Christopher Grayson discusses authentication, passwords, how to break password-based authentication schemes, and lastly introduces LavaPasswordFactory. LavaPasswordFactory is a password list generation tool that also contains functionality for cleaning password lists based on password policies.

1. LAVA.PASSWORD.FACT
ORY
PASSWORDS ARE BAD AND YOU CAN TOO!!

2. A BRIEF INTRODUCTION

3. AGENDA
1. What is authentication?
2. Why do passwords exist?
3. Why attack authentication mechanisms?
1. Password-based attacks
4. LavaPasswordFactory
1. Demonstration
5. Conclusion / Questions

4. WHO AM I?
• Christopher Grayson
• cegrayson3@gmail.com
• @_lavalamp
• Senior Security Analyst at
Bishop Fox (Pen-Testing
FTW)
• MSCS, BSCM from GT
• Former Research Scientist
from GT
• Former president, GT
hacking club
That guy in the front…

5. WHAT IS AUTHENTICATION?

6. THE BASICS
• It’s all about identity
baby
• Something you know
• Something you have
• Something you are

7. SOMETHING YOU KNOW
• Passwords
• Personal knowledge
(security questions)
• Only those that know
X should have access.

8. SOMETHING YOU HAVE
• RSA SecurID
• Google Authenticator
• Only those that have
X should be allowed
access.

9. SOMETHING YOU ARE
• Most nebulous of the
three
• Commonly refers to
biometrics (iris scans
for instance)
• Only those who are X
should be allowed
access.

10. TAKEAWAYS
• Authentication mechanisms aim to identify
who you are for the purpose of establishing
the correct level of authority.
• Without accurately identifying someone, how
can one hope to apply any meaningful
identity-based security controls?

11. PESKY PESKY PASSWORDS

12. WHYYYYYYY?!
• Easy to implement
• Usually easy to
remember
• Requires the lowest
amount of technical
overhead
• Many other reasons…

13. PASSWORDS ARE BAD, M’KAY?
• When used properly,
passwords can provide
a decent level of
security.
• Passwords are largely
used improperly, even
within the security
community.

14. COMMON PASSWORD PROBLEMS
• Low complexity
• Password re-use
• Writing passwords
down

15. SOME TANGIBLE DATA
Credit to Karl Sigler, The Register
http://www.theregister.co.uk/2014/08/15/hundreds_of_thousands_of_corporate_passwords_cracke

16. ATTACKING PASSWORDS

17. WHY ATTACK
AUTHENTICATION?
• Automated systems
typically have different
roles meant for different
users.
• Correctly identifying a user
supplies that user with the
intended level of authority.
• Even in an incredibly
secure system, if you can
trick the system into
thinking you’re an admin,
many security controls fall
away.

18. ONLINE PASSWORD ATTACKS
• Logging into a Web site
• Logging into network
services
• Don’t have access to
hashed representation
of passwords

19. OFFLINE PASSWORD ATTACKS
• Typically a data store
has been compromised
• Have direct access to
hashed representation
of passwords
• Can break passwords at
much larger scale

20. LAVA.PASSWORD.FACTORY

21. SHINY NEW TOOL
• Generates passwords
for offline and online
attacks
• Cleans existing
password lists
• Uses a set of seed
words
• Has functionality for
matching password
policies

22. DEMONSTRATION

23. GETTING IT
• https://github.com/lavalamp-
/LavaPasswordFactory
• Still a work-in-progress, but current work is
only to add more functionality.
• Comments and feature requests welcome!

24. QUESTIONS?

25. THANK YOU!
@_LAVALAMP