Perimeter
2/1/2011
12:08 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

ShmooCon Panel Discusses Ease, Speed Of Password Cracking

Panel of security professionals discussed new tools and techniques to accelerate password cracking, highlighting need for multifactor authentication

On Jan., 28, approximately 1,300 information security professionals and hackers converged on Washington, D.C., for the annual ShmooCon conference. The topics ranged from data security models and hacking printers to Android phone security and analyzing malware.

A panel on password cracking, "The Past, Present, and Future of 'Something You Know'," highlighted recent tools being developed, and a DEFCON contest focused on cracking passwords. The panel was made up of four security professionals with experience cracking passwords during security audits and penetration testing. Each panelist spoke shortly about his or her recent experiences with password cracking, followed by a question-and-answer session.

We've all known for a long time that passwords alone are insufficient for high-security environments and protection of sensitive data. The panel's examples of new tools, some accelerated by graphics cards, really drove that point home.

One of the panel members, Martin "purehate" Bos, is a member of Team Hashcat and won the "Crack Me If You Can" contest run by Kore Logic at DEFCON. He stated during the panel that people most often create pattern-based passwords, many of which are driven by the company or website's password policy. If the policy requires mixed case, numbers, and a special character, then the passwords often end up with the first letter being capitalized followed by a date and a special character at the end.

I've mentioned the usefulness of the password lists hosted by Ron Bowes on his SkullSecurity blog before, and Martin referenced them during the panel, saying they are a goldmine providing insight into how people choose passwords. Using the wordlists, Martin has been able to refine the HashCat tools and develop password masks that speed up password cracking by using password combinations that match patterns users tend to use, like the example above.

I have to say, I enjoyed the panel and the panelists' humor, especially Bruce Potter's lively moderation. It introduced me to a few tools I hadn't heard of before. If there were any sysadmins in the audience, I imagine the speed and effectiveness of the tools discussed will likely light a fire under them to move forward with a multifactor solution and eliminate single-factor passwords.

It usually takes a couple months, but eventually the videos from ShmooCon will be posted online. Be on the lookout for them at ShmooCon.org.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at [email protected]

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.