A panel on password cracking, "The Past, Present, and Future of 'Something You Know'," highlighted recent tools being developed, and a DEFCON contest focused on cracking passwords. The panel was made up of four security professionals with experience cracking passwords during security audits and penetration testing. Each panelist spoke shortly about his or her recent experiences with password cracking, followed by a question-and-answer session.
We've all known for a long time that passwords alone are insufficient for high-security environments and protection of sensitive data. The panel's examples of new tools, some accelerated by graphics cards, really drove that point home.
One of the panel members, Martin "purehate" Bos, is a member of Team Hashcat and won the "Crack Me If You Can" contest run by Kore Logic at DEFCON. He stated during the panel that people most often create pattern-based passwords, many of which are driven by the company or website's password policy. If the policy requires mixed case, numbers, and a special character, then the passwords often end up with the first letter being capitalized followed by a date and a special character at the end.
I've mentioned the usefulness of the password lists hosted by Ron Bowes on his SkullSecurity blog before, and Martin referenced them during the panel, saying they are a goldmine providing insight into how people choose passwords. Using the wordlists, Martin has been able to refine the HashCat tools and develop password masks that speed up password cracking by using password combinations that match patterns users tend to use, like the example above.
I have to say, I enjoyed the panel and the panelists' humor, especially Bruce Potter's lively moderation. It introduced me to a few tools I hadn't heard of before. If there were any sysadmins in the audience, I imagine the speed and effectiveness of the tools discussed will likely light a fire under them to move forward with a multifactor solution and eliminate single-factor passwords.
It usually takes a couple months, but eventually the videos from ShmooCon will be posted online. Be on the lookout for them at ShmooCon.org.
John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at [email protected]