
Cracking More Password Hashes With Patterns

This document proposes a new method for cracking password hashes by analyzing leaked passwords to identify common patterns used to generate strong passwords. The method develops a software tool called pbp-generator that implements these patterns to generate over 2 billion additional passwords from an input dictionary to crack password hashes from 15 datasets. The advantages are that it could help investigators more efficiently crack passwords and provide stronger security for banking transactions.

Uploaded by

VPLAN INFOTECH

CRACKING MORE PASSWORD HASHES WITH PATTERNS

NAME :
ENROLL NO:
INTRODUCTION

• Authentication is one of the most important requirements for information security. There
exist various methods for authentication based on what we know (e.g. passwords, PINs),
what we have (e.g. security hardware tokens) and who we are (e.g. biometric
fingerprints).
• Among the existing methods, password-based systems are easier to implement and
therefore the most frequently used method for authentication. Being very critical for
security, passwords are often targeted during cyber-attacks as well.
• An attacker who hacks a system and reveals user passwords stored within the database
gets unauthorized access to the accounts of all users.
HARDWARE AND SOFTWARE USED
HARDWARE SPECIFICATION

• System : Intel i3 Core Processor
• Hard Disk : 500 GB
• RAM : 4 GB

SOFTWARE SPECIFICATION:

• Operating system : Windows 8
• Coding language : Java, Visual Studio .NET


EXISTING SYSTEM:

• In the existing methods, password-based systems are easier to implement and therefore the
most frequently used method for authentication. Being very critical for security, passwords are
often targeted during cyber-attacks as well. An attacker who hacks a system and reveals user
passwords stored within the database gets unauthorized access to the accounts of all users. In the past,
many enterprise companies and organizations were victims of such attacks.

• Attackers frequently use SQL injection vulnerabilities that exist within applications in order
to access database tables. They send arbitrary SQL queries to retrieve passwords and other sensitive
data from tables and to manipulate stored data, even by using automated tools such as sqlmap or
Havij.
DISADVANTAGES:

• Brute Force: The most time-consuming type of attack is a brute-force attack, which tries
every possible combination of uppercase and lowercase letters, numbers, and symbols.

• Wire Sniffing: The majority of sniffer tools are ideally suited to sniffing data in a hub
environment. These tools are also known as passive sniffers, as they passively wait for data to be
sent before capturing the information. User account passwords are commonly hashed or encrypted
when sent on the network to prevent unauthorized access and use. In such cases, the attacker uses
special tools to crack the password.
PROPOSED SYSTEM:

• We propose a new method for increasing the success rates of dictionary attacks. For our method, we
analyzed leaked real-life user passwords and identified several patterns which are commonly chosen by
many users to create a complex and strong password from a dictionary word. We developed a software
tool, namely pbp-generator (pattern-based password generator), that implements our identified patterns
and creates a new, large pattern-based dictionary file from a given dictionary file. We generated a
pattern-based dictionary file with ca. 2.3 billion passwords to crack password hashes belonging to
fifteen different datasets which consist of real-life leaked password hashes.
ADVANTAGES:

• Our pattern-based method would help forensic investigators crack passwords more efficiently.
• Our proposed method can be used in banking transactions for high password security.
• This method provides protection against online guessing attacks and related denial-of-service
attacks, including attacks by ex-users, and other security benefits.

SYSTEM ARCHITECTURE

[Flowchart: Start; Home; New Register (Yes/No); Login; Admin Login; Upload Images; Register Information; Select Image Password; Drag and Drop Select Image Password; Login Select Image Password; Login Drag and Drop Select Image Password; Welcome SBI Bank; Exit; Stop]
DATA FLOW DIAGRAM
LEVEL 0:

[Data flow diagram: Register / Login; Login with Username & Password; Register with Image Type & Select Image; Password Hashes with Patterns; Drag & Drop the Selected Image Position as Password; Admin; Uploading Images with Category type; View Registered User Details; Stores the User Info & Password Pattern; Database]

LEVEL 1:

[Data flow diagram: Admin Login; Login Successful; Incorrect Username Password; Type the Category of Image; Upload Images; Save Uploaded Images; Stores Images in Database; Database; View User Details; View Registered User Details]

LEVEL 2:

[Data flow diagram: User Register; Register with Type & Image; Login with Correct Type of Image; Drag & Drop the Image; Position of Image will Display; Drag & Drop the Correct Position; Checks from Database; Registered Database; Login Successful]
UML DIAGRAM:
CLASS DIAGRAM:

[Class diagram: Upload Images; Register Information; Select Image Password; Drag and Drop Select Image Password (attributes imagename, username, imagevalue, Drag_value, Select_value; method Drag_and_drop_password())]
USE CASE DIAGRAM:

[Use case diagram: actors Admin and User; use cases Upload Image, Register Information, Select Image Password, Drag and Drop Select Image Password, Login Select Image Password, Login Drag and Drop Select Image Password, Welcome SBI Bank]

SAMPLE SCREENS
LOGIN PAGE:
ABOUT PAGE:
ADMIN LOGIN:
ADMIN UPLOADING FILE:
SELECTING TYPE OF THE IMAGE:
UPLOADED IMAGES:
NEW REGISTRATION:
SELECTING IMAGE AS PASSWORD:
SELECTED IMAGE WILL GET DISPLAYED:
ONLINE TRANSACTION:
AFTER TRANSACTION ACCOUNT DETAILS:
CONCLUSION

• In our paper, we showed that frequently used patterns can be identified and misused to generate pattern-based password
dictionaries. These common patterns can afterward be exploited to crack more password hashes compared with
traditional dictionary attacks. In order to identify common password patterns, we performed both manual and
automated analysis on a large set of leaked real-life passwords of the rockyou.com gaming portal. After identifying the
patterns, we developed a software tool, namely the pbp-generator, which creates many pattern-based passwords from
a given traditional dictionary. We utilized the generated pattern-based dictionary to perform cracking tests against
real-life leaked password hashes from 15 different datasets. According to the test results, we could crack many more
password hashes with pattern dictionaries, including hashes which cannot be cracked by using the RockYou password list.
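The following is an added example, not code from the slides or from pbp-generator. It shows the defender's side of the method described in the proposed system and summarised in the conclusion: a registration-time password screen that undoes a few mangling patterns and rejects the password if a dictionary word remains. The slides do not list their patterns, so the three used here (digit/symbol affixes, case changes, character substitutions), the sample dictionary and the function names are assumptions.

```python
import re

# Constructed sample dictionary; the input dictionary used on the slides is not shown.
DICTIONARY = {"password", "dragon", "monkey", "sunshine", "welcome"}

# Assumed patterns (the slides do not enumerate theirs):
# 1. digits/symbols added before or after the word
LEADING = re.compile(r"^[\d\W_]+")
TRAILING = re.compile(r"[\d\W_]+$")
# 2. look-alike character substitutions
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
# 3. case changes, undone with str.lower()


def explain_pattern(password, dictionary=DICTIONARY):
    """Return (base_word, patterns) if the password reduces to a
    dictionary word under the assumed patterns, otherwise None."""
    candidates = [(password, [])]
    trimmed = LEADING.sub("", TRAILING.sub("", password))
    if trimmed and trimmed != password:
        candidates.append((trimmed, ["digit/symbol affix"]))
    for text, patterns in candidates:
        found = list(patterns)
        lowered = text.lower()
        if lowered != text:
            found.append("case change")
        decoded = lowered.translate(LEET)
        for form, extra in ((lowered, []), (decoded, ["character substitution"])):
            if form in dictionary:
                return form, found + extra
    return None


def screen(passwords, dictionary=DICTIONARY):
    """Map each rejected password to the word and patterns behind it."""
    results = {p: explain_pattern(p, dictionary) for p in passwords}
    return {p: r for p, r in results.items() if r is not None}


if __name__ == "__main__":
    # Constructed inputs for illustration.
    samples = ["P@ssw0rd123!", "Dragon2015", "welcom3", "kT9#vLq2xZ"]
    for pw, (word, pats) in screen(samples).items():
        print(f"{pw!r}: '{word}' + {pats or ['no change']}")
```

A password that passes a length and character-class policy can still be rejected here, which is the weakness the pattern-based dictionaries rely on.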
•THANK YOU
