Transcript

Hashes to Ashes - don't get burned by leaked passwords

HASHES to ASHES: Don't get burned by leaked passwords

Passwords are leaked when an attacker gains access to a database through SQL Injection, XSS, or another vulnerability. The passwords are often stored as a hash, an encrypted representation of the text.

Once the hashes are leaked: How Do They Do It?
It is possible to rapidly recover the password text through several methods using freely available tools.
• 3D graphics cards (GPUs) can run hash functions very quickly in parallel, in some cases guessing billions of passwords a second.
• Rainbow tables pre-calculate password hashes and store them efficiently for future look-up. Over time, they can include a huge number of password combinations.
• Specialized hardware like FPGAs and cloud services have dramatically increased cracking speeds.
• Dictionary attacks guess passwords using a very large file of known words, phrases, quotes, and other rules used in password creation, like substituting a 3 for the letter E or capitalizing the first letter.
• Brute force tries all possible letters, numbers and symbols. Using modern hardware and a fast hash function, every combination of a 6 character password can be guessed in seconds.

Slow It Down
By design, some hash functions can be calculated quickly. These are not good for storing passwords, as attackers can guess many combinations per second. Better to use a slow hash function which vastly reduces the number of guesses per second, making the recovery process much harder.
• MD5 or SHA-1: billions of guesses per second
• SHA512CRYPT: a few thousand guesses per second
• BCRYPT or SCRYPT: a few thousand guesses per second

After passwords are recovered, attackers will use the leaked email address and plain text passwords to attempt access to webmail, social networks and other common sites. Users who reuse passwords are often unaware of how a breach on one site can allow access to several others. In a recent study*, 59% of users were found to be using the same password on multiple sites, including their webmail accounts.

What Can You Do?

As a User
• Don't reuse passwords on multiple sites
• Don't use established common password tricks
• Don't use dictionary words or known phrases
• Use two-factor authentication where available
• Use a password manager

As a Web Developer
• Use a slow hash function made for passwords
• Audit code for XSS and SQLi vulnerabilities
• Use an IPS, Web Application Firewall or similar

*http://www.troyhunt.com/2012/07/what-do-sony-and-yahoo-have-in-common.html
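The "Slow It Down" comparison in the infographic, as an added example that is not part of the original: a small dictionary attack run against the same password stored as plain SHA-1 and as scrypt, measuring how many guesses per second each storage choice allows the attacker. The wordlist, the salt and the PBKDF2 fallback are assumptions of this example, not content from the page.

```python
import hashlib
import os
import time

# Constructed wordlist in the style of a dictionary attack: common words plus
# the "3 for E" and capitalised-first-letter tricks the infographic mentions.
WORDLIST = ["password", "Password", "passw0rd", "P4ssword", "letmein", "L3tmein",
            "qwerty", "Qw3rty", "sunshine", "Sunsh1ne", "dragon", "Dr4gon"]

# Per-user random salt, stored next to the hash. A salt also defeats
# pre-computed rainbow tables, because every user's hashes differ.
SALT = os.urandom(16)


def fast_hash(pw: str) -> bytes:
    """Plain SHA-1: built for speed, so an attacker can guess very fast."""
    return hashlib.sha1(pw.encode()).digest()


def slow_hash(pw: str) -> bytes:
    """scrypt (N=2**14, r=8, p=1). PBKDF2-HMAC-SHA256 is an assumed stand-in
    for Python builds whose OpenSSL lacks scrypt; it is not named on the page."""
    try:
        return hashlib.scrypt(pw.encode(), salt=SALT, n=2**14, r=8, p=1, dklen=32)
    except AttributeError:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 200_000)


def dictionary_attack(target: bytes, hash_fn, wordlist=WORDLIST):
    """Hash each candidate and compare with the leaked hash; None if no match."""
    for candidate in wordlist:
        if hash_fn(candidate) == target:
            return candidate
    return None


def guesses_per_second(hash_fn, budget_s: float = 0.5) -> float:
    """Cycle through the wordlist for budget_s seconds and report the rate."""
    start = time.perf_counter()
    guesses = 0
    while time.perf_counter() - start < budget_s:
        hash_fn(WORDLIST[guesses % len(WORDLIST)])
        guesses += 1
    return guesses / (time.perf_counter() - start)


def compare():
    """Rates for the two storage choices: (fast, slow, slowdown factor)."""
    fast = guesses_per_second(fast_hash)
    slow = guesses_per_second(slow_hash)
    return fast, slow, fast / slow
```

The recovered password is the same either way; what changes is the guesses per second the defender leaves to the attacker, which is the whole argument of the "Slow It Down" section.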


shared by security on Sep 24
Password security is making headlines. When passwords are leaked, they are often easily recovered by attackers. Learn how passwords are recovered from encrypted hashes, and how web developers can do a...

Publisher: IBM X-Force

Category: Technology