
Goldman-Sachs-Crack-leaked-password-database

Password Controls and Security Policies

Overview

As a governance analyst, part of your duties is to assess the level of protection offered by the implemented controls and to minimize the probability of a successful breach. To do this job well you often need to know the techniques hackers use to circumvent the implemented controls, so that you can propose uplifts that raise the overall level of security in the organization. Gaining valid credentials gives attackers access to the organization's IT systems and thereby circumvents most of the perimeter controls in place.

Project Objective

Your job is to crack as many passwords as possible with available tools (e.g. use Hashcat).

You must determine the following:

  • What type of hashing algorithm was used to protect passwords?
  • What level of protection does the mechanism offer for passwords?
  • What controls could be implemented to make cracking much harder for the hacker in the event of a password database leaking again?
  • What can you tell about the organization’s password policy (e.g. password length, key space, etc.)?
  • What would you change in the password policy to make breaking the passwords harder?

Project Report and Observations

Here is the sample data file containing the dumped hashes: https://github.com/ketanraj15/Goldman-Sachs-Crack-leaked-password-database/blob/240d6f606b15548dc6141a3fbc6313f1018cf107/passwd_dump.txt

Observations

I was able to crack 13 passwords out of the 19 given hashes in the password dump file very easily using https://crackstation.net/.

Hash                               Algorithm   Password
e10adc3949ba59abbe56e057f20f883e   md5         123456
25f9e794323b453885f5181f1b624d0b   md5         123456789
d8578edf8458ce06fbc5bb76a58c5ca4   md5         qwerty
5f4dcc3b5aa765d61d8327deb882cf99   md5         password
96e79218965eb72c92a549dd5a330112   md5         111111
25d55ad283aa400af464c76d713c07ad   md5         12345678
e99a18c428cb38d5f260853678922e03   md5         abc123
fcea920f7412b5da7be0cf42b8c93759   md5         1234567
7c6a180b36896a0a8c02787eeafb0e4c   md5         password1
6c569aabbf7775ef8fc570e228c16b98   md5         password!
3f230640b78d7e71ac5514e57935eb69   md5         qazxsw
917eb5e9d6d6bca820922a0c6f7cc28b   md5         Pa$$word1
f6a0cb102c62879d397b12b62c092c06   md5         bluered
16ced47d3fc931483e24933665cded6d   md5         Oranolio1994
1f5c5683982d7c3814d4d9e6d749b21e   md5         Spuffyffet12
8d763385e0476ae208f21bc63956f748   md5         moodie00
defebde7b6ab6f24d5824682a16c3ae4   md5         nAbox!1
bdda5f03128bcbdfa78d8934529048cf   md5         Banda11s
9b3b269ad0a208090309f091b3aba9db   md5         Flamesbria2001

Conclusions

1) What type of hashing algorithm was used to protect passwords?
Ans: MD5

2) What level of protection does the mechanism offer for passwords?
Ans: MD5 is insecure, provides a very low level of protection and should not be used in any application.

3) What controls could be implemented to make cracking much harder for the hacker in the event of a password database leaking again?
Ans: Controls to be implemented to make cracking harder:
i) A minimum-length password rule should be implemented.
ii) Passwords must contain special characters, numbers, lowercase letters and uppercase letters.
iii) A hashing algorithm which provides a high level of protection should be used. Example: SHA-256 and SHA-3.
iv) Password salting must be used.

4) What can you tell about the organization's password policy (e.g. password length, key space, etc.)?
Ans: i) There is no rule regarding the minimum length of the password.
     ii) There is no rule regarding the use of special characters in the password.

5) What would you change in the password policy to make breaking the passwords harder?
Ans: i) The password must be a minimum of 8 characters.
     ii) A minimum of 2 special characters (/, #, *, etc.) must be used in the password.
     iii) An external API-based password-strength tool should confirm that the chosen password is strong.
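The following Python is an added example, not part of the report or the repository: it contrasts the unsalted MD5 scheme found in the dump with a salted, iterated SHA-256 scheme (PBKDF2-HMAC) that applies the salting recommended in point 3, and it checks a password against the policy proposed in point 5. The iteration count, the storage format and the exact character-class rules are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# One entry from the dump above: unsalted MD5 of "123456".
LEAKED_MD5 = "e10adc3949ba59abbe56e057f20f883e"
# Assumed work factor for the replacement scheme; not a value from the report.
PBKDF2_ITERATIONS = 600_000

def md5_unsalted(password: str) -> str:
    """The scheme found in the dump: every user with the same password gets
    the same digest, so one precomputed lookup table cracks all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated SHA-256 (PBKDF2-HMAC): the random per-user salt defeats
    precomputed tables and the iteration count slows down every guess."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def policy_violations(password: str) -> List[str]:
    """Check the policy proposed in the report: at least 8 characters, at least
    2 special characters, plus lowercase, uppercase and digit classes (assumed)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(not c.isalnum() for c in password) < 2:
        problems.append("fewer than 2 special characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems

if __name__ == "__main__":
    assert md5_unsalted("123456") == LEAKED_MD5  # confirms the dump is plain MD5
    print(policy_violations("Pa$$word1"))  # [] : passes the policy, yet it was cracked
    stored = hash_password("Pa$$word1")
    print(verify_password("Pa$$word1", stored), verify_password("password", stored))
```

Note that "Pa$$word1" satisfies the proposed policy and was still recovered from the dump, which is why the storage scheme (salt plus a slow, iterated hash) matters as much as the policy itself.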

Complete report is available at:

https://github.com/ketanraj15/Goldman-Sachs-Crack-leaked-password-database/blob/07427e5c79a634b42426fed8cfa22ab7e706274e/Report.docx

Resources

https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

https://howsecureismypassword.net/

https://en.wikipedia.org/wiki/Password_cracking#Software

https://en.wikipedia.org/wiki/Salt_(cryptography)

https://crackstation.net/