Password Recovery Service FAQ
What does KoreLogic's Password Recovery Service provide and not provide?
The service provides the following outputs:
- A delimited text file containing the cracking results.
- A formal findings report (if one was purchased).
- A balance statement (indicating the number of cracking units and support hours expended/remaining).
Below are some examples of what the service cannot provide:
- Brute forcing incredibly long passphrases with certainty in a short period of time.
- A guarantee of any percentage of password or document recovery.
- Support for all possible hash types used by operating systems or
- Support for all possible password-protected file formats.
- Use of unsecured or shared (e.g., cloud-based) computing resources.
This Service will not support any potentially illegal or unethical activities.
How does KoreLogic's Password Recovery Service work?
KoreLogic works with the client to determine their password recovery service needs. Using this information, KoreLogic provides an initial proposal that includes a recommended number of cracking units, technical (or service) support hours and service options. KoreLogic will then meet with the client to review the recommendations and, if needed, refine the service package. Finally, an official Statement of Work (SOW) for the client to review and execute is provided.
Going forward, KoreLogic works with the client to establish a workflow to meet the terms of the SOW. For instance, a secure communication mechanism (typically PGP-encrypted email) is established. KoreLogic uses this mechanism to submit client inquiries, answer questions, send service-related instructions, and transfer updates and/or results. The client uses it to submit work order inquiries, answer questions, respond to service-related instructions and transfer candidate data for the cracking grid.
Once a secure communication mechanism has been established, KoreLogic works with the client to submit their candidate hashes and/or documents. After the candidates are received, they are vetted, formatted (as necessary) and subsequently deployed onto KoreLogic's proprietary password cracking grid where they will be attacked for the specified number of cracking units or until all candidates are recovered.
Unlike many services that rely upon leased infrastructure, KoreLogic's proprietary cracking grid is owned and operated by KoreLogic, hardened and secured to KoreLogic standards, and maintained by KoreLogic engineers. Additionally, any client data deployed to the grid are encrypted in transit using encrypted protocols. These data are also encrypted at rest using AES-encrypted drives.
If the client purchased custom tuning, KoreLogic's engineers will analyze client-provided information (e.g., corporate password policy, hash formats used, etc.) along with recovered passwords and documents to identify patterns or anomalies that can be leveraged to maximize results. Once a suitable pattern or anomaly has been found, KoreLogic's engineers will craft custom attacks and proactively apply them to the client's work order.
If the client purchased a formal findings report, KoreLogic's engineers will analyze the results, make observations, draw conclusions, and document a set of client-specific findings and recommendations. This type of report is often useful for organizations that need to perform due diligence or show compliance with state and/or federal regulations.
What is the customer expected to do?
- Establish and/or use a secure protocol/mechanism (typically PGP-encrypted email) to communicate with KoreLogic for the duration of the engagement.
- Collect candidate hashes and/or documents, optionally package them in a common archive format (e.g., ZIP file), and submit them to KoreLogic using the established protocol/mechanism.
Password Recovery Service Case Studies
Case Study #1
As part of a larger yearly security audit for a Fortune 500 company, KoreLogic performed a password complexity audit against 30,000+ hashes taken from an Active Directory domain and a Single Sign On (SSO) environment. Using its proprietary cracking grid, KoreLogic was able to recover 92% of the passwords. Consequently, the company established password complexity requirements based on KoreLogic's findings and recommendations.
Case Study #2
During a recent assessment of a large technical company that provides forensic services and IT support, two Active Directory domains, containing 11,000+ hashes, were compromised. Using its proprietary cracking grid, KoreLogic was able to recover 82% of the passwords within a 5-day window even though 100% of the passwords met or exceeded the company's password policy, which required passwords to be at least 8 characters long and include at least one number and one special character. KoreLogic was able to provide the client with a list of accounts that used a common, shared password. Using that list, the client subsequently required all identified users to immediately change their passwords. Additionally, multiple enterprise-wide administrators were found to have weak passwords. After being informed of the finding, the administrators were required to receive training on how to create stronger, more complex passwords and then to change their passwords.
Case Study #3
During a recent assessment of a large telecommunications company, KoreLogic engineers obtained password hashes for 30 administrator accounts that were shared across 1000+ UNIX systems. The client wished to know which administrator accounts had weak passwords. Using its proprietary cracking grid, KoreLogic was able to recover 40% of the passwords within a 5-day window. As a result, KoreLogic found that multiple accounts had exactly the same password. Additionally, a small subset of accounts were using date-based passwords that were trivial to crack, and two accounts were found to have passwords based on a variation of the client's name. KoreLogic provided a list of accounts with weak passwords along with a summary of password demographics to the client.