Results tagged “password” from Just Another Hacker

Known hash replay attack

The use of client-side password hashing in web applications (such as http://pajhome.org.uk/crypt/md5/) may be on the rise. At least it appears that way to me, as I have seen several deployments lately.

These hashing libraries usually promise to keep a user's password secure in non-SSL environments.
One could argue that they perform the intended task. The problem with HTTP traffic compared to HTTPS is that the traffic is obtainable by anyone else connected to the same network as the user (or the server). If an attacker obtains the hashed password string, he or she can provide the hash to the server to authenticate as the user without knowing the user's actual password.

This does mean that the user's plaintext password is safe until the hacker breaks it, so for users who use the same password everywhere there is a marginal protection when websites use hashed passwords. It's still a far cry from the relative security of submitting sensitive data over an SSL-encrypted connection.
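To make the replay concrete, here is an added Python sketch (mine, not code from any library mentioned on this page) that contrasts a static client-side hash, which the server accepts as a reusable bearer token, with a challenge-response login where the server hands out a one-shot nonce and the client answers with an HMAC keyed by the hash. The user name, password and digest are constructed for the demo; the nonce only stops straight replay of a captured exchange, it does nothing against offline guessing of the hash or an active attacker altering the page, so it is no substitute for SSL.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: the server keeps H(password), which is also
# exactly the string a client-side hashing library sends over plain HTTP.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}

def client_hash(password: str) -> str:
    """What the browser-side library transmits instead of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def naive_verify(user: str, sent_hash: str) -> bool:
    """Static-hash login: the hash is a fixed bearer token, so a copy replays."""
    return hmac.compare_digest(USERS.get(user, ""), sent_hash)

class ChallengeServer:
    """Challenge-response login: every attempt needs a fresh, one-shot nonce."""
    def __init__(self):
        self.pending = {}                       # user -> outstanding nonce

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self.pending.pop(user, None)    # consumed whether or not it matches
        if nonce is None or user not in USERS:
            return False
        expected = hmac.new(USERS[user].encode(), nonce.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, response)

def client_response(password: str, nonce: str) -> str:
    """Prove knowledge of H(password) for this nonce without sending the hash."""
    return hmac.new(client_hash(password).encode(), nonce.encode(), "sha256").hexdigest()

def demo() -> dict:
    """Replay one captured login against both schemes; returns the four outcomes."""
    out = {}
    captured = client_hash("correct horse")           # sniffed from the wire
    out["naive_first"] = naive_verify("alice", captured)
    out["naive_replay"] = naive_verify("alice", captured)    # still accepted
    srv = ChallengeServer()
    captured_resp = client_response("correct horse", srv.challenge("alice"))
    out["cr_first"] = srv.verify("alice", captured_resp)
    srv.challenge("alice")                            # next attempt gets a new nonce
    out["cr_replay"] = srv.verify("alice", captured_resp)    # rejected
    return out
```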

The March addition to Jason is iterate.pl, a script which iterates numeric values in passwords.
~/Jason$ ./iterate.pl password1
password1
password0
password2
password3
password4
password5
password6
password7
password8
password9

You can grab a copy from the github project page: https://github.com/wireghoul/Jason

Left or right handed passwords

Are you left or right handed? How about your password? English based passwords seem to be predominantly left handed. Although I haven't done the proper analysis, I suspect it's simply due to the left hand side of the keyboard containing more of the "higher" letter frequency of the English language (AERTSD) and the lower number range, which also seems to be favoured over the upper number range.

The February password addition to Jason is handiness.pl, a script which measures left/right hand usage when entering a password.
~/Jason$ echo -e "123456\npassword\nqwerty\naaaa\nLLLL\n" | ./handiness.pl -
Handiness! Calculates hand use in passwords. 1 is 100% left hand -1 is right hand
0.833333333333333  123456
0.5   password
0.666666666666667  qwerty
1     aaaa
-1    LLLL

You can grab a copy from the github project page: https://github.com/wireghoul/Jason
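The same metric in Python, as an added example rather than the Perl from the Jason repository: the QWERTY key split is my reconstruction from the output above, and the page's score for 123456 (5/6) only comes out if the digit 6 is counted for neither hand, so that is how it is mapped here. It also reports the share of a list that is predominantly left handed, which is the question the post raises.

```python
import sys

# Assumed QWERTY split, reconstructed to match the sample output on the page.
# "6" is deliberately in neither set: 123456 scores 5/6 only if it is neutral.
LEFT = set("12345qwertasdfgzxcvb")
RIGHT = set("7890yuiophjklnm")

def hand_score(password: str) -> float:
    """Return (left keys - right keys) / length: 1.0 is all left hand, -1.0 all right."""
    if not password:
        return 0.0
    left = right = 0
    for ch in password.lower():        # LLLL scores -1, so case is ignored
        if ch in LEFT:
            left += 1
        elif ch in RIGHT:
            right += 1
    return (left - right) / len(password)

def left_handed_fraction(words) -> float:
    """Share of a wordlist whose score is positive, i.e. mostly left-hand keys."""
    scored = [hand_score(w) for w in words if w]
    if not scored:
        return 0.0
    return sum(1 for s in scored if s > 0) / len(scored)

# Constructed sample: the same five entries the page pipes into handiness.pl.
SAMPLE = ["123456", "password", "qwerty", "aaaa", "LLLL"]

if __name__ == "__main__":
    # Read one password per line from stdin, like the Perl script with "-".
    words = [ln.rstrip("\n") for ln in sys.stdin] if not sys.stdin.isatty() else SAMPLE
    for w in words:
        if w:
            print(f"{hand_score(w):<18.15g} {w}")
    print(f"left-handed share: {left_handed_fraction(words):.2f}")
```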

Password length matters

In fact, it matters so much that the term password is just plain wrong. Passphrase is better, and I did mean to start using that term instead. When it comes to user education things are often hard to quantify, but looking at the recent password breaches the message doesn't seem to register.
The issue is compounded by a user's habit of having a single password and using it everywhere. As their password is used and re-used all over work, home and the internet, it needs to meet the password criteria of several "password policies". Luckily for us that means that most users have a password of 6-8 characters, usually containing one or more numbers.

I won't go too much into detail about password length, but suffice to say that you should ditch your password and go for a passphrase instead. I would also recommend that you don't make it a simple sentence, but rather something obscure like your grandfather's address combined with the name of your cousin's pet rabbit. That should ensure it's not too easy to crack using a dictionary attack.

This month's password tool is lensort.pl. It will split a dictionary file into several smaller files based on the number of characters in each password:
root@bt:~/Jason# ./lensort.pl /mnt/hgfs/Tools/wordlists/Trek
Sorting 530 passwords by length
Finished 6.txt
Finished 11.txt
Finished 3.txt
Finished 7.txt
Finished 9.txt
Finished 12.txt
Finished 15.txt
Finished 14.txt
Finished 8.txt
Finished 4.txt
Finished 13.txt
Finished 10.txt
Finished 5.txt

You can download the script from https://github.com/wireghoul/Jason

Ron Bowes did an analysis of the rockyou.com passwords to see how many accounts you would nab with the top X passwords. This shows how a bigger password list has diminishing returns.

[Figure: password-coverage.png, account coverage of the rockyou.com set against the number of top passwords used]
He has made the top X password dictionary files and other password lists available in his wiki at http://www.skullsecurity.org/wiki/index.php/Passwords. If you want more details you can read the whole article at http://www.skullsecurity.org/blog/?p=516


Robert Hansen is at it again. This time he has produced a very simple exploit that will steal passwords that are stored (remembered) in the browser. The code is very simple and works a treat for Firefox.

I would recommend this over the usual XSS alert boxes the next time you are demoing cross site scripting. Try it out at http://ha.ckers.org/weird/xss-password-manager.html. I haven't tried it in any browsers besides Firefox, but even if you can't read it straight out of the DOM, you could always rewrite the form action URL or even hook the onsubmit call to send the username and password to a destination of your choosing.
This weblog is licensed under a Creative Commons License.