introduction to lavapasswordfactory

LAVA.PASSWORD.FACTORY: PASSWORDS ARE BAD AND YOU CAN TOO!!

Upload: chris-grayson

Post on 04-Dec-2014


DESCRIPTION

Christopher Grayson discusses authentication, passwords, how to break password-based authentication schemes, and lastly introduces LavaPasswordFactory. LavaPasswordFactory is a password list generation tool that also contains functionality for cleaning password lists based on password policies.

TRANSCRIPT

1. LAVA.PASSWORD.FACTORY: PASSWORDS ARE BAD AND YOU CAN TOO!!

2. A BRIEF INTRODUCTION

3. AGENDA
  1. What is authentication?
  2. Why do passwords exist?
  3. Why attack authentication mechanisms?
     1. Password-based attacks
  4. LavaPasswordFactory
     1. Demonstration
  5. Conclusion / Questions

4. WHO AM I?
  • Christopher Grayson, [email protected], @_lavalamp
  • Senior Security Analyst at Bishop Fox (Pen-Testing FTW)
  • MSCS, BSCM from GT
  • Former Research Scientist from GT
  • Former president, GT hacking club
  • That guy in the front

5. WHAT IS AUTHENTICATION?

6. THE BASICS
  • It's all about identity, baby
  • Something you know
  • Something you have
  • Something you are

7. SOMETHING YOU KNOW
  • Passwords
  • Personal knowledge (security questions)
  • Only those that know X should have access.

8. SOMETHING YOU HAVE
  • RSA SecurID
  • Google Authenticator
  • Only those that have X should be allowed access.

9. SOMETHING YOU ARE
  • Most nebulous of the three
  • Commonly refers to biometrics (iris scans, for instance)
  • Only those who are X should be allowed access.

10. TAKEAWAYS
  • Authentication mechanisms aim to identify who you are for the purpose of establishing the correct level of authority.
  • Without accurately identifying someone, how can one hope to apply any meaningful identity-based security controls?

11. PESKY PESKY PASSWORDS

12. WHYYYYYYY?!
  • Easy to implement
  • Usually easy to remember
  • Requires the lowest amount of technical overhead
  • Many other reasons

13. PASSWORDS ARE BAD, MKAY?
  • When used properly, passwords can provide a decent level of security.
  • Passwords are largely used improperly, even within the security community.

14. COMMON PASSWORD PROBLEMS
  • Low complexity
  • Password re-use
  • Writing passwords down

15. SOME TANGIBLE DATA
  • Credit to Karl Sigler, The Register: http://www.theregister.co.uk/2014/08/15/hundreds_of_thousands_of_corporate_passwords_cracke

16. ATTACKING PASSWORDS

17. WHY ATTACK AUTHENTICATION?
  • Automated systems typically have different roles meant for different users.
  • Correctly identifying a user supplies that user with the intended level of authority.
  • Even in an incredibly secure system, if you can trick the system into thinking you're an admin, many security controls fall away.

18. ONLINE PASSWORD ATTACKS
  • Logging into a Web site
  • Logging into network services
  • Don't have access to hashed representation of passwords

19. OFFLINE PASSWORD ATTACKS
  • Typically a data store has been compromised
  • Have direct access to hashed representation of passwords
  • Can break passwords at much larger scale

20. LAVA.PASSWORD.FACTORY

21. SHINY NEW TOOL
  • Generates passwords for offline and online attacks
  • Cleans existing password lists
  • Uses a set of seed words
  • Has functionality for matching password policies

22. DEMONSTRATION

23. GETTING IT
  • https://github.com/lavalamp-/LavaPasswordFactory
  • Still a work-in-progress, but current work is only to add more functionality.
  • Comments and feature requests welcome!

24. QUESTIONS?

25. THANK YOU! @_LAVALAMP
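The "matching password policies" step from slide 21, as an added example that is not LavaPasswordFactory's own code: a policy is expressed as a length bound, a minimum number of character classes and a set of forbidden substrings (the policy values and the candidate list are constructed for illustration), and it is exactly the check an authentication system applies when a user sets a password.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """A typical corporate policy: length bounds plus required character classes."""
    min_length: int = 8
    max_length: int = 64
    min_classes: int = 3                    # of upper / lower / digit / symbol
    forbid_substrings: Tuple[str, ...] = ()  # e.g. company or user name, case-insensitive


# One regex per character class; a class "counts" if it matches anywhere.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def violations(password: str, policy: PasswordPolicy) -> List[str]:
    """Return every rule the candidate breaks; an empty list means policy-compliant."""
    found = []
    if len(password) < policy.min_length:
        found.append("too_short")
    if len(password) > policy.max_length:
        found.append("too_long")
    present = sum(1 for rx in CLASSES.values() if rx.search(password))
    if present < policy.min_classes:
        found.append("too_few_classes")
    lowered = password.lower()
    if any(s.lower() in lowered for s in policy.forbid_substrings):
        found.append("contains_forbidden_word")
    return found


def filter_by_policy(candidates: Iterable[str], policy: PasswordPolicy) -> List[str]:
    """Keep only the candidates that the policy would accept (the 'list cleaning' step)."""
    return [p for p in candidates if not violations(p, policy)]


# Constructed sample input: a hypothetical org "acme" whose policy forbids its own name.
POLICY = PasswordPolicy(min_length=8, min_classes=3, forbid_substrings=("acme",))
SAMPLE = ["password", "Password1", "Password1!", "acme2014!",
          "Tr0ub4dor&3", "short1!", "Acme-Winter-2014"]

if __name__ == "__main__":
    for candidate in SAMPLE:
        print(f"{candidate:18} {violations(candidate, POLICY) or 'ok'}")
```

Note that "Password1" and "Password1!" sail through the constructed policy, which is the deck's point: policy compliance says nothing about whether a password is guessable.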