Password Cracking Research at FSU

Sudhir Aggarwal, Matt Weir, Breno de Medeiros
Florida State University
Department of Computer Science
E-Crimes Investigative Technologies Lab
Tallahassee, Florida 32306
October 21, 2010

Our Research
- Forensics: assist law enforcement
- Develop better ways to model how people actually create passwords
- Investigate how we can make passwords more secure

The Plan
1. Obtaining the Data-sets
2. Probabilistic Password Cracking Improvements
3. Pass-Phrase Cracking

Two Types of Password Cracking
Online
- The system is still operational
- You may only be allowed a few guesses
Offline
- You grabbed the password hash
- Computer forensics setting

Cracking Passwords
Generate a password guess
- password123
Hash the guess
- A5732067234F23B21
Compare the hash to the password hash you are trying to crack

Dictionary-based attacks
Password-cracking dictionaries may contain entries that are not natural language words, e.g., ‘qwerty’
Dictionary-based attacks derive multiple password guesses from a single dictionary entry by applying fixed rules, such as ‘replace a with @’ or ‘add any two digits to the end’
Novel approach: Infer a probabilistic grammar for ‘mangling rules’ from a password dataset

Existing Password Crackers
John the Ripper
Cain & Abel
L0phtcrack
AccessData’s PRTK
etc...

Focus of Research
Most of our research focuses on how to make better password guesses
- Hash neutral, i.e. you would create the same guesses regardless of whether you are attacking a TrueCrypt or a WinRAR encrypted file
We are also exploring implementing faster hashing algorithms using GPUs.
- Target program specific, i.e. the hashing that TrueCrypt and WinRAR use is different

Obtaining the Datasets

Obtaining Real Passwords
Originally we were concerned that one of the main problems with our research would be collecting valid data-sets to train/test against
In reality, that hasn’t been much of a problem for web-based passwords
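The two fixed rules quoted on the dictionary-based attacks slide can be run in reverse as a password-policy check that rejects any password reducible to a dictionary entry. This is an added example, not code from the slides or from the FSU project; the dictionary is constructed, the function names and MAX_AT_SIGNS are hypothetical, and the 'replace a with @' rule is assumed to apply to any subset of the a's.

```python
import itertools

# Constructed sample dictionary; entries need not be natural-language words.
SAMPLE_DICTIONARY = {"password", "qwerty", "banana", "dragon"}
MAX_AT_SIGNS = 12  # assumption: bound the work done on hostile input


def undo_substitution(candidate):
    """Yield every string that 'replace a with @' could have started from."""
    if candidate.count("@") > MAX_AT_SIGNS:
        # Too many combinations: test only the fully reversed form and as-is.
        yield candidate.replace("@", "a")
        yield candidate
        return
    # Each '@' is either a mangled 'a' or a literal '@' from the entry.
    slots = [("a", "@") if ch == "@" else (ch,) for ch in candidate]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def strip_two_digits(candidate):
    """Yield the candidate as-is and, if it ends in two digits, without them."""
    yield candidate
    tail = candidate[-2:]
    if len(candidate) > 2 and tail.isascii() and tail.isdigit():
        yield candidate[:-2]


def derivable_from(candidate, dictionary=SAMPLE_DICTIONARY):
    """Return the dictionary entry the candidate reduces to, or None."""
    for stem in strip_two_digits(candidate):
        for base in undo_substitution(stem):
            if base in dictionary:
                return base
    return None


def variants_per_entry(entry):
    """Count the guesses the two rules derive from one dictionary entry."""
    # Any subset of the a's may be replaced; the suffix is absent or 00-99.
    return 2 ** entry.count("a") * (1 + 100)


if __name__ == "__main__":
    for pw in ["p@ssword12", "b@nana07", "qwerty99", "password123"]:
        print(pw, "->", derivable_from(pw))
    print("guesses from 'banana':", variants_per_entry("banana"))
```

The guess shown on the Cracking Passwords slide, password123, is not flagged here because three appended digits fall outside these two rules, which illustrates how narrow a fixed rule set is.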