Effective Password Cracking

Academic year: 2022


Effective Password Cracking

An Offline Attack on Norwegian Passwords

Nicklas Mortensen Hamang

Thesis submitted for the degree of

Master in Network and system administration 60 credits

Department of Informatics

Faculty of mathematics and natural sciences

UNIVERSITY OF OSLO

© 2019 Nicklas Mortensen Hamang Effective Password Cracking http://www.duo.uio.no/

Printed: Reprosentralen, University of Oslo

Abstract

This thesis focuses on studying characteristics of Norwegian passwords as a means to find the best way of attacking them. This was done by using a password-cracking tool to attack offline copies of several password data breaches. We found that a majority of Norwegians use long passwords, but equally many of them still use passwords found in known password leaks. In conclusion, we recommend that Norwegians strengthen their passwords by increasing their length, adding more special Norwegian characters and, most importantly, checking their passwords against lists of leaked passwords.

Contents

1 Introduction
1.1 Motivation and Background
1.2 Research Questions
1.3 Structure of Thesis
1.4 Research Method

2 The Principle of Passwords
2.1 History of the Password
2.1.1 Passwords and Cryptography Prior to Computers
2.1.2 In the information age
2.2 Password storage
2.2.1 Plain-Text
2.2.2 MULTICS Scrambler and PNT
2.2.3 Hash
2.2.4 Salted Hash
2.2.5 Shadowed Files
2.2.6 SAM File
2.2.7 Password Managers
2.3 Password Guidelines
2.4 Psychology of Password Creation

3 Cryptography
3.1 Symmetric Cryptography
3.1.1 DES
3.1.2 Triple DES
3.1.3 AES
3.2 Asymmetric Cryptography
3.3 Cryptographic Hash Functions
3.3.1 SHA X
3.3.2 MD4 and MD5
3.3.3 LMHash and NTHash
3.3.4 Crypt

4 User Authentication
4.1 What is user authentication?
4.2 The types of User Authentication
4.2.1 Knowledge/memorization-based authentication
4.2.2 Possession-Based Authentication
4.2.3 Inheritance-Based Authentication
4.2.4 Multi Factor
4.3 NIST
4.3.1 SP 800-63B Authentication & Lifecycle Management

5 Attacking Passwords
5.1 Password Attacks
5.1.1 Password cracking
5.1.2 MITM - Man-in-the-Middle
5.1.3 Key Logger
5.1.4 Social Engineering
5.2 Data Breaches
5.3 Password Attack Tools
5.3.1 Brutus
5.3.2 Cain & Abel
5.3.3 John the Ripper
5.3.4 Hash Suite
5.3.5 THC Hydra
5.3.6 RainbowCrack
5.3.7 Hashcat
5.3.8 AirCrack NG
5.3.9 WinDump
5.3.10 Wireshark
5.3.11 Gophish
5.3.12 Social Engineer Toolkit (SET)

6 Experiment
6.1 The Machine and Software
6.2 Datasets
6.2.1 Hemmelig.com
6.3 More on Hashcat
6.3.1 Test Case
6.4 Going on the Attack
6.4.1 Brute
6.4.2 Numbers
6.4.3 Existing Lists
6.4.4 Norwegian
6.4.5 English
6.4.6 Rounding off the Attacks

7 Conclusion

8 Glossary
8.1 Avalanche effect
8.2 CAPTCHA
8.3 cygwin
8.4 Feistel Structure
8.5 Iterations
8.6 Key Stretching
8.7 Offline Attack
8.8 Online attack
8.9 Regex

A All Result Outputs
A.1 Experiment Files
A.2 Numbers
A.3 Brute-force
A.4 Existing Lists
A.5 Norwegian Names
A.6 Sports
A.7 Country- or Place-name
A.8 Norwegian Words
A.8.1 All Norwegian Dictionaries
A.9 English Names
A.10 Country- or Place-name in English or Native Languages
A.11 Movies
A.12 English Dictionary
A.13 Norwegian After English

List of Figures

2.1 MULTICS Scrambler notation [16]
2.2 Hash Salting [17]
2.3 Shadow File Entry
2.4 Generic Shadow File Entry
3.1 Principle of a symmetric-key cipher [26]
3.2 Caesar cipher Shift [28]
3.3 DES with round function components; the key splitter KS, the bit expansion E, the S-boxes S, and the bit permutation P [29]
3.4 Encrypting and decrypting using Triple DES [30]
3.5 An asymmetric key cipher [26]
3.6 An illustration of a Hash function [33]
3.7 Illustration of the properties of a hash function
3.8 bcrypt [40]
4.1 Examples of some common patterns [42]
4.2 Authenticators
4.3 Biometrics
4.4 Summary of AAL requirements [41]
5.1 Simple Rainbow reduction [56]
5.2 A password reset attack with CAPTCHA and a security question [57]
5.3 Example of phishing email, claiming to be PayPal [60]
5.4 A couple of tools to identify possible password leaks
5.5 Brutus on Windows [81]
5.6 Cain & Abel on Windows [82]
5.7 John the Ripper on Linux [86]
5.8 THC Hydra on Unix [88]
5.9 RainbowCrack on Windows [90]
5.10 Rainbow table generation with RainbowCrack [90]
5.11 HashCat MD5 Benchmark on Windows
5.12 Start monitoring wireless adapter in aircrack using backtrack [93]
5.13 Wireshark sniffing packets [95]
5.14 Gophish result template [96]
5.15 Social Engineer Toolkit main menu [98]
6.1 Breakdown of Numbers Recovered
6.2 Breakdown of Names recovered
6.3 Breakdown of Norwegian Words
6.4 Breakdown of Names Recovered
6.5 Breakdown of English Attack
6.6 A Breakdown of all Attacks
8.1 Hash iterations

List of Tables

2.1 Hash examples
2.2 UK top 10 passwords
3.1 The search space of a Hash
3.2 SHA Properties [36]
5.1 Password combinations, Time with our machine in mind
5.2 examples of using mangling rules
5.3 Hash suite supported Hashes
6.1 Attack Options
6.2 A selection of supported encryption scheme
6.3 The Debug Option For Hashcat
6.4 Simple rules used rockyou.txt
8.1 Hashcat Word Mangling Rules

Chapter 1

Introduction

1.1 Motivation and Background

The Internet has become part of our daily lives, and encompasses more and more of our activities. This includes how we read about current events through blogs and news sites, how we socialize using social media and web forums, and how we conduct our finances with online banking websites and payment apps like Vipps. All these services require some form of user authentication, which usually takes the form of user names and passwords. As people register on new websites, each person may need to maintain a relatively large number of passwords. The password-manager developer Dashlane reported in 2018 that the average user has over 200 different digital accounts using passwords [1], which can lead to negligent password hygiene. With this many accounts a user is likely to fall into one or more of the common pitfalls of password management:

• Reuse passwords across sites and services.

• Make passwords too short.

• Make predictable passwords based on easily obtained or guessed information such as:

Meaningful dates.

Names of themselves, family members, pets etc.

The Internet security firm SplashData publishes an annual report of the 25 most common passwords, and according to their 2018 report the most common password is "123456" [2]. This bad password hygiene puts a person’s digital identity at risk whenever a password data breach occurs. In this thesis we investigate the password strength of Norwegians by studying two well-known password breaches.

1.2 Research Questions

The focus of this thesis is on Norwegians’ passwords, in terms of their strength and how they can be effectively attacked. To evaluate this we would like to answer a set of questions:

1. In regard to the recent recommendation for password strength putting the focus on length, what is the length of passwords we are able to recover?

2. How many passwords of Norwegians can be recovered in existing lists of leaked passwords, or variations of them?

3. How many Norwegian passwords can be recovered using a brute-force approach with a manageable number of characters?

4. How good are Norwegians at incorporating what is specific to the Norwegian language into their passwords? Do they go to English or to Norwegian when they use predictable information, or do they lean towards something more neutral?

5. To what degree are Norwegians aware that character sets with ’ÆØÅæøå’ are supported in passwords?

6. How can conclusions from our experiment be used in guidelines to improve the strength of Norwegian passwords?

We attempt to answer these questions in this thesis by reporting the results of attacking some leaked databases of Norwegian passwords.

1.3 Structure of Thesis

Before we can conduct any attack on a database of passwords we need to go over the theoretical background about passwords and the security measures implemented to protect them. We also need an understanding of password weaknesses, as well as knowledge about the tools that can help us attack them. Therefore the first few chapters are dedicated to aspects of password security. Chapter 2: The Principles of Passwords explains how the password has evolved with regard to its storage and creation. In Chapter 3: Cryptography we explore the different ways used to obscure or encrypt digital information. Chapter 5: Attacking Passwords supplies information on how a password can be attacked. Then, the second part focuses on the experiment done on a database of passwords.

1.4 Research Method

The research method used in this project consists of four steps. The first step consists of reading up on relevant information about passwords, how they have been and how they are currently encrypted and stored. The second, third and fourth steps are somewhat intertwined. The second step is to explore and evaluate the tools that can attack a password database, before choosing the best one for our plan of attack. The third step is finding and acquiring a database of Norwegian passwords that we can attack and answer our research questions.

The fourth step consists of looking for and compiling the dictionaries that can help with the most effective attacks on the passwords of Norwegians. The fifth and final part is to conduct an experiment by performing several attacks on the database of passwords that was found, using the best tool for us and the dictionaries we had collected.

Chapter 2

The Principle of Passwords

This chapter explains the knowledge-based authentication credential known as passwords or alternatively as passphrases. We go through the history of passwords from biblical times all the way to the Internet age, describing how they are stored and used. We also cover how they are created in regards to the policies set by standards and touch upon the psychology of the people who create them.

2.1 History of the Password

2.1.1 Passwords and Cryptography Prior to Computers

Some people might think that the password arrived around the time of the first computer and has only had the purpose of securing computers. While the name "password" for a knowledge-based or memorized secret might be relatively new, the concept is probably as old as mankind itself, or at least as old as "civilised" man. The first mention of something similar to a password is in the seventh book of the Hebrew Bible and the Christian Old Testament, the Book of Judges [3].

And the Gileadites took the passages of Jordan before the Ephraimites: and it was so, that when those Ephraimites which were escaped said, Let me go over; that the men of Gilead said unto him, Art thou an Ephraimite? If he said, Nay;

Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.

Later, the Roman Legions used a passphrase distributed by a Tesserarius [4] as a method of distinguishing friend from foe. This is not the only case of Romans using passwords; the emperor Caesar is known for having used a cipher named after him. He may not be the creator of the cipher itself, but he is the first known user of it.

In more recent times, passwords or keys were used for ciphers such as Vigenere from the mid-1500’s, the ADFGVX cipher used by the Germans in WWI, and the Enigma and other rotor-based cryptographic machines. These are just a few well-known examples among many.

2.1.2 In the information age

Around the 1970’s a new age of man began; this is now known as the Information Age or the Digital Age. In this new era the way mankind shares and stores its information and knowledge changes and evolves in the form of computers.

With this new form of information processing the password also gains a new role and becomes more prevalent in the lives of the common man. In this section we explore the password from the early Digital Age till the present day.

The 1960’s and 1970’s

The first known case of the use of passwords (to protect a user’s files or information, or to grant access) is disputed. However, most experts suggest that it stems from MIT’s CTSS (Compatible Time-Sharing System) in the early 60’s and credit its creation to Fernando J. Corbató, who told Wired in 2012: "Putting a password on for each individual user as a lock seemed like a very straightforward solution" [5]. Corbató was hesitant to take the credit for the creation of the password and held that IBM’s Sabre (Semi-Automatic Business Research Environment) already had passwords, although IBM is unsure if the system had this feature at that time. The CTSS system stored its users’ passwords on the system in plain-text without any security features.

The next step in password storage comes with MULTICS (Multiplexed Information and Computing Service) in the late 60’s and early 70’s. MULTICS, the successor to CTSS, introduces a non-cryptographic hash known as the Multics Scrambler and stores the passwords in the PNT (Person Name Table). Tom Van Vleck, one of the developers on MULTICS, describes this with "Joe had suggested I store the square of the password, but I knew people could take square roots, so I squared each password and ANDed with a mask to discard some bits" [6]. Joe here refers to Joe Weizenbaum, a computer science professor working for MIT at the time of development. This early version of a hash function is then cracked by the USAF (United States Air Force) during an evaluation of the MULTICS security in the period of 1972-1974.

The 3rd edition of the UNIX operating system implements a weak cryptographic hash function under the name crypt(3) that is based on the M-209 cipher developed during WWII [7]; this is used for UNIX systems all the way up to the 6th edition. This scheme uses the plain-text password as a key instead of encrypting the password text. When it is discovered that encrypting the key can be done in approximately 1 millisecond, this scheme is no longer considered secure. As encrypting a key and testing it against a stored password takes very little time, and as passwords of the time were rather short, it would only take a few days or a few years at the most to run a brute-force attack [8] to crack any password.

Knowing the weaknesses of crypt(3) in the 3rd to 6th editions of UNIX, the crypt(3) of the 7th edition is altered to implement a 56-bit DES (Data Encryption Standard) block cipher for its hash function [9]. This gives a rather significant security improvement, as DES was quite hard to break and at that time was slow in software (this too used the password as a key to encrypt a known string). This version of crypt(3) also introduces a salt to the bits and iterates the DES 25 times [10]; this is the first known case of password stretching. The invention of hardware to address the issue of slow DES, together with the limit of 8-character passwords, puts passwords at higher risk again. crypt(3) combats this by adding a 12-bit random number; this would not work with the DES chip’s internal wiring, making the chip useless in a brute-force attack against crypt(3)-encrypted passwords.

Other mitigations to the DES chip included increasing the DES key length, salting and re-iterating multiple times.

The 1980’s and 90’s

Through most of the 1980’s there is very little advancement or development in password security or defence until the launch of System V (System 5) and BSD 4.3 (Berkeley Software Distribution version 4.3). To mitigate the security risks of the DES-hashed passwords, the developers of System V and BSD 4.3 release these with what is known as password shadowing. Password shadowing is where the usernames and passwords are stored separately, which allows the system to restrict user access to the password files [11] [12].

Microsoft’s NTLM (New Technology Local Area Network Manager) implements the MD4 (Message-Digest) hash scheme instead of DES. Unlike UNIX systems at that time, NTLM did not utilize salts, nor did it iterate the hash [13], which made it weak.

In the early- to mid-nineties the BSDi (Berkeley Software Design Inc) version of the BSD OS uses an extended version of the DES crypto scheme. This extended version supports a 24-bit random salt and a configurable number of iterations (explained in section 8.5), and allows for a password length longer than 8 characters.

FreeBSD introduces, in the 1994 release of version 1.1.5.1, the MD5-based crypto(3) algorithm created by Ronald Rivest [14]. This hash scheme would then allow for a longer password length, a salt of 48 bits and up to 1000 iterations. At the end of the 1990’s OpenBSD launches the bcrypt crypto scheme to combat the rising developments in the "cracking" of hash-based passwords. This new scheme is based on the blowfish algorithm [15] and it also uses a larger salt of 128 bits.

During this time, due to the rise in the popularity of the Internet and its need for passwords, a lot of time and development went into the creation of secure methods for transferring the password information over unsecured channels. The solution is mainly based on encrypting the traffic using SSL/TLS, but this will not be covered in this thesis.

2000’s to the present (and beyond)

Windows NT Windows 2000 starts to store passwords in a specific file called the SAM file (Security Accounts Manager). This file is then also encrypted using something called the SYSKEY as its encryption key. Very little has truly happened in the security of how we store passwords since the early 2000’s. Much like in the 90’s, the development of securely transmitting passwords was quite important in this decade as well. With the emergence of modern technologies and devices in this burgeoning millennium, however, we have started to create new forms of user authentication. Among the new authentications are two-factor, graphical, biometrics and one-time logins.

2.2 Password storage

2.2.1 Plain-Text

Plain-text is the earliest and simplest form of password storage. In this case the password is, as the name suggests, stored in readable text. There is in this case no encryption to protect what the actual password is. This would then grant anyone with access to the password file the ability to read it.

2.2.2 MULTICS Scrambler and PNT

The MULTICS system stored user passwords in what was called a PNT, where they were kept in an encrypted format and thus not in plain-text. The PNT was then further secured from unauthorized usage by utilizing an ACL (Access Control List).

The password is encrypted by the MULTICS scrambler. This scrambler works by first compressing an 8-character MULTICS-ASCII password from 72 bits down to 56 bits by removing the two higher-order bits from each character. Blanks are added if the password’s length is less than 8. The resulting compressed password, from now on called p, is then multiplied by its own low-order 16 bits and reduced modulo 10^19 - 1. The equation is illustrated in Figure 2.1.

Figure 2.1: MULTICS Scrambler notation [16]

2.2.3 Hash

Hash functions represent one of the safest known methods of password storage. Hash functions come in many forms, which will be explained in further detail in Section 3.3. The schemes used over the years are DES-based, MD4, MD5, bcrypt, SHA-1 and SHA-2. In Table 2.1 you can see the hash value of the string "password" using these schemes.

Type    Value

Plain    password

standard DES    stqZw66BRck1U

extended DES    JW8FtKdEkNM

MD4    8a9d093f14f8701df17732b2bb182c74

MD5    5f4dcc3b5aa765d61d8327deb882cf99

bcrypt    uTWAJ9Crug/6rTMe920hS.ALZlKGsmlXkUyKmgYXoxxUyWWIuq8MW

SHA-1    5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

SHA-2 (256)    5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

Table 2.1: Hash examples

2.2.4 Salted Hash

A salted hash is quite simply a hash where a "salt" is added to the front of the plain-text before it is sent through the hash function, as seen in Figure 2.2. This salt is usually some random string of a fixed length, and for maximum effectiveness it should be different for every password stored, but it is not necessary for the salt to be a secret. Adding salt is done to safeguard against certain types of attack on passwords or password files, such as look-up tables and rainbow tables, to name a few. An additional effect is that even if two people have the same password, their passwords’ hash values will be different.

Figure 2.2: Hash Salting [17]
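
The following added example (not from the thesis) implements the scheme as described above: a random per-password salt is prepended to the plain-text before hashing, and the result is compared with an unsalted look-up table built from the Table 2.2 list. The 16-byte salt, the choice of SHA-256 and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

SALT_BYTES = 16  # assumption: the text only says "a fixed length"

# The Table 2.2 passwords, used here as a stand-in for a precomputed
# look-up table of unsalted hashes.
COMMON_PASSWORDS = [
    "123456", "123456789", "qwerty", "password", "111111",
    "12345678", "abc123", "1234567", "password1", "12345",
]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256, as in the SHA-2 (256) row of Table 2.1."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Map digest -> plain-text; computed once, valid for every account."""
    return {unsalted_hash(word): word for word in words}


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, digest_hex). The salt is stored in the clear."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    # Salt goes in front of the plain-text, as in Figure 2.2.
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_password(candidate: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = store_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, digest_hex)


def compare_storage(password: str) -> Dict[str, object]:
    """Store one password for two users, with and without a salt."""
    table = build_lookup_table(COMMON_PASSWORDS)
    salt_a, digest_a = store_password(password)
    salt_b, digest_b = store_password(password)
    return {
        # Unsalted digest of a common password is a direct table hit.
        "unsalted_found_in_table": table.get(unsalted_hash(password)),
        # Salted digests miss the table: it would have to be rebuilt per salt.
        "salted_found_in_table": table.get(digest_a) or table.get(digest_b),
        # Same password, different salts, different stored values.
        "same_digest_for_both_users": digest_a == digest_b,
        "login_still_works": verify_password(password, salt_a, digest_a),
    }


if __name__ == "__main__":
    for key, value in compare_storage("password").items():
        print(key, "=", value)
```

A single fast hash pass is used here to isolate the effect of the salt; iterations and key stretching (glossary entries 8.5 and 8.6) address guessing speed separately.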

2.2.5 Shadowed Files

As the /etc/passwd file, which contains the information of the users of a UNIX system, is readable by any logged-on user, the password that used to be stored there was moved to a separate and more secure file. The names of these files differ depending on the system, but they are referred to as a shadowed password file. These files contain an entry for each user listed in the /etc/passwd file [18]. Even though the passwords were already encrypted in the original /etc/passwd file, this reduces the dangers and possibility of attacks on the passwords.

Even though the name and the structure of the shadowed file vary depending on the UNIX system, it usually resembles that of the /etc/passwd file.

A typical structure of the shadowed password file can be seen in Figure 2.3, or a more generic form in Figure 2.4.

Figure 2.3: Shadow File Entry

Figure 2.4: Generic Shadow File Entry

As seen in Figures 2.3 and 2.4, the entries are a string where the fields are separated by a colon. These fields are

• Username: the user’s login name.

• Password: The password of the user in encrypted form (created by crypt(C)), usually set up as $id$salt$hash digest. The $id$ indicates which hash algorithm was used [19]:

$1$ is MD5

$2a$ is Blowfish

$5$ is SHA-256

$6$ is SHA-512

• Last changed: Days since the password was changed.

• May change: the minimum amount of days between password changes.

• Must change: The amount of days before the password must be changed.

• Warn days: The amount of days before the previous entry that the system starts to ask the user to change their password.

• Disable: The amount of days after the expiration of the password that the account is disabled.

• Reserved: reserved for a future use.
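
The following added example, which is not from the thesis, splits shadow entries into the fields listed above and reports accounts whose $id$ points to a weak scheme. The sample entries are constructed, the set of schemes treated as weak is an assumption, and the handling of bcrypt's cost field and the optional rounds= field goes beyond the $id$salt$hash layout given in the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# $id$ values exactly as listed in the field description above.
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
DES = "DES (traditional crypt)"
# Assumption of this example: the schemes an audit reports as weak.
WEAK_SCHEMES = {"MD5", DES}
# Numeric fields, named as in the list above (fields 3 to 7 of an entry).
AGE_FIELDS = ("last_changed", "may_change", "must_change", "warn_days", "disable")

# Constructed sample entries; salts and digests are placeholders, not real
# hashes (the DES value is the Table 2.1 example for "password").
SAMPLE = [
    "alice:$6$Zx9kQ2Lm$" + "A" * 86 + ":18000:0:99999:7:::",
    "bob:$1$ab12cd34$" + "B" * 22 + ":17000:0:90:7:14::",
    "carol:stqZw66BRck1U:16000:0:99999:7:::",
    "dave:!:18100:0:99999:7:::",
    "erin:$2a$10$" + "C" * 22 + "D" * 31 + ":18200:0:99999:7:::",
    "frank::18300:0:99999:7:::",
]


@dataclass
class ShadowEntry:
    username: str
    scheme: str
    salt: Optional[str]
    digest: Optional[str]
    ages: Dict[str, Optional[int]]


def parse_password_field(field: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split the password field into (scheme, salt, digest)."""
    if field == "":
        return "empty", None, None
    if field[0] in "!*":                      # locked or no usable password
        return "locked", None, None
    if not field.startswith("$"):
        if len(field) == 13:                  # 2-char salt + 11-char DES hash
            return DES, field[:2], field[2:]
        return "unknown", None, None
    parts = field.split("$")                  # ['', id, salt, digest]
    if len(parts) < 4:
        raise ValueError("malformed $id$salt$hash field")
    scheme = HASH_IDS.get(parts[1], "unknown ($%s$)" % parts[1])
    if parts[1].startswith("2"):              # bcrypt: $2a$cost$salt22+hash31
        return scheme, parts[3][:22], parts[3][22:]
    if parts[2].startswith("rounds="):        # optional SHA-crypt rounds field
        if len(parts) < 5:
            raise ValueError("rounds= given but salt or digest missing")
        return scheme, parts[3], parts[4]
    return scheme, parts[2], parts[3]


def parse_line(line: str) -> ShadowEntry:
    parts = line.rstrip("\n").split(":")
    if len(parts) < 8:                        # the eight fields described above
        raise ValueError("expected at least 8 colon-separated fields")
    scheme, salt, digest = parse_password_field(parts[1])
    ages = {name: (int(value) if value else None)
            for name, value in zip(AGE_FIELDS, parts[2:7])}
    return ShadowEntry(parts[0], scheme, salt, digest, ages)


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Return {username: [findings]} for entries that need attention."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_line(line)
        issues = []
        if entry.scheme == "empty":
            issues.append("no password set")
        elif entry.scheme in WEAK_SCHEMES:
            issues.append("weak hash scheme: " + entry.scheme)
        elif entry.scheme.startswith("unknown"):
            issues.append("unrecognised hash format")
        if issues:
            findings[entry.username] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(user, "->", "; ".join(issues))
```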

2.2.6 SAM File

Just as the Unix systems store their passwords in a separate and encrypted file, so does Microsoft Windows. This file is known as the Security Account Manager file; it was first introduced in Windows 2000’s Service Pack 4. The file itself contains the information of the local user and group accounts, such as the password; it also includes information regarding account groups, access rights and special privileges [20].

The SAM file can be found stored in the Windows registry, and to increase the security it cannot be moved or copied while the system is running. Another feature of security is the ability to use the Windows SYSKEY to partially encrypt the file itself [21]. LM or NTLM Hashes are used to obscure the password before it is stored in this file to increase its security.

The SAM file is used in cooperation with the Local Security Authority (LSA) to validate a user’s logon attempt in order to authenticate the user’s credentials. This function is initialized on startup and runs in the background.

2.2.7 Password Managers

The last method of password storage mentioned here differs from the others, as this one is for the users themselves to store their passwords. This method is called a password manager. Password managers are applications or browser plug-ins that store all of a user’s online credentials. The purpose is that the users really only need to remember one master password, that of the manager.

These managers can help with password security, as they allow for longer, more unique passwords for each of the user’s web page or service accounts. As the passwords can be longer, mitigating the weakest link in password security (the human element), security is thus stronger. An even greater benefit is the reduction of password reuse across services.

To protect the passwords, the managers encrypt them using an encryption scheme. Which encryption is used is up to the provider of these applications and might therefore differ from provider to provider. An example is the provider www.1password.com, which uses 256-bit AES encryption in GCM mode, with a key derivation generated locally using PBKDF2.

Other features these might possess in order to increase their usefulness and security are for example:

• Identifying weak passwords

• Identifying duplicate passwords

• Help in creating a strong password

• Synchronize between systems and devices to maximize area of coverage.

• Use biometrics as master password

• Share logins without sharing passwords.

2.3 Password Guidelines

In this section we will go through the password creation rules, policies and guidelines we have had over the years. In the beginning of modern times, or at least since the early 1960’s, the only password requirements were length and which alphanumerical characters could be used. This was mostly due to the restrictions that came with the limitations of the key length of the hash functions used to secure passwords at that time. Some of these functions, such as Microsoft’s LANMAN, also converted all the characters to lower-case; this made the use of uppercase characters merely an aid to memorization.

Humans tend to create passwords they can easily remember, and as the human memory is relatively flawed and the average person tends to find it difficult to remember a large string of random characters [22], these passwords then end up being short and simple, usually a word, a name or a birthday.

Table 2.2 shows the UK’s top-ten used passwords of 2019 [23].

123456 123456789 qwerty password 111111 12345678

abc123 1234567 password1 12345

Table 2.2: UK top 10 passwords

The setup of rules and guidelines for passwords was usually up to the administrator of each system. After the arrival of the Internet, the use of passwords becomes part of our daily lives and a more standardized password policy was needed. NIST (National Institute of Standards and Technology) published their special publication 800-63-1, written by Bill Burr, where appendix A contains a short list of guidelines on how to make passwords [24]. The first edition of the NIST guidelines suggested using a minimum of 8 characters and at least one uppercase character, and avoiding common words. Over the years these guidelines have been expanded to add such rules/suggestions as to replace letters with numbers, change passwords after a specific time and use special characters such as " & #". Other safeguards should be added to the password creation, such as password blacklists and the inability to use anything that can be found in the user’s personal information provided during registration.

2.4 Psychology of Password Creation

The perfect password should contain the maximum entropy and use as many characters as the system would allow, as well as using a random selection, to achieve the best possible security. This password should also be well protected and unguessable to maximize its security. Unfortunately a person would not be able to remember it or even type it. The crux of any security system is the human element. The human mind can be said to be flawed when it comes to the ability of memorization of random combinations [22]. A person leans towards something that is easy not only to remember but also easy to type.

Why do people choose these insecure passwords? Is it really a problem to remember? A study shows that people are able to memorize a complex password but choose not to out of convenience [25]. Why may this be? The same study showed that this may be due to people ignoring the threat that comes from insecure passwords. People are typically more afraid of their private information being disseminated among their family and friends and less afraid of the threat of theft by strangers.

The reason for bad password management is not the lack of understanding the need for good and strong passwords, nor the misunderstanding of the policies of constraints in the creation of the password. An important reason is the naive belief that "Password attack and compromise won’t happen to me."

The need for convenience over security steers the human mind into creating its own (bad) rules for password creation. People typically use similar passwords over different sites of varying trustworthiness, passwords that are in some variation a word or a place (in the person’s native language or in their native land) or simply a name of someone they know. It would be easy to put this blame on the common user and think that they are the only ones guilty of bad password practices. Unfortunately this is not really the case, as we are all, or at least most of us, culpable of this to some extent.

Chapter 3

Cryptography

In the age of information technology, where information is sent over the Internet (at times using insecure networks), we are in need of a way to protect information as it passes through these networks. Since we cannot know or decide who can see the content of the communications over these networks, we must find other ways of hiding this information. To accomplish this we use cryptography, a method of hiding the information from anyone other than the intended recipients. These methods hide the content by encrypting the ordinary plain-text into an unintelligible text before sending it to its destination. Even if a possible adversary or snooper is able to intercept the message, they cannot read it without the cryptographic key.

3.1 Symmetric Cryptography

Symmetric cryptography, also known as secret-key cryptography, is a method of cryptography that utilises the same cryptographic key for both the encryption and the decryption of a message. This key is then a representation of a shared secret between the two parties of the communication to ensure a private information transmission and to keep the message protected from prying eyes. An algorithm built on symmetric keys takes a plain-text message m and encrypts it using the secret shared key k to create a cipher text c = E(k, m). To regain the original text, all that needs to be done is to decrypt the cipher text c using the same key, written as m = D(k, c) or D_k := E_k^{-1}.

Figure 3.1: Principle of a symmetric-key cipher [26]


For symmetric cryptography to work properly and to decrypt back to a readable text it is a requirement to use the same key. Without the right key the message will be lost unless the key can be recovered with cryptanalysis or by the use of brute-force key search. Depending on the encryption scheme used this can be very costly in time and resources. Symmetric cryptography is the oldest known method of encrypting information, with schemes such as the Caesar cipher being a simple substitution cipher [27]. The cipher is named after the ancient emperor of Rome Julius Caesar, who used it to secretly communicate with his military forces; his key was $k = 3$. The Caesar cipher works by shifting the letters of the alphabet in use by a certain number of places, which is specified by the key, and then encrypting a plain-text using this shift-substitution. Encryption can be written out as $E_k(a) = (a + k) \bmod x$ and decryption as $D_k(a) = (a - k) \bmod x$. In these formulas $k$ is the key, or number of places to shift, $a$ is the position of the original letter and $x$ is the number of letters in the alphabet used; this is illustrated in Figure 3.2.

Figure 3.2: Caesar cipher Shift [28]

The advantage of a symmetric cryptography scheme is that it is fast in regards to encryption and decryption. A major disadvantage of the symmetric cryptographic system is that the keys must be securely distributed prior to the communication. As there is no real secure way of transferring the keys electronically, these have to be exchanged through a secure independent channel. Additionally, symmetric crypto systems cannot be used to provide a digital signature as there is only one key, so there would not be any way of knowing which party signed.

3.1.1 DES

One of the most well-known symmetric-key cryptographic methods is DES (Data Encryption Standard), created by IBM (International Business Machines) and adopted in 1977 by the United States government as a standard for encryption of their sensitive yet unclassified data. The algorithm was the first attempt at making a universal standard for encryption and was extremely successful and revolutionary. DES is a block cipher with a 64-bit (8 byte) block.

Encryption is illustrated in Figure 3.3. The key was deliberately made relatively short, only 56 bits, to allow the NSA the ability to crack it. The DES algorithm is based on ad-hoc mixing operations instead of complicated mathematical problems and uses a Feistel structure, explained in Section 8.4, which means it uses rounds to encrypt or decrypt the data blocks. The 56-bit key is padded with 8 bits to make a 64-bit key structure. There are a total of 16 rounds, where the key is divided into 16 sub keys of 48 bits each.


Figure 3.3: DES with round function components; the key splitter KS, the bit expansion E, the S-boxes S, and the bit permutation P [29]

3.1.2 Triple DES

In the early 1990s the ease and speed with which a computer could run a key search on the DES algorithm caused a lot of discomfort among the users. To mitigate this threat a new system was needed; however, the users were concerned about the cost, both in time and money, of replacing the DES encryption/decryption scheme as it had been widely adopted and implemented in security architectures. So to both mitigate the security threats against the now insecure DES and to avoid the cost of replacing it, Triple DES, also called 3-Key DES or 3DES, was devised.

This scheme is simply to run the DES algorithm on a data block three times.

To do this, the key can be increased to 112 or 168 bits. There are three standard options for defining the three keys.

1. All the keys are independent.

2. Key 1 and key 2 are independent and keys 1 and 3 are identical.

3. All keys are identical.

Of these three options the first grants the strongest security, as this makes the key $3 \cdot 56 = 168$ independent bits long, whilst option number two only gives $2 \cdot 56 = 112$ independent bits. The third option only gives 56 independent bits, just like the original DES.

To encrypt a plain-text the Triple DES algorithm uses DES to encrypt using the first key, then decrypt using the second key and lastly encrypt using the third key. To decrypt using Triple DES this is done in reverse, by decrypting with key three, encrypting with key two and decrypting again with key one, as can be seen in Figure 3.4.

$\text{cipher} = E_{k_3}(D_{k_2}(E_{k_1}(\text{plain})))$

$\text{plain} = D_{k_1}(E_{k_2}(D_{k_3}(\text{cipher})))$

Figure 3.4: encrypting and decrypting using Triple DES [30]
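The encrypt-decrypt-encrypt construction and its three keying options, as an added example that is not code from the thesis. Python's standard library has no DES, so a 64-bit toy Feistel cipher with no real security stands in for it; `subkeys`, `round_fn`, `independent_key_bits` and the sample keys are assumptions made for illustration.

```python
import hashlib

MASK32 = 0xFFFFFFFF
ROUNDS = 16  # same round count as DES; everything else here is a toy stand-in


def subkeys(key: bytes) -> list:
    """Derive one 32-bit round key per round (hypothetical schedule, not DES's)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([r])).digest()[:4], "big")
            for r in range(ROUNDS)]


def round_fn(half: int, k: int) -> int:
    """Toy round function; in a Feistel network it need not be invertible."""
    x = ((half ^ k) * 0x9E3779B1 + k) & MASK32
    return ((x << 7) | (x >> 25)) & MASK32


def feistel(block: int, keys: list) -> int:
    """Run a 64-bit block through the rounds; reversed `keys` undo the result."""
    left, right = block >> 32, block & MASK32
    for k in keys:
        left, right = right, left ^ round_fn(right, k)
    return (right << 32) | left  # final swap makes decryption the same routine


def E(key: bytes, block: int) -> int:
    return feistel(block, subkeys(key))


def D(key: bytes, block: int) -> int:
    return feistel(block, subkeys(key)[::-1])


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, plain: int) -> int:
    """cipher = E_k3(D_k2(E_k1(plain)))"""
    return E(k3, D(k2, E(k1, plain)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, cipher: int) -> int:
    """plain = D_k1(E_k2(D_k3(cipher)))"""
    return D(k1, E(k2, D(k3, cipher)))


def independent_key_bits(k1: bytes, k2: bytes, k3: bytes) -> int:
    """Independent key material, counting 56 bits per DES key."""
    if k1 == k2 or k2 == k3:
        return 56    # an adjacent E/D pair cancels: single encryption remains
    if k1 == k3:
        return 112   # keying option 2
    return 168       # keying option 1


if __name__ == "__main__":
    plain = 0x0123456789ABCDEF
    a, b, c = b"key-one", b"key-two", b"key-three"   # constructed sample keys
    for name, keys in (("option 1", (a, b, c)),
                       ("option 2", (a, b, a)),
                       ("option 3", (a, a, a))):
        cipher = ede_encrypt(*keys, plain)
        assert ede_decrypt(*keys, cipher) == plain
        print(name, f"{cipher:016x}", independent_key_bits(*keys), "bits",
              "(same as single E)" if cipher == E(a, plain) else "")
```

With all three keys identical the middle decryption undoes the first encryption, which is why option 3 offers no more than a single key's 56 bits.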

3.1.3 AES

The Advanced Encryption Standard is a block cipher that was created in response to the fact that DES was becoming vulnerable to brute-force attacks due to its short key. It was submitted to NIST by Vincent Rijmen and Joan Daemen during NIST’s search for a new encryption standard. NIST had few but clear requirements for the new algorithm [31]:

• The cipher should be a single block cipher.

• The cipher should be available royalty-free worldwide.

• The cipher should have a public and flexible design.

• The cipher should offer the security of two-key triple-DES as a minimum.

It is a block cipher that encrypts data in 128-bit blocks using keys of three different lengths: 128, 192 and 256 bits. The algorithm is based on a substitution-permutation network instead of a Feistel network and is effective in both software and hardware. The number of rounds in AES depends on the key length:

• 10 rounds with a 128-bit key.

• 12 rounds with a 192-bit key.

• 14 rounds with a 256-bit key.


3.2 Asymmetric Cryptography

To solve the growing problem of key distribution of symmetric keys, a new form of encryption was needed. This is where asymmetric cryptography, also known as public-key cryptography, comes in. The concept was first presented by Martin Hellman and Whitfield Diffie at Stanford in 1976. A similar concept was also covertly proposed by Clifford Cocks, an employee at GCHQ (Government Communications Headquarters) in the UK, who based his work on papers written about "The Possibility of Secure Non-Secret Digital Encryption" by James Ellis. This new form of cryptography is based on using two different keys, one public key for encryption and one private key for decryption, as can be seen in Figure 3.5.

Figure 3.5: An asymmetric key cipher [26]

The idea for the public key scheme is to allow for a public disclosure of algorithm and encryption key. The keys are two rather large non-identical numbers that are paired together through a mathematical function.

There are many asymmetric cryptographic algorithms out there, including but not limited to RSA, DSA and ElGamal. Asymmetric cryptography is used mainly in Web protocols and digital signatures, to name a few, but is not really utilized for password storage, which is why these algorithms are not described in detail here.

3.3 Cryptographic Hash Functions

A hash function is a one-way cryptographic function that obscures the original text. This should be done as it is irresponsible in regards to security to store passwords in plain-text. The hash function takes an input, also known as the message, of finite arbitrary length and returns a string (also known as a hash-code, hash-result, hash-value or simply hash) of fixed length [32]; this length differs depending on the hash scheme used. A mathematical representation of a hash function is shown below, where $n$ is the length of the output. An illustration of this function can be seen in Figure 3.6.

$h: \{0, 1\}^* \to \{0, 1\}^n, \quad m \mapsto h(m)$


Figure 3.6: An illustration of a Hash function [33]

The main purpose of a hash function is to authenticate data. For a cryptographic hash function to be useful for password storage protection it has to fulfill a few important properties, such as pre-image resistance, second pre-image resistance and collision resistance [34], as is illustrated in Figure 3.7.

1. Pre-image resistance is the property of a hash function that it is hard to invert, that is, given an element in the range of a hash function, it should be computationally infeasible to find an input that maps to that element. In other words, if hash function $h$ produces hash value $v$ it should be infeasible to find an input $x$ such that $h(x) = v$.

2. Second pre-image resistance is the property of a hash function that it is computationally infeasible to find any second input that has the same output as a given input. Again in other words, it should be infeasible for a hash $h$ that has the input $x$ to find an input $y$ so that $h(y) = h(x)$.

3. Collision resistance is the property of a hash function that it is computationally infeasible to find two colliding inputs, although many such collisions exist. This property is related to second pre-image resistance, which is also known as weak collision resistance. It should be infeasible for hash function $h$ to find two inputs $x$ and $y$ such that $h(x) = h(y)$.

Figure 3.7: Illustration of the properties of a hash function

Hash functions allow for a certain level of security when it comes to password storage, because even if someone gains access to the hashed password or password file(s) it is difficult to recover the original plain-text password. Considering the computational complexity of the hash function and the policies of password length, it should take some time to perform a brute-force attack on a hash. The search space of a brute-force attack on a hash is $x^n$, where $x$ is the number of different characters that can be used and $n$ is the number of characters in the password. A few of these calculations can be seen in Table 3.1. There are several hash functions available that have been used for the storing of passwords. Although they do the work differently, their function is pretty much the same.

| string | search space length | search space size |
|---|---|---|
| a | 29 (a−å) | $29^1 = 29$ |
| aa | 29 (a−å) | $29^2 = 841$ |
| Aa | 58 (a−å, A−Å) | $58^2 = 3364$ |
| Aa1 | 68 (a−å, A−Å, 0−9) | $68^3 = 314432$ |
| Aa1! | 101 (a−å, A−Å, 0−9, 33 symbols) | $101^4 = 104060401$ |
| P4$$word | 101 (a−å, A−Å, 0−9, 33 symbols) | $101^8 = 1.0828567 \times 10^{16}$ |

Table 3.1: The search space of a Hash

3.3.1 SHA X

Among the many cryptographic hash functions that are used to safeguard our passwords are those of the SHA (Secure Hash Algorithms) series. This series of hashes includes SHA-0, SHA-1, SHA-2 (containing SHA-256 and SHA-512) and SHA-3. The first of these was created by the NSA back in 1993, but it was withdrawn shortly after its publication and replaced with SHA-1, which was considered to be a US Federal Information Processing Standard (FIPS) [35].

There are some differences between these algorithms, some of which are shown in Table 3.2. Hash functions differ quite significantly when it comes to the level of security they provide. Even so, they can all be described as working in two stages: Preprocessing and Hash computation. Preprocessing has three steps. First it pads the message ($m$) to make sure that $m$ is a multiple of a specific number of bits, depending on which algorithm is in use. Second, it parses $m$ into blocks of a predetermined number of bits, again based on the algorithm in use. The final step is setting an initial hash value; from here the hash is computed in steps.

Table 3.2: SHA Properties [36]

3.3.2 MD4 and MD5

The MD4 hash function, designed by Ronald Rivest back in 1990, focused on security, simplicity and speed, and was specifically made fast on a 32-bit microprocessor architecture as this was the dominant standard of the time. It took a message of arbitrary length and returned a string of 128 bits [37], sending the message through 3 rounds of 16 steps to accomplish its goal. As MD4 proved to be too fast and it was possible to find two different messages with the same hash, it was replaced by MD5. The MD5 function is based on MD4 but puts more focus on security than on efficiency. MD5 differs from MD4 on 6 points [38]:

1. A fourth round was added.

2. Each step has a unique additive constant.

3. The function $g$ in round 2 was changed from $(XY \lor XZ \lor YZ)$ to $(XZ \lor Y \lnot Z)$ to make $g$ less symmetric.

4. Each step now adds in the result of the previous step. This promotes a faster "avalanche effect".

5. The order in which input words are accessed in rounds 2 and 3 is changed, to make these patterns less like each other.

6. The shift amounts in each round have been approximately optimized, to yield a faster "avalanche effect". The shifts in different rounds are distinct.

However, attacks against MD5 also exist, so it is possible to find collisions.

3.3.3 LMHash and NTHash

LAN Manager (LM) Hash or LMHash is the oldest known method of password storage used by Windows. It is quite simple and can be explained in 5 easy steps by their own website [39]:

1. Convert all lower case characters in the password to upper case

2. Pad the password with NULL characters until it is exactly 14 characters long

3. Split the password into two 7-character chunks

4. Use each chunk separately as a DES key to encrypt a specific string

5. Concatenate the two cipher texts into a 128-bit string and store the result

As the method uses DES encryption it is not really a hash function but is used as one, and the resulting hash output is stored in the SAM file. This hash is very easily cracked and is therefore now turned off by default in the newer versions of Windows.

The successor of the LMHash is the NTHash, also known as the Unicode hash as it supports the entire Unicode character set. This hash function simply hashes the password using the MD4 scheme [39]. The resulting hash is also stored in the SAM file.

3.3.4 Crypt

Crypt(c) is the function in Unix systems that is responsible for hashing the passwords within the system. It utilizes many different algorithms to accomplish this. These algorithms are DES-ext, MD5, Blowfish, NT-hash, SHA-256 and SHA-512, which have already been explained here.


bcrypt with Blowfish

The bcrypt hash is based on the Blowfish block cipher cryptographic algorithm [15]. This function is an adaptive hash that uses a technique known as key stretching, explained in Section 8.6. It introduces a work factor that is used to decide the cost of the function, which determines how slow the function is at hashing plain-text. This can make bcrypt very resistant to brute-force attacks; it also means that the function can be utilized for some time even as machines become more powerful. A representation of bcrypt can be seen in Figure 3.8.

Figure 3.8: bcrypt [40]


Chapter 4

User Authentication

One of the most important things when it comes to the use of computers and networks is user authentication. In this chapter we explain the main aspects of user authentication, what it is, what forms it may have, some examples of its uses and most importantly why it is needed.

4.1 What is user authentication?

When using a service like email, online banking or e-health, to name a few, there can be a certain level of uncertainty as to the digital identity of an entity that is trying to engage in the online transaction. This transaction can be something as simple as logging into a streaming service or something more complex like a bank transaction. This is where user authentication comes in to solve the problem and give a level of assurance as to the validity of the claim. In simpler terms, any form where a person is required to log on as a way of proving their identity so as to interact with a system is a case of user authentication. As some services need a higher level of certainty as to who is attempting to log on to their system, there has to be a way of providing this. The solution is to define several levels of user authentication, known as Authentication Assurance Levels or AAL. These levels are defined and outlined in NIST’s special publication 800-63 appendix B [41] and explained in Section 4.3.1. The European eIDAS also defines similar authentication assurance levels.

4.2 The types of User Authentication

Just as there are levels of user authentication, there are several different types of user authentication. These types are divided into three categories:

• Knowledge/memorization-based: something you know.

• Possession-based: something you have.

• Inheritance-based: something you are.

4.2.1 Knowledge/memorization-based authentication

Knowledge or memorization-based authentication is any form of user authentication that requires the user to remember something. Examples of this type of authentication are passwords and usernames, PIN codes and patterns such as those found on Android devices, which can be seen in Figure 4.1. These forms are some of the simplest cases of authenticating the user’s identity, but are also considered the weakest in terms of security. This is of course because they are easier to share than the other types of authentication.

Figure 4.1: Examples of some common patterns [42]

4.2.2 Possession-Based Authentication

Possession-based authentication is where something you can own and control can be used as proof of identity. Some examples of this are smart cards and authenticator devices. Authenticator devices, also known as security tokens, are physical devices or smartphone applications that create a token that can be used to log in to a service. There are several types of these authenticators, among them the one-time-password (OTP) device, which creates a one-time-use password using an embedded secret as a seed. These OTPs are predictable based on this seed, which allows the receiving system to know what the next OTP should be in order to authenticate it. Another type of device is a lookup secret: a device or even a physical object like a card that stores a predetermined number of one-use secrets. Figure 4.2a and Figure 4.2b show samples of these two examples respectively.

(a) BankId [43] (b) Code card [44]

Figure 4.2: Authenticators


4.2.3 Inheritance-Based Authentication

The last category of authentication is inheritance-based; in this case we are talking about anything that you are, in other words a characteristic that only you have and no one else can imitate. Another, better known term for this is biometrics, which includes fingerprint (Figure 4.3a), retina (Figure 4.3b), iris, voice, DNA and face.

Biometrics are based on the fact that a characteristic such as a fingerprint is highly unique. No one else is in possession of exactly the same fingerprint, not even identical twins; this may be because a fingerprint is developed as a result of the environment we encounter while in our mother's womb and not a genetic factor [45]. This can also be said about methods involving the retina and the iris. While our DNA in some cases is not completely unique, as in the case of identical twins, it is still a rather strong form of authentication. This cannot truly be said for our faces or voices, yet these are still used as a method of authentication, usually on personal devices such as smartphones. This is not to say that all forms of biometrics are a guaranteed constant throughout a person's lifetime; these characteristics can change during a person's life. Some may alter over time while others usually change via some sort of trauma.

(a) Fingerprint [46] (b) Retina [47]

Figure 4.3: Biometrics

4.2.4 Multi Factor

To increase the level of security of these different methods of authentication another form can be implemented, known as multi-factor authentication.

This is any authentication system where two or more of the above-mentioned categories are used as proof of your digital identity.

4.3 NIST

NIST was founded by request from Congress in 1901 and established in Washington D.C. as the National Bureau of Standards, to fill a need for nationalized standards. At that time in the US there were for example different gallons and four different feet in use [48]. In the late 40’s NIST moved into the world of computing with the Standards Eastern Automatic Computer (SEAC).

Over the years NIST has established ten separate laboratories [49], six of these are still operating [50]:


• Communications Technology Laboratory (CTL)

• Engineering Laboratory (EL)

• Information Technology Laboratory (ITL)

• Center for Neutron Research (NCNR)

• Material Measurement Laboratory (MML)

• Physical Measurement Laboratory (PML)

After a few decades of working on the standards of computer security and cryptography, the work on standards within information technology was turned over to one of NIST's laboratories, the Information Technology Laboratory (ITL). ITL is a measurement and testing laboratory that handles a broad spectrum of computer science, mathematics, statistics and systems engineering fields [51]. One of their main priorities is cybersecurity; this is where the special publication 800-63-3 comes in, which is the Digital Identity Guidelines.

This publication is a report that contains details of their research, guidelines and their collaborations with other government agencies, academic institutions and corporations. The publication also contains three additional appendixes,

• SP 800-63-3A Enrollment & Identity Proofing.

• SP 800-63-3B Authentication & Lifecycle Management.

• SP 800-63-3C Federation & Assertions.

In a newer edition of the publication ITL has retired the concept of Level of Assurance (LOA) as one single measurement of authentication implementation. Instead it was divided into three distinct parts that provide a higher level of flexibility for agencies in choosing an identity solution. These three parts are [52]:

IAL: refers to the identity proofing process.

AAL: refers to the authentication process.

FAL: refers to the strength of an assertion in a federated environment, used to communicate authentication and attribute information (if applicable) to a relying party (RP).

4.3.1 SP 800-63B Authentication & Lifecycle Management

This appendix of the SP 800-63 handles the details about the authentication process and the management of an authenticated session's lifecycle. It is written to give agencies a guideline for how to implement digital authentication online [41]. As some logins are not really required to be traceable back to a single entity, while other cases may need this, the AALs are created and outlined by NIST in this publication and explained further below. Other topics that are explained in great detail within this publication are the lifecycle and recovery of an authenticator, and the threats and security considerations to the authentication process, such as an attack on the session, as well as mitigations to these threats [41].


Authenticator Assurance Level

Authentication Assurance Levels are numbered from 1 to 3, with 1 being the lowest and 3 being the highest. These levels are defined as follows, and a summary can be found in Figure 4.4 from NIST [41]:

Authenticator Assurance Level 1: AAL1 provides some assurance that the claimant controls an authenticator bound to the subscriber’s account. AAL1 requires either single-factor or multi-factor authentication using a wide range of available authentication technologies. Successful authentication requires that the claimant prove possession and control of the authenticator through a secure authentication protocol.

This level suggests that reauthentication should occur periodically and at least once per 30 days, meaning that a user should be logged out and required to log back in, no matter the activity of the user.

Authenticator Assurance Level 2: AAL2 provides high confidence that the claimant controls an authenticator(s) bound to the subscriber’s account. Proof of possession and control of two different authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.

Reauthentication at this level should happen every 12 hours during extended sessions, no matter the level of user activity. It should also happen after any period of inactivity exceeding 30 minutes. Reauthentication after a short period of inactivity may require only a memorized secret or a biometric to accompany a still-valid session secret.

Authenticator Assurance Level 3: AAL3 provides very high confidence that the claimant controls authenticator(s) bound to the subscriber’s account. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication requires a hardware-based authenticator and an authenticator that provides verifier impersonation resistance; the same device may fulfill both these requirements. In order to authenticate at AAL3, claimants are required to prove possession and control of two distinct authentication factors through secure authentication protocol(s). Approved cryptographic techniques are required.

Reauthentication again should be repeated once per 12 hours during an extended session regardless of activity, as well as after a period of 15 minutes or longer of inactivity. Here it would be necessary to provide both factors of authentication to reinstate the session.


Figure 4.4: Summary of AAL requirements [41]

In the following list is an outline and short explanation of the different authenticator types that are described in this document and are used in the authentication levels [41].

Memorized Secret is a secret that you have to remember, usually known as a password, a PIN or a pattern.

Look-up Secret is a physical or electronic device that comes prestored with a set of secrets that is shared between the device and the Credential Service Provider, aka CSP.

Out-of-Band is a physical device that can communicate securely with the verifier over a distinct communication channel.

Single-Factor one-time-password Device is a device that generates an OTP. This can be a hardware device or software installed on another device, e.g. a smartphone.

Multi-factor one-time-password Device is like a single-factor device that generates the OTP after it is activated through another form of authentication.

Single-Factor Crypto Software is a software-based cryptographic authenticator that stores a cryptographic key on some sort of soft media.

Single-Factor Crypto Device is a hardware device that performs cryptographic operations using a protected cryptographic key.

Multi-factor Crypto Software is like single-factor crypto software that only performs its job after it has been activated with another authentication.

Multi-factor Crypto Device is a hardware device that performs cryptographic operations using one or more protected cryptographic keys and requires activation through a second authentication factor [41].


Chapter 5

Attacking Passwords

Whenever anybody creates a strong defence, someone else will create an even stronger attack. This has been true throughout the history of humans’ strive for security. Be it stronger metals to break the sword of an enemy, a mightier bullet to penetrate vests or even a more intelligent virus to wear down the immune system. So why should password/cyber security be any different from these?

They are also created to provide security and are therefore subject to the same battle between attack and defence.

The first attack on the use of digital passwords is almost as old as the first use of passwords in informatics [5]. Some of the methods of attack against password security and password storage might be discovered by accident while others are created on purpose. As long as there are smart people that work hard to ensure our security, there will be someone very creative on the other side to destroy their work or to exploit it. This is not to say that all attacks or exploits are created or used by those with ill intentions; there are some that also use them to improve on the way we implement and develop our security measures. Another noble use for a password attack could be the attempted recovery of a lost password.

In this chapter we explore some of the attacks or data breaches that have happened throughout time, focusing on the information age, and even take a look at their implications. We explain some of the attack methods that exist against passwords of today, and mention some of the tools, software and applications that can carry out such attacks.

5.1 Password Attacks

Today there exists a myriad of ways to obtain someone’s password. Some of these password attacks are based on the computational power of computers.

These consist of dictionary attacks, brute force attacks, fingerprint attack, phrase attack and the use of a rainbow table. Some are more based on the manner in which we transfer the passwords across the system or systems, whilst others rely more on the human factor, such as the possible weaknesses of the owner of said password, known as social engineering.

Another factor in deciding the best approach is whether it will be an online attack or an offline attack.


5.1.1 Password cracking

Password cracking is when somebody tries to guess or brute-force the search for passwords. It can be either for nefarious or noble causes. This can as earlier stated be achieved by using the computational power of computers.

Most computers nowadays can run from a billion to tens of billions of hash computations per second. This gives an attacker the ability to test an almost unimaginable amount of possible passwords in a very short time. There are a few different types of password cracking techniques to use on a single login or an entire database; some of these are explained further below. The most efficient method of cracking is dependent on a few factors of the password as well as the system and protocols used.

Unpredictability: How easy would it be to guess it.

Length: The length of the password to crack.

Complexity: Its use of characters: does it contain letters, numbers and/or symbols, and how they may be combined.

Unfortunately these password factors are usually unknown for larger datasets and knowing which method to use can end up being an educated guess at best. Luckily we can depend on other factors that can be more known or even some that can tell us something about the password structure.

• Character set allowed

• Password complexity requirement or lack thereof.

• Protocols used by the service.

• Other password safeguards like blacklisting words or personal information.

Brute Force

A brute-force attack is as simple and unrefined as it sounds: it is the practice of trying every conceivable combination until the attacker gets it correct or possibly gives up. It is a trial-and-error method that is usually done by systematically trying passwords until the correct password is recovered or all the combinations have been exhausted.

Important variables in starting a brute-force attack on a password or a set of passwords are the minimum and maximum password lengths, as well as which character sets should be tested in the password possibilities. As an example, suppose the password is at least 4 characters long and shorter than 10, and can contain only a-å and A-Å. The attack would then start at aaaa, then go to aaab, to aaac and so on until it ends, either because the password is recovered, all passwords are recovered or it reaches ÅÅÅÅÅÅÅÅÅÅ.

The attack’s biggest strength is that it is relatively easy to set up and perform. Given enough time, space and/or computer power it is in reality the only attack that can find 100% of passwords, assuming of course all possible character sets are in use. The attack is best suited for an offline attack against a leaked, stolen or legally obtained database, as an attack online allows the service to restrict attempts per second. A problem with this technique though is that it can be slow, because the time to run through all possible combinations grows in proportion to the space of possible passwords.

A few calculation rates of this are shown in Table 5.1, considering a Norwegian alphabet and testing 11,051,000,000 passwords per second, which today is a rather medium rate. This can also be done as a Mask attack, where it is possible to set any "rule" to reduce the number of possibilities. Let us say that the attacker knows that the password is capitalized, and that there are numbers at the end. Then they can set up a mask that tells the program how to compile the possible passwords to test.

| Length | Characters | Combinations | Computing time |
|---|---|---|---|
| 4 | a-å, A-Å, 0-9 | 68^4 = 21,381,376 | 0.042 seconds |
| 4 | a-å, A-Å, 0-9, 33 symbols | 101^4 = 104,060,401 | 1.9 milliseconds |
| 8 | a-å, A-Å, 0-9 | 68^8 = 4.5716324×10^14 | 11.5 hours |
| 8 | a-å, A-Å, 0-9, 33 symbols | 101^8 = 1.0828567×10^16 | 11.34 days |
| 10 | a-å, A-Å, 0-9 | 68^10 = 2.1139228×10^18 | 6 years |
| 10 | a-å, A-Å, 0-9, 33 symbols | 101^10 = 1.1046221×10^20 | 317 years |
| 12 | a-å, A-Å, 0-9 | 68^12 = 9.7747791×10^21 | 28 millennia |
| 12 | a-å, A-Å, 0-9, 33 symbols | 101^12 = 1.126825×10^24 | 3.2 million years |
| 16 | a-å, A-Å, 0-9 | 68^16 = 2.0899823×10^29 | 60 billion years |
| 16 | a-å, A-Å, 0-9, 33 symbols | 101^16 = 1.1725786×10^32 | 336 trillion years |

Table 5.1: Password combinations, Time with our machine in mind

Mask Attack

A Mask Attack is in essence an intelligent form of brute force. Instead of just running all possible combinations of characters, we tell the attack which character sets to try at which position. Take the password "Joakim123": if this was to be attacked using a traditional brute-force attack, it would take about 3 years for this password to be recovered using the math given above. But let's say we know that the password starts with a capital letter and contains numbers at the end. We could then give our tool a mask that is structured to attack this. With this mask the attack would take about 90 minutes instead, considering the same math. A mask attack also allows us to add more specific information about the password and test combinations around it. Let's say we are looking for the password "student2011" and we know that it contains the "student" part. We can then add this to our mask and attack the subsequent missing part. An example mask for this in hashcat would be student?a?a?a?a. This mask would then test the partial string "student" followed by all four-character combinations; adding the option --increment would start from one character and work its way up to four.
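The arithmetic behind Table 5.1 and the mask discussion above, as an added example that is not part of the thesis: it counts the candidates a hashcat-style mask covers and the worst-case time to exhaust them at the quoted rate, which is how a defender can judge the margin a password policy leaves. The `NORWEGIAN` charset sizes, the function names and the `increment_min` parameter are assumptions made for this example.

```python
# Added example: search-space size and worst-case time for a hashcat-style mask.
# ASCII sizes are hashcat's built-in ?l ?u ?d ?s ?a sets. NORWEGIAN is an
# assumption that mirrors Table 5.1 (29 letters a-å per case); in hashcat
# itself, covering æ, ø and å would need a custom charset.
ASCII = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}
NORWEGIAN = {"l": 29, "u": 29, "d": 10, "s": 33, "a": 101}
RATE = 11_051_000_000  # guesses per second, the rate the text quotes


def positions(mask, sizes=NORWEGIAN):
    """Number of candidate characters at each position of the mask."""
    out, i = [], 0
    while i < len(mask):
        if mask[i] != "?":            # literal character: one candidate
            out.append(1)
            i += 1
            continue
        key = mask[i + 1:i + 2]       # empty string if '?' ends the mask
        if key == "?":                # '??' stands for a literal '?'
            out.append(1)
        elif key in sizes:
            out.append(sizes[key])
        else:
            raise ValueError(f"bad placeholder at offset {i}: ?{key}")
        i += 2
    return out


def keyspace(mask, sizes=NORWEGIAN, increment_min=None):
    """Candidates for the full mask, or, when increment_min is given, the
    sum over every mask prefix from that length up to the full length."""
    total, running = 0, 1
    for length, n in enumerate(positions(mask, sizes), start=1):
        running *= n
        if increment_min is not None and length >= increment_min:
            total += running
    return running if increment_min is None else total


def worst_case(mask, sizes=NORWEGIAN, rate=RATE, increment_min=None):
    """Time to exhaust the mask, as (value, unit) in the largest fitting unit."""
    seconds = keyspace(mask, sizes, increment_min) / rate
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return round(seconds / span, 2), unit
    return round(seconds, 4), "seconds"


if __name__ == "__main__":
    for m in ("?a" * 8, "?a" * 11, "student?a?a?a?a"):
        print(m, keyspace(m), worst_case(m))
```

Eight `?a` positions reproduce the table's 101^8 row at 11.34 days, while fixing the known prefix in `student?a?a?a?a` leaves only 101^4 candidates, the same count as a four-character password.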

Dictionary

A Dictionary Attack is a type of brute-force attack, although it is a bit more refined in its approach to cracking a password or passphrase. This attack is a rather significant improvement on pure brute-force when it comes to longer passwords, as searching for passwords that are 8 characters or longer is very costly in terms of time if we were to try all possible combinations. It is a password guessing technique that tries a list of words from a dictionary
