Cracking passwords using ONLY response times | Secure Python

Security in programming is difficult to achieve.

In this video, we take a look at a class of attacks called "timing attacks", which use the amount of time a server takes to respond in order to extract secret information from it. Not all servers are susceptible (common, popular ones are not when properly configured), but if you don't know about timing attacks, one you write might be! Any secure Python code must be resistant to timing attacks. You don't need to worry about the popular Python web frameworks: Flask and Django are safe to use.

Note: For those wondering why I did not include a discussion of a slow_equals (constant-time comparison) to thwart the attack: I decided not to because it is a band-aid on the larger problem, which is that the server shouldn't have stored your password in the first place. Only hashes should be stored.

CHAPTERS
---------------------------------------------------
0:00 Intro
1:08 Background and setup
3:03 Cracking the length
5:19 Cracking the characters
7:22 Try it
8:08 Outro
Comments
---------------------------------------------------

"Nothing on one, click on two, four is binding..."
It's literally just lockpicking at this point.

MathMagician

That password cracking at the end was so epic 😂

nadavgolden

Data comparison in CPU cache is incredibly fast in comparison to any I/O. In a real-world scenario where network I/O would be involved, you couldn't really find a correlation between password length and your guess using the timing. Cool reminder to not store actual passwords, and neat video anyway.

wirtos_new

You're the only programming channel that I haven't gotten bored of. Thank you for your interesting videos!

john.dough.

This was pretty interesting. You can make a part 2. Now that we're wise, and we use hashes (or even salted ones), there's a new attack to watch out for - hash collisions!

Sonyim

Never heard of this before. Very interesting concept!

stef

These are fun attacks. My network cybersecurity professor had us craft an attack like this. I didn't want to write the HTTP code to call the password validator API so I used curl. I figured any overhead of fork()-ing a command would be common across all requests and so I could factor it out. Unfortunately, the overhead was much greater than the time differences and so I couldn't reliably tease those differences out of my results. I wrote up what I was doing and got almost full points (I think he subtracted one point since I didn't actually recover the password). Anyway, I learned a lot.

lisnter

Well done! However, I think a wise thing would be, in your server, to have your check_password() routine only respond after a fixed (or even random) amount of time (spanning a timer, etc.). This way, no timing attack would be possible.

sergeboisse

Does this f"{variable=}" print *variable="variable_value"*?? I never knew about this 🌝🤨

princex

I'm new to programming and, particularly, to Python, so that means I didn't understand a thing of this. But it was fantastic to see how you implemented this and how clever you are. Keep up the great job, man.
Edit: English is not my first language so, in case there's any mistake, feel free to correct me. I'd appreciate it.

ultraman

alright, I'm only writing branchless code from now on 😤

sadhlife

Timing attacks can be used to determine valid usernames. For example, if the user doesn't exist, a fail response is returned right away, but if it does exist, then the server will also verify the password hash, which is slow.

multiwebinc
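As an added example (not code from the video or its author), the following shows the two mitigations that the description's note on slow_equals and sadhlife's comment above point to: store only salted hashes and compare them in constant time, and do the same amount of hashing work whether or not the username exists. The user table, the passwords and the dummy record are constructed sample data.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor for the constructed example (production values are higher).
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password; this is what gets stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_record(password: str) -> dict:
    """Build a stored record: a random salt plus the derived hash, never the plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Hypothetical user table (constructed data; a real app would load this from storage).
USERS = {"alice": make_record("correct horse battery staple")}

# A fixed dummy record so that unknown usernames still cost one hash computation.
_DUMMY = make_record("placeholder-not-a-real-password")


def leaky_check(username: str, password: str) -> bool:
    """Vulnerable version, kept for contrast: the early return makes
    'user not found' measurably faster than 'wrong password'."""
    record = USERS.get(username)
    if record is None:
        return False  # no hashing work: fast response leaks that the user is unknown
    return _hash_password(password, record["salt"]) == record["hash"]


def constant_time_check(username: str, password: str) -> bool:
    """Hardened version: same work and a constant-time comparison on every path."""
    record = USERS.get(username)
    known_user = record is not None
    if record is None:
        record = _DUMMY  # still pay for one PBKDF2 run when the user is unknown
    candidate = _hash_password(password, record["salt"])
    # hmac.compare_digest does not stop at the first mismatching byte.
    matches = hmac.compare_digest(candidate, record["hash"])
    return known_user and matches
```

Both checks return the same booleans; the difference an attacker could measure is the work done before the answer, which only the hardened version keeps uniform.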

Most servers don't save the actual passwords but save them as a hashed password, but I've got to acknowledge you are brilliant.

islamkaram

Thanks a lot. Good old memories. I remember I found out about this technique when I was working as an SSG member in one of my former companies, which happened to be a big financial institute (this was around 2011, so more than a decade ago).
I remember reading about this in a paper; I believe this method was proposed for the first time by an Israeli security expert/researcher, and it was mind-blowing at the time (still is, imho).
Sometimes you just have to stand up, appreciate the beauty of this and applaud brilliant minds like this.
I hope to see a world where there is no more hatred/war/etc. among us, especially between Palestinians and Israelis, and also everyone else in the world.

amortalbeing

Normally I don't care much for youtuber sponsored ads; but for once that's something super relevant to what I've been looking at developing for in my free time! I'll take a look! :)

merthyr

This video was just fabulous!
Literally, every time I watch your videos, a whole new world of possibilities opens to me.

qorbanimaq

Everybody gangsta until the server ping is more than 100 ms.
It takes an hour to get the length of the password and 46+ hours to iterate through every ASCII char in a 32-character password, and probably around 80 hours to crack the password.
Although brute force would be way slower.

php

This was a cool thing to look at and try out. If you stacked this with some sort of genetic algorithm, multithread, and perhaps cythonize it, you could get it to go a lot faster, theoretically speaking.

LordTails

Lol, using an algorithm to uncover a "subscribe" message is an idea I may borrow. Clever!

Cool vid too. I'm always impressed by the clever ways hackers narrow down possible passwords.

Mutual_Information

Other than making me a better coder, you make me feel happy. In your videos I always have that "a-ha" moment. Thanks.

imagineabout