Upgrade to Pro — share decks privately, control downloads, hide ads and more …

15-349 passwords

ThierrySans
September 25, 2014
Education
0
47

15-349 passwords

ThierrySans

September 25, 2014
Tweet

More Decks by ThierrySans

See All by ThierrySans
CSCD27 Social Engineering
thierrysans
0
240
CSCD27 Web Security
thierrysans
0
410
CSCD27 Malicious Software
thierrysans
0
380
CSCD27 Protection
thierrysans
0
470
CSCD27 System Insecurity
thierrysans
0
400
CSCD27 Human Authentication
thierrysans
0
340
CSCD27 Network security
thierrysans
0
540
CSCD27 Network (in)security
thierrysans
0
550
CSCD27 Cryptography Protocols
thierrysans
0
690

Other Decks in Education

See All in Education
Flip-videochat
matleenalaakso
0
14k
Web Application Frameworks - Lecture 4 - Web Technologies (1019888BNR)
signer
PRO
0
2.6k
Medidas en informática
irocho
0
300
MLH Hackcon: Keynote (2024)
theycallmeswift
0
180
Blogit opetuksessa
matleenalaakso
0
1.6k
情報処理工学問題集 /infoeng_practices
kfujita
0
120
Web 2.0 Patterns and Technologies - Lecture 8 - Web Technologies (1019888BNR)
signer
PRO
0
2.4k
Chapitre_1_-__L_atmosphère_et_la_vie_-_Partie_2.pdf
bernhardsvt
0
200
謙虚なアジャイルコーチ__アダプティブ_ムーブ_による伴走支援.pdf
antmiyabin
0
270
寺沢拓敬 2024. 09. 「言語政策研究と教育政策研究の狭間で英語教育政策を考える」
terasawat
0
200
アニメに学ぶチームの多様性とコンピテンシー
terahide
0
240
Kaggle 班ができるまで
abap34
1
190

Featured

See All Featured
Practical Orchestrator
shlominoach
186
10k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
430
Building Applications with DynamoDB
mza
90
6.1k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Code Review Best Practice
trishagee
64
17k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
100
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Automating Front-end Workflow
addyosmani
1366
200k
Ruby is Unlike a Banana
tanoku
97
11k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
The Cost Of JavaScript in 2023
addyosmani
45
6.8k

Transcript

  1. Passwords Thierry Sans

  2. Managing Passwords • How many passwords do you have? •

    What password for what kind of application? • How often do you change your password? • How do you remember your password? • How strong is your password?

  3. Using passwords • Where are passwords stored? • How are

    they stored? • How are they compared with an input? • How are they transmitted on the network?

  4. Hacking passwords • How would you steal someone’s password? •

    How would you crack someone’s password

  5. Cracking a password from the login box How to crack

    a password on challenge/response? • Guessing attack (default and common passwords) • Brute force attack • Dictionary attack What are the counter-measures? • Timing • Limit number of tries Tool : THC Hydra

  6. How passwords are stored • In clear (really bad) •

    Hashed (bad) • Salted Hash (better and easy to manage) • Encrypted (best but complex to manage)

  7. Unsalted passwords sha2 pass4security 8r#Yul@6rP sha2 pass4security + 5%pL6* kI?z90$J7k

    Salted password

  8. Getting someone’s password How to get a password in clear?

    • Social engineering - Phishing • Data mining (emails, logs) • Keyloggers (keystroke logging) How to get an encrypted or hashed password? • Know where it is stored

  9. Cracking an encrypted or hashed password How to crack a

    password knowing its stored form? • Guessing attack (default and common passwords) • Brute force attack • Dictionary attack • Rainbow tables What are the counter-measures? • Protect it well at the OS or application level • Store it somewhere else (portable device, kerberos, …) Tool : John the Ripper

  10. Password Strength How strong is your password?
 
 http://howsecureismypassword.net/ How

    long does it take to crack a password?
 
 http://www.lockdown.co.uk/?pg=combi
  11. None

  12. Stronger password (used for e-banking for instance) Visual Pad (weak)

    One time password (stronger) • Calculator • Password sheet Two-factor authentication (better) • Password (something you know) • SMS code (something you own)