Text passwords
Hazim Almuhimedi

Agenda
◦ How good are the passwords people are choosing?
◦ Human issues
◦ The Memorability and Security of Passwords
◦ Human Selection of Mnemonic Phrase-based Passwords
Authentication Mechanisms
Something you have
◦ cards
Something you know
◦ Passwords: cheapest way, most popular.
Something you are
◦ Biometric (fingerprint)
Password is a continuous problem
Passwords are a serious real-world problem.
◦ SANS Top-20 2007 Security Risks
◦ Every year, password problems appear in the list:
    Weak or non-existent passwords
    Users who don't protect their passwords
    OS or applications that create accounts with weak/no passwords
    Poor hashing algorithms
    Access to hash files
Source: Jeffery Eppinger, Web Application Development.
How good are the passwords people are choosing?
It is a hard question to answer.
◦ Data is scarce.
◦ One data point: the MySpace phishing attack.
Poor, Weak Password
Poor, weak passwords have the following characteristics:
◦ The password contains fewer than 15 characters.
◦ The password is a word found in a dictionary (English or foreign).
◦ The password is a common usage word.
Source: Password Policy. SANS 2006
Strong Password
Strong passwords have the following characteristics:
◦ Contain both upper and lower case characters.
◦ Have digits and punctuation characters.
◦ Are at least 15 alphanumeric characters long and are a passphrase.
◦ Are not a word in any language, slang, dialect, or jargon.
◦ Are not based on personal information.
◦ Passwords should never be written down or stored on-line.
Source: Password Policy. SANS 2006
Strong Password?

Strong Password
◦ At least 8 characters.
◦ Contain both upper and lower case characters.
◦ Have digits and punctuation characters.
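The two rule sets above (the SANS 2006 policy with its 15-character minimum, and the looser 8-character variant) can be turned into a checker that reports exactly which rules a password fails. The following is an added example written for this page, not code from the slides or from SANS; the word list is a small constructed stand-in for a real dictionary, and the "word followed by trailing digits" check is an assumption of the example, motivated by the password1/monkey1 pattern in the MySpace top 20.

```python
"""Password-policy checker (added example, not from the original slides)."""
import string

# Constructed stand-in for a real dictionary; a real check would load a full word list.
DICTIONARY = {"password", "monkey", "princess", "baseball",
              "football", "soccer", "liverpool", "qwerty"}


def character_classes(pw):
    """Return the set of character classes present: upper, lower, digit, punct."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def is_dictionary_word(pw):
    """True if the password is a dictionary word, possibly with digits or
    punctuation appended ('password1', 'monkey1')."""
    lowered = pw.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    return lowered in DICTIONARY or core in DICTIONARY


def check_policy(pw, min_length=15):
    """Return the list of rules the password fails (empty list means it passes).

    min_length=15 is the SANS 2006 policy; min_length=8 is the looser variant.
    """
    failures = []
    classes = character_classes(pw)
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not {"upper", "lower"} <= classes:
        failures.append("missing upper or lower case")
    if "digit" not in classes:
        failures.append("no digit")
    if "punct" not in classes:
        failures.append("no punctuation")
    if is_dictionary_word(pw):
        failures.append("dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ("password1", "Blink182", "Tree!House-Rain9x"):
        print(candidate, "->", check_policy(candidate) or "passes SANS policy")
        print(candidate, "->", check_policy(candidate, min_length=8) or "passes 8-char policy")
```

Run against the MySpace favourites, "password1" fails four rules under either policy, while "Blink182" passes everything under the 8-character variant except the punctuation rule, which is exactly why the slides call it a password that "seems like a good password".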
MySpace Phishing Attack
◦ A fake MySpace login page.
◦ Sent the captured data to various web servers and retrieved it later.
◦ 100,000 fell for the attack before it was shut down.
◦ This analysis is for 34,000 users.
Password length
Average: 8 characters.

Password length
There is a 32-character password: "1ancheste23nite41ancheste23nite4"
Other long passwords: "fool2thinkfool2thinkol2think", "dokitty17darling7g7darling7"
Character Mix

Common Passwords
Top 20 passwords in order:
password1 abc123 myspace1 password
Blink182 qwerty1 fuckyou 123abc
baseball1 football1 123456 soccer
monkey1 liverpool1 princess1 jordan23
slipknot1 superman1 iloveyou1 monkey
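The statistics the slides report for the MySpace set (average length, character mix, most common passwords) are the output of a routine audit over a leaked or phished password list. The block below is an added example written for this page, not the analysis behind the slides; the sample it runs on is constructed, reusing names from the top-20 list with invented counts, and the "word plus one trailing digit" measure is an added metric that quantifies the password1/monkey1 habit the slides comment on.

```python
"""Audit of a password sample (added example, not from the original slides)."""
from collections import Counter
import re
import string

# Constructed sample: each (password, count) pair is invented for this example.
SAMPLE = [
    ("password1", 12), ("abc123", 9), ("myspace1", 8), ("password", 7),
    ("Blink182", 6), ("qwerty1", 5), ("123456", 4), ("jordan23", 4),
    ("monkey", 3), ("iloveyou1", 3), ("1ancheste23nite41ancheste23nite4", 1),
    ("Tr33!House", 1), ("soccer", 2),
]


def expand(sample):
    """Turn (password, count) pairs into the flat list an analyst would work with."""
    return [pw for pw, n in sample for _ in range(n)]


def mix_label(pw):
    """Describe which character classes a password mixes, e.g. 'lower+digit'."""
    parts = []
    if any(c.islower() for c in pw):
        parts.append("lower")
    if any(c.isupper() for c in pw):
        parts.append("upper")
    if any(c.isdigit() for c in pw):
        parts.append("digit")
    if any(c in string.punctuation for c in pw):
        parts.append("punct")
    return "+".join(parts) or "other"


def average_length(passwords):
    return sum(len(p) for p in passwords) / len(passwords)


def character_mix(passwords):
    """Share of passwords in each character-class mix, as fractions of the sample."""
    counts = Counter(mix_label(p) for p in passwords)
    total = len(passwords)
    return {label: n / total for label, n in counts.items()}


def top_passwords(passwords, n=5):
    """The n most frequent passwords with their counts, most common first."""
    return Counter(passwords).most_common(n)


def word_plus_digit_share(passwords):
    """Fraction matching 'letters followed by exactly one digit' (password1, monkey1, ...)."""
    pattern = re.compile(r"^[A-Za-z]+\d$")
    return sum(1 for p in passwords if pattern.match(p)) / len(passwords)


def audit(sample=SAMPLE):
    """Compute the summary statistics an auditor would report for the sample."""
    pws = expand(sample)
    return {
        "count": len(pws),
        "average_length": average_length(pws),
        "mix": character_mix(pws),
        "top": top_passwords(pws),
        "word_plus_digit": word_plus_digit_share(pws),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the constructed sample the average length comes out at exactly 8 characters and roughly two thirds of entries are lowercase letters plus digits, with 28 of 65 following the word-plus-one-digit habit; on a real dump the same functions give the figures an administrator needs to justify a policy change.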
Common Password
"Blink 182" is a band.
◦ A lot of people use the band's name: it is easy to remember, and it has numbers in its name, so it seems like a good password.
Common Password
"qwerty1" refers to
◦ QWERTY, the most common keyboard layout on English-language computers.
Common Password
The band "Slipknot" doesn't have any numbers in its name
◦ which explains the "1".
Common Password
The password "jordan23" refers to
◦ basketball player Michael Jordan
◦ and his number 23.
Common Password
I don't know what the deal is with "monkey".
Passwords getting better
• Who said the users haven't learned anything about security?
Human Issues
◦ Social engineering.
◦ Difficulties with reliable password entry.
◦ Difficulties with remembering the password.
Humans are often the weakest link in the security chain.
Human Issues
Social engineering.
◦ The attacker extracts the password directly from the user.
◦ Attacks of this kind are very likely to work unless an organization has well-thought-out policies.
◦ In his 2002 book, The Art of Deception, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering. Motorola case: http://www.youtube.com/watch?v=J4yH2GPiE7o (3:09)
Kevin Mitnick: "It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in." http://www.youtube.com/watch?v=8_VYWefmy34 (2:00)
Source: Wikipedia. Social engineering
Human Issues
Social engineering.
◦ 336 CS students at the University of Sydney.
◦ Some were suspicious: 30 returned a plausible-looking but invalid password.
◦ Over 200 changed their passwords without official prompting.
◦ Very few of them reported the email to authority.

Human Issues
Social engineering.
◦ How to solve this problem? A strong and well-known policy.
Human Issues
Difficulties with reliable password entry.
◦ If a password is too long or complex, the user might have difficulty entering it correctly.
◦ South Africa case: a 20-digit number for the pre-paid electricity meters. Any suggested solution?
◦ If the operation they are trying to perform is urgent, this might have safety or other implications.
Human Issues
Difficulties with remembering the password.
◦ The greatest source of complaints about passwords is that most people find them hard to remember.
◦ When users are expected to memorize passwords, they either choose values that are easy for attackers to guess, write them down, or both.
The Memorability and Security of Passwords
Many of the problems of password authentication systems arise from the limitations of human memory.

The Memorability and Security of Passwords
Some passwords are very easy to remember
◦ But very easy to guess (dictionary attack).
Some passwords are very secure against guessing
◦ Difficult to remember.
◦ Might be compromised as a result of human limitations: the user may keep an insecure written record.
The Memorability and Security of Passwords
An experiment involving 400 first-year students at the University of Cambridge.
Testing how strong mnemonic-based passwords are.
Testing how easy they are to remember.
◦ In contrast with control and random passwords.

The Memorability and Security of Passwords
Methods:
◦ 4 types of attacks: simple dictionary attack; dictionary attack with permutation; user-information attack; brute-force attack.
◦ Survey.
The Memorability and Security of Passwords
Conclusion:
◦ Users have difficulty remembering random passwords.
◦ Passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords are.

The Memorability and Security of Passwords
Conclusion:
◦ It isn't true that random passwords are better than those based on mnemonic phrases: each type appeared to be as strong as the other.
◦ It is not true that passwords based on mnemonic phrases are harder to remember than naively selected passwords are: each appeared to be reasonably easy to remember, with only about 2%-3% of users forgetting passwords.
Human Selection of Mnemonic Phrase-based Passwords
Hypothesis
◦ Users will select mnemonic phrases that are commonly available on the Internet.
◦ It is possible to build a dictionary to crack mnemonic phrase-based passwords.

Human Selection of Mnemonic Phrase-based Passwords
Survey
◦ A survey to gather user-generated passwords: mnemonic passwords (144), control passwords (146).
Human Selection of Mnemonic Phrase-based Passwords
Attacks:
◦ Dictionary attack: generate a mnemonic password dictionary (400,000 entries); for control passwords, John the Ripper with 1.2 million entries.
◦ Dictionary attack with permutation: word mangling, e.g. replacing "a" with "@".
◦ Brute-force attack.
Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Password Strength:
                                  Control   Mnemonic
    Strength Score                  15.7      17.2
    Number of Character Classes      2.9       2.7
    Length                           9.9       9.5
Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Password Cracking Results:
◦ The user-generated mnemonic passwords were more resistant to brute-force attacks than control passwords.
    Password compromised by               Control   Mnemonic
    Basic Dictionary                        6%        3%
    Basic Dictionary with Permutation       5%        1%
    Brute Force Attack                      8%        4%
Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Passwords based on external sources: the majority of mnemonic passwords are based on external sources; 13% of control passwords are based on external sources.
Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
◦ The majority of users select phrases from music lyrics, movies, literature, or television shows.
◦ This opens the possibility that a dictionary could be built for mnemonic passwords. If a comprehensive dictionary is built, it could be extremely effective against mnemonic passwords.
◦ Mnemonic phrase-based passwords offer a user-friendly alternative for encouraging users to create good passwords.
Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
◦ Mnemonic phrase-based passwords are not as strong as people may believe.
◦ The space of possible phrases is large; building a comprehensive dictionary is not a trivial task.
◦ System designers and administrators should specifically recommend to users that they avoid generating mnemonic passwords from common phrases.
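The attack methodology described earlier (a dictionary of first-letter mnemonics built from phrases, then mangled with substitutions such as "a" to "@") and the closing recommendation that administrators steer users away from common phrases meet in a single check that can run when a password is set: derive the mnemonic forms of each known phrase and refuse any password that collides with one. The block below is an added example for this page, not code from the paper or the slides. Its phrase list is a tiny constructed stand-in for the sort of lyrics and titles the paper found users drawing on, the whole-word ("to" to "2") and single-character substitution tables are assumptions, and trailing digits are stripped before comparison because appending "1" is the habit the MySpace top 20 shows.

```python
"""Mnemonic-phrase collision check (added example, not from the paper or slides)."""

# Constructed stand-in for a list of well-known lyrics, titles and sayings.
COMMON_PHRASES = [
    "to be or not to be that is the question",
    "the quick brown fox jumps over the lazy dog",
    "i love you to the moon and back",
    "an apple a day keeps the doctor away",
]

# Whole-word shortcuts a user might take instead of the first letter (assumption).
WORD_SUBSTITUTIONS = {"to": "2", "two": "2", "for": "4"}

# Single-character mangling rules; the paper's "a" -> "@" plus common leet forms (assumption).
CHAR_SUBSTITUTIONS = {"a": "@", "o": "0", "i": "1", "e": "3", "s": "$"}


def mnemonic(phrase):
    """First letter of each word: 'to be or not to be' -> 'tbontb'."""
    return "".join(w[0] for w in phrase.lower().split())


def mnemonic_variants(phrase):
    """All mnemonic forms of a phrase that the substitution tables can produce.

    Each word contributes its first letter or its whole-word shortcut, giving a
    small cartesian product of base forms; each base form is then mangled by
    replacing every occurrence of one character at a time.
    """
    base_forms = [""]
    for word in phrase.lower().split():
        options = {word[0]}
        if word in WORD_SUBSTITUTIONS:
            options.add(WORD_SUBSTITUTIONS[word])
        base_forms = [prefix + opt for prefix in base_forms for opt in options]
    variants = set(base_forms)
    for form in base_forms:
        for src, dst in CHAR_SUBSTITUTIONS.items():
            if src in form:
                variants.add(form.replace(src, dst))
    return variants


def build_dictionary(phrases=COMMON_PHRASES):
    """Map every mnemonic variant back to the phrase it came from."""
    table = {}
    for phrase in phrases:
        for variant in mnemonic_variants(phrase):
            table.setdefault(variant, phrase)
    return table


def find_source_phrase(password, table=None):
    """Return the common phrase a password appears to derive from, or None.

    Comparison is case-insensitive and is repeated with trailing digits removed,
    so 'Tbontbtitq1' still maps to its Hamlet line.
    """
    if table is None:
        table = build_dictionary()
    lowered = password.lower()
    for candidate in (lowered, lowered.rstrip("0123456789")):
        if candidate in table:
            return table[candidate]
    return None


if __name__ == "__main__":
    table = build_dictionary()
    print(len(table), "dictionary entries from", len(COMMON_PHRASES), "phrases")
    for pw in ("2bon2btitq", "@@@dktd@", "ily2tmab1", "Tree!House-Rain9x"):
        print(pw, "->", find_source_phrase(pw, table))
```

Four phrases already yield dozens of dictionary entries, which illustrates both sides of the paper's conclusion: per phrase the variant set is small enough that a collision check is cheap, but the space of possible phrases is what makes a comprehensive dictionary hard to build. A deployment would replace the constructed list with a real corpus of lyrics and titles and run the check alongside the ordinary length and character-class rules.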
Thank You