TL;DR: different passwords have different protection requirements, and different attackers using various attacks can only be prevented through different prevention methods. Password security is not simple. For real advise, checking the second post (in progress).
Are you sick of password advices like "change your password regularly" or "if your password is password change it to pa$$w0rd"? This post is for you!
The news sites are full of password advises nowadays due to recent breaches. When I read/watch these advise (especially on CNN), I am usually pissed off for a lot of reasons. Some advises are terrible (a good collection is here), some are good but without solutions, and others are better, but they don't explain the reasons. Following is my analysis of the problem. It works for me. It might not work for you. Comments are welcome!
Password history
Passwords have been used since ancient times.Because it is simple. When I started using the Internet, I believe I had three passwords. Windows login, webmail, and IRC. Now I have ~250 accounts/passwords to different things, like to my smartphone, to my cable company (this password can be used to change the channels on the TV), to my online secure cloud storage, to full disk encryption to start my computer,
Now, after this lengthy prologue, we will deep dive into the analysis of the problem, by checking what we want to protect, against whom (who is the attacker), and only after that, we can analyze the solutions. Travel with me, I promise it will be fun! ;)
What to protect?
There are different services online, and various services need different ways to protect. You don't use the same lock on your Trabant as you do on your BMW.
Internet banking, online money
For me, this is the most vital service to protect. Luckily, most of the internet banking services use two-factor authentication (2FA), but unfortunately, not all of them offer transaction authorization/verification with complete transactions. 2FA is not effective against malware, it just complicates the attack. Transaction authorization/verification is better, but not perfect (see Zitmo). If the access is not protected with 2FA, better choose the best password you have (long, real random, sophisticated, but we will get to this later). If it is protected with 2FA, it is still no reason not to use the best password ;) This is what I call the "very high-level password" class.
Credit card data
This system is pretty fucked up bad. Something has to be secret (your credit card number), but in the meantime that is the only thing to identify your credit card. It is like your username is your password. Pretty bad idea, huh? The problem is even worse with a lot of different transaction types, especially when the hotel asks you to fax both sides of your CC to them. Unfortunately, you can't change the password on your credit card, as there is no such thing, but Verified by VISA or 3-D Secure with 2FA might increase the chances your credit card won't get hacked. And on a side note, I have removed the CVV numbers from my credit/debit cards. I only read it once from the card when I received it, I don't need it anymore to be printed there.
And sometimes, you are your own worst enemy. Don't do stupid things like this:
And sometimes, you are your own worst enemy. Don't do stupid things like this:
Work related passwords (e.g. Windows domain)
This is very important, but because the attack methods are a bit different, I created this as a different category. Details later.
Email, social sites (Gmail/Facebook/Twitter), cloud storage, online shopping
This is what I call the "high level password" class.
Still, pretty important passwords. Some people don't understand "why would attackers put any energy to get his Facebook account?" It is simple. For money. They can use your account to spread spam all over your Facebook wall. They can write messages to all of your connections and tell them you are in trouble and send money via Western Union or Bitcoin.
They can use your account in Facebook votes. Your e-mail, cloud storage is again very important. 20 years ago you also had letters you didn't want to print and put in front of the nearest store, neither want you to do that with your private photo album. On a side note, it is best to use a cloud storage where even the cloud provider admin can't access your data. But in this case, with no password recovery option, better think about "alternative" password recovery mechanisms.
They can use your account in Facebook votes. Your e-mail, cloud storage is again very important. 20 years ago you also had letters you didn't want to print and put in front of the nearest store, neither want you to do that with your private photo album. On a side note, it is best to use a cloud storage where even the cloud provider admin can't access your data. But in this case, with no password recovery option, better think about "alternative" password recovery mechanisms.
Other important stuff with personal data (e.g. your name, home address)
The "medium level password" class. This is a personal preference to have this class or not, but in the long run, I believe it is not a waste of energy to protect these accounts. These sites include your favorite pizza delivery service, your local PC store, etc.
Not important stuff
This is the category other. I usually use one-time disposable e-mail to these services. Used for the registration, get what I want, drop the email account. Because I don't want to spread my e-mail address all over the internet, whenever one of these sites get hacked. But still, I prefer to use different, random passwords on these sites, although this is the "low level password" class.Attackers and attack methods
After categorizing the different passwords to be protected, let's look at the different attackers and attack methods. They can/will/or actively doing it now:Attacking the clear text password
This is the most effective way of getting the password. Bad news is that if there is no other factor of protection, the victim is definitely not on the winning side. The different attack methods are:- phishing sites/applications,
- social engineering,
- malware running on the computer (or in the browser),
- shoulder surfing (check out for smartphones, hidden cameras),
- sniffing clear-text passwords when the website is not protected with SSL,
- SSL MiTM,
- rogue website administrator/hacker logging clear text passwords,
- password reuse - if the attacker can get your password in any way, and you reuse it somewhere else, that is a problem,
- you told your password to someone and he/she will misuse it later,
- hardware keyloggers,
- etc.
The key thing here is that no matter how long your passwords are, no matter how complex it is, no matter how often do you change it (except when you do this every minute ... ), if it is stolen, you are screwed. 2FA might save you, or might not.
Attacking the encrypted password
This is the usual "hack the webserver (via SQL injection), dump the passwords (with SQLMap), post hashes on pastebin, everybody starts the GPU farm to crack the hashes" scenario. This is basically the only scenario where the password policies makes sense. In this case the different level of passwords need different protection levels. In some cases, this attack turns out to be the same as the previous attack, when the passwords are not hashed, or are just encoded.The current hash cracking speeds for hashes without any iterations (this is unfortunately very common) renders passwords like Q@tCB3nx (8 character, upper-lowercase, digit, special characters) useless, as those can be cracked in hours. Don't believe me? Let's do the math.
Let's say your password is truly random, and randomly choosen from the 26 upper, 26 lower, 10 digit, 33 special characters. (Once I tried special passwords with high ANSI characters inside. It is a terrible idea. Believe me.). There are 6 634 204 312 890 620 different, 8 character passwords from these characters. Assuming a 2 years-old password cracking rig, and MD5 hash cracking with 180 G/s speed, it takes a worst case 10 hours (average 5) to crack the password,
A lot of common hashing algorithms don't use protections against offline brute-force attacks. This includes LM (old Windows hashes), NTLM (modern Windows hashes), MD-5, SHA1-2-512. These hashing algorithms were not developed for password hashing. They don't have salting, iterations, etc. out of the box. In the case of LM, the problem is even worse, as it converts the lowercase characters to uppercase ones, thus radically decreasing the key space. Out of the box, these hashes are made for fast calculation, thus support fast brute-force.
Another attack is when the protected thing is not an online service, but rather an encrypted file or crypto-currency wallet.
Attacking the authentication system online
This is what happened in the recent iCloud hack (besides phishing). Attackers were attacking the authentication system, by either brute-forcing the password, or bypassing the password security by answering the security question. Good passwords can not be brute-forced, as it takes ages. Good security answers have nothing to do with the question in first place. A good security answer is as hard to guess as the password itself. If password recovery requires manual phone calls, I know, it is a bit awkward to say that your first dog name was Xjg.2m`4cJw:V2= , but on the other hand, no one will guess that!
Attacking single sign on
This type of attack is a bit different, as I was not able to put the "pass the hash" attacks anywhere. Pass the hash attack is usually found in Windows domain environments, but others might be affected as well. The key thing is single sign on. If you can login to one system (e.g. your workstation), and access many different network resources (file share, printer, web proxy, e-mail, etc.) without providing any password, then something (a secret) has to be in the memory which can be used to to authenticate to the services. If an attacker can access this secret, he will be able to access all these services. The key thing is (again) it does not matter, how complex your passwords are, how long it is, how often do you change, as someone can easily misuse that secret.
Attacking 2FA
As already stated, 2 factor authentication raises the efforts from an attacker point of view, but does not provide 100% protection.
- one time tokens (SecurID, Yubikey) can be relayed in a man-in-the-middle attack,
- smartcard authentication can be relayed with the help of a malware to the attacker machine - or simply circumvented in the browser malware,
- text based (SMS) messages can be stolen by malware on the smartphone or rerouted via SS7,
- bio-metric protection is constantly bypassed,
- SSH keys are constantly stolen,
- but U2F keys are pretty good actually, even though BGP/DNS hijack or similar MiTM can still circumvent that protection,
- etc.
Others
Beware that there are tons of other attack methods to access your online account (like XSS/CSRF), but all of these have to be handled on the webserver side. The best you can do is to choose a website where the Bug Bounty program is running 24/7. Otherwise, the website may be full of low hanging, easy-to-hack bugs.Now that we have covered what we want to protect against what, in the next blog post, you will see how to do that. Stay tuned. I will also explain the title of this blog post.Read more
- Hacking Tools For Windows Free Download
- Easy Hack Tools
- Hacker Tools Windows
- Hacker Tools Free
- Pentest Tools Website
- Hacker Tools For Pc
- World No 1 Hacker Software
- Free Pentest Tools For Windows
- Hack Website Online Tool
- Growth Hacker Tools
- Nsa Hack Tools Download
- Hacker Tools Hardware
- Pentest Tools Subdomain
- Hacking Tools
- Pentest Tools Free
- Pentest Tools Find Subdomains
- Hackers Toolbox
- Pentest Tools Website Vulnerability
- Hack Tools Online
- Hacker Tools 2019
- Hack Rom Tools
- Pentest Tools Url Fuzzer
- Hacker Tools 2020
- Top Pentest Tools
- Hacker Tools List
- Hack App
- Hacking Tools For Games
- Hacking Tools 2019
- Hacking Tools Usb
- Hacking Tools Free Download
- Free Pentest Tools For Windows
- Nsa Hack Tools
- Pentest Tools Website Vulnerability
- Black Hat Hacker Tools
- Hackrf Tools
- Hacking Tools Kit
- Pentest Tools Framework
- Hacker Tools Apk Download
- Hacks And Tools
- Pentest Tools Website Vulnerability
- Game Hacking
- Install Pentest Tools Ubuntu
- Hacker Tools Github
- Hacking Tools For Windows 7
- What Are Hacking Tools
- Pentest Tools For Windows
- Hacker Tools Online
- Pentest Box Tools Download
- Hackrf Tools
- Hack Website Online Tool
- Pentest Tools Subdomain
- Hacks And Tools
- Pentest Reporting Tools
- Hacking Tools Free Download
- Hacker Tools Free Download
- Pentest Tools
- Tools 4 Hack
- Hacks And Tools
- Hacking Tools For Mac
- Pentest Recon Tools
- Hacker Tools For Ios
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Mac
- Hack Tools Download
- Hacker Tools Windows
- Hacking Tools Windows 10
- Blackhat Hacker Tools
- Pentest Tools Subdomain
- Android Hack Tools Github
- Physical Pentest Tools
- Github Hacking Tools
- Pentest Tools Kali Linux
- Bluetooth Hacking Tools Kali
- Hacking Tools For Kali Linux
- Best Pentesting Tools 2018
- Hacking Tools Hardware
- Github Hacking Tools
- Hack Tools Pc
- Pentest Tools For Ubuntu
- Physical Pentest Tools
- Hacker Tool Kit
- Pentest Tools Framework
- Pentest Tools For Mac
- Hacking Apps
- Hack Tools For Windows
- Wifi Hacker Tools For Windows
- Best Hacking Tools 2019
- Hacking Tools
- New Hack Tools
- Hacker Tools Free
- Hacker Tools 2020
- Hack Tools
- Hack App
- Pentest Tools Android
- Hacker Tools
- Top Pentest Tools
- Hacker Tools Hardware
- Computer Hacker
- Hacking Tools Name
- Hacker Tools Online
- Nsa Hack Tools Download
- Hacking Tools Download
- Hacker Tools Mac
- Hack Website Online Tool
- Tools 4 Hack
- Hacking Tools Software
- Hacking Tools For Windows
- Hacking Tools For Mac
- Pentest Automation Tools
- Hacker Tools Mac
- Pentest Tools For Android
- Hack Tool Apk
- Hack Tools For Ubuntu
- Best Pentesting Tools 2018
- How To Install Pentest Tools In Ubuntu
- Hacking Tools For Windows Free Download
- Black Hat Hacker Tools
- Tools Used For Hacking
- Black Hat Hacker Tools
- Hacker Tools For Windows
- Hacking Tools 2019
- Hacker Tools Apk
- Hacking Tools For Beginners
- Growth Hacker Tools
- Easy Hack Tools
- Hacker Tools Apk
- Hacker Tools Hardware
- Game Hacking
- Beginner Hacker Tools
- Pentest Tools Find Subdomains
- Hacker Tools Hardware
- Pentest Box Tools Download
- Hackrf Tools
- Hacker Tools Apk Download
- Hacking Tools For Games
- Hacker Tools Github
- How To Install Pentest Tools In Ubuntu
- Pentest Tools Website Vulnerability
- Hacker Tools For Pc
- Hak5 Tools
- Hack Tools For Mac
- Pentest Tools Url Fuzzer
- Hack Tools For Games
- How To Make Hacking Tools
- Hacker Tool Kit
- Best Hacking Tools 2019
- Hacker Tools List
- Hacker Tools Free Download
- What Are Hacking Tools
- Hacking Tools For Mac
- How To Make Hacking Tools
- Beginner Hacker Tools
- Hack Rom Tools
- Hack Tools Online
- Hak5 Tools
- Pentest Automation Tools
- How To Hack
- Hacker Hardware Tools
- Hack Tools Mac
- Hacker Tools
- Pentest Tools For Ubuntu
- Hacking Tools For Kali Linux
- Hacker Tools Free
- Pentest Recon Tools
- Hackrf Tools
- Hacking Tools Windows 10
- Pentest Tools Bluekeep
- Hack And Tools
- Nsa Hack Tools
- Black Hat Hacker Tools
- Hack Tool Apk
- Hacker Tools Github
- Top Pentest Tools
- Kik Hack Tools
- Hack Rom Tools
0 comentarios:
Publicar un comentario