Article | REF: TE7725 V1

Security Audit - Breaking hash with intelligence

Author: Laurent LEVIER

Publication date: January 10, 2018




AUTHOR

  • Laurent LEVIER: Security Officer - International Telecommunications Operator

INTRODUCTION

Our story begins in the 1970s. In those days, the password was a small thing, regarded as a useless constraint that everyone had to endure and treated with carelessness, even disdain. It was usually empty or identical to the user's login or first name, and rarely more elaborate. With the rapid spread of digitalization and the progress of hacking techniques and attempts, the password has become both coveted and omnipresent, and given the access it grants it can no longer remain simplistic. We have gone from one password for everything to one for every use, with a mandatory minimum level of quality.

In the early years of local area networks, and later the Internet, passwords were stored using algorithms that would make people smile today. But, at the time, cryptographic attack techniques required computing power unavailable to the general public. What's more, these passwords were so simple, since no one yet understood their importance, that a simple dictionary attack, even carried out by hand, was often all that was needed. Today, specialized graphics processing units (GPUs) provide, at modest cost, more than enough computing power to attack most cryptographic algorithms within a reasonable timeframe. Software has kept pace, enabling anyone to build their own "password-cracking" machine or, more generally, a hash-cracking machine.

In addition to these purely technical aspects, passwords are most often chosen by individuals governed by stereotyped psychological behaviors stemming from their personal background, whether educational, cultural or emotional. These influences considerably shape the words chosen at the outset, as well as any transformations imposed by a security policy, depending on the very terms of that policy and how it is presented on the input form. A study of thousands of international users has enabled us to establish hypotheses, whose validation is progressing rapidly, about the final form a password will take, and thereby to greatly improve the performance of brute-force attacks.

Nowadays, passwords are still the unloved creature of the IT world, and there is no plethora of ways to guarantee their quality and, with it, the protection of access to information.

Upstream, at the time of entry, it is possible to specify quality constraints and check the proposed passwords against them, with unacceptable proposals simply being blocked.

The other solution, downstream, is to verify the quality of the password once it has been chosen. Unfortunately, this approach poses a problem because the cryptographic algorithm used to store the password is not reversible. Indeed, the algorithm does not allow the hash to...
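The two approaches above, as an added illustration that is not part of the article: the same candidate generator serves both an upstream entry-time check, which simply rejects a password derived from the login or first name, and a downstream audit, which cannot reverse the stored hash and must instead re-derive candidates and hash each one for comparison. The transformation rules (capitalization, leet substitution, common suffixes) and the unsalted SHA-256 storage are constructed assumptions for the example, not the article's findings.

```python
import hashlib

# Constructed example transformations: assumed to be typical user habits,
# not the study's own results. A real rule set would be far larger.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "123", "!", "2018"]


def candidates(base_words):
    """Expand identity-derived words (login, first name, ...) with stereotyped edits."""
    seen = set()
    for word in base_words:
        if not word:
            continue
        for core in {word, word.lower(), word.capitalize(), word.translate(LEET)}:
            for suffix in SUFFIXES:
                cand = core + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def upstream_check(password, login, first_name):
    """Entry-time policy: reject empty passwords and ones derived from identity data."""
    if not password:
        return False
    return password not in set(candidates([login, first_name]))


def sha256_hex(s):
    # Unsalted SHA-256 stands in for the password store's algorithm for brevity;
    # a real audit must use exactly the algorithm (and salt) the store uses.
    return hashlib.sha256(s.encode()).hexdigest()


def downstream_audit(stored_hash, login, first_name):
    """The hash cannot be reversed, so re-derive candidates and compare hashes.
    Returns the weak password found, or None if no candidate matches."""
    for cand in candidates([login, first_name]):
        if sha256_hex(cand) == stored_hash:
            return cand
    return None
```

The downstream audit only ever finds passwords the generator can predict, which is exactly why the quality of the behavioral hypotheses decides how much of a password store such an audit can cover.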
