Post on 30-Dec-2015
TRANSCRIPT
Passwords
Access Controls and Authentication
Readings
Password Vulnerabilities: Why passwords have never been weaker…
Storing passwords: A salt free diet is bad for your security…; Threshold Cryptography…
Password Usage: An analysis of ID-password usage…
Why do we keep doing this? Why it Pays to Submit to Hackers
New kinds of authentication: Active Authentication; Learn a password subconsciously…; Risk-Based Authentication
Password Vulnerabilities
Password Cracking: the practice of feeding plaintext candidates through a hashing algorithm and comparing the result with a compromised hash. If compromised hash = computed hash, you know the password (the input).
Dictionary attacks: comparing known words and their hashes to compromised hashes. The exploit becomes a 2-step process: generate word lists (a time and storage problem), then look up hashes.
Table Look-up: known password lists. 60% of newly compromised passwords are already in tables/cracked. The exploit becomes a 1-step process: generating word lists is less necessary, table look-up only.
Hybrid attack: combines a dictionary with intelligence gathered from known passwords.
For example: gather all names from Facebook and combine them with dictionary words.
Storage problem: you can run all possible combinations of any size password through any hashing algorithm and store the results, but it takes terabytes of storage space.
Hellman/rainbow tables reduce the space requirement by storing only the 1st password and the last generated hash of each chain.
GPU-assisted cracking has reduced the need for rainbow tables.
Hacker Password Analysis
Most capitalized letters are at the beginning of a password
Most numbers and special characters are at the end
Quite a lot of first name followed by year
Numbers or special characters are added at the beginning or (usually) the end
Mangling: Super – sup34, Princess = Prince$$
Mirror images: mypassworddrowssapym
SplashData's 25 Most Popular Passwords for 2012
1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)
Compiled from files containing millions of stolen passwords posted online by hackers.
Let's look at numbers
Steven1961: 10 characters, 52 letters + 10 numbers (62 symbols per position), so:
62^10 / 8 billion per second = 104,912,420.73 seconds (1,748,540.35 minutes; 29,142.34 hours; 1,214.26 days)
3.33 years to crack, but…
Hackers know our patterns, so: 10 characters, last 4 are numbers, 1st may be capitalized:
52 x 26 x 26 x 26 x 26 x 26 x 10 x 10 x 10 x 10 / 8 billion = 772.29 seconds (12.87 minutes) to crack
But what if the hacker goes to my Facebook page? 10 characters, last 4 are numbers and they're probably 1961, so:
52 x 26 x 26 x 26 x 26 x 26 (with 1961 appended) / 8 billion = .07 seconds to crack
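The three Steven1961 estimates above, as an added example that is not part of the deck: the search space is the product of the number of possible symbols at each position, so every pattern the attacker knows shrinks one factor (the 8 billion guesses/second rate and the 365-day year are the deck's figures; the same keyspace function also reproduces the deck's N^length table).

```python
import math

GUESSES_PER_SECOND = 8_000_000_000  # the deck's rate for one GPU-equipped PC

def keyspace(position_sizes):
    """Candidates to try when position i can be any one of position_sizes[i] symbols."""
    return math.prod(position_sizes)

def seconds_to_search(position_sizes, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate is tried; on average an attacker needs half of this."""
    return keyspace(position_sizes) / rate

def uniform(alphabet_size, length):
    """Plain brute force: every position drawn from the same alphabet (the deck's N^length table)."""
    return [alphabet_size] * length

def breakdown(seconds):
    """The deck's units: seconds, minutes, hours, days, years."""
    return {"seconds": seconds, "minutes": seconds / 60, "hours": seconds / 3600,
            "days": seconds / 86400, "years": seconds / (365 * 86400)}

# Attacker knows nothing: 10 positions, each one of 52 letters + 10 digits
NAIVE = uniform(62, 10)
# Attacker knows the habit: 1 letter that may be capitalised, 5 lower-case letters, 4 digits
PATTERN = [52] + [26] * 5 + [10] * 4
# Attacker read a birth year off social media: the 4 digits are fixed, only 6 letters are unknown
KNOWN_YEAR = [52] + [26] * 5

if __name__ == "__main__":
    for name, sizes in (("no knowledge", NAIVE), ("pattern known", PATTERN), ("year known", KNOWN_YEAR)):
        b = breakdown(seconds_to_search(sizes))
        print(f"{name:14} {keyspace(sizes):>22,} candidates  {b['seconds']:>16,.2f} s  {b['years']:.2f} years")
```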
Just the facts, John…
A PC running with 1 AMD Radeon HD7970 GPU processes 8.2 billion passwords per second.
The biggest boon to cracking passwords, however, is theft of non-secure credential files: Rockyou.com, 32 million plaintext passwords, 14 million after duplicates were removed. Now there exists a database of commonly used passwords.
If you can "crack" 8.2 billion per second, how fast do you think you can look one up?
Copyright Pearson Prentice-Hall 2010
Password-Cracking Programs
Brute-force password guessing: try all possible passwords of length 1, length 2, etc. Thwarted by passwords that are long and complex (using all keyboard characters).
N is the password length, in characters:
Alphabet, no case: 26^N possible passwords
Alphabet, upper and lower case: 52^N
Alphanumeric (letters and digits): 62^N
All keyboard characters: ~80^N
Server Password Cracking
Password Complexity and Length are both Crucial

Password Length   Low Complexity:        Alphabetic,           Alphanumeric:         High Complexity:
in Characters     Alphabetic, No Case    Case-Sensitive        Letters and Digits    All Keyboard
                  (N=26)                 (N=52)                (N=62)                Characters (N=80)
1                 26                     52                    62                    80
2                 676                    2,704                 3,844                 6,400
4                 456,976                7,311,616             14,776,336            40,960,000
6                 308,915,776            19,770,609,664        56,800,235,584        2.62144E+11
8                 2.08827E+11            5.34597E+13           2.1834E+14            1.67772E+15
10                1.41167E+14            1.44555E+17           8.39299E+17           1.07374E+19
Note: On average, an attacker will have to try half of all combinations.
GPU Cracking
What is it? Using a graphics card to brute-force passwords
How fast does it work? Millions of attempts per second; GPU Bruteforcer: 450 million per second, but…
It depends on the hash. How long would a 12 character password using upper case, lower case, 0-9 and symbols (&^%) take? 94^8 = 6,095,689,385,410,816
MD5 = 166 days? SHA-512 = 5,427 days? ~15 years. Even a 6 character password would take: ~15 hours
Easy audit question for SOX compliance: how are you hashing your passwords?
Other Password Threats
Keystroke capture software
Trojan horse displays a fake login screen, reports its findings to attackers
Shoulder surfing: attacker watches as the victim types a password. Even partial information can be useful:
Part of the password: P_ _sw_ _d
Length of the password (reduces time to do brute-force cracking)
iPhone/smartphone keylogging (reported 10/18/2011): Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers. Solution: keep your smartphone away from your keyboard
Server Password Cracking
Storing Passwords (Salting Hashes)
Start with the obvious: passwords should not be stored 'in the clear'
The LinkedIn hack: over six million passwords belonging to LinkedIn users have been compromised. A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them.
Stored passwords as SHA-1, but without 'salt'. So, password123 stored as: cbfdac6008f9cab4083784cbd1874f76618d2a97
Need for salting hashes (rainbow tables): salting means prepending random characters to a password and then hashing it. So, password123 might become KiJqpassword123, which hashes to 51472f680dc6cc5ce44366d765ca71148f68e36c and will be stored as: KiJq51472f680dc6cc5ce44366d765ca71148f68e36c
Now any two users with password123 will have unique hashes not found in rainbow tables, or at least it will be harder to create rainbow tables
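The storage schemes above in working code, as an added example (not LinkedIn's code or the deck's): the bare SHA-1 that the leaked file held, the deck's salt-then-hash scheme, and PBKDF2 (named later in the deck) as the slow, salted form. Records are stored as `kind$salt$hash` so that the salt can be split off unambiguously, whereas the deck writes salt and hash back to back; the salt length and the iteration count are this example's choices.

```python
import hashlib
import hmac
import secrets

SHA1_RECORD = "sha1"
PBKDF2_RECORD = "pbkdf2"
PBKDF2_ITERATIONS = 600_000  # cost parameter chosen for this example; raise it as hardware gets faster

def sha1_unsalted(password):
    """What the LinkedIn file held: one bare SHA-1 per password, so equal passwords collide
    and one precomputed table serves every account."""
    return hashlib.sha1(password.encode()).hexdigest()

def sha1_salted(password, salt=None):
    """The deck's scheme: random salt prepended, then SHA-1; the salt is stored beside the hash."""
    if salt is None:
        salt = secrets.token_hex(8)  # 16 hex chars; the deck's example uses a 4-char salt (KiJq)
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return f"{SHA1_RECORD}${salt}${digest}"

def pbkdf2_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256: salted and deliberately slow, so each guess costs the attacker
    `iterations` hash computations instead of one."""
    if salt is None:
        salt = secrets.token_hex(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{PBKDF2_RECORD}${iterations}${salt}${dk.hex()}"

def verify(password, record):
    """Recompute with the stored salt (and cost) and compare in constant time."""
    kind, *fields = record.split("$")
    if kind == SHA1_RECORD and len(fields) == 2:
        candidate = sha1_salted(password, fields[0])
    elif kind == PBKDF2_RECORD and len(fields) == 3:
        candidate = pbkdf2_record(password, fields[1], int(fields[0]))
    else:
        return False
    return hmac.compare_digest(candidate, record)

if __name__ == "__main__":
    print("unsalted :", sha1_unsalted("password123"))
    print("salted   :", sha1_salted("password123", "KiJq"))
    print("pbkdf2   :", pbkdf2_record("password123"))
```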
Threshold Cryptography
Complex math but simple idea: take a password, divide it, hash the pieces, store the pieces on separate servers
Increases the number of exploits that have to be carried out to get the pieces
Need a way to determine how to put the pieces together again
RSA Distributed Credential Protection: Play Video…
Why all this fuss? An Analysis of ID-Password Usage (Bank, Lee, Bae and Ahn, 2012)
What were the highlights of this article?
Analysis of ID-Password Usage
Users are usually the weakest link:
Choose weak/simple passwords
Password memorability can be difficult. Can anyone remember the password from the wiki cartoon?
Reuse the passwords on multiple sites. Even if your site has strong security (?), a weaker site with the same password could compromise your site
Study examines: re-use of login credentials; creation of a Vulnerability Index

Re-use
Item                                    Mean
Number of Sites                         105.7
Number of Unique IDs                    6.6
Number of Unique passwords              4.7
Number of Unique log-in credentials     11.8
ID re-use ratio                         19.1
Password re-use ratio                   29.2
Log-in credentials re-use               10.5
% of used unique log-in credentials     45.6%
Class Results
Reuse ratio = 2.9, hmm, I wonder how accurate this is?
Vulnerability Index
Network theory: sites with the same log-in credentials (node); connected nodes use the same log-in credentials (component); unique log-in credentials (isolate)
Inclusiveness = # of connected nodes / total nodes (12/14 = 85.7%)
Largest network: 5/14 = 35.7%
2nd largest network: 28.6%
3rd largest network: 21.4%
VI – Result from Study
Item                      Mean
Inclusiveness             0.94   (use the same log-in credentials)
Largest component         0.54
2nd largest component     0.18   (0.72 cumulative)
3rd largest component     0.09   (0.81 cumulative)
Vulnerability Index       0.38
• The 3 most frequently used log-in combinations are used in 81% of sites vs. 11.8 unique log-in credentials
• VI = expected proportion of sites subject to potential breaches if a breach at one site occurs
• Larger values of VI indicate higher levels of vulnerability
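The network measures from the class exercise, computed over a constructed reuse graph (added example, not the study's code or data): 14 sites, one credential each, grouped into components of 5, 4, 3, 1 and 1 so the numbers match the 12/14 and 5/14 figures above. The `expected_exposure` function is one literal reading of the slide's VI definition and is labelled as an assumption; the paper's own VI computation may differ.

```python
from collections import defaultdict

# Constructed in the shape of the class exercise: 14 sites, one credential (ID/password pair) each.
# Sites that share a credential are connected; a credential used at one site only is an isolate.
SITE_CREDENTIALS = {
    "bank": "cred-A", "email": "cred-A", "shop": "cred-A", "forum": "cred-A", "news": "cred-A",
    "travel": "cred-B", "music": "cred-B", "games": "cred-B", "photos": "cred-B",
    "work": "cred-C", "gym": "cred-C", "library": "cred-C",
    "tax": "cred-D",
    "health": "cred-E",
}

def components(site_credentials):
    """Connected components of the reuse graph, largest first.
    With one credential per site, sites connect exactly when they share that credential,
    so grouping by credential yields the components."""
    groups = defaultdict(list)
    for site, cred in site_credentials.items():
        groups[cred].append(site)
    return sorted(groups.values(), key=len, reverse=True)

def inclusiveness(site_credentials):
    """Share of sites in a component of size > 1, i.e. sites whose credential is reused."""
    total = len(site_credentials)
    connected = sum(len(c) for c in components(site_credentials) if len(c) > 1)
    return connected / total

def component_shares(site_credentials, top=3):
    """Fraction of all sites in each of the `top` largest components (largest, 2nd, 3rd network)."""
    total = len(site_credentials)
    return [len(c) / total for c in components(site_credentials)[:top]]

def expected_exposure(site_credentials):
    """Assumption, not the study's formula: read the slide's VI definition literally.
    A breach at a uniformly chosen site exposes its whole component, so the expected
    exposed share of sites is sum(size^2) / total^2."""
    total = len(site_credentials)
    return sum(len(c) ** 2 for c in components(site_credentials)) / total ** 2

if __name__ == "__main__":
    print("inclusiveness    ", round(inclusiveness(SITE_CREDENTIALS), 3))
    print("component shares ", [round(s, 3) for s in component_shares(SITE_CREDENTIALS)])
    print("expected exposure", round(expected_exposure(SITE_CREDENTIALS), 3))
```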
Reducing VI
Reducing the number of sites where log-in credential combinations are used (reduce component size)
Increasing the number of different log-in credentials
Thus, vulnerability can be decreased without increasing IDs, PWs or log-in credential combinations
Implications
Firms need a network perspective
Firms can be compromised due to outside company security lapses
Firms should implement different log-in credentials procedures other than ID/PW
Policy makers need to enforce log-in credential implementation (critical)
Public awareness of the problem needs to be improved
Discrepancy-enlarging feedback loop
Cybernetic theory: discrepancy-enlarging feedback is used to explain avoidance behavior. Compare your present state to the undesired state:
Present State vs. Avoidance State
Why do we choose weak passwords?
We know we need strong passwords
We know we need to back up our computers
In general we don't do it. Why? Economics:
Cost (time & energy): now
Benefit: sometime in the future – maybe!
Black Swan incident – what is this?
Hyperbolic discounting – what is this?
Fixes:
Binding mechanisms: allow a new site/app to remind me in the future to update my credentials
Secure defaults: I say use a password manager
User friendliness: make credentials easier for humans (face recognition vs. character string memorization)
Incentives: discount for using strong passwords; costs for not – why are CC companies responsible for your lack of a strong password?
Can we strengthen security of passwords?
Use a Password Manager: 1Password, Roboform
Password Based Key Derivation Function Version 2 (PBKDF2): systems using PBKDF2
I have two pets named Fred and Alice: Ihave2pets:Fred&Alice. Looks pretty secure but…
Use spaces to help you remember: I have 2 pets: Fred & Alice
Don't tell the truth: I have 3 pets: LeBron, Dwane & Chris
Don't make sense: I have 35 pets: LeBron, Dwane & Chris
Avoid predictable phrases: I have 35 pets: Lebron, Dwane & Amy
But this is still predictable
1Password's password system
Introduce randomness into passwords:
Roll dice to select a word
Roll dice again to select the next word
Continue
Diceware Passwords (Arnold Reinhold)
How many words? Password vs. Passphrase
Password: usually 4-10 characters (2 Diceware words); insert a random special character between the 2 words
Passphrase: 20-40 characters (4-5 Diceware words)
Entropy: how hard it will be for an attacker to know the passphrase given the method of selection, measured in bits. Flip of a coin = 1 bit of entropy
Diceware word = 12.9 bits of entropy
4 words: 51.6 (use at least 11 characters)
5 words: 64.6
6 words: 77.5 (use at least 17 characters)
7 words: 90.4 (use at least 20 characters)
10 words: 128
For passphrases for encryption, 6 is recommended
Finally… Even Stronger
Insert your own word into the set of Diceware words: P35:LD&A + Diceware words
How many characters?
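The Diceware arithmetic above as an added example (not Reinhold's code): five dice select one of 6^5 = 7776 words, giving log2(7776) bits per word, and the "use at least N characters" figures in the deck turn out to be the length a uniformly random lower-case (26-letter) password needs to carry the same entropy. The deck multiplies the rounded 12.9 figure, so its totals differ from the exact values by a fraction of a bit; the three-entry word list is a constructed fragment in the list's `key word` layout, used only so the generator can run offline.

```python
import math
import secrets

DICE_PER_WORD = 5
WORDS_PER_LIST = 6 ** DICE_PER_WORD  # 7776 entries, one per five-dice key 11111..66666

def bits_per_word():
    """Entropy of one uniformly rolled Diceware word: log2(7776), about 12.92 bits."""
    return math.log2(WORDS_PER_LIST)

def passphrase_bits(n_words):
    """Independent rolls add: n words carry n times the per-word entropy."""
    return n_words * bits_per_word()

def equivalent_length(n_words, alphabet_size):
    """Characters a uniformly random password over `alphabet_size` symbols needs to match n words."""
    return math.ceil(passphrase_bits(n_words) / math.log2(alphabet_size))

def roll_key(randbelow=secrets.randbelow):
    """Five dice as a key such as '34162'; `secrets` supplies the unpredictability the scheme relies on."""
    return "".join(str(randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def parse_wordlist(text):
    """Parse 'key word' lines into a dict, skipping malformed lines and keys that are not dice rolls."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, word = parts
        if len(key) == DICE_PER_WORD and set(key) <= set("123456"):
            words[key] = word
    return words

def passphrase(wordlist, n_words, roll=roll_key):
    """Roll once per word and look each key up; a missing key means the list is incomplete."""
    return " ".join(wordlist[roll()] for _ in range(n_words))

# Constructed fragment in the list's layout (assumed entries), for an offline demonstration only
SAMPLE_LIST = parse_wordlist("11111 a\n11112 a&p\n66666 @\nnot a list line\n")

if __name__ == "__main__":
    for n in (4, 5, 6, 7, 10):
        print(f"{n} words: {passphrase_bits(n):.1f} bits, "
              f"at least {equivalent_length(n, 26)} random lower-case letters")
```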
Active Authentication
What is it? How will it work?
AA – What is it? Authentication based on how you perform tasks: distinct behavioral characteristics, a cognitive fingerprint
Keyboard dynamics: length of time to hold down a key, and time to move to another key
Mouse movement
These repetitive movements are not controlled by deliberate thought and are therefore hard to mimic
AA – How will it work? Let's play a game: pros, cons
Risk Based Authentication