One interesting ethical issue that I hadn't really thought of before is the legality of breaking and/or analyzing illegally obtained password dumps. Some criminal obtains a database containing an organization's user information, including usernames, emails, and passwords, and releases this information online. While the original database files are likely still out there, there are many websites that host only the hashed/password portions, eliminating all other personal information.
The question I asked myself was whether even releasing the hashes is legal, even if it seems to be commonly accepted. I've seen many websites hosting the password lists and there have been many discussions that involve them; even one of my scholarly articles has analyzed them for trends in password use. I didn't find any hard yes or no answers, but the ambiguity of many digital rights laws and the common acceptance and use of these lists indicate that there will likely be no legal trouble.
Because this sort of information is routinely leaked and helps to bolster the capabilities of password crackers worldwide, I think it would be a step backwards to prohibit its use for educational and professional purposes as well, especially if it can help produce stronger password authentication in the future. There are some websites that act as public services, such as haveibeenpwned, that take the username/email portion of these dumps and make them searchable, letting anyone check to see if their accounts have been compromised in the past.
The most important thing we can do with these password dumps is to use them to educate ourselves on password authentication today, to analyze and address any weaknesses and technicalities exposed. Because of the seriousness of the problem it is important that the IT community is made aware of any issues, and that we design and implement strong authentication systems in the future.
Sunday, April 30, 2017
Friday, April 28, 2017
Week 4 - Progress Report
As I near the midpoint of this research project it will become increasingly important to keep track of my efforts and organize them to ensure that I can attain my original schedule goals. The first three weeks were probably the easiest: selecting the topic, surveying its landscape, and finding relevant sources and information.
This past week (week 4) I spent some time verifying my research scope (via mind map) and concluded that there was one additional area that I would need to address in my paper, at least briefly: the area of hashing algorithms. I don't expect to get into all the technical details but rather provide a quick summary of the current state of prominent hashing algorithms, covering aspects such as key lengths, time costs, collisions, recommendations, etc. Hashing algorithms have tremendous impact on password authentication implementations and attacks, so a bit of time spent here will be well spent. It is important to build a strong foundation for any research paper; one should aim to address all areas relevant to a topic or consider restraining the topic.
Another activity that I have undertaken this week is to start reading and organizing my sources for relevant information. I think I have some very solid sources that are relevant to my work, so finding enough supporting material should be no problem; I just need to be sure that I understand the entire context of each piece to help avoid focusing on individual fragments that are interesting. I will continue to do this through the next week to help prepare me for outlining the research paper, something that is scheduled to start at week 6.
Wednesday, April 26, 2017
Week 4 - Mind Map
Mind mapping is a quick exercise that can help you to visually see the scope of something and is useful in the brainstorming process. In fact, at the beginning of this project when I was selecting my topic I made a mind map of security, and circled the zones that I found the most interesting. This process helped me focus my efforts in the decision making process.
At this stage in my research, where I have the topic selected and have many of my sources lined up, mind mapping can be used to expand or focus my project's scope, depending on what it exposes.
Here are five of my primary sources that I've discovered so far:
- Measuring effect of password complexity policies
- Password Memorability and Security: Empirical Results
- Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords
- Passwords and the Evolution of Imperfect Authentication.
- Password Managers: Attacks and Defenses
Comparing my sources to the mind map image can help to indicate if there are areas that would be unaddressed in my research so far. If there is any disparity between the topic and my research I could either expand my research scope to more fully encapsulate the topic or I could refocus the topic to fit within the research. As an example, I can see that I don't yet have any research that considers hashing algorithms or salting, so I will try to find something that helps to cover that area in the next few days.
Sunday, April 23, 2017
Week 3 - Journal
- How did you select your research topic? What resources did you use, which selection criteria did you follow?
Beyond simply wanting to do something with computer security (as I stated on the first day of my class), I needed to focus it down into something that would be interesting for the class, translate into a research paper well, and also enhance my understanding of computer security. Because this topic is generally high profile in the tech world, I was never worried that I would paint myself into a corner and choose something that didn't have a wealth of supporting information out there. Being free to choose what I wanted made the whole process so much smoother than previous projects that I've worked on (and those were much smaller than this one).
Videos like this one are what cemented my idea to research password authentication.
Friday, April 21, 2017
Week 3 - Progress Report
It is probably time to take another look at the schedule for this project; to help visualize where my current progress needs to be made and to set goals for the next few weeks. I'm fortunate that my research topic hasn't changed much over the past few weeks, and I believe that I've narrowed it down into something interesting. In short, my paper will ask and answer the question: Is password authentication up to the challenge? This will be broken down into three parts: an overview of what password authentication is and how it works, a look into password cracking methods, and an analysis of public password dumps to determine trends in password composition. Even without creating a document yet I can feel the rough draft coming together in my head.
Borrowing from one of our lab documents, this plan shows my position right now.
- week 1: topic (done)
- week 2: thesis (done)
- weeks 3-4: searching (now)
- weeks 4-5: reading and evaluating
- weeks 6-8: outlining and drafting
- week 9: draft, presentation
- week 10: paper, publication
I have a good selection of main sources to cover right now, having gathered them over the last few weeks on my own and with the help of the school library. Over the next couple weeks I intend to thoroughly read and evaluate these articles and start on the outline/draft of the paper.
Wednesday, April 19, 2017
Libraries?
Yes, I know, libraries may seem outdated with all the technological advances we have made that allow information gathering, such as services like Google Scholar that let us find research articles online. I was of the same mindset and hadn't really considered utilizing any library resources until prompted by my research class.
So I contacted one of my school's librarians, gave her a rundown of what my research project was and a short explanation of my topic, and let her see what references I had already found. She found the topic very interesting and let me know of additional ways to find articles online, such as Academic Search Premier and Science Direct. She even went out and found a useful article, Passwords and the Evolution of Imperfect Authentication, on the subject.
I found this all very helpful; it has both widened my search area and helped to supplement my source pool. I was not expecting to get this level of dedication and helpfulness to my project. I would recommend that more students take advantage of their school libraries, and I will be using them more as my research project progresses.
Sunday, April 16, 2017
Week 2 - Journal
Researching is critical to filling in your understanding of an idea; it helps you to understand the scope of something and provides verification. The importance of going out into the world, consulting professional experts and amateur communities alike, cannot really be understated if your intent is to find out the objective truth, or something close to it. With that said, it will always be helpful to consider what you know, or think you know, about a subject prior to embarking on the research journey. In the rest of this post I will discuss three parts of password authentication that I knew going into this project.
1: People will choose weak passwords if given the chance. Probably a given to anyone even slightly technologically savvy: people tend to be lazy and will generally choose the quick, easy, unsafe option over the complex, difficult option, especially in password security where the implications of their choices may never confront them. Password requirements can help to alleviate this problem but only if properly implemented.
2: Password dumps have changed the game for password crackers. With the sheer number of real world password dumps publicly available, clever individuals have been able to craft hybrid password cracking software that intelligently combines dictionary and brute force attacks. For example, if one trend is that passwords tend to be two words followed by a four digit date (probably 19xx), rules can be developed to take advantage of that {word1}{word2}{19xx}. These sorts of intelligent attacks will only improve with time as more passwords become available.
3: Software developers MUST be sure that their products remain updated with current standards. As hashing algorithms and password authentication systems become obsolete it is on the developers to bring their software up to date. I would never use a piece of software if I knew that it used outdated/vulnerable systems, but that information is hard to find (and should be).
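The {word1}{word2}{19xx} pattern from point 2, seen from the defender's side: a policy check that rejects passwords built that way and a rough count of how few guesses such a rule needs compared with the keyspace the password's length suggests. This is an added example, not the author's code; the mini word list and sample passwords are constructed, and the year check also accepts 20xx, a small generalization of the 19xx rule in the post.

```python
"""Flag the '{word1}{word2}{19xx}' composition pattern on the defender's side.

Added example, not the author's code. The word list and sample passwords
are constructed; a real policy check would load a full cracking dictionary.
"""
from __future__ import annotations

import math
import re
from typing import Optional

# Constructed stand-in for a real wordlist.
WORDLIST = frozenset({
    "password", "summer", "winter", "dragon", "monkey", "blue", "sky",
    "happy", "dog", "cat", "love", "star", "sun", "shine", "letme",
})

# Letters-only body followed by a four-digit year, 19xx or 20xx.
PATTERN_RE = re.compile(r"^(?P<body>[a-z]+)(?P<year>(?:19|20)\d\d)$")


def split_two_words(body: str, words: frozenset[str]) -> Optional[tuple[str, str]]:
    """Return (word1, word2) when body is exactly two dictionary words."""
    for i in range(1, len(body)):
        left, right = body[:i], body[i:]
        if left in words and right in words:
            return left, right
    return None


def is_word_word_year(password: str, words: frozenset[str] = WORDLIST) -> bool:
    """True for passwords built as two dictionary words plus a year."""
    m = PATTERN_RE.match(password.lower())
    return m is not None and split_two_words(m.group("body"), words) is not None


def flag_weak(passwords: list[str]) -> list[str]:
    """Return the passwords a policy should reject under this rule."""
    return [p for p in passwords if is_word_word_year(p)]


def rule_candidates(wordlist_size: int, years: int = 100) -> int:
    """Upper bound on guesses the rule needs: word1 x word2 x year."""
    return wordlist_size * wordlist_size * years


def naive_candidates(length: int, alphabet_size: int = 36) -> int:
    """Keyspace an 'N lowercase letters and digits' policy appears to give."""
    return alphabet_size ** length


def bits(candidates: int) -> float:
    """Express a candidate count as bits of guessing work."""
    return math.log2(candidates)


if __name__ == "__main__":
    sample = ["BlueSky1987", "sunshine2001", "dragon1999", "Tr0ub4dor&3"]
    print("flagged:", flag_weak(sample))
    print(f"rule keyspace, 100k-word list: {bits(rule_candidates(100_000)):.1f} bits")
    print(f"naive keyspace, length 11    : {bits(naive_candidates(11)):.1f} bits")
```

An 11-character password that meets a letters-and-digits length policy looks like roughly 57 bits of work, but under the rule it is covered by about 40 bits, which is the gap a composition check like this closes.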
Friday, April 14, 2017
Week 2 - Progress Report
I am writing this report near the conclusion of the second week of this project, and I'll describe in some detail what direction I'm going in and how my research is coming together. I admit that there was a period of time where I was being pulled in two similar but distinct directions during my research; between the broader topic of generic password security as it pertains to large scale data breaches and specific examples of bypassing security to get access onto a Windows/OSX workstation. I've experimented with extracting and hacking login passwords before, and I am still very interested in how viable that can be as a method to bypass security (extracting and cracking password hashes being something of a 'holy grail' of computer security because you don't change anything on the host machine).
I plan to head more towards the general use of password authentication and how it measures up to current attacks. I'll ask and answer the question: 'are we doing enough to strengthen password authentication in light of recent data breaches, and how might authentication change to help alleviate problems that we might be experiencing?'. Two factor authentication (2FA) will likely be a part of that discussion, especially given how that field has been quickly expanding recently (many popular services now use 2FA, helping to ease its entry into mainstream markets).
During the third week I expect to have my sources mostly nailed down and the general idea for the flow of the paper thought through. I think that my current pace will prove to be sufficient to complete this project well ahead of schedule if need be; this past week I refined my idea and gathered a few more sources, similar to what I did previously. With my topic nailed down I think that next week I will be able to focus on finding sources and generating a rough outline of my research going forward.
I did find some studies that discussed the conflict between password memorability and strength, as well as one that evaluated publicly available password lists to determine how vulnerable they are to attack. I will hopefully be addressing both of these issues, and I expect to find out more over the next few weeks.
Wednesday, April 12, 2017
Managing Sources
During any research process it will be important for the researcher to keep their sources organized and available. In my own experience I have usually just used a Google Spreadsheet document to keep my sources organized; it fulfills the purpose and allows me to easily organize them and add other relevant information if needed.
I've spent most of my time recently looking into the specifics of Windows and OSX login password security, where the hashes are stored and how to extract them. The website onlinehashcrack.com shows how all recent versions of Windows and OSX store their passwords and offers tools and examples of how to extract and crack them. It's interesting that this one stop shop exists and holds all of this information that helps to get around the security measures that the vast majority of people use.
I think that there is a conflict between Windows developers and those who want to bypass its security; that making Windows 100% secure is not what is really wanted. There will always be methods to get around security, some likely built in for technical purposes (we don't want to have to throw a computer away because the user forgot their password, for example). Striking the balance between perfect security and usable functionality will probably always leave room for nefarious actors to work.
Sunday, April 9, 2017
Week 1 - Journal
- Consider possible topics for your research project in this course. What interests you about these topics and why do you think they would be a good fit for the course? Which research methodologies do you think will likely serve you well as you begin your research (experiments, literature review, surveys, etc.)?
A few days ago I discussed how I intend to explore the world of password authentication. Today I will talk about why I chose this specific area of IT to research; why it interests me and how it will bring a lot to the table as my class researches and discusses a wide range of IT related topics.
I have used password authentication since I was introduced to computers, but it only became an interest of mine when I was really starting to get into building PCs and had one of my own to tinker with. As happens to everyone once in a while, there was one event where I forgot the Windows login password to a computer I was tinkering with (I probably changed it, then forgot it was changed). Locked out of this machine, I started googling how to reset/remove user account passwords and found the results a bit shocking.
The sheer number of hits, and the variety of methods available to get around locked accounts on Windows systems opened my eyes and I started to question just how secure this specific authentication method was. This piqued my interest in password security and I soon learned that it is possible to reset/remove passwords, extract password hashes, get access to administrator command prompts when locked out, and more. Ever since I have been keeping an eye on interesting developments in the password cracking scene, a field that doesn't disappoint.
Regarding how exploring this will bring value to my class, there are three parts of this field that I think will bring interesting ideas to the table. These are:
- Password hashing and authentication methods: Knowing the technical details about how this process works will help to make the class more aware of its strengths and weaknesses.
- Statistical analysis of password complexity: I intend to offer the class a look into how password authentication plays out in the real world. By looking at existing password lists collected from actual companies through hacking and data breaches we will be able to get a better picture of where we currently stand in ensuring password security.
- Discussion (and possibly demonstration) of current password cracking techniques and software: Knowing how password attacks are made will help to educate everyone on how they can be defeated. Seeing how trivial it can be to crack weak passwords will hopefully make the whole class aware of the problems with password security, hopefully something we can all take forward as we enter into our specific fields in IT.
During this exercise I expect that I will find most of my information through articles and journals online. Because IT security is a high profile field that sees lots of action I expect that finding the information and analysis I need to be fairly easy.
Friday, April 7, 2017
Week 1 - Progress Report
I've decided to conduct my research on the current state of password security, taking a look at any historical trends present and also making projections about the likely future of password based authentication. This will require some analysis of the current/recent state of password security; unfortunately there have been many events where massive numbers of real world passwords/hashes have been leaked/stolen, so I don't expect this information to be too difficult to find.
(In fact, I've just come across the website https://hashes.org/public.php which has lists of current hash dumps and their cracked progress, which makes it possible for me to do my own analysis of the numbers if it comes down to it).
Beyond looking at the numbers, I should also research how capable password authentication could be under ideal circumstances, and then discuss what issues we are currently experiencing. There are essentially two main factors that will affect the strength of any password authentication system: the size/complexity of the password and the proper implementation of modern hashing algorithms. I will look into the modern approaches of password cracking methods and try to evaluate which are the most likely from a cost/benefit perspective.
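The second factor above, proper use of a modern hashing algorithm (and the salting and time-cost aspects noted in the week 4 report), in working code: an unsalted fast hash beside a salted, iterated PBKDF2 scheme, with a check that shows why the unsalted form lets one cracked guess cover every user who chose the same password. This is an added example, not the author's code or any product's implementation; the three sample users are constructed, and the iteration count is kept deliberately low so it runs quickly.

```python
"""Unsalted fast hash versus salted, slow password hashing.

Added example, not the author's code. Uses only the standard library.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Deliberately small so the example runs fast; production tunes this far
# higher, to whatever the hardware can afford per login (the time cost).
PBKDF2_ITERATIONS = 50_000


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes | None = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iter$salt$key'."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_hash_groups(user_hashes: dict[str, str]) -> dict[str, list[str]]:
    """Group users whose stored values are identical. Under an unsalted
    scheme every such group falls to a single cracked guess; with per-user
    salts, equal passwords still produce different stored values."""
    groups: dict[str, list[str]] = {}
    for user, h in user_hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Constructed sample: three users, two of whom chose the same password.
SAMPLE_USERS = {"alice": "bluesky1987", "bob": "dragon1999", "carol": "bluesky1987"}


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Return the shared-hash groups for the weak and the salted scheme."""
    weak = {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: pbkdf2_hash(p) for u, p in SAMPLE_USERS.items()}
    return shared_hash_groups(weak), shared_hash_groups(strong)


if __name__ == "__main__":
    weak_groups, strong_groups = demo()
    print("unsalted MD5, users sharing a hash:", list(weak_groups.values()))
    print("salted PBKDF2, users sharing a hash:", list(strong_groups.values()))
```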
This has given me plenty to work with so far this week, and I expect that by next week I will have a portion of the above done. I think I will primarily be looking at statistical information about password security and also performing some analysis of the tables available at hashes.org (a side note: I did open a few of the 'found' tables and scrolled down to 'pa******', ... and of course, loads of passwords using variations of 'password').
To do:
- Gather/perform analysis of common password usage
- Research current hashing algorithms and determine which ones are in use
- Research password requirements
- Determine if password authentication is phasing out or not
- Gather information about recent/large password compromises (e.g. LinkedIn, Sony, etc.)
Wednesday, April 5, 2017
Greetings all,
I am Samuel, currently an Information Systems student at Olympus College, WA. Ever since I was introduced to computers and their systems I have been interested in their security and vulnerabilities. Early on I realized how trivial certain security systems are to compromise, and how that information freely circulates the web and is accessible to anyone who looks.
This blog will be used to collect, sort through, and discuss ideas and information relating to some aspect of Information Systems security. I have yet to decide firmly on a particular field that I will dive into; I'm currently entertaining the ideas of password security/cracking, encryption methods, hacking vulnerabilities, and possibly a few others.