Saturday, June 07, 2014

Password Cracking

Doing a little bit of work related reading today and learned a few things about passwords based on a 2013 Derbycon presentation:

Password rotation introduces password vulnerabilities (I actually already knew this and have complained about it at various jobs but what can you do)

*Users will invent ways to remember their password
**90 day rotation - seasonal password
**30 day rotation - month based
***Users will use the same root word for future passwords and only change numbers and special characters

Keyboard Patterns, i.e. qwe123, easily defeated by Hashcat

Special rules required?

*There is an order to which characters, numbers, special characters people will use
*There is an order to where they will place specific characters
**These patterns are universal
***Exclamation point is the most commonly used special character
***Capital letters are almost always the first letter in a password
***If the rules require a special character and a digit the special character and the digit will be at the end. 

Simple stuff but with the tools and hardware available now it makes it almost trivial to compromise a password.

(Note:  I am claiming no special expertise in password cracking just remarking on what I was reading and viewing)

Post a Comment

The Ultimate "Get Psyched" Playlist

I am busily loading up a playlist for DefCon so of course I had to turn to "The Ultimate Get Psyched" Playlist as published by Bar...