one-time passwords

One-Time Passwords By Anthony McDougle and Loren Klingman

Upload: joanne

Post on 23-Feb-2016

69 views

Category:

Documents

1 download

Report

Download

Tags:

Embed Size (px):

DESCRIPTION

One-Time Passwords. By Anthony McDougle and Loren Klingman. Why Use One-Time Passwords?. The average user does not have secure passwords Simple passwords Reusing the same password Never changing their password Can add security when used as an additional level of authentication. - PowerPoint PPT Presentation

TRANSCRIPT

One-Time PasswordsBy Anthony McDougle and Loren Klingman

The average user does not have secure passwords◦ Simple passwords◦ Reusing the same password◦ Never changing their password

Can add security when used as an additional level of authentication

Why Use One-Time Passwords?

A new password is generated at each use The password expires after one use and

cannot be used again◦ Cannot be re-used by an interceptor

What Are One-Time Passwords?

Facebook◦ Optional method of logging into public PCs◦ Generated password is delivered via text message

Google◦ Multi-factor authentication, using standard

passwords & a one-time password in order to log in

Among many others!

Who Uses One-Time Passwords

Time-Generated on Server & Client◦ Requires Synchronization

“Seeded” Algorithm◦ One-way hash function

Passwords generated and sent to the user

How It Works

Mobile Phone App Token-Generating Device Text Message or E-mail

◦ Cheapest, but least secure Printed on Paper & Given to User

Password Distribution

When a system uses multiple levels and methods of authentication

Categories of authentication◦ Something you are (biometrics)◦ Something you have (phone, computer)◦ Something you know (standard password)

Can be as simple as having a standard password and a generated one-time password for log ins

Multi-Factor Authentication

Passwords cannot be stolen by traffic-sniffers and key loggers

Passwords cannot be cracked by traditional methods

Not very susceptible to phishing attempts/non-secure users

Passwords are, in theory, not re-usable◦ Stolen passwords are useless

Benefits

Theft of the password-generator or a list of valid passwords is still a possibility

Cracking the password-generation algorithm In cases of SMS/e-mail/other messaging, the

service provider in the middle must prevent interception

Malware that can trick a user into giving up a password before its use

Vulnerabilities

One-time passwords are generally safer than regular passwords

May be too much◦ Too many prompts can frustrate users

Cost money to implement but often cheaper than other methods such as biometrics

Other Pros & Cons

One-time passwords are a much safer alternative◦ Thwart key loggers, traffic sniffers, phishers

One-time password still have vulnerabilities, though they are harder to crack

Deciding on the password system depends on the company and the security measures necessary◦ Different systems may be more cost-effective

depending on the need◦ Find a balance between cost, simplicity, and security

Conclusion

Sergey Gordeychik and Dmitry Evteev (Positive Technologies) "One Time Passwords or Devil is in Details". Infosecurity on Softool 2008

Lecture 12: Passwords - Cornell University · Password Recipes •Recipes: rules for composing passwords •e.g., must have at least one number and one punctuation symbol and one

Some New Applications of One-Time Passwords Burt Kaliski, RSA Laboratories October 2006

BUSINESS ONLINE BANKING€¦ · corporate identification, User identification, password, one time passwords, mobile personal identification numbers etc. Non-Financial Transactions

Next Generation One Time Passwords & Enhanced Authentication · 2016-08-23 · Account Setup - A Simple 2 Step Process _____ The Patented Approach & Methodology Next Generation One

Cracking Passwords With Time-memory Trade-o s · Gildas Avoine Cracking Passwords with Time-memory Trade-o s 11. Coverage and Collisions Collisionsoccur during the precomputation

Communications Security - DSPCSP · •Using complex passwords (at least one capital, one numeral, one punctuation) •Using long passwords (thisisareasonablygoodpassword, x!A0 isn’t)

Week 2 - Wednesday. What did we talk about last time? Authentication Challenge-response Passwords

Protecting Systems with One Time Passwords · •Increase security for critical systems • This project especially helps with the problem of a compromised password • This is about

Strong Passwords - eSoftenb-wp.esoftbusiness.com/.../uploads/userfiles/file/StrongPasswords… · Passwords Always use strong passwords on the Internet. A strong password is one that

Passwords and You CREATING AND MAINTAINING SECURE PASSWORDS

1 Certificates, SSL, and One time passwords Fall 2010 David Brumley

Security Awareness Passwords - Illinois.gov · 3 Passwords Password Cracking Find weak passwords Verify the use of good passwords Characters (complex) Estimated time to crack 7 15

Creating Databases CSS example. One-way encryption. Passwords. Security issues. Work session.. Homework: Making unique posting on encryption, passwords,

Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?

Bachelor Thesis Michael Barth. 1. One-Time Passwords 2. OTPW 3. Android Plattform 4. App Entwicklung 5. OTPManager App

Do Users' Perceptions of Password Security Match Reality? · selecting terrible passwords and choose to do so intentionally, ... strong passwords. In fact, one of the most widely

Beyond passwords: time for a change

One-Time Passwords - Computer Forensic Investigations and

Independent One-Time Passwords - USENIX€¦ · Independent One-Time Passwords Aviel D. Rubin Bellcore ABSTRACT: Existing one-time password (OTP) schemes suffer several drawbacks

1. PASSWORD ATTACK · The host does not need to know the passwords. The host just has to be able to differentiate valid passwords from invalid passwords. This is easy with one-way

The Gathering Storm · 2019. 9. 12. · • One Time Passwords (OTP) • Verification Number masking • Mobile boarding pass • Use CPaaS functionality as core component in own

One Identity Safeguard for Privileged Passwords 2.7 ......2.7 Migration guidance. Overview Safeguard for Privileged Passwords version 2.7, has been simplified to allow for a separation

CSE 484 / CSE M 584 Computer Security: Passwords€¦ · Password Managers •Allows the user to use one secure password to secure all other passwords •Generate strong password

Chapter 7 Passwords - cdn.ttgtmedia.comcdn.ttgtmedia.com/.../HackingforDummiesCh07.pdf · Chapter 7 Passwords ... Therefore, passwords are one of the weakest links in ... This includes

Cracking Passwords with Time-memory Trade-o ssatoss.uni.lu/seminars/srm/pdfs/2014-Gildas-Avoine.pdf · Cracking Passwords with Time-memory Trade-o s Gildas Avoine INSA Rennes (France),

Lecture 12: Passwords · Password Recipes •Recipes: rules for composing passwords •e.g., must have at least one number and one punctuation symbol and one upper case letter •[Kelley

SurePassID Authenticator Guide · 2020-02-14 · Introduction This technical guide describes how to use the SurePassID Mobile Authenticator app to generate One-Time Passwords (OTP)

Passwords, Passwords and more Passwords

Chapter 7 Passwords · users often neglect this. Therefore, passwords are one of the weakest links in the information-security chain. Passwords rely on secrecy. After a password is

Multi-Factor Password-Authenticated Key Exchange · Twomajorsecurityproblemsontoday’sInternetarephishingand spyware. Theyaimtoextractvaluableprivateinformation. Existingsecurityapproaches,suchasSSL,passwords,andone-time

Management with Keycloak Opensource Identity & Access€¦ · • Flexible Authentication and Authorization • Multi-Factor Authentication One-time Passwords • Social Login Google,

One Secret to Many Passwords

Ch 1: Introducing Windows XP - samsclass.info · Web viewStandard passwords are typically static in nature One-time passwords (OTP) Dynamic passwords that change frequently Systems

one-time passwords

Documents

generated onetime password

password system

standard passwords

new password

usethe password

phishersonetime password

public pcsgenerated

reusablestolen passwords