Archive for the ‘Passwords & Human Factor’ category

Why wasting time recovering passwords instead of just breaking in? Why can we crack some passwords but still have to recover the others? Not all types of protection are equal. There are multiple types of password protection, all having their legitimate use cases. In this article, we’ll explain the differences between the many types of password protection.

The password locks access

In this scenario, the password is the lock. The actual data is either not encrypted at all or is encrypted with some other credentials that do not depend on the password.

  • Data: Unencrypted
  • Password: Unknown
  • Data access: Instant, password can be bypassed, removed or reset

A good example of such protection would be older Android smartphones using the legacy Full Disk Encryption without Secure Startup. For such devices, the device passcode merely locks access to the user interface; by the time the system asks for the password, the data is already decrypted using hardware credentials and the password (please don’t laugh) ‘default_password’. All passwords protecting certain features of a document without encrypting its content (such as the “password to edit” when you can already view, or “password to copy”, or “password to print”) also belong to this category.

A good counter-example would be modern Android smartphones using File-Based Encryption, or all Apple iOS devices. For these devices, the passcode (user input) is an important part of data protection. The actual data encryption key is not stored anywhere on the device. Instead, the key is generated when the user first enters their passcode after the device starts up or reboots.

Users can lock access to certain features in PDF files and Microsoft Office documents, disabling the ability to print or edit the whole document or some parts of the document. Such passwords can be removed easily with Advanced Office Password Recovery (Microsoft Office documents) or Advanced PDF Password Recovery (PDF files).

(more…)

In Apple’s land, losing your Apple Account password is not a big deal. If you’d lost your password, there could be a number of options to reinstate access to your account. If your account is not using Two-Factor Authentication, you could answer security questions to quickly reset your password, or use iForgot to reinstate access to your account. If you switched on Two-Factor Authentication to protect your Apple Account, you (or anyone else who knows your device passcode and has physical access to one of your Apple devices) can easily change the password; literally in a matter of seconds.

But what if you do know your password and your passcode but lost access to the only physical iOS device using your Apple ID and your SIM card at the same time? This could easily happen if you travel abroad and your phone is stolen together with the SIM card. There could be an even worse situation if your trusted phone number is no longer available (if, for example, you switched carrier or used a prepaid line and that line has expired).

It’s particularly interesting if you have a child under the age of 13 registered in your Family Sharing, and the child loses their only iOS device (at that age, they are likely to have just one) and their phone number (at that age, they are likely to use prepaid service). So let us explore what happens to your Apple Account if you lose access to your secondary authentication factor, and compare the process of regaining control over your account in Apple and Google ecosystems. (more…)

The boom in personal electronic devices recording literally every persons’ step introduced a new type of forensic evidence: the digital evidence. In this day and age, significantly more forensic evidence is available in digital form compared to physical evidence of yesteryear. Are law enforcement and intelligence agencies ready to handle the abundance of digital evidence? And more importantly, do frontline officers have the skills and technical expertise required to handle and preserve this wealth of information?

Digital forensic evidence is a major challenge today, and will become even more of a challenge tomorrow. Crypto currencies and the dark net created an effective shield for criminals committing online fraud and extorting ransom, trafficking drugs and human beings, supporting and financing international terrorism.

Digital evidence that lands on end user devices is also well shielded from investigation efforts. The unilateral push for hardware-backed secure encryption by major vendors of mobile operating systems (Google and Apple) covers criminals with almost unbreakable protection, building a wall around digital evidence that could be vital for investigations. (more…)

GPU acceleration is the thing when you need to break a password. Whether you use brute force, a dictionary of common words or a highly customized dictionary comprised of the user’s existed passwords pulled from their Web browser, extracted from their smartphone or downloaded from the cloud, sheer performance is what you need to make the job done in reasonable time.

Making use of the GPU cores of today’s high-performance video cards is not something one can ignore. A single video card such as an NVIDIA GTX 1080 offers 50 to 400 times the performance of a high-end, multi-core Intel CPU on some specific tasks – which include calculations of cryptographic operations required to break encryption and brute-force passwords. The benefits are very real:

But what if you don’t have immediate access to a computer with a dedicated high-end video card? What if you are working in the field and using a laptop with its video output handled by Intel’s built-in graphic chip?

We have good news for you: you can use that built-in Intel chip to speed up password attacks. Granted, a power-sipping Intel chip won’t give you as much performance as a dedicated board dissipating 200W of heat, but that extra performance will literally cost you nothing. Besides, many ElcomSoft tools such as Elcomsoft Distributed Password Recovery will simply add that extra GPU chip to the list of available hardware resources, effectively squeezing the last bit of performance from your PC. (more…)

Thanks to its presence on Windows and Mac computers, iPhones and Android smartphones (on which it enjoys the default browser status), Google Chrome is the world’s most popular Web browser. In this article you’ll find a comprehensive guide on how to extract Google Chrome passwords from local computers and Google Account. We’ll also cover some common and some little known scenarios helping examiners put extracted passwords to good use – such as decrypting external NAS storage, unlocking BitLocker drives and attacking strong passwords. Let’s find out how to obtain Google Chrome passwords from multiple local and cloud sources such as the user’s Mac or Windows computer and their Google account.

Did you know you might be able to use Chrome passwords to decrypt BitLocker drives, download iCloud backups, break strong encryption or access the user’s comprehensive location history? Scroll down to Case Studies to find out how!

Extracting Chrome Passwords Instantly from a Local Computer (Windows)

For extracting Chrome passwords from a Windows computer, we’ll use Elcomsoft Internet Password Breaker (EINPB). Note that the extraction works on a live system only; you must be logged in under the user account whose passwords you are about to extract.

Why does one need to perform the extraction on a live system, with the user being logged on? The reason lies in Windows protection mechanisms. While it is technically possible to extract passwords from an offline system or disk image, the required encryption keys are difficult to access and extract if the user is not logged in. (more…)

iOS forensics is always a lot of fun. Say, you’ve got an iPhone of a recent generation. It’s locked, you are blank about the passcode, and the worst part is it’s more than just the four proverbial digits (the last iOS defaults to six). And you don’t have their computer, and there is not an iCloud account either. A horror story where no one, even us, can do anything about it.

However, the reality has far more than 50 shades of (insert you favorite color). Almost every case is unique. Over 1.2 billion iPhones are sold to date, and they tend to show up in every other investigation. The iPhone is the ultimate source of evidence, no doubt.

(more…)

According to surveys, the average English-speaking consumer maintains around 27 online accounts. Memorizing 27 unique, cryptographically secure passwords is nearly impossible for a person one could reasonably call “average”. As a result, the average person tends to reuse passwords, which means that a single password (or its simple variations) can be used to protect multiple online accounts and services. The same passwords are very likely to be chosen to protect access to offline resources such as encrypted archives and documents. In fact, several independent researches published between 2012 and 2016 suggest that between 59 and 61 per cent of consumers reuse passwords.

Considering how consistent the numbers are between multiple researches carried out over the course of four years, we can safely assume that around 60% of consumers reuse their passwords. How can this data help us break passwords, and how did we arrive to the value of 70% in the title? Read along to find out! (more…)

This article opens a new series dedicated to breaking passwords. It’s no secret that simply getting a good password recovery tool is not enough to successfully break a given password. Brute-force attacks are inefficient for modern formats (e.g. encrypted Office 2013 documents), while using general dictionaries can still be too much for speedy attacks and too little to actually work. In this article, we’ll discuss the first of the two relatively unknown vectors of attack that can potentially break 30 to 70 per cent of real-world passwords in a matter of minutes. The second method will be described in the follow-up article. (more…)

Legal Disclaimer

The information provided in this article is strictly for educational purposes. Therefore, you confirm that you are not going to use it to break into someone else’s Apple account. If you wish to apply ideas described in this article, you are taking full responsibility for your actions.

Non-Legal Disclaimer

Just relax. It’s not like we’re giving away tips on how to download celebrities’ photos or hack the prime minister’s iPhone.

(more…)

A Practical Guide for the Rest of Us

How many passwords does an average Joe or Jane has to remember? Obviously, it’s not just one or two. Security requirements vary among online services, accounts and applications, allowing (or disallowing) certain passwords. Seven years ago, Microsoft determined in a study that an average user  had 6.5 Web passwords, each of which is shared across about four different websites. They’ve also determined that, back then, each user had about 25 accounts that required passwords, and typed an average of 8 passwords per day.

If i got a penny every time i forgot my pwd, I'd be a millionaire

It didn’t change much in 2012. Another study determined that an average person has 26 online accounts, but uses only five passwords to keep them secure, typing about 10 passwords per day. CSID has a decent report on password usage among American consumers, discovering that as many as 54% consumers have five or less passwords, while another 28% reported using 6 to 10 passwords. Only 18% had more than 10 passwords. 61% of all questioned happily reuse their passwords over and over.

This obviously indicates a huge risk, making all these people susceptible to attacks on their passwords. Why do we have this situation, and what should one do to keep one’s life secure against hacker attacks? Let’s try to find out.

Passwords: Plagued with Problems

Passwords are the most common way of securing the many aspects of our lives. However, password-based protection is plagued with problems. Let’s have a look at why passwords are less than perfect when it comes to security. (more…)