Determining an algorithm used in generating sample data

Discussion in 'Programming & Software Development' started by GrandmasBoi, Mar 5, 2020.

  1. GrandmasBoi

    GrandmasBoi Member

    Joined:
    Sep 23, 2019
    Messages:
    122
    I am doing a security audit; the system seems to generate random username/password combos. I have obtained a sample of around 200 expired login/passwords. They were quite easy to obtain and nobody seems too concerned that this list is quite openly available: "ohh, those are expired, no use to anybody".

    It is quite obvious they are all the same length and only digits! This is already weak. However, my job is to expose the biggest hole in this logic. If I can work out the algorithm behind how they are generated then the whole security would be proven useless.
    1. Old expired logins should not be easily available
    2. At least use characters + digits

    Are there any tools/ways to figure out an algorithm that was used, based on the sample data I have?

    Most likely my sample data is too small and reverse engineering an algorithm is a lot of manual work, but I have no experience with this.
     
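One concrete thing that can be tried on such a sample, as an added example (not part of the original post and not a tool mentioned in the thread): assume the codes came from a linear congruential generator x[n+1] = (a*x[n] + c) mod 10^6, solve for a and c from three consecutive values, and check the candidate against the whole list. It only works if the list is in generation order and the generator really is an LCG with that modulus; the generator parameters, seed and all three samples below are constructed for the demonstration.

```python
"""Added example: test whether an ordered list of fixed-length numeric codes
fits x[n+1] = (a*x[n] + c) % m, and recover (a, c) if it does.
All generator parameters and samples here are constructed, not from any real system."""
from math import gcd
import random
import secrets


def lcg_stream(seed, a, c, m, n):
    """Produce n outputs of the LCG x[i+1] = (a*x[i] + c) % m after `seed`."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def fit_lcg(sample, m, offset=0):
    """Try to recover (a, c) such that every consecutive pair satisfies
    y[i+1] == (a*y[i] + c) % m, with y = x - offset (offset=100000 with
    m=900000 would model codes drawn from 100000..999999).

    Three consecutive values give a = (y2-y1)*(y1-y0)^-1 mod m and then
    c = y1 - a*y0 mod m. The inverse exists only when gcd(y1-y0, m) == 1,
    so windows are tried until one is invertible. The solution is unique
    mod m, so a candidate that fails on any later pair rules the hypothesis
    out. Returns (a, c), or None if no LCG mod m fits or it cannot be decided."""
    ys = [x - offset for x in sample]
    if len(ys) < 3 or any(not 0 <= y < m for y in ys):
        return None
    for i in range(len(ys) - 2):
        y0, y1, y2 = ys[i:i + 3]
        d = (y1 - y0) % m
        if gcd(d, m) != 1:
            continue  # difference not invertible mod m, try the next window
        a = ((y2 - y1) * pow(d, -1, m)) % m
        c = (y1 - a * y0) % m
        if all((a * ys[j] + c) % m == ys[j + 1] for j in range(len(ys) - 1)):
            return a, c
        return None  # the unique candidate does not fit: not an LCG mod m
    return None  # no invertible window at all: undecidable with this sample


def demo():
    """Three constructed 200-code samples: a full-period 6-digit LCG in
    generation order, the same codes shuffled (order lost, as in a dumped
    list), and a CSPRNG control."""
    m = 10 ** 6
    a, c = 515241, 12347  # constructed; meet the Hull-Dobell conditions, period 10**6
    ordered = lcg_stream(424242, a, c, m, 200)
    shuffled = ordered[:]
    random.Random(0).shuffle(shuffled)
    control = [secrets.randbelow(m) for _ in range(200)]
    return {
        "ordered": fit_lcg(ordered, m),    # (515241, 12347): generator recovered
        "shuffled": fit_lcg(shuffled, m),  # None: generation order matters
        "control": fit_lcg(control, m),    # None: no LCG mod 10**6 fits
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>9}: {result}")
```

A recovered (a, c) that reproduces all 200 codes is strong evidence, but a None result only rules out this one hypothesis (an LCG with modulus 10^6 and no truncation); a generator that draws from a larger state and reduces the output mod 10^6 will not be caught by this check.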
  2. theSeekerr

    theSeekerr Member

    Joined:
    Jan 19, 2010
    Messages:
    3,240
    Location:
    Broadview SA
    What makes you think they're not actually random, or at least pseudorandom?

    If they are pseudorandom, sure, there's an algorithm, but the odds of you determining (a) which algorithm and (b) what seed are astronomically poor.
     
  3. GrandmasBoi (OP)

    GrandmasBoi Member

    Joined:
    Sep 23, 2019
    Messages:
    122
    I do not know that, but it is definitely one angle of attack I can either rule out or expose as a security flaw.
     
  4. Luke212

    Luke212 Member

    Joined:
    Feb 26, 2003
    Messages:
    9,778
    Location:
    Sydney
    Probably just random. Why would it not be?

    Random between 100000 and 1000000 gives you the same data.
     
  5. GrandmasBoi (OP)

    GrandmasBoi Member

    Joined:
    Sep 23, 2019
    Messages:
    122
    Yeah, probably.... Yet if there was a tool that can analyse sample data for patterns and deduce whether it is random or not, it would be much more helpful than "probably".

    Why? .... Because you would be surprised how badly coded and designed some systems are.
     
  6. theSeekerr

    theSeekerr Member

    Joined:
    Jan 19, 2010
    Messages:
    3,240
    Location:
    Broadview SA
    I'm sure some people are surprised. Anyone who works in software or IT, not so much.
     
    GrandmasBoi likes this.
  7. oculi

    oculi Member

    Joined:
    Aug 18, 2004
    Messages:
    11,177
    quite
     
    ir0nhide likes this.
  8. blankpaper

    blankpaper Member

    Joined:
    Feb 1, 2013
    Messages:
    1,140
    Mathematically, unless you found the real algorithm used (by reverse engineering the software itself) it's of no use. I.e. if you found a pattern in past passwords you haven't actually proved anything about future predictability because you can't prove it's only a single (and the correct) algorithm that can produce those results.

    Is changing password policy possible with this software? Sounds like it, but if the client doesn't want to change password policy (out of laziness or whatever), then I think it'd be better just making a point of advising on your recommended password strength policy, and adding security around that (ACLs/firewalls, additional authentication before this software, user lockouts, administrator warnings on X failed attempts, etc). If the software itself is fundamentally weak and the client/vendor won't strengthen password policies then your recommendations should focus on protecting access to that software.

    Emphasis on 'recommendations'. If they don't want to take your recommendations, so be it, but all you can do is make them aware.

    FWIW I don't work in this field but if someone I knew asked my 2c this is the sort of thing I'd be contemplating.
     
  9. SLATYE

    SLATYE SLATYE, not SLAYTE

    Joined:
    Nov 11, 2002
    Messages:
    26,849
    Location:
    Canberra
    Given the known limitations of the passwords (numeric fixed-length) you might be better-off looking at whether it would be practical to break into this system with a brute force attack. Does it lock you out after a couple of attempts? If not, writing a script to just spam every possible combination may be quite practical.

    As blankpaper has said, finding a pattern in the data doesn't imply that you've found the pattern. There are infinite patterns that match a finite sequence of numbers, and most of those will fail to match the next number in the sequence. It's quite possible that you'll burn a huge amount of time and find nothing, because (for example) the password is based on the nanosecond time when a human clicks the "generate password" button.
     
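Putting numbers on the brute-force angle, as an added example (not the poster's code): a small model of online guessing against fixed-length numeric codes under a "lock after N failures within W seconds" policy, comparing one account hammered at full speed with a low-and-slow spray across many accounts. The request rate, lockout policy and account count are assumptions for illustration, not facts about the system in the thread.

```python
"""Added example: feasibility of online guessing against fixed-length numeric
codes, with and without an account-lockout policy. Every policy number below
is an assumption for illustration."""
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Policy:
    rate_per_second: float                    # requests the login endpoint will serve
    lockout_threshold: Optional[int] = None   # failures that lock the account; None = no lockout
    window_seconds: int = 900                 # window over which failures are counted / lock lasts


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def safe_guesses_per_account_per_day(policy: Policy) -> float:
    """Guesses per account per day that never trigger a lock: threshold-1 per
    window (assumes the counter resets each window), or only the request rate
    when there is no lockout."""
    by_rate = policy.rate_per_second * SECONDS_PER_DAY
    if policy.lockout_threshold is None:
        return by_rate
    windows_per_day = SECONDS_PER_DAY / policy.window_seconds
    return min(by_rate, (policy.lockout_threshold - 1) * windows_per_day)


def days_to_exhaust(space: int, policy: Policy) -> float:
    """Worst case for one account: every candidate tried once."""
    return space / safe_guesses_per_account_per_day(policy)


def p_any_account_falls(space: int, policy: Policy, accounts: int, days: float) -> float:
    """Spray: each account gets the same budget of distinct guesses; the chance
    that at least one account's code is hit is 1 - (1 - g/space)^accounts."""
    g = min(safe_guesses_per_account_per_day(policy) * days, space)
    return 1 - (1 - g / space) ** accounts


def demo():
    six_digits = keyspace(10, 6)              # the profile described in the thread
    eight_alnum = keyspace(62, 8)             # for comparison: [A-Za-z0-9]{8}
    no_lockout = Policy(rate_per_second=50)   # assumption: 50 req/s, no lockout
    lockout = Policy(rate_per_second=50, lockout_threshold=5, window_seconds=900)  # assumption
    return {
        "6d_no_lockout_hours": days_to_exhaust(six_digits, no_lockout) * 24,
        "6d_lockout_days": days_to_exhaust(six_digits, lockout),
        "6d_lockout_spray_5000_accounts_1day": p_any_account_falls(six_digits, lockout, 5000, 1),
        "8alnum_no_lockout_days": days_to_exhaust(eight_alnum, no_lockout),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:,.3f}")
```

Under these assumptions a single six-digit account falls in under six hours with no lockout, a per-account lockout stretches that to years, but a spray of the same lockout-safe budget across 5000 accounts has roughly an 85% chance of hitting at least one account on day one. That is why a lockout alone is not a fix for a 10^6 keyspace, and why failed-attempt monitoring across accounts belongs in the recommendations.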
  10. GrandmasBoi (OP)

    GrandmasBoi Member

    Joined:
    Sep 23, 2019
    Messages:
    122
    Thanks for the replies, some good tips. I think I'll follow those avenues.
     
  11. mtma

    mtma Member

    Joined:
    Aug 12, 2009
    Messages:
    5,248
    If I were to guess at an intruder's toolbox, if you can chuck the data into a basic ML algorithm and it could spit out predictions that are at least an arbitrarily 'significant' probability correct, you might consider the existence of the expired data a problem - along with the generation method.

    ED: also, you would want to try it with the ML learned on some bogus data of a similar profile to ensure that you're not looking at noise from another factor of insecurity, such as the lack of entropy in the first place.
     
    Last edited: Mar 21, 2020
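A control-sample comparison of the kind described here, which also exercises Luke212's point above that a uniform random draw "gives you the same data", as an added example (not the poster's code and not an existing tool): a per-position digit-frequency chi-square test run on a constructed weak sample (the last six digits of a millisecond timestamp, one code per second, a hypothetical time-based generator) and on a constructed uniform control of the same profile. The critical value is the chi-square 0.001 point for 9 degrees of freedom. A flagged position only says the generator is not uniform there; as blankpaper notes, it does not by itself predict the next code.

```python
"""Added example: per-position digit-frequency test for fixed-length numeric
codes, run on a constructed weak sample and a constructed uniform control."""
import random
from collections import Counter

CHI2_CRIT_DF9_P001 = 27.88  # chi-square critical value, 9 degrees of freedom, p = 0.001


def position_chi_square(codes):
    """For each digit position, the chi-square statistic of the observed digit
    counts against a uniform expectation of len(codes)/10 per digit."""
    length = len(codes[0])
    if not all(len(c) == length and c.isdigit() for c in codes):
        raise ValueError("all codes must be digit strings of the same length")
    expected = len(codes) / 10
    stats = []
    for pos in range(length):
        counts = Counter(c[pos] for c in codes)
        stats.append(sum((counts.get(str(d), 0) - expected) ** 2 / expected
                         for d in range(10)))
    return stats


def analyse(codes, crit=CHI2_CRIT_DF9_P001):
    """Flag positions whose digit distribution is very unlikely under
    uniformity, and count exact repeats (another sign of low entropy)."""
    chi2 = position_chi_square(codes)
    return {
        "chi2": chi2,
        "flagged": [i for i, s in enumerate(chi2) if s > crit],
        "duplicates": len(codes) - len(set(codes)),
    }


def weak_sample(n=200, seed=1):
    """Constructed: last six digits of a millisecond timestamp, one code issued
    per second. The leading digit barely moves over 200 seconds."""
    rng = random.Random(seed)
    base_ms = 1_583_370_000_000  # constructed epoch value, a multiple of 10**6
    return [str(base_ms + i * 1000 + rng.randrange(1000))[-6:] for i in range(n)]


def control_sample(n=200, seed=2):
    """Constructed control with the same profile: uniform six-digit codes,
    i.e. what 'random between 0 and 999999' would hand you."""
    rng = random.Random(seed)
    return [f"{rng.randrange(10 ** 6):06d}" for _ in range(n)]


if __name__ == "__main__":
    for label, codes in (("weak", weak_sample()), ("control", control_sample())):
        r = analyse(codes)
        print(label, "flagged positions:", r["flagged"], "duplicates:", r["duplicates"])
        print("  chi2 per position:", [round(s, 1) for s in r["chi2"]])
```

With 200 codes the expected count per digit per position is only 20, so this test has little power against subtle bias; it will catch a position that is stuck or cycling (the weak sample's leading digit takes only two values, chi-square 800), which is exactly the kind of defect a dumped list of "expired" codes can reveal. Run the same test on the control first: if the control is also flagged, the method or the sample size is at fault, not the generator.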
