“Elcomsoft Distributed Password Recovery 3.40 now supports four major password manager apps including 1Password, KeePass, LastPass and Dashlane. The tool allows experts attacking a single master password and gaining access to the content of the encrypted vault, exposing any passwords, authentication credentials and other sensitive information (identity documents, credit card data etc.)”

The debate is on going about the legitimacy of the article many saying ElmcomSoft is spreading FUD and cheesy marketing. Open source project, Hashcat, has supported cracking of all the those password managers listed except Dashlane for a while now. The length of time to crack said password managers, if you are using a long enough password or passphrase, would make cracking not feasible. Especially a program such KeePass, the key transformation iteration count would greatly effect the speed of brute force attack.

In the comments of their article one of the developers of 1Password had this to say:

It would still take a number of months/days/years to crack most password managers, the use of password managers can increase overall security by relieving users from having to memorize a number of passwords. So keep on using yours as long as you have a good password/passphrase, keep your computer updated, and dont click shit, you shouldn’t be too worried anytime soon.

Filippo lost his OpenBSD Full Disk Encryption password and is taking the time to figure out a way to extract and bruteforce the password, it’s currently a work in progress but a great way to learn.

Source: https://blog.filippo.io/so-i-lost-my-openbsd-fde-password/

GitHub: https://github.com/FiloSottile/openbsd-fde-crack

The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever.
The passwords were originally hashed with the SHA1 algorithm, which is known to be weak and easy to crack, and they were not salted. “Salting” makes decrypting passwords exponentially harder when dealing with large numbers of passwords such as these.
Below are the top 55 passwords that LeakedSource cracked so far.

Rank	Password	Frequency
1	homelesspa	855,478
2	password1	585,503
3	abc123	569,825
4	123456	487,945
5	myspace1	276,915
6	123456a	244,641
7	123456789	191,016
8	a123456	165,132
9	123abc	159,700
10	(POSSIBLY INVALID)	158,462
11	qwerty1	141,110
12	passer2009	130,740
13	fuckyou1	125,302
14	iloveyou1	123,668
15	princess1	114,107
16	12345a	111,818
17	monkey1	106,424
18	football1	101,149
19	babygirl1	90,685
20	love123	88,756
21	a12345	85,874
22	iloveyou	85,001
23	jordan23	81,028
24	hello1	80,218
25	jesus1	78,075
26	bitch1	78,015
27	password	77,913
28	iloveyou2	76,970
29	michael1	75,878
30	soccer1	74,926
31	blink182	73,145
32	29rsavoy	71,551
33	123qwe	70,476
34	angel1	70,271
35	myspace	69,019
36	fuckyou2	68,995
37	jessica1	67,644
38	number1	65,976
39	baseball1	65,400
40	asshole1	63,078
41	1234567890	62,855
42	ashley1	62,611
43	anthony1	62,295
44	money1	61,639
45	asdasd5	60,810
46	123456789a	60,441
47	superman1	59,565
48	sunshine1	57,522
49	nicole1	56,039
50	password2	55,754
51	charlie1	54,432
52	shadow1	54,398
53	jordan1	54,004
54	1234567	51,131
55	50cent	50,719

Earlier this week passwords that were jacked from LinkedIn from 2012 were offered for sale online. What initially thought to be a theft of 6.5 million passwords has actually turned out to be a breach of 117 million passwords. The cache of stolen accounts were hashed with the recently deprecated SHA-1 algorithm. leakedsource.com was able to get their hands on the dump the passwords weren’t salted and easily cracked. Below are their results.

Rank	Password	Frequency
1	123456	753,305
2	linkedin	172,523
3	password	144,458
4	123456789	94,314
5	12345678	63,769
6	111111	57,210
7	1234567	49,652
8	sunshine	39,118
9	qwerty	37,538
10	654321	33,854
11	000000	32,490
12	password1	30,981
13	abc123	30,398
14	charlie	28,049
15	linked	25,334
16	maggie	23,892
17	michael	23,075
18	666666	22,888
19	princess	22,122
20	123123	21,826
21	iloveyou	20,251
22	1234567890	19,575
23	Linkedin1	19,441
24	daniel	19,184
25	bailey	18,805
26	welcome	18,504
27	buster	18,395
28	Passw0rd	18,208
29	baseball	17,858
30	shadow	17,781
31	121212	17,134
32	hannah	17,040
33	monkey	16,958
34	thomas	16,789
35	summer	16,652
36	george	16,620
37	harley	16,275
38	222222	16,165
39	jessica	16,088
40	ginger	16,040
41	michelle	16,024
42	abcdef	15,938
43	sophie	15,884
44	jordan	15,839
45	freedom	15,793
46	555555	15,664
47	tigger	15,658
48	joshua	15,628
49	pepper	15,610

Lastpass team discovered suspicious activity on their network 6/12. In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses. Although they harden your authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, you should change your password and add some multifactor authentication to be on the safe side.

Despite the rigor of the LastPass hashing regimen, the job of cracking a single hash belonging to a specific, targeted individual would be considerably less difficult and potentially within the ability of determined attackers, especially if the underlying password is weak. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse. The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash.

If you are using an easily guessed dictionary based password as described by Errata Security you should change your password. Although on a NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10,000 guesses per second for a single password hash using the password algorithm:
PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)

rounds = user_rounds || 5000 // the iteration count is user-defined. default is 5k
encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this unlocks your vault
auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // what’s stored in the auth db

Security firm Praetorian analyzed 34 million passwords that were jacked from the LinkedIn, eHarmony and Rockyou breaches, and found that 50% of all the passwords followed 13 basic structures. Over 20 million passwords in the sample have a structure within the top 13 masks. This lack of entropy makes it possible to use statistical analysis to make cracking faster and more effective. Part of the problem is with the websites themselves, as they just require one upper case letter or number. The result is that many sites falsely mark passwords as “strong” that could be cracked in a matter of minutes.

Source: http://www.praetorian.com/blog/statistics-will-crack-your-password-mask-structure

DPAPIck is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API). The tool was updated to support Windows versions all the way to 8.1.

list of recoverable secrets are :

• EFS certificates
• MSN Messenger credentials
• Internet Explorer form passwords
• Outlook passwords
• Google Talk credentials
• Google Chrome form passwords
• Wireless network keys (WEP key and WPA-PMK)
• Skype credentials

Src: dpapick.com

Bernardo Damele compiled a list of password dumping tool into a google spreadsheet:

https://docs.google.com/spreadsheet/ccc?key=0Ak-eXPencMnydGhwR1VvamhlNEljVHlJdVkxZ2RIaWc#gid=0

The rankings were created by SplashData who compiled from files containing millions of stolen passwords posted online by hackers in 2012 and ranked them in order of popularity. It’s all similar to year’s past but we’ve got some new additions at the end of the list in Jesus and password1. The company advises consumers or businesses using any of the passwords on the list to change them immediately.

“Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets,” Slain said. “Just a little bit more effort in choosing better passwords will go a long way toward making you safer online.”

 

Here’s the full list: (more…)

When you type a password into your webbrowsers, they are often hidden behind bullets or asterisks, which is fine when you know the password, but if you can’t remember and it’s being filled in automatically, you have to look in the browser options or use a 3rd party utility to reveal it. We covered a way to use it using a simple javascript back in 2008. Here’s a simple way to reveal the password using built-in functionality of the browser developer tools. We’re going to show you how to do it on Firefox 12 and Internet Explorer 9. This is also tested and working in Google Chrome 18 and Opera 11.
(more…)