Token authentication for Gmail using a eZ430 Chronos watch

Two-factor authentication allows you to use your chosen password, as well as a one-time password to help keep your services secure. The one-time passwords traditionally come from a dedicated piece of hardware, but there are also solutions for smart phones. [Patrick Schaumont] shows how a TI eZ430 Chronos Watch can be used to generate authentication tokens. After walking through the process he uses it to beef up his gmail login.

This method of token authentication is often called Time-based One Time Passwords (TOTP). It’s part of the Open Authentication (OATH) initiative, which seeks to sort out the password-hell that is modern computing. A portable device generates a password by applying an algorithm and a private encryption key to an accuarte time-stamp. On the server side of things a public key is used to verify the one-time password entered based on the server’s own time-stamp. In this case the portable device is the Chronos watch and the server is Google’s own TOTP service.

You can do this with other simple microcontrollers, we’ve even seen an Arduino implementation. But the wrist-watch form factor seen here is by far the most convenient — as long as you always remember to wear the watch.

[Thanks Oxide]

Investigating the strength of the 4-digit PIN

If we wanted to take a look at the statistics behind 4-digit pin numbers how could we do such a thing? After all, it’s not like people are just going to tell you the code they like to use. It turns out the databases of leaked passwords that have been floating around the Internet are the perfect source for a little study like this one. One such source was filtered for passwords that were exactly four digits long and contained only numbers. The result was a set of 3.4 million PIN numbers which were analysed for statistical patterns.

As the cliché movie joke tells us, 1234 is by far the most commonly used PIN to tune of 10% (*facepalm*). That’s followed relatively closely by 1111. But if plain old frequency were as deep as this look went it would make for boring reading. You’ll want to keep going with this article, which then looks into issues like ease of entry; 2580 is straight down the center of a telephone keypad. Dates are also very common, which greatly limits what the first and last pair of the PIN combination might be.

We’ll leave you with this nugget: Over 25% of all PINs are made of just 20 different number (at least from this data set).

[Thanks Awjlogan]

Time-based One-Time Passwords with an Arduino

Get your feet wet with Time-based One-Time Password (TOTP) security by building your own Arduino OATH system. OATH is an open standard authentication system that provides a platform to generate tokens, making your login more secure than a password alone would.

The TOTP approach is what is used with many companies that issue hardware-based dongles for logging in remotely. This security may have been compromised but it’s still better than passwords alone. Plus, if you’re building it around an Arduino we’d bet you’re just trying to learn and not actually responsible for protecting industrial or state secrets.

The hardware setup requires nothing more than the Arduino board with one button and a screen as a user interface. Since the board has a crystal oscillator it keeps fairly accurate time (as long as it remains powered). It will push out a new token every thirty seconds. The video after the break shows that the Arduino-calculated value does indeed match what the test box is displaying.

[Read more...]

Brute forcing the password on a terribly insecure hard drive

While at work one day, [Marco] was approached by a colleague holding a portable USB hard drive. This hard drive – a Freecom ToughDrive – has a built-in security system requiring a password every time the drive is mounted. Somewhat predictably, the password on this hard drive had been lost, so [Marco] brute forced the password out of this drive.

The Freecom ToughDrive requires a password whenever the drive is plugged in, but only allows 5 attempts before it needs to be power cycled. Entering the passwords was easy to automate, but there was still the issue of unplugging the drive after five failed attempts. [Marco] called upon his friend [Alex] to build a small USB extension cable with a relay inserted into the 5 V line. An easy enough solution after which the only thing needed was the time to crack the password.

The rig successfully guessed the password after 500 attempts, or after cycling the power 100 times. This number is incredibly low for getting a password via brute force, but then again the owner of the hard drive was somewhat predictable as to what passwords they used.

Brute force a password protected PDF using the BeagleBone

The biggest benefit to using the BeagleBone is it’s 700 MHz ARM processor. If you’re just messing around with basic I/O that power is going unused, but [Nuno Alves] is taking advantage of its power. He built a PDF password cracker based on the $85 development board.

We recently saw how easy it is to perform basic I/O using the BeagleBone. Those techniques are in play here, used to drive a character LCD and sample a button input from the breadboard circuit. [Nuno] even published separate posts for each of these peripheral features.

The password protected PDF file is passed to the device on a thumb drive. Since the BeagleBone is running embedded Linux you don’t need to mess around with figuring out how to read from the device. A click of the button starts the process. Currently the code just uses a brute force attack which can test more than 6000 four-character passwords per second.  This is quite slow for any password more than four or five characters long, but [Nuno] does mention the possibility of running several ARM processors in parallel, or using a dictionary (or rainbow table) to speed things up. Either way it’s an interesting project to try on the hardware. You can see his video demo of the device after the break.

[Read more...]

USB dongle generates and enters your passwords so you don’t have to

usb-password-dongle

Like many businesses out there, [Joonas Pihlajamaa’s] employer requires him to change his password every few months. Instead of coming up with a complex, yet easy to remember password again and again, he built a small USB device to do the work for him.

He dismantled an old USB memory stick, fitting it with an ATtiny85 with its required components on a small piece of perfboard. Using the knowledge he gleaned from his previous USB HID tinkering, he programmed the ATtiny to act as a USB keyboard which enters his password for him whenever he plugs it in.

The USB dongle not only types his password in for him, it can generate a new password with a few simple keystrokes whenever he desires. Obviously it merely takes someone getting their hands on his USB stick to compromise security, but it does beat a Post-It under the keyboard any day.

Continue reading to see a short video of his USB password dongle in action, and be sure to swing by his site for more details on how it was all put together.

[Read more...]

GPU password cracking made easy

The power that a Graphics Processing Unit presents can be harnessed to do some dirty work when trying to crack passwords. [Vijay] took a look at some of the options out there for cracking passwords and found that utilizing the GPU produces the correct password in a fraction of the time. On a Windows machine he pitted the Cain password recovery tool which uses the CPU for its calculations against ighashgpu which uses ATI or Nvidia graphics cards to do the deed. Hands down ighashgpu is the fastest; with Cain taking about one year to crack an eight character password while ighashgpu can do it in under nineteen hours.

We were very interested to see how easy it is to use this package. We looked in on GPU cracking in September but didn’t focus on the software packages that are out there. Now that you know how easily your password can be unearthed perhaps you will get some use out of this article discussing the usability and security of longer passwords which we ran across over on Reddit.

Follow

Get every new post delivered to your Inbox.

Join 92,119 other followers