Re: [cryptography] Password Blacklist that includes Adobe's Motherload?
On 2013-11-15, at 1:33 AM, Jeffrey Goldberg jeff...@goldmark.org wrote:
So if we find (and I haven’t correlated what I’m
working on with actual passwords, so now this is hypothetical)
that ioxG6CatHBw appears for the last block of the encryption
of “password1”, then we know that that is the encryption of “1”
plus padding.
Let spell that out with real data.
Jeremi Gosney of The Stricture Group has worked out that
2fca9b003de39778d23e6fe47a8c787c
corresponds to “password1”, based on the techniques I described. (There
were 28350 instances of it in the data.) As that is a nine character
password, ending in “1” we now know that d23e6fe47a8c787c is the
encryption of “1” + padding.
So a quick (well nothing is quick with data this size) awk gives me
$ awk '$3 ~ /d23e6fe47a8c787c/ { sum += $2; ++count}; END {print sum, count}'
password-ranked.txt
1835669 927185
So we’ve got about 900K distinct nine character passwords that end with
“1” and these are used for about 1.8 million accounts. (I said “about”
because my matching would also hit 17, 25, … character passwords ending
in 1.)
I should point out that the kind of stuff I’m describing here was done
first (as far as I know) and more systematically by Steve Thomas,
https://twitter.com/Sc00bzT Indeed, he is the one who spotted that this
was ECB encrypted with a 64 bit block size. Adobe later confirmed that
it was 3DES. (Though if they are lying and it is actually just DES,
then hunting for the key might be worthwhile.)
At any rate, despite knowing that there are 56 million distinct
passwords in that dump, we don’t know what most of them are. So
this can’t be used to create a blacklist.
Cheers,
-j
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Password Blacklist that includes Adobe's Motherload?
On 14 November 2013 03:29, shawn wilson ag4ve...@gmail.com wrote: This is the only thing I've seen (haven't really looked): http://stricture-group.com/files/adobe-top100.txt I have to ask: snoopy1 more popular than snoopy? wtf? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Password Blacklist that includes Adobe's Motherload?
On Thu, Nov 14, 2013 at 5:57 PM, Ben Laurie b...@links.org wrote: On 14 November 2013 03:29, shawn wilson ag4ve...@gmail.com wrote: This is the only thing I've seen (haven't really looked): http://stricture-group.com/files/adobe-top100.txt I have to ask: snoopy1 more popular than snoopy? wtf? Probably people who reuse passwords and are used to sites that require a number in the password (or picked their go-to password when signing up for a site that did) -- snoopy1 works more often. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Password Blacklist that includes Adobe's Motherload?
On Thu, Nov 14, 2013 at 6:07 PM, Patrick Mylund Nielsen cryptogra...@patrickmylund.com wrote: On Thu, Nov 14, 2013 at 5:57 PM, Ben Laurie b...@links.org wrote: On 14 November 2013 03:29, shawn wilson ag4ve...@gmail.com wrote: This is the only thing I've seen (haven't really looked): http://stricture-group.com/files/adobe-top100.txt I have to ask: snoopy1 more popular than snoopy? wtf? Probably people who reuse passwords and are used to sites that require a number in the password (or picked their go-to password when signing up for a site that did) -- snoopy1 works more often. The digit is obviously there because there because of today's password complexity rules used most sites that demand at least one digit or a 3 of 4 char sets of uppercase, lowercase, digits, or special characters. Besides that, (unfortunately) it's a lot easier to change 'snoopy1' to 'snoopy2' then to 'snoopy3', etc. when your password inevitably changes. Plus, it makes a lot easier to remember than to start out with 'sn00py' and then go to 'sn11py', 'sn22py', etc. :-) -kevin -- Blog: http://off-the-wall-security.blogspot.com/ NSA: All your crypto bit are belong to us. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Password Blacklist that includes Adobe's Motherload?
On 2013-11-13, at 8:13 PM, Jeffrey Walton noloa...@gmail.com wrote:
Is anyone aware of a blacklist that includes those 150 million records
from Adobe's latest breach?
You are aware that these haven’t all been decrypted? (Or is there some
news I’ve missed.)
The passwords were encrypted, unsalted, using 3DES in ECB mode. But
the actual encryption key is unknown.
So the way that passwords have been “decrypted” is on a case by case basis.
For example, if we have, say, 100,000 users using the same password, and
one of them credibly ‘fesses up to what their password was, then we
know what that password was for all of those users.
These are reinforced by the fact that many of the passwords included
password hints, often simply saying what the password was.
We also can work out what some of the more popular passwords are by comparing
with other breaches. For example if al...@example.com is known to use
the password snoopy1 in both the Sony and LinkedIn breaches, and gives
the same hint in the Adobe data, that is a big clue. If we find a few dozen
other reusers that way we can say with high confidence what that particular
password is.
The ECB mode and small block size of 3DES has also been helpful. So suppose
we have about 6700 people corresponding to this password
6682 /NpNslkFN4nioxG6CatHBw==
and 3402 corresponding to this one
3402 /FkacZU/hWrioxG6CatHBw==
Even with the base64 encoding, you can see that
the second block of each of those passwords is the same as
it encrypts to ioxG6CatHBw
(I really should convert the base64 to hex)
So if we find (and I haven’t correlated what I’m
working on with actual passwords, so now this is hypothetical)
that ioxG6CatHBw appears for the last block of the encryption
of “password1”, then we know that that is the encryption of “1”
plus padding.
Even a cursory glance at the data and you see penguins.
My project is on relative frequency of passwords, so I’m not
actually trying to figure out that plaintext. I’m interested
in relative password frequency.
Several people have noticed that the popularity of passwords
resembles a power law distribution. David Malone and colleagues
have specifically looked that this.
@article{MaloneMaher11:CoRR,
Author = {Malone, David and Maher, Kevin},
Journal = {CoRR},
Title = {Investigating the Distribution of Password Choices},
Volume = {abs/1104.3722},
Year = {2011}}
And I’ve seen similar in my own work. The “problem” is that if
the power law distribution holds up with a “big” exponent (near or above 1)
then that would indicate a situation where popularity contributes to
popularity.
So I want the resemblance to a power law distribution to be
superficial. There are other distributions that can look similar.
Either that I want an explanation for why the popularity of
password choice would make it more attractive to others. Are people
really being influenced by their password choices by others?
I think that high password reuse might be able to account for some
of the power lawish distribution, but I haven’t quite worked that
out.
At any rate, this data dump is perfect for me. I’ve only just begun
working on it, but unsalted ECB encrypted passwords allow me to count
frequencies.
I tried finding a list and was not successful.
There isn’t a list of these decrypted. Jeremi Gosney has, in
collaboration with others, worked out what the passwords are for
the 100 most frequent. Troy Hunt is doing some excellent work
on correlating with other breaches.
Cheers,
-j
–-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Password Blacklist that includes Adobe's Motherload?
On 15/11/13 06:35 AM, Kevin W. Wall wrote: Besides that, (unfortunately) it's a lot easier to change 'snoopy1' to 'snoopy2' then to 'snoopy3', etc. when your password inevitably changes. Plus, it makes a lot easier to remember than to start out with 'sn00py' and then go to 'sn11py', 'sn22py', etc. :-) When I last worked in a formally controlled certified security office, the password to the system was indeed securityN where N incremented every month when the system kicked back and insisted on a password change. (oops, that's probably security leak...) It reminds me of the story about the British health system that spent untold millions putting in individual smart token control systems, so as to control access to security-critical resources. Every place discovered the same correct way to drive the system. Access was sorted and aligned by seniority of staff, and every morning, the designated senior person would plug their token into a given device, then walk away and get back to work. iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] Password Blacklist that includes Adobe's Motherload?
Hi All, Is anyone aware of a blacklist that includes those 150 million records from Adobe's latest breach? I tried finding a list and was not successful. Bonus points if implemented as a bloom filter (I'm interested in seeing how small that list can be in practice, and I'd like to use it for its small footprint). Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Password Blacklist that includes Adobe's Motherload?
On Wed, Nov 13, 2013 at 9:13 PM, Jeffrey Walton noloa...@gmail.com wrote: Hi All, Is anyone aware of a blacklist that includes those 150 million records from Adobe's latest breach? This is the only thing I've seen (haven't really looked): http://stricture-group.com/files/adobe-top100.txt I tried finding a list and was not successful. Bonus points if implemented as a bloom filter (I'm interested in seeing how small that list can be in practice, and I'd like to use it for its small footprint). I did some quick searching and I don't see a PAM module to take that structure. It'd be interresting for other work we're doing if someone knows different. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Password Blacklist that includes Adobe's Motherload?
Take a look at http://dazzlepod.com/uniqpass/ Previously, I’m just kept that file as is, and did a case-insentive binary search directly on disk… took maybe 10 seeks ~ 1ms to see if something was present or not and could be done via command line. No index required, no loading required. I’m happy to post the code if you are interested. For perhaps better storage, take a look at LevelDB https://code.google.com/p/leveldb/ but the previous solution worked so well it wasn’t required. good luck! nickg 2013/11/14 12:29、shawn wilson ag4ve...@gmail.com のメール: On Wed, Nov 13, 2013 at 9:13 PM, Jeffrey Walton noloa...@gmail.com wrote: Hi All, Is anyone aware of a blacklist that includes those 150 million records from Adobe's latest breach? This is the only thing I've seen (haven't really looked): http://stricture-group.com/files/adobe-top100.txt I tried finding a list and was not successful. Bonus points if implemented as a bloom filter (I'm interested in seeing how small that list can be in practice, and I'd like to use it for its small footprint). I did some quick searching and I don't see a PAM module to take that structure. It'd be interresting for other work we're doing if someone knows different. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
