6 Advantage of Salt
Without salt
  ─ Same hash functions on all machines
    ● Compute hash of all common strings once
    ● Compare hash with all known password hashes
With salt
  ─ One password hashed 2^12 different ways
    ● Precompute hash file?
      – Need much larger file to cover all common strings
    ● Dictionary attack on known password file
      – For each salt found in file, try all common strings
CSE825
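As an added example (not part of the slides), here is a small Python model of the two schemes: it stores constructed sample accounts with and without a per-account salt, then counts how large a precomputed hash file must be and how many hash computations a dictionary check against a captured file costs in each case. SHA-256, a 16-byte random salt and the sample account names are my assumptions; the 12-bit figure used in the test mirrors the 2^12 on the slide.

```python
import hashlib
import secrets

# Constructed sample data (not from the slides): two accounts that chose the
# same common password.
SAMPLE_USERS = {"alice": "password123", "bob": "password123"}

def hash_unsalted(password: str) -> str:
    """Salt-less scheme: one password always maps to one digest, so a single
    precomputed table of common strings matches every machine's hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes) -> str:
    """Salted scheme: the salt is mixed in before hashing, so the same
    password yields a different digest under every salt value."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def store_salted(password: str, salt_bytes: int = 16) -> tuple:
    """Fresh random salt per account; it is kept next to the digest because
    verification needs it (assumed 16-byte salt, far wider than Unix's 12 bits)."""
    salt = secrets.token_bytes(salt_bytes)
    return salt, hash_salted(password, salt)

def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(hash_salted(password, salt), stored)

def build_password_file(users: dict, salted: bool) -> dict:
    """{user: (salt, digest)}; salt is None under the salt-less scheme."""
    return {u: store_salted(pw) if salted else (None, hash_unsalted(pw))
            for u, pw in users.items()}

def precomputed_table_entries(n_candidates: int, salt_bits: int) -> int:
    """Entries a precomputed hash file needs to cover n_candidates common
    strings: one each without salt, 2**salt_bits each with a salt of that
    width (4096 for the 12-bit salt of classic Unix crypt)."""
    return n_candidates * 2 ** salt_bits

def hashes_to_check_file(salts: list, n_candidates: int) -> int:
    """Hash computations needed to try n_candidates common strings against a
    password file with the given per-entry salts (None = unsalted): every
    distinct salt found in the file forces the candidate list to be hashed again."""
    return n_candidates * len(set(salts))
```

Reusing one salt across accounts collapses `hashes_to_check_file` back to a single pass, which is why the salt must be unique per entry.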
7 Passwords in the Real World [PasswordResearch.com]
From high school pranks…
  ─ Student in Tyler changes school attendance records
  ─ Students in California change grades
    ● Different authentication for network login and grade system, but teachers were using the same password (very common)
…to serious cash
  ─ English accountant uses co-workers’ password to steal $17 million for gambling
…to identity theft
  ─ Helpdesk employee uses passwords of a credit card database to sell credit reports to Nigerian scammers
8 Passwords and Computer Security
First step after any successful intrusion: install sniffer or keylogger to steal more passwords
Second step: run cracking tools on password files
  ─ Usually on other hijacked computers
In Mitnick’s “Art of Intrusion”, 8 out of 9 exploits involve password stealing and/or cracking
  ─ Excite@Home: usernames and passwords stored in the clear in troubleshooting tickets
  ─ “Dixie bank” hack: use default router password to change firewall rules to enable incoming connections
9 Password Security Risks
Keystroke loggers
  ─ Hardware
    ● KeyGhost, KeyShark, others
  ─ Software (spyware)
Shoulder surfing
Same password at multiple sites
Broken implementations
Social engineering
10 Default Passwords
Examples from Mitnick’s “Art of Intrusion”
  ─ U.S. District Courthouse server: “public” / “public”
  ─ NY Times employee database: pwd = last 4 SSN digits
  ─ “Dixie bank”: break into router (pwd=“administrator”), then into IBM AS/400 server (pwd=“administrator”), install keylogger to snarf other passwords
    ● “99% of people there used ‘password123’ as their password”