Password Cracking on a Budget

Presented at DEF CON 16 (2008), Aug. 9, 2008, 11 a.m. (50 minutes)

Not every bad guy writes down passwords on a sticky note by their monitor. Not every system administrator fully documents everything before they leave. There are a lot of legitimate reasons why you might need to crack a password. The problem is most people don't have a supercomputer sitting in their basement or the money to go out and buy a rack of FPGAs. This talk deals with getting the most out of the computing resources you do have when cracking passwords. Our group at Florida State University is currently working on password cracking research to aid in forensics analysis. We've analyzed disclosed password lists to try and figure out how real people actually create passwords. Not all of these lists have been in plain text, so we've had to go through the pain of cracking passwords ourselves. Just like you, we are still waiting on funding for that supercomputer as well. In this talk, we'll go over some of the tools and techniques we've used to crack these password lists using only a couple of PCs, such as custom wordlist generation and choosing the right word mangling rules. We'll also talk about some of the lessons we've learned and the mistakes we've made along the way.

Presenters:

  • Sudhir Aggarwal - Security Researcher
    Sudhir Aggarwal has been Professor of Computer Science at Florida State University since the fall of 2002. He directs the E-Crime Investigative Technologies Laboratory. Previous to his current position, he was Chief Technology Officer of the Internet Content Delivery and Distribution business unit of Lucent Technologies, where he was responsible for the architecture, portfolio, and development of the Imminet product line. Dr. Aggarwal's current research interests are in building software tools and systems that support cybersecurity and digital forensics. He is also interested in computer and communication networks where he has investigated infrastructures for network games and techniques for building efficient overlay networks.
  • Matt Weir - Security Researcher
    Matt Weir is a PhD student at Florida State University. Before his journey back into academia, he worked as a network security engineer for Northrop Grumman. The projects he's been a part of have ranged from providing first responders with wireless access, to assisting the Defense Department with computer forensics. Why he decided to go back to school no one knows (including him sometimes). It wasn't the pay, that's for sure!
