changeset 99 | 77125c0496e6 |
parent 98 | 3d585e603927 |
child 100 | 62b66cb088f6 |
1017 \mode<presentation>{ |
1017 \mode<presentation>{ |
1018 \begin{frame}[c] |
1018 \begin{frame}[c] |
1019 \frametitle{\begin{tabular}{c}Unix Passwords\end{tabular}} |
1019 \frametitle{\begin{tabular}{c}Unix Passwords\end{tabular}} |
1020 |
1020 |
1021 \begin{itemize} |
1021 \begin{itemize} |
1022 \item passwords are \alert{\bf not} stored in clear text |
1022 \item passwords must \alert{\bf not} be stored in clear text |
1023 \item instead \texttt{/etc/shadow} contains |
1023 \item instead \texttt{/etc/shadow} contains |
1024 \end{itemize} |
1024 \end{itemize} |
1025 |
1025 |
1026 {\small |
1026 {\small |
1027 \texttt{name:\$1\$QIGCa\$/ruJs8AvmrknzKTzM2TYE.:other\_info} |
1027 \texttt{name:\$1\$QIGCa\$/ruJs8AvmrknzKTzM2TYE.:other\_info} |
1041 % http://ubuntuforums.org/showthread.php?p=5318038 |
1041 % http://ubuntuforums.org/showthread.php?p=5318038 |
1042 |
1042 |
1043 \end{frame}} |
1043 \end{frame}} |
1044 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1044 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1045 |
1045 |
1046 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1047 \mode<presentation>{ |
|
1048 \begin{frame}[c] |
|
1049 \frametitle{\begin{tabular}{@ {}c@ {}}Plain-Text Passwords\end{tabular}} |
|
1050 |
|
1051 \pause |
|
1052 \small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:} |
|
1053 |
|
1054 |
|
1055 \begin{itemize} |
|
1056 \item IEEE is a standards organisation (not-for-profit) |
|
1057 \item many standards in CS are by IEEE\medskip |
|
1058 \item 100k plain-text passwords were recorded in logs |
|
1059 \item the logs were openly accessible on their FTP server |
|
1060 \end{itemize}\bigskip |
|
1061 |
|
1062 \begin{flushright}\small |
|
1063 \textcolor{gray}{\url{http://ieeelog.com}} |
|
1064 \end{flushright} |
|
1065 |
|
1066 \only<3->{ |
|
1067 \begin{textblock}{11}(3,2) |
|
1068 \begin{tikzpicture} |
|
1069 \draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm] |
|
1070 {\normalsize\color{darkgray} |
|
1071 \begin{minipage}{7.5cm}\raggedright\small |
|
1072 \includegraphics[scale=0.6]{pics/IEEElog.jpg} |
|
1073 \end{minipage}}; |
|
1074 \end{tikzpicture} |
|
1075 \end{textblock}} |
|
1076 |
|
1077 \end{frame}} |
|
1078 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1079 |
|
1080 |
|
1081 |
|
1082 |
|
1046 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1083 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1047 \mode<presentation>{ |
1084 \mode<presentation>{ |
1048 \begin{frame}[c] |
1085 \begin{frame}[c] |
1049 \frametitle{\begin{tabular}{c}Password Blunders\end{tabular}} |
1086 \frametitle{\begin{tabular}{c}Other Password Blunders\end{tabular}} |
1050 |
1087 |
1051 |
1088 |
1052 \begin{itemize} |
1089 \begin{itemize} |
1053 \item in late 2009, when an SQL injection attack against online games |
1090 \item in late 2009, when an SQL injection attack against online games |
1054 service RockYou.com exposed 32 million \alert{plaintext} passwords |
1091 service RockYou.com exposed 32 million \alert{plaintext} passwords |
1060 % linkedIn password |
1097 % linkedIn password |
1061 % http://erratasec.blogspot.co.uk/2012/06/confirmed-linkedin-6mil-password-dump.html |
1098 % http://erratasec.blogspot.co.uk/2012/06/confirmed-linkedin-6mil-password-dump.html |
1062 \end{itemize}\medskip |
1099 \end{itemize}\medskip |
1063 |
1100 |
1064 \small |
1101 \small |
1065 Web user maintains 25 separate accounts but uses just 6.5 passwords |
1102 (web user maintains 25 separate accounts but uses just 6.5 passwords.) |
1066 |
1103 |
1067 \end{frame}} |
1104 \end{frame}} |
1068 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1105 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1069 |
1106 |
1070 %For instance, SHA512crypt, which is included in Mac OS X and most Unix-based operating systems, passes text through 5,000 iterations, a %hurdle that would have limited Gosney to slightly less than 2,600 guesses per second. The Bcrypt algorithm is even more computationally %expensive, in large part because it subjects text to multiple iterations of the Blowfish cipher that was deliberately modified to increase the %time required to generate a hash. PBKDF2, a function built into Microsoft's .Net software developer framework, offers similar benefits. |
1107 %For instance, SHA512crypt, which is included in Mac OS X and most Unix-based operating systems, passes text through 5,000 iterations, a %hurdle that would have limited Gosney to slightly less than 2,600 guesses per second. The Bcrypt algorithm is even more computationally %expensive, in large part because it subjects text to multiple iterations of the Blowfish cipher that was deliberately modified to increase the %time required to generate a hash. PBKDF2, a function built into Microsoft's .Net software developer framework, offers similar benefits. |