard "English dictionary". A better alternative is to use a list of previously cracked passwords. Several of these are available online from sites like https://wiki.skullsecurity.org/index.php?title=Passwords.
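Steps 3 and 4 explain why a precomputed table cracks the unsalted hash.txt but not the salted fakeshadow, and why a word list pass is then the fallback. The following Python is an added example and is not part of the lab materials or of John, rcrack or hashcat; the word list, the hash.txt-style lines and the $1$saltsalt$... entry are constructed, and the salted scheme is a simplified MD5(salt || password) rather than real md5crypt.

```python
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed word list standing in for the lab's wordlist.txt.
WORDLIST: List[str] = ["password", "secret", "letmein", "qwerty", "dragon", "123456"]

# Constructed stand-in for hash.txt: unsalted MD5 digests, one "user:hash" per line.
# The first digest is MD5("secret"); the second matches nothing in WORDLIST.
HASH_TXT = """alice:5ebe2294ecd0e0f08eab7690d2a6ee69
bob:00000000000000000000000000000000
"""


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> password once for every candidate.

    This is the idea behind a rainbow table: the work is paid up front and
    then reused on every unsalted password file. (Real rainbow tables compress
    this map with hash/reduce chains; a plain dict shows the principle.)
    """
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Unsalted hash: a single table lookup, no hashing at attack time."""
    return table.get(digest.lower())


def crack_hash_file(text: str, table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Run the lookup over a hash.txt-style file; None means 'not in the table'."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, digest = line.split(":", 1)
        result[user] = crack_unsalted(digest, table)
    return result


def salted_digest(password: str, salt: str) -> str:
    """Simplified salted scheme: MD5(salt || password).

    md5crypt (the $1$ scheme used in fakeshadow) mixes the salt in over many
    rounds, but the effect on precomputation is the same: the stored value
    depends on the salt, not only on the password.
    """
    return md5_hex(salt.encode() + password.encode())


def parse_shadow_field(field: str) -> Tuple[str, str, str]:
    """Split a crypt(3)-style '$id$salt$hash' field into (id, salt, hash).

    The salt is stored in the clear next to the hash precisely so that a later
    login can recompute the same value; it is not a secret.
    """
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash field")
    return parts[1], parts[2], parts[3]


def crack_salted(digest: str, salt: str, words: Iterable[str]) -> Optional[str]:
    """With a salt no table built in advance applies: every distinct salt
    forces a fresh pass over the word list, hashing each candidate again."""
    for w in words:
        if salted_digest(w, salt) == digest:
            return w
    return None


def hashes_needed(n_users: int, n_words: int, salted: bool) -> int:
    """Hash computations for a word-list attack on a whole password file.

    Unsalted: hash the list once and look every user up in it.
    Salted (distinct salt per user): the list is hashed once per user.
    """
    return n_words * n_users if salted else n_words


def demo() -> None:
    table = build_lookup_table(WORDLIST)
    print("hash.txt:", crack_hash_file(HASH_TXT, table))
    # Same password, but with a per-user salt: the precomputed table is useless.
    entry = "$1$saltsalt$" + salted_digest("secret", "saltsalt")  # constructed, not real md5crypt
    _, salt, digest = parse_shadow_field(entry)
    print("table lookup on salted value:", crack_unsalted(digest, table))
    print("word-list pass with the salt:", crack_salted(digest, salt, WORDLIST))
    print("hashes for 1000 users x 1e6 words, unsalted vs salted:",
          hashes_needed(1000, 10**6, False), hashes_needed(1000, 10**6, True))


if __name__ == "__main__":
    demo()
```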