Upload
gertrude-webb
View
219
Download
1
Tags:
Embed Size (px)
Citation preview
Background
A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value.
Cryptographic hash functions are used to encrypt passwords in many corporations
Password strength can be a key vulnerability in large corporations without proper policies on password security.
Password Security in Relation to Penetration testing
Penetration testing involves trying to take control over systems and obtain data
One of the ways this is accomplished is by exploiting weak password schemes
If password auditing is not a part of penetration testing you leave yourself open to the likelihood of a breach
Password Cracking, What are we trying to prevent?
There are several methods for password cracking available.
Brute-force cracking, in which a computer tries every possible key or password until it succeeds.
Dictionary attacks, pattern checking, word list substitution, etc., attempt to reduce the number of trials required and will usually be attempted before brute force.
Focus of this presentation: Brute Force
Http://hashsuite.openwall.net
- Hash Suite Demo
Http://www.golubev.com/blog
-ighashgpu
Another good open source program: HashCat: HashCat.net
GPU vs CPU hashing comparison
Laptop(Amd A8 3400M... 4 cores): Averages about 100 million passwords per second. (6 characters)
Desktop(GPU: ATI Radeon HD 5970... 40 cores): Averages about 2.2 billion passwords per second. (7 characters)
This is why recommendations are being made currently to have no less than 12 characters using uppercase, lowercase, digits, and special characters.
Sources:
Wikipedia, Cryptographic Hash Function:
http://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification Wikipedia, Password Cracking: