Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 14 Dec 2012 11:30:29 -0500
From: Matt Weir <cweir@...edu>
To: crypt-dev@...ts.openwall.com
Subject: Re: Intentionally Increasing Collisions in Password
 Hashing Algorithms

Steven,

> I don't know if an attacker would be interested in having a small number of
> low value accounts.  It probably depends on how much effort is required to
> turn one into a high value account.

It seems to me that just about any account will have a base value to
an attacker for use in spam. The data in your Gawker account might not
be worth anything to an attacker, but if your friends see you posting
a link hawking acai berries the attacker might be able to make some
money. Aka, your social connections have value even if your data
doesn't. I have no idea how much that is actively exploited though.
I'm almost tempted to create a 100 random accounts with the password
'123456' and check back in on them in 6 months to see which ones have
been hijacked.

> I'd be interested to know more about how stolen accounts are actually used
> and traded.  How often are the initial attackers actually using the accounts
> and how often are they selling them to a third party?  Are the attackers and
> sellers both involved in trying to compromise additional accounts with known
> credentials or is it primarily one or the other?

It's just the tip of the iceberg, but the InsidePro board is
fascinating not only with how much goes on in it, but how public it
is. There's various other public boards/forums as well but they tend
to have short lifespans. That being said, I haven't really seen any
investigation that's followed the full lifespan of an attack, such as:
hacker A breaks into a site, sells it to hashcracker B, who then sells
the plaintexts to botmaster C who then breaks into high value accounts
and then sells those to middleman D..... Heck I've seen a lot of
empirical evidence of people using botnets to verify cracked
passwords, but I haven't seen any real write-ups/investigations into
the password verifying botnets themselves. They're like the higgs
boson particle of the password cracking scene...

> The better question might be, "how many guesses *do* attackers make?"  The
> GW2 article said that they were saying targeted guessing with only one to a
> few guesses per account.  If that's the case, then the idea of truncating
> isn't helpful; you need blacklisting and/or two factor authentication.

It does imply though that the attackers are only willing to expend a
limited amount of work when verifying accounts. Aka they are willing
to spend 'x' guesses trying mangling rules on a known password before
it the laws of diminishing returns makes it not worth it to continue.
Now the question then is if they had to try 't' base passwords due to
collisions, would rate limiting force them to reduce 'x' or do they
set 'x' just based on the fact that there are a few high probability
transforms and everything else is fairly low probability?

One way we might be able to estimate an ideal 'x' for attackers would
be to simply base it on the results shown in Figure 7 in this amazing
paper on password expiration policies:

http://www.ibisc.univ-evry.fr/~fpommereau/dl/CyptoCompress/Crypto08.pdf

For example, according to that data it would make sense to try around
20 guesses per base password, so if an attacker is only trying 5
guesses per base password that would imply they are resource
constrained in some way, (either by rate limiting, basic resources,
etc). Of course going back to your earlier point, it would be nice to
have more insight into the actual buying/selling of passwords because
in that case we might find out something like, attackers use 5 guesses
per base password simply because that's the default setting in the
tool they use...

> BTW, I read your "Testing Metrics..." paper.  Have you done any testing to
> see how well blacklisting would help against offline attacks?

Yup. Everything seems to point to the fact that blacklists have a huge
effect against online attacks, but limited effect against offline
attacks. To put it another way, look at a password cracking session
after the first 1000 guesses and that's pretty much the ideal case for
how a blacklist performs against an offline attack, (it's an ideal
case since it implies that the people who have to change their
password due to the blacklist select passwords as strong on average as
people who didn't have to change their password).

Matt

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.