Christopher Grayson discusses authentication, passwords, how to break password-based authentication schemes, and lastly introduces LavaPasswordFactory.
LavaPasswordFactory is a password list generation tool that also contains functionality for cleaning password lists based on password policies.
3. AGENDA
1. What is authentication?
2. Why do passwords exist?
3. Why attack authentication mechanisms?
1. Password-based attacks
4. LavaPasswordFactory
1. Demonstration
5. Conclusion / Questions
4. WHO AM I?
• Christopher Grayson
• cegrayson3@gmail.com
• @_lavalamp
• Senior Security Analyst at Bishop Fox (Pen-Testing FTW)
• MSCS, BSCM from GT
• Former Research Scientist from GT
• Former president, GT hacking club
That guy in the front…
6. THE BASICS
• It’s all about identity baby
• Something you know
• Something you have
• Something you are
7. SOMETHING YOU KNOW
• Passwords
• Personal knowledge (security questions)
• Only those that know X should have access.
8. SOMETHING YOU HAVE
• RSA SecurID
• Google Authenticator
• Only those that have X should be allowed access.
9. SOMETHING YOU ARE
• Most nebulous of the three
• Commonly refers to biometrics (iris scans for instance)
• Only those who are X should be allowed access.
10. TAKEAWAYS
• Authentication mechanisms aim to identify who you are for the purpose of establishing the correct level of authority.
• Without accurately identifying someone, how can one hope to apply any meaningful identity-based security controls?
12. WHYYYYYYY?!
• Easy to implement
• Usually easy to remember
• Requires the lowest amount of technical overhead
• Many other reasons…
13. PASSWORDS ARE BAD, M’KAY?
• When used properly, passwords can provide a decent level of security.
• Passwords are largely used improperly, even within the security community.
17. WHY ATTACK AUTHENTICATION?
• Automated systems typically have different roles meant for different users.
• Correctly identifying a user supplies that user with the intended level of authority.
• Even in an incredibly secure system, if you can trick the system into thinking you’re an admin, many security controls fall away.
18. ONLINE PASSWORD ATTACKS
• Logging into a Web site
• Logging into network services
• Don’t have access to hashed representation of passwords
19. OFFLINE PASSWORD ATTACKS
• Typically a data store has been compromised
• Have direct access to hashed representation of passwords
• Can break passwords at much larger scale
21. SHINY NEW TOOL
• Generates passwords for offline and online attacks
• Cleans existing password lists
• Uses a set of seed words
• Has functionality for matching password policies
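The "cleaning" step above, as an added illustration that is not LavaPasswordFactory's own code: a password policy (length bounds plus required character classes) is applied to a candidate list, and only entries that could actually satisfy the policy survive. The PasswordPolicy shape and the sample word list are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical policy description; not LavaPasswordFactory's format."""
    min_length: int = 8
    max_length: int = 64
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False


# Each required character class maps to the regex that proves it is present.
_CLASS_PATTERNS = {
    "require_upper": re.compile(r"[A-Z]"),
    "require_lower": re.compile(r"[a-z]"),
    "require_digit": re.compile(r"[0-9]"),
    "require_symbol": re.compile(r"[^A-Za-z0-9]"),
}


def matches_policy(candidate: str, policy: PasswordPolicy) -> bool:
    """True only if the candidate could be accepted under the policy."""
    if not policy.min_length <= len(candidate) <= policy.max_length:
        return False
    for field, pattern in _CLASS_PATTERNS.items():
        if getattr(policy, field) and not pattern.search(candidate):
            return False
    return True


def clean_wordlist(words, policy: PasswordPolicy) -> list:
    """Drop policy-violating and duplicate entries, preserving order."""
    seen, kept = set(), []
    for word in words:
        word = word.rstrip("\r\n")
        if word in seen or not matches_policy(word, policy):
            continue
        seen.add(word)
        kept.append(word)
    return kept


# Constructed sample input (not a real list) and a typical corporate policy.
SAMPLE_WORDS = ["password", "Password1", "Summer2024!", "Summer2024!",
                "lavalamp", "BishopFox2015", "aaaaaaaaaaa"]
CORP_POLICY = PasswordPolicy(min_length=10, require_upper=True,
                             require_lower=True, require_digit=True)

if __name__ == "__main__":
    print(clean_wordlist(SAMPLE_WORDS, CORP_POLICY))
```

Applied to the sample list, only the two entries that meet the 10-character, mixed-case-plus-digit policy remain, so a list built from seed words shrinks to what the target's policy would actually have accepted.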