Laughter is the Best Medicine

How Easy It Is To Crack Your Password, With Kevin Mitnick

Hello everyone, I’m Kevin Mitnick, and I’m
the Chief Hacking Officer at KnowBe4, and I always get questions surrounding password
management. People always asking, “How can I choose
the best password so I don’t end up compromised?” So what do I recommend is that people get
away from passwords, and start using pass phrases, or what I like to call “pass sentences”. And those pass phrases should be 25 characters
or more. I know what you’re thinking, “Wait a second,
that’s too long! 25 characters?! How am I going to possibly remember that?” Well you know what? It’s really simple. How about a simple sentence, is “I went
to the beach today and swam in cold water.” Right? Something that’s so easy to remember, but
so hard for an attacker to crack. Now, you can make it a little bit more complex,
and misspell one of the words in the sentence. And by all means you always want to use multi-factor
authentication, so when you’re accessing cloud-based applications or websites, any of those websites
that allow you to do so, always enable multi-factor authentication. And what I recommend is using something like
a Yubikey that uses FIDO technologies. The other thing you need to do, is actually
choose another pass phrase for your password manager. And a password manager allows you to manage
the rest of your credentials, so you choose a master password to unlock the password manager,
and the password manager takes care of the rest. So what are the common password managers out
there well there’s OnePassword, that’s one of my favorites. LastPass and KeePass. And you could actually configure these password
managers to randomly create, for example, 15-character passwords. Like if you’re using sites that allow you
to use anything over 15 characters, you could actually configure your password manager to
do that for you. So, let me show you how easy it is for a for
a threat adversary to crack your passwords. Now ordinarily, what a what an attacker is
going to do is they’re gonna break into your company, and they’re gonna get to Active Directory,
and they’re going to extract all the password hashes for your users, and then they’re gonna
crack those offline. Okay, so let me actually show you how that
works! So I’m going over here to this website that
allows me to generate random words, right? So we’re gonna pick words that are 14 characters
long. Right here I put in 14. I’m going to hit “Generate”. So this — all this is doing is generating
a word list, ‘cause I just want to pick a random word, so all I’ll just uhh – I’ll
pick something long, “quadrilateral,” right? So I’m gonna pick that word, and I’m gonna
plug this into a different website, a different web form, that allows me to convert this word
to “leet-speak” right? So instead of, you know, an “I” it might
be a “1,” or instead of an “O” it might be a “zero”. I’ll show you what happens when we do so. So let’s pick a random number. Well what’s the date, today? Let me go over to the date. It’s September 12th, so I’m going to go ahead
and stick in a “12”. And then let’s pick two symbols, two random
symbols, we could use a star, we could use a dollar sign. So then what we’re going to do, is take this
string here, this word, two numbers, and two symbols, and we’re going to convert it to
leet-speak. And here we go, and if you take a look here. Right here, this actually looks quite complicated
– complex! You wouldn’t think that an attacker could
crack that password, if that is the password you’re using to log into your computer! But what the truth of the matter is, an attacker
can do so quite easily. So let me actually show you how that works. So, I’m going to copy the password. I’m gonna go over to my password cracker,
and I’m using 8 GTX GPUs, so I get billions of password tries a second, with Windows NTLM
hashes. That’s in the BILLIONS, not the millions,
the billions. So what I’m going to do, is run my program. I’m gonna put in the leet-speak credential,
that looks like complete gibberish. I’m gonna hit enter, and then what my program
does is it generates here an NTLM hash. Because Windows doesn’t store your plaintext
password in the operating system, it stores the NTLM hash, in Active Directory, and in
in the operating system. So what I’m going to do, is I’m going to hit
Enter to continue. And there’s going to be a little bit of a
pause because my — my cracker has to actually start up, so let me hit Enter. And as you can see here, we have the 8 Geforce
GTX 1080 cards, so we get an extremely fast rate of password cracking. And it started, so I’ve been get a status,
and as you can see here I’m getting quite a bit of password tries a second, Wow! It already finished! So it literally took under a minute. We started at 03:48:22, and we ended at 03:48:53. And we’re able to crack that password hash,
with my eight GPU cracker. So again, how are you gonna protect yourself
against a threat adversary cracking your password? Stop using passwords! Start using pass phrases, 25 characters or
more, a sentence with spaces. So it’s extremely easy for you to remember,
if you want to make it a little bit more difficult, you could always misspell one of the words
in the sentence. Always use multi-factor authentication wherever
you possibly can. And remember, if you have a very complex password,
you can’t stop malware (malicious software) from intercepting your password with a keylogger. You also can’t stop a sophisticated hacker
from a spear-phishing campaign. What you have to do is use KnowBe4’s new
Security Awareness Training and simulated phishing, to mitigate that type of attack. So please stay safe out there, start using
pass phrases instead of passwords, thank you so much!

Leave a Reply

Your email address will not be published. Required fields are marked *