
Neven Biruski | Password123!

BSides Zagreb · 47:51 · 220 views · Published 2025-03

About this talk

Presentation: Passwords: the bane of our digital lives, yet still our first line of defense. Despite decades of advice, people continue to use weak, predictable, and easily compromised passwords. In this lecture, we'll dive into why this is still happening, and more importantly, how to change it. Starting with a simple breakdown of the math behind passwords (from ATM PINs to full-length passphrases), you'll quickly learn what makes passwords weak or strong. Then, I'll take you into the world of password cracking, showing real-world techniques like using word and password lists, rule- and mask-based attacks, and even brute force, to show how seemingly strong passwords quickly fail.

Speaker: Neven Biruški is a seasoned security professional with over 10 years of dedicated experience in the field and a passion for understanding the art of passwords since the late '90s. Over the years, he's cracked countless passwords, learning what works and what fails. Known for blending technical expertise with approachable storytelling, he makes complex topics accessible and engaging. When he's not cracking passwords, he's (always ethically) breaking into other people's computer systems, conquering many large companies "before lunchtime".

Recorded at BSidesZagreb (https://www.bsideszagreb.com/).

Transcript (en):

Okay, if you're ready for the next presentation: next in line is my colleague from Infigo, who internally has many nicknames, but mostly we use Gandalf, not because of his looks but because he magically creates one, two or fifteen tunnels in an engagement so we can exfiltrate data and stuff like that. He'll talk about the art of password cracking, with the topic name Password123!, that is probably the password we all use. And if his laptop works, he will start the presentation. So... oh no, sorry, it died, someone hacked me.

I do apologize. So in the meantime, if anyone has some bad joke, now is the time. Hello. Just one question: how did you know my password, to set it as the name of this presentation? As I'll show you... While the laptop boots up, I can try to improvise and ask all of you that have a password that adheres to certain rules to lift up your arm. So it's one word, the first letter is a capital one, it's followed by a few numbers, most probably one to three, and it ends with a special character, most probably an exclamation mark. Thank you. I can see it by your faces. No one ever lifts their arm, of course. So that will be it. [Laughter] Thank you.

Come on, it's starting up. It worked, yes, but it's dead now. I'll fix it. [Music] Yes. So the lesson is you should not correct the password at the time that you should do a presentation.

I hate this [ __ ].

Okay, and restore pages. So the troubleshooting is not intended, but... okay, something's happening. Okay, remove the history. There we go. He just needed some time. I need presenter view. Okay, you ready? Here, here, here, and full screen. We go.

Good day, everyone. Thank you for attending in such large numbers. I gathered you here to talk about some passwords. For the beginning: who am I, and why should you trust me? You should not trust me, you should not trust anyone, most definitely. But it seems I do have some experience in cracking passwords. I started in the second half of the '90s and learned a bit about those. What do I do? I come from a company called Infigo. I break other people's computers; they call it pen testing and red teaming, and it seems I'm having fun and getting paid to do it.

So why do we talk about passwords in 2025? Because during our engagements we notice that many, many people, including administrators, still use really, really bad passwords. So I'd like to finish this topic once and for all: what are good passwords? I like to teach people to defend by showing them how we attack them. So I'm basically going to show you the ways I found out throughout the years that are the best to guess your passwords, so whatever I show you, you just avoid those principles and your password will be good.

This whole lecture wasn't a lecture in the original; it was an internal workshop at our company, where we had a competition with prizes for who's going to crack the most password hashes. Since we do not have time for that today, I'm just going to show you the theory, and afterwards you can practice that by cracking passwords on your own. I'm going to show you the whole commands and examples. If you need my slides, to make it easier to copy-paste the commands, contact me after the lecture or on my email address; we'll figure something out.

So how did the whole mess start? Some 20 years ago, the US people figured out: hey, we should have some guidelines on how to construct good passwords. So they asked, according to the internet, the guy Bill Burr, which is not the comedian by the same name. It seems everyone knows about the comedian; I do not, I know about this guy. They asked him: hey, could you write us a few short tips on what good passwords are like, quickly, just the TL;DR version. And he wrote something we've all heard many times before, and that's: there should be eight characters, uppercase, lowercase, numbers and at least one special character. Okay, does anyone here think that's good enough for passwords? Okay, that's really not good enough, that's old advice.

So, how the whole mess started: the guys from NIST, that's the American National Institute of Standards and Technology, and they're the guys who give advice to the various government agencies in the US and the industry, and they wrote his recommendations as official guidelines, and many US government agencies and industries and colleges started adhering to those rules. And then the rest of the US said: hey, if it's good enough for them, it's also good enough for us, and started copying it. Then the rest of the world said: hey, if the whole US does passwords in that way, that must be good, let's do it. So it became like widely known knowledge, or a rumor, that that's the good way to make passwords. So that was some 20 years ago: good password with eight characters.

[Laughter] Okay. So that was 20 years ago. Some 10ish, 15ish years ago, a great guy called Randall, who has a web comic called XKCD (it's great, you can Google this up just by writing "xkcd password" and it will pop up), made a comic explaining what's a good password. I can talk about this slide for half an hour; you probably do not want that. So who amongst you did not yet see this comic? Wow, that's way more than I thought. Okay, we're going to spend a bit of time on this comic, but we cannot afford half an hour, so I'm going to try to do... well, the basic principle is: how many different PIN numbers for an ATM machine are possible? 10,000, right? Okay, so that's the complete number of combinations that's possible for an ATM PIN. So we can calculate similar numbers of combinations for passwords. If you take a look at the screen here, you can see that the typical password has one word, as I told you; the first letter is usually a capital one, but not always; it has some numbers and special characters, and we can count bits of, let's say, combinations, randomness. So if you do a bit of math (I'm skipping five minutes of math here), you can figure out there's something like 28 bits of entropy, which should be 2 to the 28. And if you can try and guess 1,000 passwords per second, which is pretty reasonable even for a live web application, let alone password hashing, you'd exhaust all of the space, you'd try out all the combinations, in about three days. Well, that's pretty horrible, and we're talking about attacking a live login form in a web application. Okay, that's bad, that's really bad.

How about if we chose a password which has four words out of a set of only two or four thousand words that I give to you? So I give you a set of two to four thousand words and I say I'll construct the password out of the set I just gave you by using four words. Okay, who thinks that's a good password? Only a few hands. Let's do some math. So the number of combinations, using only a few thousand words that I explained to you before, that I gave you before (I gave you the whole list), the number of combinations is... skip five minutes of math... we've got 44 bits of entropy, which, if we try to guess at 1,000 guesses per second, would take us about 550 years, compared to the three days. So that's the ratio of how much stronger this password is.

Okay, now try to imagine: I envisioned a short list of only a few thousand words. Now imagine Croatian language: we have all those weird things we add to our words or change. Skipping a lot of math again, let's say we're using at least 60,000 words each one of us knows, with all the permutations of each word. That would be 60,000 to the 4th. You can try and make your calculator suffer by calculating 60,000 to the 4th, and you'll figure out it's a way, way larger number than this one is. So just by choosing Croatian language we can construct a way better password, and we're not even using capital letters, numbers or special characters. These passwords, especially if there's some semi-nonsensical sentence, are really easy to remember and type in, as opposed to this one. So that's basically the way to go.

I promised you I'll talk more about the current days, so we're getting to 2025. Some fiveish years ago, almost 10ish, Bill Burr gave an interview for the Wall Street Journal and he frankly admitted that his original advice was not quite good, and apologized and said: people, hey, please do not use it. So how do we make it happen? If we just say some weird-hair guy on stage told us to make our passwords different, that does not sound too convincing. But his advice was accepted by the American institute, which said okay, we'll give out a new version, we'll write new rules. And this is old news, this is 5 to 10 years old news, and they specifically wrote that companies should not force their users to use capital letters, small letters, numbers, special characters and such. It's written, you can show it to any auditor: those are official NIST guidelines, that's in power today for many years. It's publicly available, you can download it and read it; I'll give you a few hints what's in there. They also said that you should check suggested passwords, when the user tries to change a password, against a blacklist of commonly known passwords, so users do not choose Password123!, for example. They also said that the password length matters; it's similar to what we saw on the slide before, a few slides before. They recommended at least eight characters; I'd bump it up to at least 12 to 15 characters. The way to go is to use passphrases; the capital letters and all the other nonsense improve your password, but way less than just adding a word or two. Also, they said do not force your users to change their passwords unless they're compromised. This is a really interesting one. I do not agree with this one. I'd say forcing users to change their passwords is a good thing, but not really often; let's say once a year is enough if you ask me. Okay, that's my opinion; all of us have opinions. So that's also official.

What else is really good for passwords? If you use slang: for example, in Croatia we have many parts of the country where people do not understand people from other parts of the country, so any one of those words is a great addition to passwords. Also non-Latin characters, which we call Croatian letters, are especially great. I'll not go into technical details, but they're really notoriously hard to crack because of technical limitations which do apply today; they might not apply tomorrow, but today that's the state of the cracking tools. What can you also do? You can also make a new account in your company which has a really simple password like Password123!, so if anyone tries to spray the same password over all users, it will hit your honeypot account and you can set up an alarm. It's really cheap and simple. Whoa. Password reuse is bad, password managers are good. Initial passwords are really important: when someone joins your company and gets their initial password, there's a large probability that they'll use a similar principle to construct their future passwords. When we crack passwords of the whole company we can see each company has their own patterns, and they usually correlate to the initial password most often. So when giving your users an initial password, make it a good one, make it four or five words. Having long passphrases is really great, but the bad thing is users are really inventive and they can figure out to make a really long password, like 30 characters of the number one: 111111... They satisfied the 30-character requirement, but it's a really bad password. That's why you need to periodically crack them, or ask us to crack them. I really like cracking, so give me your passwords, I'll crack them almost for free; don't tell my boss.

So how are passwords stored? We've got a password, let's say password123. You should never, on your server, store a password in the original form; we call that original form the plaintext. So you should store it in some garbled way. Now there are some encryption and hashing algorithms, and we try to teach our younger students in the company the difference, and they sometimes have problems with that, so today we're going to talk about hashing algorithms. Hashing is some one-way mathematical function that's supposed to turn a readable password into some seemingly garbled state like this, and in theory it should be impossible to convert this form back into the password. So okay, what's the point of the whole deal? We take a readable password, we convert it to something unusable. Well, the idea is when the user comes the next time and says: hey, this is my password, my password is password123, it goes through the same mathematical function, and if the hashes match then that's the same password that was initially used to calculate that hash. Does anyone need this repeated or something? You're all good, thank you. So you store hashes. When you choose an algorithm which will be used to construct the hash, you ask Google or a professional which algorithm should we use today; there's a big difference which one you choose. Choose the good ones; there are good ones.

So how do I crack passwords? Well, basically I figure out a way to steal your hashes; there are many ways I can steal your hashes. Now I've got a bunch of your hashes and I know which hash corresponds to which username, but I do not know the plaintext yet. What I do is I try a whole bunch of plaintexts and see if any matches any of your hashes. That's called password cracking. So password cracking does a lot of calculations. What machine is really good to perform those calculations? Well, the math is really similar to Bitcoin mining, really, really similar. So what you would use to mine Bitcoins is probably the way to crack passwords; in other words, you use your GPU, not your CPU. So what do I do? I use my GPU and I tell my GPU to try out a whole bunch of different passwords to see if they match hashes. How much? Well, this single laptop I'm trying to use for the presentation is capable of cracking, let's say, 30 billion password attempts, 30 billion passwords per second. One laptop. Milliard is billion, right? Right, 30 billion. Okay, 30 gigahashes: mega, giga... gigahashes. One laptop. This is not a cracking rig, this is not a data center. I do have an advantage: I can try out a whole lot of passwords.

So what could I do? Well, first I need a tool to crack your passwords. I said I want to teach you really quickly, in basically a few minutes, how to create passwords. So there are the two most used tools, the first of which is hashcat, which I prefer to use lately; the other great tool is John the Ripper. The author of the tool, Solar Designer, actually held a lecture last year at this conference if I'm not mistaken. We'll talk about hashcat; it's a bit easier for beginners to get into, at least I think.

So to use hashcat, you could spend years, like I did, figuring out which options are best, or just copy my examples and hints; that's the next four slides. So: switch on the optimize flag. Tell it what hash type is being cracked, or do not, since newer versions have some kind of auto-detection that certain kids like to use. You tell it which attack mode it will use; that's -a and a number. We'll talk about those a bit later on; the most used ones are 3, 6 and 7, we'll get to them a bit later on. Cheat sheet number two: -i, increment; it tries longer and longer and longer passwords in accordance with the rules you previously gave it. You'll know when you need it; just remember it's there. You can use --show to show cracked passwords, --username to show the corresponding usernames. --stdout to a file: all the permutations hashcat does, it just outputs to a file, which you can again put into hashcat with more permutations to get even more password candidates. Those are the basic principles. What have we got: session and restore, that's really great, especially if you want to run a few cracking procedures in parallel, which you should do, two to three. Next: --session name, --restore with the session name, and that works. Custom character sets are great. Why? Because if you say "a special character", it's going to try out many special characters, some of which some of you probably do not even know where to find on the keyboard, really seldom used ones; it tries all the special characters. So you can specify your own characters. You can use masks: ?u is uppercase, ?l is lowercase, and some custom character types. You can tell it to do a benchmark to compare two machines, which one will crack a certain hashing algorithm faster. We do like oxygen here, I think.

How it all began: a long, long time ago we had password lists. So you go on the evil internet; while the World Wide Web was still in its infancy you go for FTP sites, you grab some password lists and you try that list of passwords as password candidates to crack hashes. That's how we did it a long time ago. But what if the password is not in the password list? We're going to get to that soon. But what password list should be used today? Well, the biggest, most popular one is called rockyou; use Google, Google is your friend, or another search engine. How big is it? Well, it's about 100, 250 gigabytes of txt plain text file with passwords. I hope at least some of you can imagine how huge that is. That's really a lot of passwords. That's a good first step today; the document to use that is here.

So what if the password is not in the password list? Well, you can use something called a word list. What's a word list? Well, it's basically something like a dictionary, but preferably without all the special characters like 123! and stuff; those are just bare words. So you can use a word list and add certain rules. You've got a bunch of words, preferably customized in the language of the target (it really helps; people do tend to set their passwords in their native language), and you've got some rules. And what are rules? Rules add something to the base words from the word list. They can change case; an especially popular rule is to change the case of the first letter to be a capital one. It can substitute some characters, like putting the number 3 instead of the letter e or putting 1 instead of the letter i. It can insert and delete characters, and it can add certain suffixes, something to the end of the word, like 2025!. Those are rules. So should we write those rules? Well, it would be ideal, but it's time-consuming, so hashcat comes with something called best64. It's a 1-kilobyte file with rules; size is comparable to the time it takes to try out all the rules, so this one is a really small and quick one, only 1 kilobyte, called best64 because someone envisioned those are the most common rules to maximize your chances of success. With hashcat you also get dive; it's 800 kilobytes, old but still useful. And something that does not... oh sorry, with hashcat rockyou also comes, and you can use it with hashcat by using a command such as this. As far as rules go, one other you should download from the internet, at least one: that's OneRuleToRuleThemAll; in fact, the newer version is called OneRuleToRuleThemStill. Those are really good, optimized rule sets which you can apply both to word lists and password lists. This is almost cheating, how effective this can be. Kaonashi is another popular rule set, three specialized sets; some of them are for word lists or passwords, but don't be afraid to use them interchangeably, the results could make you happy. You can also make your own rules, but we do not have time to go into much depth about it. What I'd like to show you is that the hashcat wiki has rather nice documentation on what all those characters mean. It's a text file you can edit with your favorite text editor, and that's about it. One other thing I'd like to point out: existing rule sets are often out of date, so at least do open up your text editor and make them a bit more up to date, like adding the current year.

Mask attack: that's something like targeted brute force. You basically have certain character classes, like lowercase letters, uppercase letters, digits and such, and you tell hashcat that it's supposed to guess a password in accordance with some mask. Let's see this mask, for example: this would mean an uppercase letter, this many lowercase letters, a digit and special characters; I think it's eight of them all together. This one is really popular

because in companies which say at least eight characters and all those other rules, it's usually in this format.

What can we also do? We can observe the methodology of how to crack passwords. Well, basically, I can do many guesses per second, but not infinite, and I always want more, and I do not have infinite time, so I want to optimize my approach to maximize my chances to guess your passwords. So it's a race against time, basically. Run, let's say, two, maximum three, parallel cracking processes per GPU. And you want your results to scroll; you want revealed passwords to fly all over your screen, and whenever one of your tactics gets slowish and passwords start just dripping and not wildly scrolling, you pause it, take another approach and see if it can scroll way faster. When that approach gets slower... for example, the first one could be you're using the password list, the second one could be you're using a word list with a certain rule set, the third one could be you're using a mask attack. The whole idea is you get more ideas; when your current method gets slowish, you take another approach and the passwords start flying, and when they get a bit slower you pause that one and figure out another one. That's the basic principle.

There are many finesses, like: are the passwords using salts, and which algorithm is it? Why? Because in certain algorithms it's almost the same effort for me to crack one password hash or 1,000 password hashes; it's just a small overhead for each new password hash, a really small overhead. And for some types of hashes, it's basically proportional to the number of hashes, so a thousand hashes is a thousand times slower. That's a good hint for you: you want to choose an algorithm and use those salting ideas to make my life harder.

More things you can do: you can use certain tools to make your life even easier if you want to crack hashes. One of them is Mentalist. Mentalist is a graphical interface for creating word lists and password lists and such. You can tell it you want some base words out of some text file with certain suffixes according to certain rules, clicky clicky clicky, then you run out of disk space and you say, oh okay, maybe a bit less, until you finally get your file saved. Then you use it to crack passwords. Then you've got OneRuleToRuleThemStill. Oh, PACK is a really great one. It can do some statistics, so when you crack a certain amount of passwords you already have the idea what kind of passwords that company uses, so you can use automated tools to do some statistics for you. And this one can say that 23% of the cracked passwords are of length eight, for example, and it can also say that 88% of those passwords are lower alphanumeric, so lowercase letters and numbers. This set obviously does not have a strong password policy properly enforced. By the way, the password policy you think you have in your company in practice often does not reflect the passwords that the users in your company use. Try to crack your hashes; you'll see many passwords do not adhere to the official password policy. See it in practice, do not trust me. You can also see what the distribution of digits or special characters is, and it can also give you certain masks; in accordance with the already cracked passwords, it can automatically write your masks by trying to predict how long it would take for the computer to run through all the combinations of the mask in comparison to the percentage of the passwords that mask would crack, and it sorts them basically by the success rate. You get your mask file, give it to hashcat and crack a lot more passwords. Then you've got an even bigger sample to analyze and figure out your next steps. What can it also do? You can tell it to generate masks for, let's say, 10 minutes of cracking time and it says: okay, I generated 779 masks; if we presume your GPU is this powerful, it would crack 56% of the passwords from the sample. Or you can say it has a bit more time, and when you give it more time it can crack more passwords. Or you can say: okay, do not calculate how much each mask would take, just sort them by the highest success rate, never mind how fast it goes.

Cracken. Cracken is brilliant; Cracken is really brilliant. It's another tool where you give it your cracked passwords, which you already did crack, but you want to crack more. So it analyzes them by lexical analysis and creates something called smart lists; those would be words or parts of words or common suffixes, and it can also use a dictionary. So for example, for the password Password123!, it would say: okay, I see three parts here; I see a word from the dictionary, that's "password"; I see a suffix, "123"; and another one, that's "!". So it would create a smart list with three entries, and that's the way it would analyze each password. And then you can apply that to an old word list; you crack way more passwords. It's really powerful. Or you can combine each entry from the smart list with each entry from the same smart list; you get for each base word each observed suffix or prefix. That's really, really powerful; that can crack a lot more passwords, because if your colleague uses some word that you think no one would guess, and another colleague uses some suffix, and you use the combination: I crack those two passwords, I can crack the password that was constructed based on the same ideas.

Okay, we got some statistics. Basically, if we observe a smart list with 5 million entries, it would crack from the big rockyou leaked password list a really huge amount of passwords, just by using plain entries from the 5 million smart list. It's really, really powerful. So, more cheat sheet for you, since we do not have a whole day to make this workshop really happen; this is the cheat list for how you should use Cracken. Create a smart list; about 50k is okayish. Do not forget to generate words with year suffixes, because people do tend to enter years; more recent years are more common, let's say the last two to three, and then the last 20ish to 60ish. You can also use Cracken to generate all the combinations in accordance with a certain principle and even pipe it directly into hashcat to use it with all the other modes. This is how it looks to use Cracken. This is how common smart lists look out of a large password set. Cracken can also estimate entropy and say: okay, if I create a smart list out of this password list, we can create this many passwords by just combining each entry from the smart list with each entry from the smart list; or if we append to each entry in the smart list the number one and then four digits, we can crack almost half that number of passwords, which means people who made these passwords really like to append numbers to their passwords.

Cracken and hashcat, anyway. We're running out of time, so I'm going to jump to the conclusions, what we learned today. Complexity, all the rules for passwords, upper/lower case: it's overrated, it's old-fashioned, do not use that if you can avoid it. Length is what really matters for passwords. And the guidelines are an official document that many people consider to be really smart and something you could adhere to; it's something you can show to your management or whoever you want to persuade, like an official document. I showed you briefly how I crack passwords; try to figure out something that will make my life harder. Observe that I never showed you I combine three or four words, at least not that easily, even less five words. It's really complicated for me; if you use just five words, I quit. If you use a well-known phrase, okay, I might guess, but if you use five words that are not a well-known phrase, you win. Uppercase letters, numbers, special characters do help, but they're really not necessary. And, if you have permission from your company, try to log in as each user in your company with something like Password123!; in my experience, in most mid-to-large companies in Croatia at least one account falls for that. You'd really be surprised.

So we've got two minutes for questions. Yeah, maybe before questions, does someone want to share their password with us so Neven can tell if it's good or not? No? No problem, there's a piece of paper in the back, you just write down your passwords, I'll evaluate them and post it on the BSides website, with the name, please. So, are there any questions for Neven?

Thank you for the presentation, it was nice. Probably the question you had the most: what was the longest password that you cracked, what algorithm was it, or did you have any that you failed to crack?

Yes. Basically, really often in the first few hours we crack like 70% of passwords of the whole company; it's really terrible, with one laptop in the field. The longest one was definitely one from some password list, which is a nonsensically long thing that someone used for some obscure reason. Basically, if it's not a well-known, really long password, it's not crackable, forget about it. Did I miss the question part? No? Good.

More questions?

Dinamo? I use Dinamo and a few inappropriate words to quickly evaluate the quality of a password list; if there's no Dinamo or a few bad words, it's a bad password list. That was the only correct answer. So, any more questions?

Just out of curiosity, which departments tend to have better passwords and which tend to have worse passwords in companies?

I've seen horrible administrator passwords in large quantities. I'm really appalled these days that privileged accounts can have such horrible passwords, like one of the worst examples out of this whole lecture, for administrator accounts; those are the ones I remember most. I did not do a comparison by departments; usually I do not go that deep into analysis, which username belongs where, so the answer is not HR.

Oh, this is a Legion something, Lenovo Legion something. It's a powerful machine; it's not mid-range, it's a high-range machine, but it's one laptop. This is my default device, a device I can put in my backpack. If the workload requires more machines, we have other ways, including distributed cracking, which could be a lecture of its own. Connected to the neighbor.

We do not do cloud cracking, except in really, really special cases, because we do not want to give our customers' hashes to some unknown guy in the cloud. Sorry. So, if there are no more questions, thank you, Neven, and that's it. Thank you. And sorry for the lack of oxygen; we cannot do better.
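An added worked example, not part of the talk or its slides: the "five minutes of math" the speaker skips, carried through for the cases the talk names (the 10,000-combination ATM PIN, the 28-bit one-word-plus-tweaks password, four words from a small list, four words from a 60,000-word Croatian vocabulary, and the 30 ones) at the two guess rates mentioned (1,000/s against an online login form, 30 billion/s on the laptop). The 28-bit component breakdown follows the XKCD comic the talk references, and the model of how an attacker would guess a repeated-digit password is an assumption labelled in the code.

```python
"""Password entropy and time-to-exhaust for the scenarios in the talk."""
from __future__ import annotations

import math

SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Guess rates named in the talk: an online login form, and the speaker's
# laptop GPU against a fast hash.
ONLINE_RATE = 1_000
LAPTOP_RATE = 30_000_000_000


def bits_of_choices(n: int) -> float:
    """Entropy, in bits, of one uniformly random choice among n options."""
    return math.log2(n)


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly (with replacement) from a
    dictionary: combinations = dictionary_size ** words, so the bits add up."""
    return words * bits_of_choices(dictionary_size)


# Component estimates from the XKCD comic the talk discusses (assumed here):
# an uncommon base word (~16 bits), first-letter capitalisation (1), common
# leet substitutions (3), an appended digit (3), appended punctuation (4),
# and which of digit/punctuation comes last (1). Independent, so they add.
XKCD_WORD_WITH_TWEAKS = {"base word": 16, "caps": 1, "substitutions": 3,
                         "numeral": 3, "punctuation": 4, "order": 1}


def tweaked_word_bits(components: dict[str, int] = XKCD_WORD_WITH_TWEAKS) -> int:
    """Sum of the component estimates: 28 bits for the comic's example."""
    return sum(components.values())


def repeated_symbol_bits(alphabet: int, max_length: int) -> float:
    """Assumed attacker model for passwords like thirty '1's: the attacker
    tries every single symbol repeated 1..max_length times, so the candidate
    set is only alphabet * max_length strings regardless of the length rule."""
    return bits_of_choices(alphabet * max_length)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: try every one of the 2**bits candidates."""
    return 2 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Round a duration to the unit a person would say in a talk."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


SCENARIOS = {
    "4-digit ATM PIN": bits_of_choices(10 ** 4),
    "one word + caps/leet/digit/punctuation": tweaked_word_bits(),
    "4 words from a 2,048-word list": passphrase_bits(2048, 4),
    "4 words from a 60,000-word vocabulary": passphrase_bits(60_000, 4),
    "30 x '1' (attacker tries repeated digits)": repeated_symbol_bits(10, 30),
}


def report(scenarios: dict[str, float] = SCENARIOS,
           rates: tuple[float, ...] = (ONLINE_RATE, LAPTOP_RATE)) -> list[tuple]:
    """Return (name, bits rounded to 0.1, [time string per rate]) rows."""
    return [(name, round(bits, 1),
             [human_time(seconds_to_exhaust(bits, r)) for r in rates])
            for name, bits in scenarios.items()]


if __name__ == "__main__":
    for name, bits, (online, laptop) in report():
        print(f"{name:44s} {bits:5.1f} bits   online: {online:>18s}   laptop: {laptop:>12s}")
```

The 2,048-word case reproduces the comic's 44 bits and the talk's roughly 550 years at 1,000 guesses/s; the same space falls in minutes at the laptop's rate, which is why the talk treats offline hash cracking and online guessing as different problems.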