Passwords CSC 193 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Spring 2014


Unix Passwords

In Unix, users are identified by user names and authenticated by passwords. Therefore, to log in as a certain user, one must know the password.

Unix never stores the password in cleartext:
- The password is encrypted (*) and then stored.
- When a user types in a password, it is encrypted.
- The encrypted passwords are then compared.
- If the encrypted versions match, the user is authenticated.

(*) Actually hashed; there is a difference.

E. W. Fulp CSC 193 Spring 2014 1

A Few Words about Hashes...

Hashing and encrypting may look similar, but there are differences:
- Both take a string (unencrypted text) and convert it to another string (encrypted).
- Encryption implies the reverse is possible (the encrypted text can be converted back to the unencrypted text).
- Hashes are not supposed to be reversible.

A few qualities we would like in our hash:
- Takes a string and produces a unique string (the hash).
- No reasonable way to map the hash back to the original string.

Assuming openssl is installed, here are some examples:

  Command                         Output
  openssl passwd -crypt Astley    TURHa6genvd8c
  openssl passwd -crypt astley    1Nrd7lLLWcF8M

Login and User Accounts

Information about the user is stored in two files, /etc/passwd and /etc/shadow. /etc/passwd stores the following per user; entries are colon (:) delineated:

  pluf:x:500:100:Nirre Pluf:/home/pluf:/bin/tcsh

  pluf         user name
  x            second field (explained on the next slide)
  500          user ID
  100          group ID
  Nirre Pluf   ID string, the user's full name
  /home/pluf   home directory location
  /bin/tcsh    login shell (the shell environment)

The user ID and group ID will be explained later.

An example passwd file:

  root:x:0:0:root:/root:/bin/tcsh
  pluf:x:500:10:Nirre Pluf:/home/pluf:/bin/tcsh
  nomed:x:510:10:Nomed Nocaed:/home/nomed:/bin/bash

The x (second field) is where the encrypted password used to be stored. Passwords are now stored in the file /etc/shadow.

Shadow

Unix stores encrypted passwords in the /etc/shadow file. "A shadow password file is readable only by the superusers and serves to keep encrypted passwords safe from prying eyes and password cracking programs." Therefore access to the encrypted passwords is limited. However, if an attacker can obtain a copy, it is possible to crack them.

/etc/shadow

The /etc/shadow file contains one line per user:

  root:$1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.:14425:0:99999:7:::
  bin:*:14425:0:99999:7:::
  daemon:*:14425:0:99999:7:::

Each line consists of nine fields separated by colons (:), as follows:
1. Login name
2. Encrypted password
3. Date of last password change
4. Minimum password age
5. Maximum password age
6. Password warning period
7. Password inactivity period
8. Account expiration date
9. Reserved field

Shadow Example

Consider the following line for the root user:

  root:$1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.:14425:0:99999:7:::

What we can tell is...
- Login name is root.
- Encrypted password: $1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.
- Date of last password change: 14425, expressed as the number of days since Jan 1, 1970.
- Minimum password age: 0, how long to wait before the password can be changed; no value (or 0) means no minimum password age.
- Maximum password age: Empty, no maximum password age.
- Password warning period: Empty, no password warning period.
- Password inactivity: Empty, no enforcement of an inactivity period.
- Account expiration date: Empty, the account will never expire.

Encrypted Password

The encrypted password has three parts: $id$salt$encryptedpassword

The $id field identifies the encryption method:

  ID   Encryption Method
  1    MD5
  2a   Blowfish (not part of glibc, but some Unix distros include it)
  5    SHA-256 (since glibc 2.7)
  6    SHA-512 (since glibc 2.7, typically used)

The $salt field helps prevent precomputed hash attacks:
- A random value is added to the password before it is encrypted.
- The salt is stored in plaintext.
- So how does this improve security?

The last field, $encryptedpassword, is the encrypted password. Consider the $encryptedpassword entry for root again:

  $1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.

- The encryption is MD5.
- The salt is CQoPk7Zh.
- The encrypted password is 370xDLmeGD9m4aF/ciIlC.

Still got questions? No problem, go see http://goo.gl/qmet
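As an added example (not part of the slides), a Python parser for the nine-field /etc/shadow layout and the $id$salt$hash password field described on the two slides above; the root line is the one from the slides, the locked bin/daemon lines are constructed, and the handling of a "rounds=" cost field and of bcrypt-style $2a$ records is an assumption about formats the slides do not show.

```python
from datetime import date, timedelta

# Sample /etc/shadow lines: root as on the slides, two constructed locked accounts
SHADOW_LINES = [
    "root:$1$CQoPk7Zh$370xDLmeGD9m4aF/ciIlC.:14425:0:99999:7:::",
    "bin:*:14425:0:99999:7:::",
    "daemon:*:14425:0:99999:7:::",
]

# $id values from the slides' table
CRYPT_IDS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

FIELDS = ["login", "password", "last_change", "min_age", "max_age",
          "warn", "inactive", "expire", "reserved"]


def parse_hash(field):
    """Split $id$salt$hash. A field without a '$' ('*' or '!') cannot match any password."""
    if not field.startswith("$"):
        return {"method": "locked", "salt": None, "hash": field}
    parts = field.split("$")[1:]            # ['id', 'salt', 'hash'], maybe with 'rounds=N'
    if parts[0].startswith("2") and len(parts) == 3:   # assumption: $2a$cost$<22-char salt><hash>
        return {"method": CRYPT_IDS.get(parts[0], "bcrypt"), "salt": parts[2][:22], "hash": parts[2][22:]}
    if len(parts) == 4 and parts[1].startswith("rounds="):   # assumption: SHA-crypt cost field
        parts = [parts[0], parts[2], parts[3]]
    if len(parts) != 3:
        raise ValueError("unexpected hash format: " + field)
    method = CRYPT_IDS.get(parts[0], "unknown id " + parts[0])
    return {"method": method, "salt": parts[1], "hash": parts[2]}


def days_to_date(value):
    """Shadow dates are days since 1970-01-01; an empty field means unset."""
    return None if value == "" else date(1970, 1, 1) + timedelta(days=int(value))


def parse_shadow_line(line):
    values = line.rstrip("\n").split(":")
    if len(values) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(values))
    rec = dict(zip(FIELDS, values))
    rec["password"] = parse_hash(rec["password"])
    rec["last_change"] = days_to_date(rec["last_change"])
    rec["expire"] = days_to_date(rec["expire"])
    # Ageing fields: empty means unset; for min_age, 0 also means no minimum
    for key in ("min_age", "max_age", "warn", "inactive"):
        rec[key] = None if rec[key] == "" else int(rec[key])
    return rec
```

Running parse_shadow_line over the root line reports the field values literally as they appear in the line, so compare its output with the reading given on the slide.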

Cracking Passwords

Remember, passwords are encrypted such that they cannot be decrypted:
- To check a password, encrypt the provided string and compare the hashes.
- So the password is never decrypted.

So how can someone determine (crack) a password? Guess the password, encrypt it, then compare the results (hashes). If the hashes match, then you have determined the password. It is a little more involved than that...
1. Guess a password.
2. Add the salt.
3. Encrypt using the same method as the stored password.
4. If the results (hashes) match, then you did it! Otherwise go to step 1.

Brute Force

One way to crack passwords is to try all possible passwords, using the algorithm on the previous page. Assuming passwords are n characters long and there are c possible characters, how many passwords are possible?

This could take some time, so let's write a program to do it for us. We would like the program to do the following:
- Take a shadow file (/etc/shadow style) and a guess file (a file full of good guesses) as inputs.
- Print a password match, if there is a match...

Bad Passwords (things to check for...)

Researchers gained access to the Pony botnet and found over 2M compromised accounts and passwords.

  Top Passwords   Count
  123456          15820
  123456789        4875
  1234             3135
  password         2212
  12345            2094
  12345678         2045
  admin            1991
  123              1453
  1                1224
  1234567          1170
  111111           1046

Hopefully you don't use these...
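As an added example (not the course's own program), the audit the Brute Force slide asks for, with the Pony top-passwords list above as the guess file: for each account it runs steps 1 to 4 of the Cracking Passwords slide (guess, add the stored salt, hash with the same method, compare). It assumes a simplified salted SHA-512 scheme tagged $x$ in place of glibc's crypt formats, and the account lines are constructed.

```python
import hashlib
import hmac
import secrets

# Simplified salted hash (assumption for this example): $x$salt$hex(sha512(salt + password)).
# Real /etc/shadow entries use glibc crypt ($1$, $5$, $6$ ...), which iterate the hash and
# encode it differently; the guess / salt / hash / compare loop is the same.
def hash_password(password, salt):
    digest = hashlib.sha512((salt + password).encode("utf-8")).hexdigest()
    return "$x$" + salt + "$" + digest


def make_record(password):
    return hash_password(password, secrets.token_hex(4))     # fresh 8-char random salt


def verify(record, candidate):
    """Login check from the slides: reuse the stored salt, hash the candidate the same
    way, compare. compare_digest keeps the comparison time independent of the input."""
    _, _, salt, _ = record.split("$")
    return hmac.compare_digest(hash_password(candidate, salt), record)


# Constructed shadow-style file (login:record:ageing fields...); only the first two
# fields matter here. 'bin' is locked with '*' and has nothing to test.
SHADOW = [
    "root:" + make_record("correct horse battery staple") + ":14425:0:99999:7:::",
    "pluf:" + make_record("123456") + ":14425:0:99999:7:::",
    "nomed:" + make_record("admin") + ":14425:0:99999:7:::",
    "bin:*:14425:0:99999:7:::",
]

# The guess file: the Pony botnet top passwords from the slides
GUESSES = ["123456", "123456789", "1234", "password", "12345", "12345678",
           "admin", "123", "1", "1234567", "111111"]


def find_weak_accounts(shadow_lines, guesses):
    """Return {login: matching guess} for every account whose stored hash matches
    a guess; accounts with no match are absent from the result."""
    hits = {}
    for line in shadow_lines:
        login, record = line.split(":")[:2]
        if not record.startswith("$"):        # '*' or '!': no password hash to check
            continue
        for guess in guesses:                 # step 1: next guess
            if verify(record, guess):         # steps 2-4: salt, hash, compare
                hits[login] = guess
                break
    return hits
```

Every run uses fresh random salts, which is why the same guess list must be re-hashed per account rather than hashed once and looked up: that per-record cost is exactly what the salt buys.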