Browsing by Author "Santos, Ricardo Xavier Paiva dos"
Now showing 1 - 1 of 1
Results Per Page
Sort Options
- Password Habits and Cracking ToolkitPublication . Santos, Ricardo Xavier Paiva dos; Inácio, Pedro Ricardo MoraisPasswords comprise important pieces of information nowadays. They are on the basis of many access control systems and are often the first, something-you-know factor of authentication mechanisms. They comprise keys to computer systems, confidential information or even physical facilities, and their widespread adoption makes of their discovery one of the main objectives of the initial phase of computer attacks and an interesting research topic. On the one hand, since passwords are sequences of characters with which the input of users have to be compared to, their representations have to be stored in computer systems; on the other, given their sensitive nature, they have to be stored in a secure manner. Rather than the passwords themselves, it is common and preferable to save transformations of these sequences of characters, which should be obtained using functions with stringent properties such as the ones of cryptographically secure hash or encryption functions. There are many known methods available and documented nowadays for such task, scrutinized in the literature and considered secure, though they are not always correctly employed. Obtaining a password from a representation is thus, normally, a computationally unfeasible task. Cracking a password often refers to the procedure of submitting several known passwords (using dictionaries or compendiums) or patterns (using brute force attacks) to the transformation procedure and compare the result with a representation, until a match is obtained, if ever. As such, the security of the mechanism used to obtain the representations is also dependent of how guessable the passwords are. This dissertation addresses the topics of habits for construction of passwords and tools for cracking them. Several specialized tools for cracking are available nowadays, most of them free or open source, designed for command line interaction only. One of the main contributions of this work comprised the development of a Graphical User Interface (GUI) for several cracking tools (namely Hashcat, John the Ripper and RainbowCrack), congregating their most interesting features in an integrated and meaningful manner. The developed toolkit, named PassCrackGUI, was then used in the cracking attempt of several Databases (DBs) with password representations that leaked to the Internet in 2014 and 2015 with the intention of analyzing how vulnerable they were to the procedure, and also the contemporary habits of people in terms of construction of passwords. Also aiming to better study the topic mentioned in last, a questionnaire was prepared and delivered to 64 participants. This analysis of password habits constitutes another contribution of this work. PassCrackGUI is a main output of this Master of Science (M.Sc.) program. It is fully functional, easy to use and made freely available as an open-source project. It was written in Java and tested in Linux, Windows and Mac Operating Systems (OSs). When using it to crack the leaked DBs, it was possible to recover 36% of the 4233 password representations using only dictionaries and simple rules on a common laptop. Part of the problem lies in the adopted mechanismsfor obtaining the representations, which were outdated in most of the cases; while very weak passwords also contributed for this number (e.g., a significant number of 4 digits long passwords was found in one of the DBs). The results from the survey corroborate other works in the area, namely in terms of stereotypes. For example, the answers suggest that men use longer and more diverse (in terms of character sets) passwords than women. Nonetheless, several contracting aspects lead to the conclusion that the participants may be claiming to construct stronger passwords than they really use.