Advanced Password Security 101

Sunday, March 27, 2011

J. Oquendo


"Advanced Password Security 101? But isn't 101 intro?"

Like you, I have read one too many articles about password security and companies being compromised because of password re-use [1]. Rather than get into a long “passwords: you're doing it wrong” discussion, I decided to focus on a more positive “passwords... let's get it right” article.

I had already written the vast majority of what you are now reading on another forum called EthicalHacker.net; however, this has been re-hashed to make things more sensible for a bigger audience.

Let me begin by stating that the biggest hard drive on the planet is your mind. Reliance on technology, which has become second nature at this point, isn't always the best option. Hopefully this article will help you 1) create a strong password, 2) remember multiple passwords (to the tune of dozens, even hundreds) so password re-use never comes into play, and 3) secure your passwords because, after all, no one can pick your brain.

For those searching for "password storage systems", there is no shortage of helpful, even free, programs [2,3,4,5]. There is also no shortage of documents explaining why or how to create strong passwords [6]. However, what I noticed in most documents and even programs is their lack of creativity.

Let's be realistic: no one wants to remember $#.()p@%//\\- as a password, because quite frankly it would be an interesting form of mental punishment, something we can all do without. Not only would it be mental punishment, but imagine for a moment the following scenario: You need a key safe to store your keys. You go out and buy the strongest one and lose the key to that safe... Now what?

Let's take a look at a small shop, say 20 servers. Each server has a distinct role, and we want every machine to have a different password. We want this so that if someone compromises any one of those machines, they're stuck on that specific machine because the passwords all differ. Or maybe we just want to torture ourselves and have different passwords. Let's lay out the framework for this company, which we'll now name Forgetful Inc.

Forgetful Inc. has ten servers running database instances for 5 credit card companies, each server paired with a redundant backup. Let's name them:

Company1.forgetfulinc.com
Company1BU.forgetfulinc.com

Company2.forgetfulinc.com
Company2BU.forgetfulinc.com

Company3.forgetfulinc.com
Company3BU.forgetfulinc.com

Company4.forgetfulinc.com
Company4BU.forgetfulinc.com

Company5.forgetfulinc.com
Company5BU.forgetfulinc.com

 

They also have 5 other servers with backups for WWW, Mail, Active Directory, ClientServer, Knowledgebase:

WWW.forgetfulinc.com
WWWBU.forgetfulinc.com

Mail.forgetfulinc.com
MailBU.forgetfulinc.com

AD.forgetfulinc.com
ADBU.forgetfulinc.com

ClientServer.forgetfulinc.com
ClientServerBU.forgetfulinc.com

KB.forgetfulinc.com
KBBU.forgetfulinc.com

Twenty servers total and we need each to have a unique password. Even with all having a strong password, we'd need to figure out how to remember them all and never have to keep those passwords stored anywhere other than our brains. Where should we start? For starters we will need (drum roll): A strong password. The rest is simple. It really boils down to creativity from here. We'll use the word “password” as our framework. No joking, we will use password as our password!

However, we will be using character substitution. We will replace the a with an @ sign, the s with a dollar $ign, the o with a zer0. This is typical "leet speak", leaving us with the password p@$$w0rd, which will be our starting point. Because many experienced security engineers, hackers and crackers will likely have a good list of variants on words, this is obviously not a good password. So let's move forward by making this password a bit more secure.

Using the fictitious domain name, we will do the same substitutions. The letter o becomes a zer0, any letter a becomes an @ sign, the letter i will become ! and so on. We now create f0rgetful!nc from forgetfulinc and we have the second piece. Third piece? You got it, the hostname. Mail becomes m@!l and we're ready for a strong password that can't be forgotten: m@!l.f0rgetful!nc.p@$$w0rd aka mail.forgetfulinc.password

We now have something that is extremely difficult, almost impossible to guess, let alone run ANY kind of wordlist against. We also have something extremely difficult to forget, after all if you forget your hostname and domain name, you need much more than a password keeper.

For each server we will go through the motions. 20 different servers, each with a unique password almost impossible to crack. The key is to find a suitable password combination. You could use MAC addresses, passwords, etc., whatever you need to do to remember it. It gets easier after a while.

Let's look at what I perceive to be the average number of passwords a typical person would have. I'd say one for work, one for personal e-mail, one for, say, a social networking site, maybe another for Twitter or some other site. Let's say 4 passwords. People will always use something familiar; it is a given.

This is disastrous and is one of the big reasons why Hollywood celebs have seen an increase in leaked photos. They're using weak passwords: "no one would ever guess my password is yankees AND my date of birth!!! How clever is that!!!" I will tell you some of the things I've done to my wordlists, which are GBs in size:

Reversed entire words
Massive amounts of regular expressions 's:a:A:g;s:a:@:g;s:a:4:g;s:e:E:g;s:e:3:g;s:e:/=:g' and the list goes on.
Massive amounts of compound words using paste
Massive rehashing of the above with numbers before and after. E.g.: for i in `cat MASSIVE_WORDLIST` ; do for j in `seq 1 2010` ; do echo $i$j ; done ; done

Let's see how the last line works for those curious:

Code:

strategos ~ # cat MASSIVE_WORDLIST
word-one
word-two
strategos ~ # for i in `cat MASSIVE_WORDLIST` ; do for j in `seq 1 5` ; do echo $i$j ; done ; done
word-one1
word-one2
word-one3
word-one4
word-one5
word-two1
word-two2
word-two3
word-two4
word-two5
strategos ~ # for i in `cat MASSIVE_WORDLIST` ; do for j in `seq 100 105` ; do echo $i$j ; done ; done
word-one100
word-one101
word-one102
word-one103
word-one104
word-one105
word-two100
word-two101
word-two102
word-two103
word-two104
word-two105

So imagine a 500-million-word wordlist with numbers combined with or appended to most of the entries. For those thinking about appending numbers and getting away with it, it's not quite safe. Anyway, back to the password game here.
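The same point seen from the defending side, as an added example that is not part of the original article: a check run when a password is set that strips leading and trailing digits, tries the reversed form, undoes the substitutions used in this article (@ and 4 for a, $ for s, ! for i, 3 for e, 0 for o) and compares the result against a blocklist. BLOCKLIST is a small constructed sample, and the function names are assumptions.

```python
import re

# Inverse of the substitutions used in the article (a@, a4, s$, i!, e3, o0).
UNLEET = str.maketrans({"@": "a", "4": "a", "$": "s", "!": "i", "3": "e", "0": "o"})

# Constructed sample blocklist; a real deployment would load a large wordlist.
BLOCKLIST = {"password", "yankees", "thisissecret", "astros"}


def normalised_forms(password):
    """Return the plain-word forms a mangled wordlist would also reach."""
    base = password.lower()
    # Strip digits first: un-leeting "2010" would turn its zeros into letters.
    stripped = re.sub(r"^\d+|\d+$", "", base)
    forms = set()
    for core in (base, stripped):
        for variant in (core, core[::-1]):  # as typed, and reversed
            forms.add(variant.translate(UNLEET))
    forms.discard("")
    return forms


def blocklist_hit(password, blocklist=BLOCKLIST):
    """Return the blocklisted word the password reduces to, or None."""
    hits = normalised_forms(password) & set(blocklist)
    return min(hits) if hits else None


if __name__ == "__main__":
    # Constructed candidates taken from the forms discussed in the article.
    for candidate in ("p@$$w0rd", "p@$$w0rd2010", "dr0w$$@p",
                      "Yankees1985", "m@!l.f0rgetful!nc.p@$$w0rd"):
        print(f"{candidate!r:32} -> {blocklist_hit(candidate)}")
```

This is a whole-password check only: a single leeted word, with or without digits, reduces to its blocklist entry, while the composed host.domain.password form does not match any single entry.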

On the personal side of the spectrum, I stated that I needed to remember 4 distinct passwords. Using the same context, here is a fictitious list of sites I have passwords for: Hotmail, Twitter, Worksite, MyBank. Using the same principles:

Hotmail becomes h0tm@!l
Twitter becomes tw!tt3r
Worksite becomes w0rks!t3
MyBank becomes myb@nk

My password? Thisissecret: th!$!$$ecret Combined?

Code:

h0tm@!lth!$!$$3cr3t
tw!tt3rth!$!$$3cr3t
w0rk$!t3th!$!$$3cr3t
myb@nkth!$!$$3cr3t

 

Definitely an eyesore and may take some getting used to, but we can create memorable, more secure passwords for all of our individual accounts, never store them and always recall them. It's that simple.

The hardest part is sticking with a regex you can always recall. Too much complexity will leave you banging your head; however, I'd even go as far as making a post-it (purposely because I'm a glutton for punishment) with the substitutions written down and keeping THAT stored somewhere. E.g.: a@, s$, i!, e3. The one thing you can never forget is a password. Meaning don't be afraid to pick your favorite sports team, but do it wisely, e.g.: @$tr0$.p@$$w0rd.h0tm@!l

Remembering those passwords? Piece of cake. On my laptop, I now have a 38 character password combination just to get by TrueCrypt. My logon password is 29 characters completely different from TrueCrypt. PGP is another 29 and every single one is different.

Sure, it may be a pain to type, but it is easy to remember, not to mention secure as heck. EVERY SINGLE account I have access to has a different password. All are well over the 20 character mark and I can recall them at will. Takes some getting used to, sure, but remember... Your brain is the safest storage system you have.

[1] http://www.theregister.co.uk/2011/02/10/password_re_use_study/
[2] http://passwordsafe.sourceforge.net/
[3] http://keepass.info/
[4] http://www.accessmanager.co.uk/
[5] http://www.passwordsafe.com/
[6] http://operationstech.about.com/od/informationtechnology/tp/Strong-Passwords.htm

JT Edwards: Since leet speak is very common and well known and you are using a wordlist is Thisissecret really any safer than th!$!$$ecret? Could you not just build into your list something that does a=@, e=3, s=$ etc?
J. Oquendo: You missed the concept. It was based on, say, the "who you are, what you know, something you have"

Who you are:
myself = my$elf

What you know
password = pa$$word

What you have
Gmail = gm@il

Where your password is: my$self.pa$$word.gm@il (for gmail only)

Try launching a "leeted dictionary" against that.

Who you are:
myself = my$elf

What you know
password = pa$$word

What you have
Banking Site = myloc@lb@nk$ite

Where your password is: my$self.pa$$word.myloc@lb@nk$ite (for your local bank only)

Sure, most attackers have leeted dictionaries, I have who knows how many leeted lists which was already mentioned. The concept was "leet passphrases" across the board for EVERY account.
JT Edwards: No I got the concept ;) I use a version of it now, just not site specific. I have three versions of one password and depending on the level of personal information on the site I use a password whose complexity is appropriate! However I like the site specific password option and the increase in length that you suggest!

My question was more directed to the nature of word lists as opposed to a critique of your method, which I recommend! My only issue is going to be remembering the oddball sites that don’t allow the length or some of the special characters.
J. Oquendo: To those oddball sites, I go with mIxEd c4s3 combos still along the same lines:

myp4ssS3cr3tTh4tLoc4t10n

TMTOWTDI ;)