Dictionary Attacks and Password Selection

Rochester Institute of Technology, RIT Scholar Works, Theses, 2-21-2014

Dictionary Attacks and Password Selection
Tarun Madiraju
Follow this and additional works at: https://scholarworks.rit.edu/theses

Recommended Citation
Madiraju, Tarun, "Dictionary Attacks and Password Selection" (2014). Thesis. Rochester Institute of Technology. Accessed from

This Thesis is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected].

Rochester Institute of Technology
B. Thomas Golisano College of Computing and Information Sciences
Thesis Report: Dictionary Attacks and Password Selection
By Tarun Madiraju
A Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Computing Security & Information Assurance
Department of Computing Security
Date: 02/21/2014

Committee Approval
Bill Stackpole, Thesis Committee Chairperson
Daryl Johnson, Thesis Committee Member
Yin Pan, Thesis Committee Member

ABSTRACT
Passwords, particularly text-based ones, are the most common authentication mechanism across platforms and services: computers, mobile devices, web and network services. Existing password strength evaluators, including the strength estimators used by online service providers (Gmail, Yahoo, PayPal, Twitter, etc.), judge the effectiveness of a user-chosen password using entropy-based techniques or a similar function of its length, complexity and predictability. Such implementations often ignore whether the password appears in publicly available password dictionaries or in password leaks, which are the primary choice of malicious adversaries and particularly of script kiddies. This paper presents an application that helps prevent the use of such passwords, thereby significantly reducing the impact of dictionary-based password attacks.

The application maintains a database of unique passwords by gathering publicly available password dictionaries and passwords leaked over the Internet. It provides users with an interface to query the database and verify whether their passwords are already available on the Internet, thereby preventing the use of such passwords.

List of Tables
Table 1: Password Strength Comparison

List of Figures
Figure 1: Building the Password Database
Figure 2: Current Database Structure
Figure 3: Future Database Structure
Figure 4: Web Application Workflow
Figure 5: Website - Home Page
Figure 6: Website - About Page
Figure 7: Website - Statistics Page
Figure 8: Website - FAQ Page
Figure 9: Website - Terms & Conditions
Figure 10: Website - Contact Page
Figure 11: Usage - Input Plaintext Password
Figure 12: Usage - Output Password Presence
Figure 13: Usage - Input Password Hash
Figure 14: Usage - Output Password Presence
Figure 15: Usage - Input Password
Figure 16: Usage - Output When Password Not Found

Table of Contents
ABSTRACT
List of Tables
List of Figures
1 INTRODUCTION
2 LITERATURE REVIEW
3 APPLICATION DETAILS
  3.1 Application
  3.2 Helper Components
  3.3 Working
    3.3.1 Building the password database
    3.3.2 Application Workflow
  3.4 Application GUI & Usage
  3.5 Application Deployment Models
    3.5.1 Cloud Instance
    3.5.2 Virtual Machine
    3.5.3 API Model
    3.5.4 Database Only Model
4 STATISTICS
5 FUTURE WORK
6 CONCLUSION
7 REFERENCES
8 Appendix
  8.1 Appendix: Scripts
    8.1.1 Password Importer
    8.1.2 Google Password Rating URL - Stats Generator
    8.1.3 PasswordMeter.com - Stats Generator
    8.1.4 Password Database - Stats Generator (CommonDB)
    8.1.5 Crackstation Dictionary - Stats Generator (CrackstationDB)
    8.1.6 Harvester for Datalossdb
    8.1.7 Harvester for Twitter
    8.1.8 Harvester for Skull Security

1 INTRODUCTION
Passwords are the primary choice for authenticating users and are likely to remain so for a significant time to come [1] [2], because of the practicality they offer service providers and the convenience they offer end-users. Qualys [3] identified password guessing attacks as a top cyber security risk after
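The lookup service the abstract describes, as an added example that is not the thesis's own code: a constructed sample leak list is de-duplicated and hashed into a digest store, a candidate password can be checked either as plaintext (Figure 11) or as a submitted hash (Figure 13), and the verdict is set beside a length-times-charset entropy estimate of the kind the abstract says existing meters rely on. The leak list, the function names and the choice of MD5/SHA-1/SHA-256 as query digests are assumptions made for illustration; the thesis does not state which hash formats its interface accepts.

```python
"""Leaked-password lookup with plaintext and hash queries.

Added example, not code from the thesis. The leak list below is constructed
for illustration; a real database would be built from public dictionaries and
leak dumps. Function names and the MD5/SHA-1/SHA-256 choice are assumptions.
"""
import hashlib
import math
import string

# Constructed sample "leak dump" (assumption), with one duplicate entry so the
# de-duplication step is exercised.
SAMPLE_LEAK = [
    "password",
    "123456",
    "P@ssw0rd",
    "letmein",
    "qwerty123",
    "Summer2013!",
    "password",
]

HASH_ALGORITHMS = ("md5", "sha1", "sha256")
DIGEST_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def build_database(leaked_passwords):
    """Return {algo: set of hex digests} over the unique leaked passwords.

    Only digests are stored, so hash queries are a direct set lookup and the
    plaintext list is not needed at query time.
    """
    unique = {p for p in leaked_passwords if p}
    db = {algo: set() for algo in HASH_ALGORITHMS}
    for pw in unique:
        data = pw.encode("utf-8")
        for algo in HASH_ALGORITHMS:
            db[algo].add(hashlib.new(algo, data).hexdigest())
    return db


def is_leaked(db, password):
    """Plaintext query: hash the candidate locally, then look it up."""
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return digest in db["sha256"]


def is_leaked_hash(db, hex_digest):
    """Hash query: choose the table from the digest length, then look it up.

    Anything that is not a hex MD5/SHA-1/SHA-256 digest raises ValueError, so
    a malformed query is rejected instead of being reported as 'not found'.
    """
    h = hex_digest.strip().lower()
    algo = DIGEST_LEN_TO_ALGO.get(len(h))
    if algo is None or any(c not in string.hexdigits for c in h):
        raise ValueError("expected a hex MD5, SHA-1 or SHA-256 digest")
    return h in db[algo]


def naive_entropy_bits(password):
    """Length x log2(character-pool size), the estimate style the abstract
    criticises: it scores P@ssw0rd highly although it is in every wordlist."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def evaluate(db, password):
    """Combine both views: a leaked password is rejected whatever its entropy."""
    bits = naive_entropy_bits(password)
    verdict = "reject" if is_leaked(db, password) else "accept"
    return verdict, round(bits, 1)


if __name__ == "__main__":
    db = build_database(SAMPLE_LEAK)
    for candidate in ("P@ssw0rd", "Summer2013!", "correct horse battery staple"):
        print(candidate, evaluate(db, candidate))
    # A client that will not send plaintext can submit a digest instead.
    print(is_leaked_hash(db, hashlib.md5(b"password").hexdigest()))
```

Two caveats a deployment of this pattern should keep in mind. Submitting a plaintext to a remote checker is itself a disclosure, and submitting an unsalted digest is only marginally better, since a fast hash of a dictionary word is reversed by the same dictionary; the check belongs server-side over TLS or on the client's own copy of the database. Second, the hash path only matches unsalted digests: a salted or iterated hash pulled from a breached credential store will never hit the table, so such entries must be cracked or obtained in plaintext before import.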

Document details: PDF, 67 pages, English.