NTT Com Security's offensive security team has to simulate real-world attacker techniques, including password cracking. To that end we recently purchased a GPU-based password cracking system, built from off-the-shelf parts that are equally available to criminal groups. We use this system during live penetration tests to crack our clients' passwords, and we also wanted to take the opportunity to demonstrate how average passwords fare against today's common cracking technology; that demonstration is the basis of this talk.
We begin with a quick review of how password cracking works and how password hashes get stolen in the first place, for anybody who is not familiar with the topic or who believes that locking out accounts after a few failed login attempts keeps them safe (offline cracking of a stolen hash never touches the login system, so lockout does not apply).
We then move on to an analysis of the 14.5 million plaintext passwords leaked in the RockYou breach. A statistical analysis shows which patterns people use most often when choosing real-world passwords and lets us derive cracking patterns (such as character-class masks) that break passwords far faster than pure brute force alone. By hashing these plaintexts ourselves we can also benchmark the speed of our cracker and work out the fastest order in which to run through them.
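As an added example (not code from the talk or from NTT Com Security), the script below shows the kind of mask statistics such an analysis produces: it maps each plaintext to a hashcat-style mask, counts the masks, ranks them by hits per candidate (how many passwords a mask recovers per hash computed), and then picks the most efficient masks until half the sample is covered. The password list is constructed for illustration and is not RockYou data; the charset sizes are hashcat's built-in ?l, ?u, ?d and ?s (95 printable ASCII characters in total, hashcat's ?a).

```python
from collections import Counter

# Constructed sample standing in for a leaked plaintext dump (not RockYou data).
SAMPLE_PASSWORDS = [
    "password1", "iloveyou", "princess1", "123456", "rockyou",
    "abc123", "Summer2015", "Welcome1", "jessica1", "monkey12",
    "Password1", "qwerty", "1234567", "letmein1", "football",
    "Sunshine1", "baseball", "charlie1", "Michael1", "12345678",
]

# hashcat built-in charset sizes: lowercase, uppercase, digits, specials.
CHARSETS = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}
PRINTABLE_ASCII = sum(CHARSETS.values())  # 95, hashcat's ?a


def char_class(c):
    """Map one character to its hashcat charset token."""
    if c.islower():
        return "?l"
    if c.isupper():
        return "?u"
    if c.isdigit():
        return "?d"
    return "?s"


def mask_of(password):
    """Plaintext -> hashcat mask, e.g. 'Summer2015' -> '?u?l?l?l?l?l?d?d?d?d'."""
    return "".join(char_class(c) for c in password)


def mask_keyspace(mask):
    """Number of candidates a mask attack on this mask must try."""
    space = 1
    for i in range(0, len(mask), 2):
        space *= CHARSETS[mask[i:i + 2]]
    return space


def mask_stats(passwords):
    """Rank masks by hits per candidate: masks that recover the most
    passwords for the fewest hash computations come first."""
    counts = Counter(mask_of(p) for p in passwords)
    rows = []
    for mask, hits in counts.items():
        space = mask_keyspace(mask)
        rows.append({"mask": mask, "hits": hits, "keyspace": space,
                     "efficiency": hits / space})
    rows.sort(key=lambda r: r["efficiency"], reverse=True)
    return rows


def masks_for_coverage(passwords, target):
    """Greedily take the most efficient masks until `target` (0..1) of the
    sample is covered. Returns (masks, total candidates to try)."""
    needed, covered, work = [], 0, 0
    for r in mask_stats(passwords):
        if covered >= target * len(passwords):
            break
        needed.append(r["mask"])
        covered += r["hits"]
        work += r["keyspace"]
    return needed, work


if __name__ == "__main__":
    for r in mask_stats(SAMPLE_PASSWORDS)[:5]:
        print(f'{r["mask"]:24} hits={r["hits"]:2} keyspace={r["keyspace"]:>14,}')
    masks, work = masks_for_coverage(SAMPLE_PASSWORDS, 0.5)
    print(f"{len(masks)} masks cover half the sample with {work:,} candidates,")
    print(f"versus {PRINTABLE_ASCII ** 8:,} for an 8-character ?a brute force")
```

On this toy sample the all-digit masks rank first because their keyspace is tiny, and eight masks cover half the passwords with roughly 1.2e11 candidates, four to five orders of magnitude less than exhausting all 8-character printable-ASCII strings. Against a real dump the same ranking tells you which masks to hand to the cracker first.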
We then take what we learned from the RockYou analysis and use it to crack actual Windows domain password hashes gathered in the course of penetration tests on our clients, to show what an attacker could accomplish in a real-world scenario. The results show that we have a lot to be worried about.
We wrap up with an overview of more advanced password protection techniques, the types of trouble an attacker would be able to get up to once they have cracked passwords, and our recommendations for mitigating the threat posed by weak passwords.
One data point we can release as a sneak preview is the time it takes us to crack passwords that comply with the PCI DSS minimum complexity requirements (at least 7 characters, containing both letters and numbers): even when hashed with SHA-512, these passwords can be cracked by brute force in about 6 minutes. Even 10-character passwords that meet the same complexity requirements can be cracked in about 9 days, well short of the 90-day change window PCI DSS requires.
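To make those figures easy to reason about, here is an added example (not code from the talk): it counts the keyspace of a "must contain both letters and digits" policy by inclusion-exclusion, derives the hash rate implied by the 7-character, 6-minute SHA-512 figure, and converts the 10-character keyspace into a running time at a given rate. The 1e12 hashes-per-second value in the demo is a placeholder assumption, not a measurement from the NTT Com Security rig; the abstract does not say which hash the 10-character figure was measured against, so substitute your own benchmark.

```python
from itertools import combinations

# Character-class sizes for the 95 printable ASCII characters.
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 33
LETTERS = LOWER + UPPER


def policy_keyspace(length, classes, required):
    """Count strings of `length` characters over the union of `classes`
    (given as class sizes) that contain at least one character from every
    class in `required`. Inclusion-exclusion: subtract the strings missing
    one required class, add back those missing two, and so on."""
    alphabet = sum(classes)
    req = list(required)
    space = 0
    for k in range(len(req) + 1):
        for missing in combinations(req, k):
            space += (-1) ** k * (alphabet - sum(missing)) ** length
    return space


def pci_minimum_keyspace(length):
    """PCI DSS 8.2.3: at least seven characters, both alphabetic and numeric.
    Alphanumeric alphabet (62) with letters and digits both required."""
    return policy_keyspace(length, [LETTERS, DIGIT], [LETTERS, DIGIT])


def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at a given hash rate."""
    return keyspace / hashes_per_second


def implied_rate(keyspace, seconds):
    """Hash rate a cracker must sustain to exhaust `keyspace` in `seconds`."""
    return keyspace / seconds


if __name__ == "__main__":
    # Figures from the abstract: 7-character PCI-compliant passwords,
    # SHA-512, brute-forced in about 6 minutes.
    ks7 = pci_minimum_keyspace(7)
    rate = implied_rate(ks7, 6 * 60)
    print(f"7-char policy keyspace: {ks7:,} ({ks7 / 62 ** 7:.0%} of 62^7)")
    print(f"implied SHA-512 rate for a 6-minute exhaust: {rate:,.0f} H/s")
    # ASSUMED rate for the 10-character case (placeholder, not a measurement).
    ks10 = pci_minimum_keyspace(10)
    assumed_rate = 1e12
    days = seconds_to_exhaust(ks10, assumed_rate) / 86400
    print(f"10-char policy keyspace: {ks10:,}; {days:.1f} days at {assumed_rate:.0e} H/s")
```

Two things worth noticing: the "must contain both" rule removes the all-letter and all-digit strings, which is about 29% of 62^7, so the attacker's keyspace is smaller than the naive 62^7 estimate; and because every added character multiplies the work by 62, the only policy lever that actually moves the running time is length, not the class mix.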
We have a lot more interesting info to share and hope to see you there at RSA Conference 2016.