Monday, June 11, 2012

SHA-1 Password Cracking

In the last week there have been several major compromises resulting in the leak of password hashes to the internet. Some of the major sites that were hit are LinkedIn, eHarmony and Last.fm. Although many others have cracked more than I have or will, armed with an older video card and an extra laptop I was able to crack around 3 million of the exposed SHA-1 hashes using Hashcat, John the Ripper and dictionaries I have collected over the years. The professionals at KoreLogic tweeted this within a day of the hashes being released:



If you would like to safely check whether your password was included in the LinkedIn compromise, you can download the file "combo_not.txt" and check against it locally. I believe it is probably still being hosted in a few places, but you'll have to do a bit of searching to find it.

I threw together a PowerShell function so others can check whether their passwords were included. It is horribly slow and could certainly be improved, but I don't expect it to be useful for long. I really don't like the idea of using any of the online look-up services (despite the obvious speed benefit of storing the data in a real database) because of the obvious social-engineering implications: anyone can stand up such a site and harvest whatever is typed into it.


Get-LNPasswordMatch
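The post's Get-LNPasswordMatch is no longer shown here, so the following is an added example of the same idea, not the author's code: hash the password locally with SHA-1 and look it up in a downloaded copy of the hash file, so the password never leaves the machine. It assumes the file holds one 40-character lowercase hex SHA-1 per line and that a subset of lines has the first five characters overwritten with "00000", so both the intact and the zeroed form are compared. The function names, the SecureString handling and the constructed two-line demo file are all assumptions of this example.

```powershell
# Added example (not the post's Get-LNPasswordMatch). Assumptions: one lowercase
# 40-hex-char SHA-1 per line in the hash file; some lines have their first five
# characters zeroed; passwords were hashed as UTF-8 bytes with no salt.

function Get-Sha1Hex {
    param([Parameter(Mandatory=$true)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    } finally {
        $sha1.Clear()
    }
    # BitConverter yields "5B-AA-61-..."; drop the dashes and lower-case to match the file
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Test-LeakedPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$HashFile,     # local path to combo_not.txt
        [System.Security.SecureString]$Password             # prompted for if omitted
    )
    if (-not $Password) {
        $Password = Read-Host -Prompt 'Password to check' -AsSecureString
    }
    # Decrypt the SecureString only long enough to hash it, then zero the unmanaged
    # copy. (.NET strings are immutable, so the managed copy can only be dropped.)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $hash  = Get-Sha1Hex -Text $plain
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
    $zeroed = '00000' + $hash.Substring(5)

    # Stream the file line by line; Get-Content into an array is what makes
    # a millions-of-lines dump painfully slow and memory hungry.
    $lineNo = 0
    foreach ($line in [System.IO.File]::ReadLines((Resolve-Path $HashFile).Path)) {
        $lineNo++
        $candidate = $line.Trim().ToLowerInvariant()
        if ($candidate -eq $hash -or $candidate -eq $zeroed) {
            return [pscustomobject]@{ Found = $true; Line = $lineNo; Zeroed = ($candidate -eq $zeroed) }
        }
    }
    return [pscustomobject]@{ Found = $false; Line = $null; Zeroed = $false }
}

# Constructed demo file so this runs offline: line 1 is SHA-1("password"),
# 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, with its first five characters zeroed;
# line 2 is SHA-1("123456") left intact.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'combo_demo.txt'
Set-Content -Path $demo -Value @(
    '000001e4c9b93f3f0682250b6cf8331b7ee68fd8',
    '7c4a8d09ca3762af61e59520943dc26494f8941b'
)
$pw = ConvertTo-SecureString 'password' -AsPlainText -Force   # demo only; normally use the prompt
Test-LeakedPassword -HashFile $demo -Password $pw
$pw = ConvertTo-SecureString 'correct horse' -AsPlainText -Force
Test-LeakedPassword -HashFile $demo -Password $pw
Remove-Item $demo
```

Run interactively as `Test-LeakedPassword -HashFile .\combo_not.txt` and the password is read with `Read-Host -AsSecureString`, so it does not end up in the console history or a plain variable. In the demo the first lookup matches the zeroed line and the second finds nothing, which is exactly the pair of comparisons the zeroed dump forces on you.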
A special version of Hashcat was released to handle the zeroed hashes (in the leaked file the first five hex characters of a large subset of hashes were overwritten with "00000", so those entries never match a normal full-digest comparison), which, paired with a large dictionary, is very effective:


The Hashcat syntax can be tricky, but there is a lot of great documentation out there.


Next, I reran the same dictionary with a mangling rule in John, which picked up quite a few of the longer passwords because CudaHashcat at the time could not attack candidates longer than 15 characters. Rules take each dictionary word and generate variants (capitalization, appended digits or years, character substitutions), which is how a lot of "complex-looking" passwords fall. There are lots of usage guides and cheat-sheets out there for John.
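To make the Hashcat and John steps above concrete, here is an added toy version of a dictionary-plus-rules attack in PowerShell. It is not the author's command lines or either tool's code; the rule set, the function names, the 15-character cap parameter and the constructed target hashes (generated in the script from known plaintexts, two of them zeroed the way the leaked file was) are all assumptions of the example. It exists to show the matching logic against zeroed hashes and why the length cap mattered, not to replace the real tools for speed.

```powershell
# Added example (not the post's Hashcat/John runs): toy dictionary attack with a
# few mangling rules against a constructed target list. Assumptions: unsalted
# SHA-1 of UTF-8 passwords; zeroed hashes have "00000" in place of the first
# five hex characters; MaxLength mimics CudaHashcat's 15-character candidate cap.

function Get-Sha1Hex {
    param([string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try { $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)) }
    finally { $sha1.Clear() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Expand-Candidates {
    # A handful of rules of the kind a John/Hashcat rule file expresses:
    # as-is, capitalise, append common suffixes, simple leet substitution.
    param([string]$Word)
    $cap = $Word.Substring(0, 1).ToUpper() + $Word.Substring(1)
    $out = @($Word)
    if ($cap -ne $Word) { $out += $cap }
    foreach ($suffix in '1', '123', '!', '2012') {
        $out += $Word + $suffix
        $out += $cap + $suffix
    }
    $leet = $Word -replace 'a', '4' -replace 'e', '3' -replace 'o', '0'
    if ($leet -ne $Word) { $out += $leet }
    return $out | Select-Object -Unique
}

function Invoke-WordlistCheck {
    param(
        [string[]]$Hashes,      # target hashes, some with the first five hex chars zeroed
        [string[]]$Wordlist,
        [int]$MaxLength = 15    # skip candidates longer than this; 0 = no limit
    )
    # Index targets by their last 35 hex characters so a zeroed hash and an
    # intact hash are found with the same lookup.
    $byTail = @{}
    foreach ($h in $Hashes) {
        $h = $h.Trim().ToLowerInvariant()
        $tail = $h.Substring(5)
        if (-not $byTail.ContainsKey($tail)) { $byTail[$tail] = @() }
        $byTail[$tail] += $h
    }
    $cracked = @()
    foreach ($word in $Wordlist) {
        foreach ($candidate in Expand-Candidates $word) {
            if ($MaxLength -gt 0 -and $candidate.Length -gt $MaxLength) { continue }
            $hash = Get-Sha1Hex $candidate
            $tail = $hash.Substring(5)
            if (-not $byTail.ContainsKey($tail)) { continue }
            foreach ($target in $byTail[$tail]) {
                # An intact hash must match in full; a zeroed one can only match on the tail.
                if ($target -eq $hash -or $target.StartsWith('00000')) {
                    $cracked += [pscustomobject]@{ Hash = $target; Password = $candidate }
                }
            }
        }
    }
    return $cracked
}

# Constructed targets: hashed here from known plaintexts for the demo, with the
# first and last zeroed the way the leaked file was. In real use only the hashes
# are known.
$plain   = 'Password1', '123456', 'monkey!', 'dr4g0n', 'correcthorsebatterystaple'
$targets = foreach ($p in $plain) { Get-Sha1Hex $p }
$targets[0] = '00000' + $targets[0].Substring(5)
$targets[4] = '00000' + $targets[4].Substring(5)

$wordlist = 'password', '123456', 'monkey', 'dragon', 'correcthorsebatterystaple', 'letmein'

# With the 15-character cap the 25-character passphrase is skipped even though it
# is in the wordlist; lifting the cap (MaxLength 0) recovers it, as John did here.
Invoke-WordlistCheck -Hashes $targets -Wordlist $wordlist -MaxLength 15 | Format-Table -AutoSize
Invoke-WordlistCheck -Hashes $targets -Wordlist $wordlist -MaxLength 0  | Format-Table -AutoSize
```

The tail index is the important design point: because the dump zeroed a fixed prefix, indexing every target by the remaining 35 hex characters lets one SHA-1 computation per candidate serve both the intact and the zeroed entries, which is what a purpose-built "LinkedIn mode" in a cracker amounts to. The full-match requirement for intact hashes keeps a 35-character collision from being reported as a crack.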



The final result was over 3 million hashes cracked in less than 24 hours. KoreLogic has been able to crack 4.92 million in just a few days, so it seems that very few of the original passwords are safe:


I recommend using the publicity around these major breaches to remind your managers, users, friends and family about password hygiene. The following is what I try to stress, but there are certainly plenty of other good ideas on how to improve password security:

1. Never reuse passwords between web sites or systems.
2. Change your passwords as often as is reasonable.
3. Choose longer passwords, such as (complex) passphrases, to increase the difficulty of cracking.
4. Have a plan to quickly and securely change your passwords if they become compromised.
5. Consider a widely used password manager for web sites.
 
Finally, since there are no public details about how LinkedIn was compromised, it's safe to assume that they are still compromised or could be again. Take that into consideration when you are planning how to change your passwords. Even if LinkedIn takes steps to properly salt the hashes, it's not unreasonable to think that they could be quickly cracked again: a per-user salt only stops one dictionary pass from covering every user at once, and SHA-1 is fast enough that a single targeted hash still falls to the same dictionary and rules in moments. Only a deliberately slow, iterated password hash (bcrypt, scrypt or PBKDF2) materially raises the cost of each guess.

***Update 16 June 2012***
Changed the name of the function to be in line with the PowerShell way. Changed the way the password is read in to be more secure, as requested by the first comment below.


-Chris

2 comments:

  1. For those that are looking for the file, it appears to be available as a torrent: http://thepiratebay.se/torrent/7334168/Linkedin_SHA1_passwords.

    Script works as advertised, but isn't there a more secure way to handle passwords with POSH?

  2. Thanks for the link to the download and for your feedback. You are correct that there is a more secure way of handling passwords and the function has been updated per your request.

    -Chris
