
PW - What Would Fix Passwords? Some Weekly Password Audits. Pretty Graphs to Prove it! (A Haiku) - Dale Corpron & Rick Redman

BSides Las Vegas · 26:23 · 50 views · Published 2016-12
About this talk
PW - What Would Fix Passwords? Some Weekly Password Audits. Pretty Graphs to Prove it! (A Haiku) - Dale Corpron & Rick Redman Passwords BSidesLV 2015 - Tuscany Hotel - August 04, 2015
Transcript [en]

...Redman from KoreLogic, he's the guy running the competition. And he also has Dale from KoreLogic with him, and they are doing this talk. Another talk that I'm really looking forward to. Rick is a great guy, good speaker, and again, no pressure. Take it away. Yes, so hi everyone, my name is Rick, you can call me Minga. Like I said, we run Crack Me If You Can. So in the past I've given a lot of talks about password complexity, about better ways to crack passwords, the kinds of things that are done in the enterprise world and how to actually go at them. And part of the deal with the

contest is, every year I have to come up with a new thing that I think password crackers can't do, or a skill that I think they should have, or a skill that I think they should know and/or be able to do. And so every year there's something different, etc. etc., and there's a big trick this year which I will not be telling you. So anyways, what we are going to talk about is: I actually do password recovery for a living, it is what I do, and the example I'm going to talk about today is a single company of a certain size that has multiple domains, and we audit their passwords every week. So as password

crackers, we're used to password cracking: oh yeah, I got LinkedIn, and oh, I'm up to, you know, 97.8% cracked, and that's fine and dandy. But what would you do if you got a crack or a hash dump the next week? What would you do, and how often as password crackers or password researchers do we ever get that opportunity? Well, eHarmony was hacked twice, and Last.fm had their stuff leaked twice, multiple years apart, so that was cool. But the enterprise is different. Enterprises, theoretically, there is password complexity that makes everything safer; of course it doesn't, you know. But so that's what we're here to talk about. So literally I'm not going to show

you any new skills. I just kind of want to show you and start thinking about, I mean, I'm a password cracker, that's what I do in my free time and that's what I do for a living. But as you start to get a feel for: what if you got the exact same dump every week, where a certain percentage of the users have changed their passwords? So if they have a 90-day password recycle, that means 100% of the users have changed their password. So what is your crack percentage going to do? Is it going to go up, is it going to go down, what's going to diversify, etc.

etc. So that's kind of what we're talking about. So for these weekly audits we pretty much use the same set of words, the same set of rules, the same sort of topologies, you know, patterns. We also do a complete eight-character brute force. This is NTLM, I forgot to mention, and it takes, give or take, 48 hours on 10 GPUs, you know, 7970s or 280Xs or something. I'm sort of flubbing the numbers here on purpose to not reveal things. And like I said, it's the same domains every week. Okay, so that's what we're talking about. So how do we, and

this is, I'm going to be a little vague here, just kind of bear with me. So how do we do it? Well, we get the NTDS.dit, which is where the Active Directory is, from a domain controller, the file where the hashes are. We securely obtain that, we securely extract that, we get the hashes, the NTLM, sorry, the NTLM, the LM. We dedup, we remove the ones we've already cracked previously, because why do the math that doesn't matter too much. Send the hashes to our grid of GPU machines, and obviously they're not EC2 Amazon machines, they're privately run, privately owned, privately managed. So anyways, while that's going on, you

actually take the NTDS.dit and you build a database, just a standard old database, just like you're used to, SQLite, MySQL, whatever it's going to be, an Access database, whatever. You build that database of everything that's in there: every group membership, every age of every password, every failed password try, the last time an account was used, etc. You have all that information in a database that you can easily access. Then when the jobs are done, your cracks are done, you put those cracks back in the database. Now you have a full database where you could do things like, this is just made-up pseudocode, you know, select star from

users where the privilege is admin and the password is older than 90 days. You select star from users, or select password from users or whatever, where the password equals whatever the most common password is. And oh, there's another select query that goes and tells you what's the most common password, how many users have it. Of those 400 users that have this exact same password, how many of those are active and how many of those are inactive, enabled or disabled, not enabled, that's, anyways. So you can see, everything's in your hand, you've done the job, and now you can do anything you want with the data. Okay, so

so sort of what this leads into is why I do this. Okay, so this is the enterprise, you know, these are Fortune X-sized companies trying to protect their own assets. And so, like literally, these passwords, this is not some theoretical risk. If your Fortune X-sized company has a VPN that's just protected by login and password, that's not theoretical. It's literally, if a certain X amount of your users right now are using Summer15! because it's length eight, got upper, lower, special, digits, and it's bigger than eight, if a certain amount of, you know, that's not a theoretical risk, that is a real risk.

Right, so we need to know these things. Okay, as opposed to, you know, so another thing is, it's like metrics. Metrics are boring, you know, crack percentage and blah blah blah. Yeah, I mean, I am daily keeping track of what percentage of what domains I've cracked, because like I first said, I get an extra one crack and I'm like, yeah, I got one more, you know, who cares, I care, I got one more. And so, but like executives, management, they're going to want to see metrics. So in other words, people are paying money, people are paying money for security projects, people are paying money for consultants like me to come

into Fortune X-sized companies and to fix things. Is it working? They've got no clue, okay. They need a way to track: are things even improving, yay or nay, or what we're doing, is this good or bad? Okay, and so we're able to generate that on a weekly basis, long term. Okay, just like, you big enterprises, they'll pay a million dollars for, not necessarily, it doesn't cost a million dollars, for vulnerability scanners, and the whole point of it is literally to say how many high risks do we have this month. They can be theoretical, made-up, who-cares risks, but it's how many high risks. It's like, oh, we have 400 this month, we had 500 last month,

our security's better, and that's a metric. Like, hey, we're showing improvement, give the security guy a raise. It's just a metric, they're just using some random number from some random tool to find out if they're improving the security. Well, this isn't just random numbers, it's real. You know, the passwords are being used, they're not arbitrary vulnerabilities. Now obviously I'm a password nerd, so that's my opinion, I just happen to know it's right. So, and obviously the secondary goal, or to me the primary goal, is to actually fix things. Like, hey, ding-dong, 15% of your users use Summer14, you should go and hit them, you know. And then three months later, let's do it

again, and oh, by the way, if your users pick a different season, you should hit them again. I mean, it's to actually fix things. It's not just a metric of, oh, we've improved password complexity by 10% this week, yay. But it's literally like, no, we had this certain set of users and they're morons, because they're users, and we hit them with a bat and we fixed things. Okay, and so literally it's to actually fix things. But there's other sorts of things, and this is, I didn't say, but I'm a penetration tester. I mean, my job is to break in and steal things, only in khakis. So the other thing you

get out of this is to find actual risk. You know, find, and this goes to one of the questions before, but you know, you have a user who's an admin who has two accounts: the regular one they read email with, and their admin account. They use the same password on both accounts. Surely if you had 40 domain admins, 10% of them wouldn't do that, right? Right? You know, I run into it constantly. Default help desk patterns, or the default help desk passwords. You know which administrators are not rotating: I'm a domain admin, I've got to change my password this month. I'm a domain admin, I can log in and do

whatever I want, I'll change my password. You know what I do? I go right back in and change it to the one I can remember. And then you can go into, you get the NTDS, you have the last 12 passwords, you know what you see? You see the same damn password 12 times in a row, because an administrator isn't following their own policy. You know, they're going back and being like, that's fine, I've got a good password, it's horse battery staple cat, whatever. So but then also, you know, account management, of how there's no way to go to your administrators like, hey, how do you really manage your accounts? Like, what is your,

you know, how do you really do it? And they just, you know, if they're Unix, if they're like a Unix side and they have a beard, they're just going to rub their beard and be like, you're not worthy for me to tell you. And if they're a Windows admin, you know, they have a beanie on, and they're not really going to tell you what they set the default password to. Okay, and maybe they will, but, you know, well, let's go look at it, let's go see what's really done. Okay, so that's just the introduction. All this really led to this graph. I fudged some of the numbers in

these, the percentages are always what they always are, but you know, this is, if I didn't say it, this is real. Okay, this is not theoretical, this is not made up, this is not RockYou, this is not LinkedIn, this is a real enterprise. Okay, so the numbers have kind of been changed so you can't sort of know what size, and the names of it, things like that. So something else that's not shown is the amount of administrative users whose password cracked. So the very first time we ran it, we cracked four of the administrators, and at the tail end we cracked 16. You know, that's not shown, but it'll

be relevant in a second. Okay, so these are actually pretty easy to kind of understand, you don't have to read the numbers or anything. So, total amount of accounts. So every bar is a week, so this is six months of, 30 weeks' worth of data. Okay, so you can see their total amount of accounts is slowly growing, it's rotating around 10K. Okay, all right, just remember that. Here are the total number of disabled accounts, it's somewhere in the 5,500 range. So of their 10,000 accounts, 5,500 are disabled. Okay, well, the inverse of that, or the opposite of that, is obviously the total number of enabled

accounts. Okay, so I'm just laying the groundwork here. So they have approximately 4,200, and as you see as it goes over time they're getting bigger, they have more and more enabled accounts. Okay, these are the total number of cracks from this one domain, that's approximately 10,000 people. So what happened? Well, one week came along and all of a sudden the amount of cracks went from the upper 8,000s down to 4,000, and was relatively stagnant at plus or minus a few hundred. Okay, so we saw this data and immediately, like, whoa, something bad's happening. Well, this is the amount of disabled accounts,

so these are accounts that have passwords, they're in the Active Directory, but they're actively disabled. Okay, and these are how many of those accounts did we crack. Okay, so all of a sudden this week right here, so what happened this week? We know they didn't remove any of these accounts, they just simply changed their password. Okay, so now you can say, oh well, they've improved their risk, or they've minimized their risk some, because they had all these disabled accounts that could get accidentally enabled, and now they've made their passwords uncrackable. This is the statistics of their enabled accounts, so they're real users who are actively

using it, and you can see it's floating around the 3,400, 3,500 range. So you kind of get a feel for, this is where I was hoping to see it going down. I mean, you think about, oh, if you were to get this data every week, what would you do? I'd email everyone, I'd say, hey, guess what, your password sucks, here are tips for how to change it. I've actually been to places where once every three months, for the administrators, they had a pizza party for everyone whose passwords didn't crack. That is an incredibly effective way to make people choose better

passwords, you know, because guess who's going to come back from the lunch and be like, I got pizza, you didn't, your password sucks. And meanwhile I spent $4 on Domino's. So going on, these are the percentages of 8, 9, 10, 11 character passwords. Okay, so once again, what happened here? So we know at this particular week all these disabled accounts had their passwords changed. Okay, well, immediately you see the eight stop and then it's pretty flat, but you'll notice it's slightly going up. So we've gotten back down to the baseline, and as we grow users, ever so slightly the

length of eight-character passwords is growing over time. Okay, the same kind of thing with nine. You can see right at this magic one, nine characters here in the red, and it's unfortunately slowly going down, which is not my ideal, because I'm the one providing them the service and I want them to. And you can also see 10, 11, 12 is pretty stagnant, and then obviously there's 10% or 15% that I didn't grab. So, you know, that's over time. We're talking about metrics, talking about improvement, and I can see long term they have definitely fixed some things, but there's some other things going on. These are the most popular passwords, like actual ones, and so I've gone and sanitized

them. So this is the most common password at this particular place, and in this case almost 500 people of approximately 9,000 or 10,000, whatever I put in there, use this password. Whatever the password was, maybe it was the name of the company followed by 123!, I honestly do not know what it was. So you can see that one week that they disabled all that stuff, oh boy, we sure did lose a lot. I mean, over about a hundred accounts used that password. But then as time went on it kept going up, kept going up, reached a peak, and then shot back down again. So theoretically something

happened here that is good, that is positive. This is a metric: someone did something here, someone should be rewarded, whether it's an administrator or things like that. And you can see these are the other ones, and so these are the 15 most popular passwords, and you can see the other ones, I mean, there's a whole different scale down here. Oh Christ, okay. Okay, so we've gone through that, right? So that's one domain. This place has other domains. Okay, and I'm going to blast through these. So total number of accounts for their secondary domain, it's a lot smaller, 600, 700. You can see, oh, it's

slowly increasing. Amount of disabled accounts is 300 to 400, so it's the same thing, 50%. Okay, now is having this many disabled accounts in your domain a risk in and of itself? I don't have an answer for that. Okay, I'm going to start closing this. Okay, total number of disabled accounts. Okay, so the number of enabled accounts were at roughly 250, kind of keep that in mind. So these are the number of successful cracks for this domain of approximately 600, 700 accounts, and you can see there is no drastic improvement any particular week. Now you can see an occasional drop at a certain time. Now maybe this is

a three-month window, maybe there's a password change window that happens to occur at a certain point, I do not know. But do you think that this subdomain has done anything to actively improve or mitigate any of their password things? No. Okay, maybe it's a subsidiary, maybe it's a region, whatever. This is the amount of disabled accounts that had their password cracked, still had a few dips, but you can see for all the disabled accounts they didn't do anything about those. Okay, those are the enabled, so this place, the enabled accounts, so roughly 200, increases a little bit over time. So overall, long term, they're not improving. Okay, and then percentages,

here we go. So this other domain, look at their eight characters. I mean, we're talking almost 70, we're talking 65% of theirs, and it stays there. So it's not like some random fluke, it's literally staying there. So what's the bare minimum? It's eight characters, upper, lower, special, digit. Oh, password policy will protect us, and then bam, what percentage of the users use it? It's this many, ding-dongs. Okay, so on bad-mouthing this second location, these are the most common passwords. This one in particular, for whatever it is, one week happened and it dropped off the face of the earth. Okay, and you can see, what you can't really see is this color, it pops back up

for just a few weeks and then it disappears again. So these are all sorts of things. I mean, I'm bad-mouthing this domain because of crackability and things like that, but you can see there are things being done. So in this case, if this was a subsidiary or another division or things, there are things to track there we can actually use as a metric. Okay, so domain three, just real quick. Number of accounts are roughly 2,500, you can see it slowly increases. Number of disabled accounts, it goes down, goes back up, it's a large amount of disabled accounts, which is that same problem. Number of enabled accounts

floats around 1,400, give or take. The amount of disabled accounts that had their password cracked, okay, so we had roughly 1,200 and then bang, we dropped that down. So this domain did go through the, oh, we have all these disabled accounts for people who left the business, we're not going to delete them because it can break things, let's just change their password to something that's not, you know, Summer14 or whatever it was, and it went down. And then you can see it's slowly increasing again, because more and more accounts are getting disabled but not having their password changed. So it's sort of like a temporary fix, that was the quickest five minutes ever. So,

enabled accounts. So of the enabled accounts, you can see that they fluctuated a little bit, but for the most part there hasn't been some drastic improvement where we have not been able to constantly crack their passwords. The percentages of 8, 9, 10, 11, 12, it did have a nice interesting bump where things went up, and then the percentages of eight and nine actually switched. That's good, I mean, I'm glad we have fewer eights and more nines. But then back over time, here's nine, it's going down, it's just slowly going down. How long is this trend going to go, versus the eight-character passwords? And this is week by week by week by week for three

months, it's slowly going up, and then 10, 11, 12 are stagnant as can be. So these are the same, you know, Unix weenies and Windows nerds with their long passwords, and they're staying stagnant. Okay, now the same thing is the most common password. So this domain, they've done some things but haven't done much, but this is the same thing where you have one password that's used by 280 users, and it's slowly been decreasing, the amount of users that are using this one individual password. So this actually, it shows progress. It shows that they've identified, you know, in the reports every week they get a list of every account: here's the accounts

that are using this password, go slap these people. Okay, and you can see they're actually doing so. This is actually minimizing their risk on a level that you can actually see. And eventually I'd like to see these all down here, and for the scale of this to be between 0 and 10. Okay, and you can do things to actually prevent that. That's literally it, that's all I have. It's just presenting, I have access to a unique set of data in that you're cracking the same thing every week, and you can see progress, you can see whatever the opposite of progress is, or stagnation. You can see that some of the subdomains, or whatever we're,

terminology-wise, calling it, you can see that some of them improve, some of them don't. We can have the exact same database purely on administrative accounts. Okay, if a place has 100 domain admins or 40 domain admins, I'd like to see theirs improve especially. Okay, and sure enough, you go in there, a place will have 40 domain admins, 30 of them have 12-character passwords, and the other 10 will have eight-character passwords that haven't been changed in years, and they're hard-coded in shell scripts, which is the kind of thing you find during pen tests, but you can also find it with this. And then as those are

fixed, you literally have a graph that shows, oh, our risk is getting smaller and smaller and smaller over time. So that's literally it. I just kind of wanted to show an example of the kinds of things that, you know, and like I said at the beginning, this is all in a database, so any sort of situation you can think of, because all the data's in there, you can just do a select star and get the data and graph it or do whatever. Questions? I have two minutes. [Audience] What are some of the strategies that you've seen places use that brought those dramatic drops? What were some of the strategies used to diminish

risk? It's literally, almost all the time, like, I mean, there's all sorts of little things you can do: increasing the length to nine, training, training, training. Another client I'm not going to talk about, but, I mean, it's funny, when you call the help desk they say, here's your random password, you have to change it, but the system will not let you choose years, cities, months or seasons, and they tell people that on the phone, like, do you understand, the system doesn't let you do that. You could totally use September15, but it's just, they've added one line to their script, and guess what their percentages are doing. [Audience] Have you ever thought about

putting out your top 10 dictionary passwords? The question was, have you ever thought about putting out your top 10? That's what Crack Me If You Can was in 2010, here's everything, it's free. [Audience] But no, I'm saying, to the organization, yeah, put out what we're seeing as the top 10 and just keep doing that until everybody figures it out. That's exactly what this is. Every week they get their top five, okay, every week the list of users, go slap these users, and then we put it into a pretty, there's a question back there. I probably have one minute. [Audience] Okay, very quickly, two questions. First, it looks like, as

[Audience question, largely inaudible: "...not change much over time... change, not change much over time..."]

the situation. Okay, let me answer that one first. The question was, you know, overall the amount of cracks I had week by week didn't really decrease in time, and you're right, and the reason why is NTLM, where Microsoft, I go, you know, yeah, their minimum was eight characters and I can brute force eight characters in NTLM in the amount of time allotted. So yes, if they immediately dumped it, made the minimum nine characters, I cannot brute force nine characters in 10 hours. Jeremy can, wherever he is, you know. That is the, because if this was $1$ or the Unix side, I would not be able to brute force 10 characters if they didn't use

the common, like, password topologies. So, good, we were able to crack nearly everyone. The second question: [Audience] given that this is the case, do you have a better metric that actually assesses how companies do, and other companies should... The question was, you know, what other metrics are there? Yeah, we're done, by the way, feel free to leave. Yeah, that's why we presented everything, because there are areas where there definitely were improvement. The amount of shared passwords is a metric, the amount of cracks is a metric, the average length is a metric. They're all little metrics, I don't know what the best one is, besides nobody fixes anything anyway, so fix something.

Okay, next talk in five minutes. It's m
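The weekly workflow Rick describes (load the account dump into a plain database, write the crack results back in, then query it for the numbers behind the bar charts and the "go slap these users" lists), as an added Python/SQLite example. This is not code from the talk or from KoreLogic; the accounts, the `h1`..`h6` hash labels standing in for NT hashes, and the cracked plaintexts are constructed sample data. Beyond the per-week counters it also implements the two admin checks he mentions: admin accounts whose password is older than the policy window, and an admin whose admin and regular accounts share one password (same hash).

```python
import sqlite3

# Constructed sample dump for one audit week of a fictional domain (not from the talk).
# nt_hash values are opaque labels, not real NT hashes.
ACCOUNTS = [
    # sam, enabled, is_admin, pwd_last_set, nt_hash
    ("alice",     1, 0, "2015-07-20", "h1"),
    ("bob",       1, 0, "2015-06-01", "h1"),
    ("carol",     0, 0, "2014-11-03", "h1"),  # disabled, still holds a crackable password
    ("dave",      1, 0, "2015-07-28", "h2"),
    ("erin",      0, 0, "2013-02-14", "h3"),
    ("frank",     1, 0, "2015-05-09", "h4"),  # not cracked this week
    ("grace",     1, 1, "2015-07-01", "h5"),
    ("grace-adm", 1, 1, "2015-01-15", "h5"),  # same hash as grace: shared password
    ("heidi-adm", 1, 1, "2014-03-30", "h6"),  # admin, stale password, not cracked
]
# Constructed crack results coming back from the GPU grid: hash label -> plaintext.
CRACKS = [("h1", "Summer15!"), ("h2", "Company123!"), ("h3", "Winter14!"), ("h5", "Password1!")]


def build_db(accounts, cracks):
    """Load the account dump and the crack results into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (sam TEXT PRIMARY KEY, enabled INTEGER, is_admin INTEGER,
                               pwd_last_set TEXT, nt_hash TEXT);
        CREATE TABLE cracks (nt_hash TEXT PRIMARY KEY, plaintext TEXT);
        -- one row per account, plaintext is NULL when the hash was not cracked
        CREATE VIEW audited AS
            SELECT a.*, c.plaintext FROM accounts a LEFT JOIN cracks c ON a.nt_hash = c.nt_hash;
    """)
    conn.executemany("INSERT INTO accounts VALUES (?,?,?,?,?)", accounts)
    conn.executemany("INSERT INTO cracks VALUES (?,?)", cracks)
    return conn


def weekly_metrics(conn):
    """The per-week counters behind the charts, plus password-length percentages of all accounts."""
    row = conn.execute("""
        SELECT COUNT(*), SUM(enabled), SUM(1 - enabled),
               SUM(plaintext IS NOT NULL),
               SUM(plaintext IS NOT NULL AND enabled = 1),
               SUM(plaintext IS NOT NULL AND enabled = 0)
        FROM audited""").fetchone()
    total = row[0]
    lengths = conn.execute("""
        SELECT LENGTH(plaintext), COUNT(*) FROM audited
        WHERE plaintext IS NOT NULL GROUP BY LENGTH(plaintext)""").fetchall()
    return {
        "total": total, "enabled": row[1], "disabled": row[2],
        "cracked": row[3], "cracked_enabled": row[4], "cracked_disabled": row[5],
        # uncracked accounts are the remainder that does not appear in any length bucket
        "length_pct": {n: round(100.0 * cnt / total, 1) for n, cnt in lengths},
    }


def top_passwords(conn, n=5):
    """Most common cracked passwords with the enabled/disabled split of the users holding them."""
    return conn.execute("""
        SELECT plaintext, COUNT(*) AS users, SUM(enabled), SUM(1 - enabled)
        FROM audited WHERE plaintext IS NOT NULL
        GROUP BY plaintext ORDER BY users DESC, plaintext ASC LIMIT ?""", (n,)).fetchall()


def stale_admins(conn, audit_date, max_age_days=90):
    """Admin accounts whose password is older than the policy window on the audit date."""
    rows = conn.execute("""
        SELECT sam FROM accounts
        WHERE is_admin = 1 AND julianday(?) - julianday(pwd_last_set) > ?
        ORDER BY sam""", (audit_date, max_age_days)).fetchall()
    return [r[0] for r in rows]


def shared_admin_passwords(conn):
    """Hashes an admin account shares with any other account, cracked or not (password reuse)."""
    rows = conn.execute("""
        SELECT nt_hash, sam FROM accounts WHERE nt_hash IN (
            SELECT nt_hash FROM accounts GROUP BY nt_hash
            HAVING COUNT(*) > 1 AND MAX(is_admin) = 1)
        ORDER BY nt_hash, sam""").fetchall()
    groups = {}
    for h, sam in rows:
        groups.setdefault(h, []).append(sam)
    return sorted(groups.items())


if __name__ == "__main__":
    db = build_db(ACCOUNTS, CRACKS)
    print(weekly_metrics(db))
    for row in top_passwords(db):
        print("top password:", row)
    print("stale admins:", stale_admins(db, "2015-08-04"))
    print("shared admin passwords:", shared_admin_passwords(db))
```

Run it once per weekly dump and append the `weekly_metrics` dictionary to a history table; the week-over-week series of `cracked_disabled` and `length_pct` is exactly what the talk graphs, and the `top_passwords` and `stale_admins` lists are the per-week report that goes to the administrators.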