Tag: Password Cracking

  • Password Series: Defeating Emerging Password Security Trends with Psudohash

    Password Series: Defeating Emerging Password Security Trends with Psudohash

    Changes in Authentication

    One interesting trend emerging among developers, which could impact the methodologies required when attempting to crack a hash, is Have I Been Pwned’s database of leaked credentials and the corresponding API that has made it easier than ever for developers to check for leaked credentials while users sign up.

    An example of this can be seen with Supabase, a leading open-source alternative to Firebase. Supabase incorporates a check for leaked credentials by default, automatically opted-in, with no additional plugins or developer time needed. A simple toggle in an administrative interface allows developers to automatically check each of their clients’ credentials against leaked passwords and prevents clients from using known leaked credentials.

    Supabase Uses HaveIBeenPwned API
    Supabase Uses HaveIBeenPwned API

    As more developers incorporate either this API or a similar one, it could eventually discourage password reuse, reducing the effectiveness of several wordlists. Traditional attacks should still work, even if the majority of organizations adopt these methods, because many people will just modify their original password slightly, making rule and mask attacks even more important for catching minor variations of the same original password. It will also make tools that are used to make supplemental lists even more important.

    Supplementing wordlists using tools like CeWL, crunch, or CUPP, is a key part of every penetration tester’s repertoire. This category is where one of my favorite new tools for password dictionary attacks appeared just two years ago.

    Psudohash is great for those times when you want to create tons of permutations of something common, such as the business name or the product name that you are testing. It will create hundreds of millions or even billions of permutations of the same word.

    Basic Psudohash Usage

    The command below shows some of the options available where -cpb -cpa adds common paddings before and after. This list of common paddings by default is a list of 108 characters such as !!! or 123 that it will add to either side of the word if given the cpb or cpa argument. It can be modified to include whatever common paddings one chooses.

    python3 psudohash.py -w -cpb -cpa -o /mnt/c/Users/Ryan/ -psudohash -an 2
    Common Paddings Before and After Plus Common Permutations
    Adding Common Forms of Padding and Permutations

    One thing to keep an eye on while using this tool is the size of the operation you are performing. I simply added years and common paddings -y 2010-2030 -cpb cpa, and, as a result, it will take over 50,000MB. This can produce output that challenges even the most contemporary password cracking rig, especially if additional permutations are applied while cracking.

    python3 psudohash.py -w -cpb -cpa -y 2010-2030 -o /mnt/c/Users/Ryan/ -psudohash -an 2
    Added One Argument and Multiplied Data Output by More Than 100x
    Added One Argument and Multiplied Data Output by More Than 100x

    Of course, there are numerous options available, and transformations can be as simple as character transformations such as a = @. Here I pass the tool multiple words to transform:

    ./ psudohash.py -w ‘david,maria,lassie,metallica’ –common-paddings-after –common-paddings-before -y 1990,2022
    Padding Several Names Using Psudohash
    Padding Several Names Using Psudohash

    However, it is only good at creating permutations of words you pass to it. This makes it a great supplemental tool for your cracking efforts, but it should remain supplemental. I personally always pass company and product names to this when I have a hash that I am trying to crack for a penetration test.

    ./psudohash.py -w Microsoft –common-paddings-after -y 2020-2023
    Using Psudohash to Create Common Company and Year Passwords
    Using Psudohash to Create Common Company and Year Passwords

    Up Next

    This tool has helped me establish some major wins. In my next posts in this series, I will share how this tool has inadvertently helped me, not only to stay ahead of changes like this with Supabase, but also to identify biases in some of our datasets. I will provide an example of how this tool can not only fill in the gaps but also illustrate common gaps that many security professionals make when cracking passwords.

  • Password Length: More than Just a Question of Compliance

    Password Length: More than Just a Question of Compliance

    Password length is a topic we’re asked about a lot, and that makes sense because it can be quite confusing. There are several different compliance models that organizations use – from PCI to NIST to OWASP and more. Each has its own standards for password strength and password length.

    When it comes to penetration testing, weak password recommendations often are more rigorous than compliance standards, and this leads to a great deal of stress, especially for organizations that have already spent time and effort in implementing password rules that meet the compliance standards they’ve chosen.

    Why So Many Different Standards?

    First, speaking from experience, penetration testers see firsthand how weak and reused passwords are often a key part of achieving access over an entire domain (i.e. having administrative powers to view, add, edit, and delete users, files, and sensitive data, including passwords, for an organization’s Active Directory environment). While this is the type of success that pentesters strive to achieve, the true goal of a penetration test is to show organizations weaknesses so that they can close exploitation paths before malicious attackers find them.

    For this reason, Raxis penetration tests recommend passwords of at least 12-16 characters for users and at least 20 characters for service accounts. Of course, we recommend more than length (see below for some tips), but Raxis password cracking servers have cracked weak passwords in minutes or even seconds on internal network penetration tests and red team tests several times this year already. We don’t want our customers to experience that outside of a pentest.

    Post-It Notes With Passwords on a Monitor

    On the other hand, compliance frameworks are just that – frameworks. While their aim is to guide organizations to be secure, they do not endeavor to force organizations out of compliance with a stringent set of rules that may not be necessary for all systems and applications. For example, a banking website should require stronger credentials and login rules than a store website that simply allows customers to keep track of the plants they’ve bought without storing financial or personal information.

    If you read the small print, compliance frameworks nearly always recommend passwords longer than they require. It’s unlikely, though, that many people read the recommendations when working on a long compliance checklist when they have several more items to complete.

    Times are Changing

    Of course, time goes on, and even compliance frameworks usually recommend at least ten-character passwords now. The PCI (Payment Card Industry) standards that are required for organizations that process credit cards now require 12 character passwords unless the system cannot accept more than eight characters. PCI DSS v4.0 requirement 8.3.6 does have some exceptions including still allowing PCI DSS v3.2.1’s seven-character minimum length that is grandfathered in until the end of March 2025.

    This is a good example of PCI giving companies time to change. It’s been well known for years that someone who has taken the time and expertise to build a powerful password-cracking system can crack a seven-character password hash in minutes. This leaves any organization that still allows seven-character passwords with a strong threat of accounts becoming compromised if the hash is leaked.

    OWASP (the Open Web Application Security Project), which provides authoritative guidance for web and mobile application security practices, accepts 10 characters as the recommended minimum in their Authentication Cheat Sheet. OWASP states that they base this on the NIST SP 800-132 standard, which was published in 2010 and is currently in the process of being revised by NIST. Keep in mind that OWASP also recommends that the maximum password length not be set to low, and they recommend 128 characters as the max.

    The Center for Internet Security, on the other hand, has added MFA to their password length requirements. In their CIS Password Policy Guide published in 2021, CIS requires 14 character passwords for password-only accounts and eight character passwords for accounts that require MFA.

    Other Factors

    This brings up a good point. There is more to a strong password than just length.  

    Digital screen showing a key

    MFA (multi-factor authentication) allows a second layer of protection such as a smartphone app or a hardware token. Someone discovered or cracked your password? Well, they have one more step before they have access. Keep in mind that some apps allow bypassing MFA for a time on trusted machines (which leaves you vulnerable if a malicious insider is at work or if someone found a way into your offices).

    Also keep in mind that busy people sometimes accept alerts on their phones without reading them carefully. For this reason, Raxis has a service – MFA Phishy – that sends MFA requests to employees and alerts them (and reports to management) if they accept the false MFA requests.

    MFA is a great security tool, but it still relies on the user to be vigilant.

    Raxis’ Recommendations

    In the end, there are a myriad of ways that hackers can gain access to accounts. Raxis recommends setting the highest security possible for each layer of controls in order to encourage attackers to move on to an easier target.

    We recommend the following rules for passwords along with requiring MFA for all accounts that access sensitive data or services:

    1. Require a 12-character minimum password length.
    2. Include uppercase and lowercase letters as well as numbers and at least once special character. Extra points for the number and special character being anywhere but the beginning or end of the password!
    3. Do not include common mnemonic phrases such as 1234567890, abcdefghijkl, your company name, or other easily guessable words. Don’t be on NordPass’s list!
    4. Do not reuse passwords across accounts, which could allow a hacker who gains access to one password to gain access to multiple accounts.

    There are two easy ways to follow these rules without causing yourself a major headache:

    1. Use a password manager (such as NordPass above, BitWarden, Keeper, or 1Password amongst others). Nowadays these tools integrate for all of your devices and browsers, so you can truly remember one (very long and complex) password in order to easily access all of your passwords
      • These tools often provide password generators that quickly create & save random passwords for your accounts.
      • They usually use Face ID and fingerprint technology to make using them even easier.
      • And they also allow MFA, which we recommend using to keep your accounts secure.
    2. Use passphrases. Phrases allow you to easily remember long passwords while making them difficult for an attacker to crack or guess. Just be sure to use phrases that YOU will remember but others won’t guess.

    And I’ll leave you with one last recommendation. On Raxis penetration tests, our team often provides a list of the most common passwords we cracked during the engagement in our report to the customer. Don’t be the person with Ihatethiscompany! or Ihatemyb0ss as your password!