Password Protection


Postby Incompetence » 30 September 2016, 03:46

This is my first tutorial, but it's also a tutorial on something that may or may not be considered a serious issue: password protection. It may seem as if this tutorial is unnecessary, but given my experiences and observations on the Internet, password protection seems to be a topic worth raising. Also, I'm typing properly to maintain professionalism; don't expect me to make more of my posts in this way. I may have some information wrong; I wrote this tutorial based on what I know regarding passwords, and memory is not always reliable. In that case, correct me and I'll fix it.

You'll see edits in this post as time goes on. They'll be highlighted in yellow.

Also I am not associated with the other tutorials that share a similar nature to this nor am I the same person as anyone else.

Firstly, what is a password?

This is a straightforward question which I'm sure a lot of people may know but there's more to it than just the surface. At its core, a password is an input, usually a word or a phrase, used to request access to an account. It serves as an obstacle in the way of logging into a certain account. If the password is correct, the account is free to access and is usually used as a level of trust between the system and the user; passwords are confidential. Passwords themselves are vital to the security of accounts, especially accounts which may hold key or valuable information.


What constitutes a safe password?

The term "safe" is ambiguous, but there are some basic recommendations one can take to ensure a stronger password and therefore an account that is harder to decrypt and access. Most websites will recommend a combination of letters, usually a mix of case-sensitive characters, i.e. lowercase and uppercase, and numbers rather than a simple password which may be a word or simply letters by itself. This alone makes it harder to access an account through manual trial and error, as characters are more randomized within a password. The password itself becomes less common.

You can extend this security further and include more than just numbers and letters. Most websites will allow the usage of symbols, such as forward slashes, in passwords. Including these will in turn strengthen your password much more than a simple combination of numbers and letters, as the password becomes rarer and therefore much harder to crack. Longer passwords can also contribute towards having a safer account, so a combination of the former options - symbols, letters, numbers, and length itself - can help strengthen your password and ultimately your account.


What are some basic ways passwords are encrypted? Do they come with any encryption by default?

Of course they do. The most common forms of encryption that I know of that are being used currently are MD5 and SHA-1. Although MD5 was already succeeded by MD6 in 2008, MD5 is still seeing widespread use. However, MD5 has its flaws. Its exploits in the field were infamously exposed by the Flame malware in 2012.

In 2012, modular malware code by the name of Flame/sKyWIper was discovered. It attacks computers running on Windows and is used for cyber espionage in the Middle East. So far, Flame is the most complex malware found, though this is debatable. Its method of spread is via LAN or through USB sticks. Its capabilities are extensive: it can record audio, screenshots, keystrokes, network traffic, as well as Skype conversations. Infected devices can be converted into Bluetooth beacons which in turn will attempt to download contact information from local Bluetooth devices. Data such as this is then sent to one of many contact and command servers in which it simply waits for its next command. It lacks the ability to cease functioning itself though a kill command is readily available which clears all traces of the malware. Flame itself is believed to be modules that perform specific attack functions.

Its effect against MD5 was noticeable: a collision attack in 2008 against a certificate proved to be successful. The malware, however, used a variation of the prefix collision attack, and it forged a fake Microsoft digital signature.

Collision attacks against MD5 have been proven to be successful, and cryptographers recommended that SHA-1 or a different alternative be used. Projects such as MD5CRK were started to prove the vulnerability of MD5; MD5CRK used a birthday attack to prove that MD5 was insecure. Security for MD5 is ultimately considered to be compromised despite its widespread use.

MD6 has flaws as well, such as a past buffer overflow. Buffer overflows occur when a program overwrites memory locations and overruns the buffer's boundaries. However, MD5 and SHA-1 still outnumber MD6 in terms of usage.

Basic encryption can be done by creating a key derivation function (KDF). These are used to stretch keys into longer ones. Their most common use is password hashing; despite sharing the traits of a password hashing function, KDFs were not originally made for this purpose. KDFs are recommended to be made intentionally slow in order to frustrate brute force and dictionary attacks.

Key strengthening is the practice of extending a key with salt; however, the salt eventually becomes securely deleted. This forces attackers and users to initiate a brute force in order to find the salt value.


Why aren't numbers and symbols alone just fine when x website says my password is strong enough?

As stated, you can make your password even stronger by following these steps. Numbers and letters alone do have a level of risk that comes with them.

For example, in a brute-force attack, which I will explain in a further section, passwords such as "xyz," "xyz123," and such are far easier to crack than "xyz//123//." This is because brute force attacks will attempt to formulate every possibility as to what the password could be. Since numbers and letters are used together much more frequently, these attacks will target combinations of this kind more. More accounts are at risk as a result, and these accounts could eventually be breached. Symbols can make it harder for attacks to guess your password quickly; in fact, longer and/or more complex passwords will take a longer time to decrypt compared to short and basic passwords.

Websites like Google may say your password is strong, but you must always assume that your password isn't strong enough, and extend it as far as you can for your own account's safety.


What's a brute force attack? How do they work?

I explained this a little in the previous section but this is where I will expand the subject further. A brute force attack is a type of cryptanalytic attack in which an attempt is made to decrypt any sort of encrypted data. This includes passwords. Brute force attacks function by systematically checking all possibilities as to what the encrypted data (in this case, passwords) could be, by combining certain possibilities in an attempt to match the correct password. In simpler terms, it's basically an automatic trial and error method.

Bruteforcing is extremely effective against short and basic passwords but becomes exponentially less effective as passwords become longer and more complex. What does this mean? It means that having a long password or even a complex one can give you more breathing space against bruteforce attacks, as it will take much more time to breach your account compared to if you had a short and extremely basic password.

For example, I'll use the "xyz" and "xyz//123//" examples again. "xyz" is shorter and also more basic, therefore it's easier for the attacker to piece together the possibilities that the password could in fact be "xyz." Because "xyz//123//" has symbols, a less frequent inclusion in passwords, it is complex in that brute force attacks will not expect the possibilities of symbols first before letters and numbers. Because of the randomization in this password, it is harder to guess and therefore harder to decrypt.

Bruteforces can be made less effective by obscuring the data and therefore making it more unrecognizable or making the attacker do more work in their attempt to decrypt the data. This can be done by simply encoding the data. One way of seeing the success of any encryption system is by theoretically plotting how long it would take for an attacker to successfully complete a brute force against the data. Generally, longer times are what should be sought after.

Limiting the amount of attempts possible to decrypt a password can also slow down bruteforcing. PB2 itself has a limit such as this in which the site will ban those who try to breach an account more than 70-80 times.

There are limits to bruteforcing, however. Of course, this involves math as well, so I will outline the more basic ones to make this tutorial easier to understand. First of all, the resources needed for these attacks grow exponentially and not linearly. Capabilities for brute forcing have also grown, as modern day GPUs, which are well suited for constant and repetitive tasks, are capable of handling brute force attacks. Attacks themselves are repetitive; it is trial and error after all, so a lack of capability to handle such tasks is also a limit.

Credential recycling is also a topic within brute forcing. Here, credential recycling is what the name suggests: past obtained username and password combinations acquired in past attacks are re-used. Passing the hash is the practice of using unsalted (salt is additional random data added to a function used as a method to hash data) credentials, which are stolen and then re-used without prior bruteforcing.

Edit: I'm terrible at paraphrasing things as simple as possible so here's a simpler definition of what a salt is, given by ZapruderFilm: "A salt is basically, when a password is hashed, a string is added prior or after the actual password. Then, that makes the hash harder to crack, because it is inherently longer, and more unique, because even a basic password is changed from the hash it normally is, and would result from a different database. A hash is a one-way encryption so when someone goes to log in, they type their password, the website adds the string to it, hashes it, and if it gets the same result, it lets the person in."

The opposite of a brute force attack is the reverse brute force attack. Generally in these attacks, the attacker isn't after one specific user. It is the practice of inputting one password across different users or encrypted files. Slowing these down can be as simple as enacting a password policy against common passwords. Less common passwords make it harder for certain passwords to work against certain users, especially if multiple users or files share the same password.


I'm too lazy to use different passwords so I re-use the same one. It's fine though, right?

This section wasn't previously in the original version of the post. I will admit that I forgot to consider this originally.

It's not a good idea to use the same password over and over again across different websites. Even if you have a complex password, if you use it on multiple sites and one of the sites you use happens to be breached and its database leaked, your password to those other sites is also exposed. Now, along with your account on the breached site, your accounts on the other sites you use are vulnerable.

A simple way to counter this is simply using different passwords at different sites. Record down these passwords on a password manager or perhaps a document on WordPad; it's not recommended to use the password managers that browsers have. Malware will target these built-in databases which will in turn expose your passwords and ultimately make your account easier to break into.


Why is this important and why should I care?

Unless you don't care about your account security, you shouldn't be reading this tutorial anymore at this point.

My observations across the internet have shown that vulnerabilities as simple as having a basic password still exist in accounts. On my adventures online, I've counted at least 60-70+ accounts having weak passwords, primarily on social media sites such as Facebook and Twitter but also accounts on services such as Instagram, found through methods such as bruteforcing and even simple guess and checks; I've provided advice like the advice here on strengthening passwords to the account holders in question. This was in a timeframe spanning from January 2016 up to the present day. Even today, this number isn't constant. It is slowly increasing by the minute and, as a result, accounts get breached due to a lack of proper security measures such as having a weak password or no two factor authentication.

Edit: I didn't expand more into two-factor authorization since I wanted to focus more on passwords but given how I mentioned account security quite a lot, this deserves expansion too.

Two factor authentication is extremely helpful in preserving account security. Even if your account is fully compromised, attackers still won't be able to get in. Two factor authentication is a two step failsafe meant to protect your account; sites like Google utilize it for their users by asking for phone numbers to 1.) alert people of sign ins to an account, and 2.) provide a failsafe by using the linked phone as a second method of access (this is the part where you can ask to send a text message in which it provides a code, etc).

Although there isn't much benefit to breaking into accounts here in PB2 other than accessing staff accounts for fun and to ban everyone and breaking into the accounts of people you don't like, this doesn't mean account breaching will never happen here. It has happened in the past and most certainly will in the future, hence why it's important to prepare ahead of time.

It's optional to follow the methods I've provided here but it may be in your benefit to consider these options.

I have more tutorials that I could make such as the practice of steganography and how to detect and counter malicious uses of such, which may be vital given signatures were disabled as a result of this.
Last edited by Incompetence on 30 September 2016, 04:50, edited 2 times in total.

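The KDF, salt and brute-force sections of the tutorial above, put into working Python as an added example (this is not code from the original post or from PB2). It assumes PBKDF2-HMAC-SHA256 from the standard library as the "intentionally slow" KDF, a constructed iteration count, and a simplified keyspace count (alphabet size to the power of length) to illustrate the "xyz" versus "xyz//123//" comparison.

```python
# Added example: salted, deliberately slow password hashing contrasted with
# bare unsalted MD5, plus the keyspace arithmetic behind "longer and more
# complex takes longer to brute force". Not from the original post.
import hashlib
import hmac
import os
import string
from typing import Optional

ITERATIONS = 100_000  # constructed value for illustration; tune to your hardware


def md5_unsalted(password: str) -> str:
    """The weak scheme: every user with the same password gets the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' with a fresh 16-byte random salt.

    Storing the salt beside the hash is normal: it only has to be unique,
    not secret, so two users with the same password still differ."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def keyspace(password: str) -> int:
    """Candidates a brute force must cover for this password's character
    classes and length: (sum of used alphabet sizes) ** length."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 ASCII symbols
    return alphabet ** len(password)


if __name__ == "__main__":
    # Constructed sample: two users who both chose "xyz123".
    print(md5_unsalted("xyz123") == md5_unsalted("xyz123"))  # identical hashes
    a, b = hash_password("xyz123"), hash_password("xyz123")
    print(a != b, verify_password("xyz123", a))              # differ, yet verify
    print(keyspace("xyz"), keyspace("xyz//123//"))           # 26**3 vs 68**10
```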
Re: Password Protection

Postby ZapruderFilm » 30 September 2016, 04:27

Great tutorial, has a lot of meat in it. Definitely as good of quality as mine, though these ideas are pretty complex, and hard to explain, so you had to jump through hoops to make it comprehensible. (That isn't necessarily a bad thing :P)

I would add a few things-
Most malware, scratch that, almost every malware immediately pulls all saved passwords from Chrome, Firefox, Opera, and other common browsers. Add something about not using these built-in password managers, and start using a more secure one (I recommend LastPass, which has a random password generator, and can automatically update your password on more popular websites, with the click of a button.)

I would put more emphasis on how if you use the same password on multiple websites, your password is more likely to be compromised.
I personally used to have a Netflix and Hulu account business. I never attempted to bruteforce using dictionary attacks or bruteforce attacks. What I always did was hack a website, or find a database online, decompile it, and pull the hashes and emails, then use hashcat to crack the hashes, resulting in a huge email:password text file. I then took this file, plugged it into a bruteforce program, and tested these combinations on other websites.
I made a lot of money doing this, so clearly people are still falling for it.
Maybe refer to my database thread, whatever you wanna do.

I would also more strongly emphasize the use of two-factor authorization; with that, even if your account is completely compromised, a lot of people can't get in.

Great tutorial man! Will be looking forward to future ones, which I expect you to write!


Re: Password Protection

Postby Incompetence » 30 September 2016, 04:57

ZapruderFilm wrote:Great tutorial, has a lot of meat in it. Definitely as good of quality as mine, though these ideas are pretty complex, and hard to explain, so you had to jump through hoops to make it comprehensible. (That isn't necessarily a bad thing :P)

I would add a few things-
Most malware, scratch that, almost every malware immediately pulls all saved passwords from Chrome, Firefox, Opera, and other common browsers. Add something about not using these built-in password managers, and start using a more secure one (I recommend LastPass, which has a random password generator, and can automatically update your password on more popular websites, with the click of a button.)
I would put more emphasis on how if you use the same password on multiple websites, your password is more likely to be compromised.
I would also more strongly emphasize the use of two-factor authorization; with that, even if your account is completely compromised, a lot of people can't get in.

Great tutorial man! Will be looking forward to future ones, which I expect you to write!

Thanks, I tried to make this easier to understand while still using specific vocabulary related to the subject, but couldn't really get there given English is my 2nd language + I'm bad at paraphrasing certain things.

I've included the things you suggested as edits, but I didn't add the recommendation for LastPass so as to avoid "advertising".

Re: Password Protection

Postby MI6 AGENT 007 » 11 October 2016, 03:54

Good job Incompetence, this really helps stop account thieves from stealing others' passwords.
