Date: Fri, 14 Dec 2012 11:30:29 -0500
From: Matt Weir <cweir@...edu>
To: crypt-dev@...ts.openwall.com
Subject: Re: Intentionally Increasing Collisions in Password Hashing Algorithms

Steven,

> I don't know if an attacker would be interested in having a small number of
> low value accounts. It probably depends on how much effort is required to
> turn one into a high value account.

It seems to me that just about any account will have a base value to an attacker for use in spam. The data in your Gawker account might not be worth anything to an attacker, but if your friends see you posting a link hawking acai berries the attacker might be able to make some money. Aka, your social connections have value even if your data doesn't.

I have no idea how much that is actively exploited though. I'm almost tempted to create 100 random accounts with the password '123456' and check back in on them in 6 months to see which ones have been hijacked.

> I'd be interested to know more about how stolen accounts are actually used
> and traded. How often are the initial attackers actually using the accounts
> and how often are they selling them to a third party? Are the attackers and
> sellers both involved in trying to compromise additional accounts with known
> credentials or is it primarily one or the other?

It's just the tip of the iceberg, but the InsidePro board is fascinating not only with how much goes on in it, but how public it is. There are various other public boards/forums as well, but they tend to have short lifespans. That being said, I haven't really seen any investigation that's followed the full lifespan of an attack, such as: hacker A breaks into a site, sells it to hashcracker B, who then sells the plaintexts to botmaster C who then breaks into high value accounts and then sells those to middleman D.....

Heck, I've seen a lot of empirical evidence of people using botnets to verify cracked passwords, but I haven't seen any real write-ups/investigations into the password verifying botnets themselves. They're like the Higgs boson particle of the password cracking scene...

> The better question might be, "how many guesses *do* attackers make?" The
> GW2 article said that they were saying targeted guessing with only one to a
> few guesses per account. If that's the case, then the idea of truncating
> isn't helpful; you need blacklisting and/or two factor authentication.

It does imply though that the attackers are only willing to expend a limited amount of work when verifying accounts. Aka they are willing to spend 'x' guesses trying mangling rules on a known password before the law of diminishing returns makes it not worth it to continue. Now the question then is if they had to try 't' base passwords due to collisions, would rate limiting force them to reduce 'x' or do they set 'x' just based on the fact that there are a few high probability transforms and everything else is fairly low probability?

One way we might be able to estimate an ideal 'x' for attackers would be to simply base it on the results shown in Figure 7 in this amazing paper on password expiration policies:

http://www.ibisc.univ-evry.fr/~fpommereau/dl/CyptoCompress/Crypto08.pdf

For example, according to that data it would make sense to try around 20 guesses per base password, so if an attacker is only trying 5 guesses per base password that would imply they are resource constrained in some way (either by rate limiting, basic resources, etc.).

Of course going back to your earlier point, it would be nice to have more insight into the actual buying/selling of passwords because in that case we might find out something like, attackers use 5 guesses per base password simply because that's the default setting in the tool they use...

> BTW, I read your "Testing Metrics..." paper. Have you done any testing to
> see how well blacklisting would help against offline attacks?

Yup. Everything seems to point to the fact that blacklists have a huge effect against online attacks, but limited effect against offline attacks. To put it another way, look at a password cracking session after the first 1000 guesses and that's pretty much the ideal case for how a blacklist performs against an offline attack (it's an ideal case since it implies that the people who have to change their password due to the blacklist select passwords as strong on average as people who didn't have to change their password).

Matt
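
[Added example, not part of the original message or written by its author.] The sketch below models the "ideal case" described in the last paragraph: a blacklist of the 1000 most common passwords is treated as if a cracking session simply started after its first 1000 guesses. The Zipf-shaped popularity curve, the population size and the guess budgets are constructed assumptions chosen only to show the online/offline contrast.

```python
# Added illustration; the Zipf-shaped popularity model and all numbers are
# constructed assumptions, not data from the thread or from any real leak.

def zipf_probs(n, s=1.0):
    """Probability of the r-th most popular password, r = 1..n."""
    weights = [1.0 / (r ** s) for r in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def cracked_fraction(probs, guesses, blacklist=0):
    """Share of accounts that fall to `guesses` tries made in popularity order.

    The `blacklist` most popular passwords are banned. Ideal case from the
    message: displaced users re-pick passwords as strong on average as
    everyone else's, so the remaining distribution is just renormalised.
    """
    tail = probs[blacklist:]
    return sum(tail[:guesses]) / sum(tail)

def blacklist_benefit(probs, guesses, blacklist):
    """How many times fewer accounts fall once the blacklist is in place."""
    before = cracked_fraction(probs, guesses)
    after = cracked_fraction(probs, guesses, blacklist)
    return before / after

PROBS = zipf_probs(200_000)   # constructed population of distinct passwords
ONLINE_GUESSES = 10           # rate-limited login attempts per account
OFFLINE_GUESSES = 50_000      # guesses per hash against a leaked database
BLACKLIST = 1_000             # size used in the message's example

if __name__ == "__main__":
    for label, g in (("online", ONLINE_GUESSES), ("offline", OFFLINE_GUESSES)):
        before = cracked_fraction(PROBS, g)
        after = cracked_fraction(PROBS, g, BLACKLIST)
        gain = blacklist_benefit(PROBS, g, BLACKLIST)
        print(f"{label:8s} guesses={g:6d}  no blacklist={before:.3f}  "
              f"blacklist={after:.3f}  reduction={gain:.1f}x")
```

Under these assumptions the blacklist cuts the online success rate by roughly two orders of magnitude while the offline rate drops by well under a factor of two, which is the asymmetry the message describes.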