Credera is a full-service management and technology consulting firm. Our clients range from Fortune 1,000 companies to emerging industry leaders. We provide expert, objective advice to help solve complex business and technology challenges.
Dallas Office: 15303 Dallas Parkway, Suite 300, Addison, TX 75001; 972.692.0010 Phone; 972.692.0019 Fax
Denver Office: 5445 DTC Parkway, Suite 1040, Greenwood Village, CO 80111; 303.623.1344 Phone; 303.484.4577 Fax
Houston Office: 800 Town & Country Blvd, Suite 300, Houston, TX 77024; 713.496.0711 Phone; 713.401.9650 Fax
Austin Office: 9020 N Capital of Texas Hwy, Suite 345, Austin, TX 78759; 512.327.1112 Phone; 512.233.0844 Fax
Discussion document – Strictly Confidential & Proprietary
correcthorsebatterystaple:
hacking passwords by example
Dallas, TX
July 9, 2013
Dallas Web Security Group
Dustin Talk
Agenda …
P@ssw0rdZ
• Expectations and Objectives
• What makes a good password?
• Demo: Cracking a user list of ~1.5 million users
– What a leak looks like
– Using rainbow tables (or Google)
– Using the leaked information from others
– Using common passwords
– Lists created by experts
– Lists created by l33t h4x0r
– Brute Force on the GPU
– Hybrid Attacks & Key Sequences
• What can be done?
• Q&A
7/19/2013
Dallas Web Security Group
3
Dustin Talk (not Anonymous)
Dustin Talk
Dustin Talk is an Architect with Credera in the eCommerce practice. He holds a B.S. and a Master's
degree in Computer Science from Texas A&M University. Dustin has several years' experience in
custom web application development with a focus on security, emerging technologies, and the
Spring/JPA frameworks. During his tenure with Credera, he has led and worked on teams
building Java applications, including supply chain optimization, large-scale eCommerce
implementations on Broadleaf Commerce, and eCommerce conversion efforts.
Past Presentations:
• Addressing Top Security Threats in Web Applications
• OWASP Top 10 - Live Exploits by Example
• Stripe’s Capture The Flag #2
• OAuth 1.0 / 2.0
• OpenID
Introductions…
The goal is to equip you with knowledge you can apply in your job, your next project,
or just for fun (not lulz)
Participant Expectations
• Provide Education to Seed Investigation
• Learn how to secure yourself and those around you
Expectations and Objectives …
How strong are your passwords? Let's ask Microsoft…
Microsoft provides a free tool that claims to tell you whether your password is strong:
https://www.microsoft.com/security/pc-security/password-checker.aspx
How would these rate?
• password12345678790
• Luvnme4aChange@$
Now check them the way a cracker would, with two simple tools:
• Online MD5 creator: http://md5-hash-online.waraxe.us/ (produces the unsalted hash a leaked site would have stored)
• Elite Google Password Decoder: http://www.google.com/ (paste the hash in; if anyone has ever cracked or listed it, the plaintext comes back)
What makes a good password? …
Perhaps we should ask someone else? Intel…
Intel provides a free tool of its own to rate your password:
https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html
How would these rate?
• AdMos185auj;
• Wt4e-79P-B13^qS
Check them the same way, with the same simple tools:
• Online MD5 creator: http://md5-hash-online.waraxe.us/
• Elite Google Password Decoder: http://www.google.com/
What makes a good password? …
http://xkcd.com/936/
What makes a good password?
Simple tips for a better password
Creating a stronger password
• The more random the better*
• The longer the better*
• Mix numbers, letters (upper and lower) and symbols
• No words, and nothing that is a word with substitutions (L!K3 for LIKE): crackers' rule sets try exactly those substitutions
• No personal information (PIN, home address, etc.)
• No keyboard patterns (!@#, 123, QWE)
Use some helpful tools:
• https://lastpass.com/passwordhelp.php?a=1
• https://lastpass.com/generatepassword.php
What makes a good password? …
*Figure and statistics from June 2012 WhiteHat Security Statistics Report
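To make the tips above concrete, here is an added Python example (not from the talk, and not LastPass's tool) that audits a password the way a cracker's rule set sees it and generates one that passes. The dictionary and keyboard rows are small constructed stand-ins for real wordlists, and the 12-character and three-class thresholds are assumptions chosen for the example, not a policy the deck states.

```python
import math
import secrets
import string

# Constructed stand-ins: a real audit uses a full wordlist and every row.
DICTIONARY = {"password", "like", "love", "change", "summer", "admin",
              "horse", "battery", "staple", "correct"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "!@#$%^&*()"]
# Undo the substitutions crackers' rule sets apply, so L!K3 reads as LIKE.
UNLEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
                        "!": "i", "$": "s", "5": "s", "7": "t"})
CLASSES = [("lowercase", string.ascii_lowercase), ("uppercase", string.ascii_uppercase),
           ("digits", string.digits), ("symbols", string.punctuation)]


def contains_word(pw: str) -> bool:
    """True if a dictionary word of four or more letters appears once the
    leet substitutions are undone and case is ignored."""
    plain = pw.lower().translate(UNLEET)
    return any(w in plain for w in DICTIONARY if len(w) >= 4)


def keyboard_walk(pw: str, n: int = 3) -> bool:
    """True if any n consecutive characters run along a keyboard row in
    either direction (qwe, 123, !@#, 321 ...)."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True
    return False


def classes_used(pw: str):
    """Names and alphabet sizes of the character classes present."""
    return [(name, len(alphabet)) for name, alphabet in CLASSES
            if any(c in alphabet for c in pw)]


def entropy_bits(pw: str) -> float:
    """Upper bound assuming every character was drawn uniformly from the
    classes used. Anything built from words or patterns is far weaker
    than this number suggests, which is why audit() checks those first."""
    pool = sum(size for _, size in classes_used(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def audit(pw: str) -> list:
    """Return the list of tips the password breaks; empty means it passes."""
    problems = []
    if len(pw) < 12:                      # assumed threshold
        problems.append("shorter than 12 characters")
    if len(classes_used(pw)) < 3:         # assumed threshold
        problems.append("fewer than three character classes")
    if contains_word(pw):
        problems.append("contains a dictionary word, even after undoing leet substitutions")
    if keyboard_walk(pw):
        problems.append("contains a keyboard sequence")
    return problems


def generate(length: int = 16, alphabet: str = "".join(a for _, a in CLASSES)) -> str:
    """Draw characters from the OS CSPRNG (never random.choice) and reject
    any draw that fails the audit, which is rare at this length."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["password12345678790", "Luvnme4aChange@$", "Wt4e-79P-B13^qS", generate()]:
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits upper bound; problems: {audit(pw) or 'none'}")
```

The entropy figure is deliberately the naive one a strength meter computes: "password12345678790" scores about 98 bits that way and still fails three of the audit checks, which is the gap the two checker slides were pointing at.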
DEMO:
Cracking 1.5 million users
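The demo was run live and is not captured in the slides. The following Python program is an added example, not the presenter's code: it runs the agenda's stages in order (lookup table or Google, another site's leak, a common-password wordlist with mangling rules, then brute force, here on the CPU and capped at three characters where the talk used a GPU) over a constructed seven-user leak of unsalted MD5 hashes. The leak, the lookup table, the second breach and the wordlist are all made up for this run; only the slide-6 and slide-7 passwords are taken from the deck.

```python
import hashlib
import itertools
import string


def md5_hex(s: str) -> str:
    """Unsalted MD5 hex digest, the storage format this demo assumes."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# --- Constructed inputs (not real leak data) ---------------------------
# A dump usually arrives as "email:hash". Hashes are computed in-script
# from chosen plaintexts so the run is reproducible.
PLAINTEXTS = {
    "alice@example.com": "password12345678790",  # slide 6 example
    "bob@example.com":   "Luvnme4aChange@$",     # slide 6 example
    "carol@example.com": "qwe123",               # keyboard walk
    "dave@example.com":  "P@ssw0rd",             # leet-mangled word
    "erin@example.com":  "Summer2013",           # word + year
    "frank@example.com": "x7q",                  # short and random-looking
    "grace@example.com": "Wt4e-79P-B13^qS",      # slide 7 example
}
LEAK = [(email, md5_hex(pw)) for email, pw in PLAINTEXTS.items()]

# Stage 1: precomputed hash -> plaintext pairs stand in for a rainbow
# table, or for pasting the hash into Google. Entries are assumed.
LOOKUP_TABLE = {md5_hex(p): p for p in
                ["123456", "password", "qwe123", "password12345678790"]}

# Stage 2: plaintexts from a different, constructed breach. People reuse
# passwords, so the email address joins the two dumps.
OTHER_BREACH = {"bob@example.com": "Luvnme4aChange@$", "zoe@example.com": "hunter2"}

# Stage 3: a five-word stand-in for a common-password or expert wordlist.
WORDLIST = ["password", "summer", "welcome", "monkey", "letmein"]
LEET = str.maketrans({"a": "@", "o": "0", "e": "3", "i": "1"})
SUFFIXES = ["", "1", "123", "!", "2012", "2013"]


def mangle(word: str):
    """Hashcat-style rules applied to one base word: case changes, leet
    substitution, then common suffixes. Yields every candidate."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def brute_force(targets, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaustive search over every string up to max_len. Cost is
    len(charset)**n per length, so a GPU buys more lengths, not a new
    complexity class. Returns {hash: plaintext} for the targets it hits."""
    found = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=n):
            candidate = "".join(chars)
            h = md5_hex(candidate)
            if h in targets:
                found[h] = candidate
                if len(found) == len(targets):
                    return found
    return found


def crack(leak):
    """Run the stages cheapest-first. Returns ({email: (plaintext, stage)},
    [emails still uncracked])."""
    remaining = {}          # hash -> [emails]; shared passwords share a hash
    for email, h in leak:
        remaining.setdefault(h, []).append(email)
    results = {}

    def solved(h, plaintext, stage):
        for email in remaining.pop(h, []):
            results[email] = (plaintext, stage)

    # 1. One dictionary probe per hash, no hashing at all.
    for h in list(remaining):
        if h in LOOKUP_TABLE:
            solved(h, LOOKUP_TABLE[h], "lookup table")
    # 2. Credential reuse: try the password the same user had elsewhere.
    for h, emails in list(remaining.items()):
        for email in emails:
            reused = OTHER_BREACH.get(email)
            if reused is not None and md5_hex(reused) == h:
                solved(h, reused, "other breach")
                break
    # 3. Wordlist plus mangling rules.
    for word in WORDLIST:
        for candidate in mangle(word):
            h = md5_hex(candidate)
            if h in remaining:
                solved(h, candidate, "wordlist+rules")
    # 4. Brute force whatever is short enough.
    for h, candidate in brute_force(set(remaining)).items():
        solved(h, candidate, "brute force")
    uncracked = sorted(e for emails in remaining.values() for e in emails)
    return results, uncracked


if __name__ == "__main__":
    results, uncracked = crack(LEAK)
    for email, (plaintext, stage) in sorted(results.items()):
        print(f"{email:20} {plaintext!r:24} via {stage}")
    print(f"uncracked: {uncracked} ({len(results)}/{len(LEAK)} recovered)")
```

Six of the seven constructed users fall without ever reaching brute force on anything longer than three characters; the only survivor is the 15-character random password, and it survives because no stage has a shortcut for it, not because the hash function resisted.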
What can be done? …
Attend More Meetings…
What To Do Now
• Don't protect passwords with a plain, fast hash (MD5, SHA-1, SHA-256): a GPU tries billions of guesses per second against them: http://hashcat.net/wiki/doku.php?id=oclhashcat_plus
• Don't rely on salts alone: a per-user salt defeats rainbow tables and shared-hash lookups, but each user's hash can still be attacked at full speed
• Use bcrypt (an adaptive hashing algorithm whose cost factor can be raised as hardware gets faster): http://en.wikipedia.org/wiki/Bcrypt
What to Do Now For Fun
• Download John the Ripper
• Download oclHashcat-plus (and get a decent GPU)
Reference Materials
• http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
• http://hashcat.net/oclhashcat-plus/
• http://www.openwall.com/john/
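As an added example that is not from the talk, the three "What To Do Now" bullets side by side in Python. bcrypt is not in the standard library (the third-party bcrypt package provides it), so the adaptive scheme shown is hashlib.pbkdf2_hmac, which makes the same point with a tunable iteration count. The wordlist is constructed, the 600,000-iteration count is an assumption, and the cost ratio is measured on whatever machine runs the script rather than quoted from the slides.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist; a real attack uses millions of entries.
WORDLIST = ["123456", "password", "summer2013", "letmein", "Luvnme4aChange@$"]
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def md5_store(pw: str) -> str:
    """Scheme 1: unsalted MD5. Equal passwords give equal hashes, so one
    lookup-table hit or one cracked user exposes every user sharing it."""
    return hashlib.md5(pw.encode("utf-8")).hexdigest()


def salted_md5_store(pw: str, salt: bytes = None) -> str:
    """Scheme 2: per-user salt prepended, stored as 'salthex$digest'.
    Defeats precomputed tables and cross-user matches, nothing more."""
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex() + "$" + hashlib.md5(salt + pw.encode("utf-8")).hexdigest()


def salted_md5_verify(pw: str, stored: str) -> bool:
    salt_hex, digest = stored.split("$")
    cand = hashlib.md5(bytes.fromhex(salt_hex) + pw.encode("utf-8")).hexdigest()
    return hmac.compare_digest(cand, digest)   # constant-time compare


def pbkdf2_store(pw: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Scheme 3: adaptive hash. Each verification costs `iterations` HMAC
    rounds, and the count is stored so it can be raised later. bcrypt,
    the talk's recommendation, works the same way with a log2 cost."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(pw: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def dictionary_attack(stored: str, verify, wordlist=WORDLIST):
    """Per-user guessing. The salt is in the stored string, so the attacker
    just uses it; what changes between schemes is the cost of each guess.
    Returns (plaintext or None, guesses tried, seconds elapsed)."""
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, 1):
        if verify(guess, stored):
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def cost_ratio(iterations: int = ITERATIONS, reps: int = 2000) -> float:
    """Seconds per PBKDF2 guess divided by seconds per salted-MD5 guess,
    measured on this machine. This is the factor an attacker's GPU rate
    gets divided by when the site switches schemes."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(reps):
        hashlib.md5(salt + b"guess").hexdigest()
    md5_per_guess = (time.perf_counter() - start) / reps
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    pbkdf2_per_guess = time.perf_counter() - start
    return pbkdf2_per_guess / md5_per_guess


if __name__ == "__main__":
    print("same password, unsalted:", md5_store("summer2013") == md5_store("summer2013"))
    a, b = salted_md5_store("summer2013"), salted_md5_store("summer2013")
    print("same password, salted:  ", a == b)
    print("salted MD5 attack:  ", dictionary_attack(a, salted_md5_verify))
    stored = pbkdf2_store("summer2013")
    print("PBKDF2 attack:      ", dictionary_attack(stored, pbkdf2_verify))
    print(f"per-guess cost ratio at {ITERATIONS} iterations: {cost_ratio():.0f}x")
```

Both salted schemes fall to the same three-guess dictionary run, which is the second bullet in code: the salt changes nothing about how many guesses are needed. What the adaptive scheme changes is the price of each guess, and that price is a parameter the site controls.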
Q&A