Taken from Hazim Almuhimedi presentation modified by Graciela Perera Text passwords Taken from Hazim Almuhimedi presentation modified by Graciela Perera

Agenda How good are the passwords people are choosing? Human issues

Authentication Mechanisms Something you have cards Something you know Passwords Cheapest way. Most popular. Something you are Biometric fingerprint

Password is a continuous problem Password is a series real-world problem. SANS Top-20 2007 Security Risks Every year, password’s problems in the list: Weak or non-existent passwords Users who don’t protect their passwords OS or applications create accounts with weak/no passwords Poor hashing algorithms. Access to hash files Source: Jeffery Eppinger, Web application Development.

Poor, Weak Password Poor, weak passwords have the following characteristics: The password contains less than 15 characters. The password is a word found in a dictionary (English or foreign) The password is a common usage word. Source: Password Policy. SANS 2006

Strong Password Strong passwords have the following characteristics: Contain both upper and lower case characters Have digits and punctuation characters Are at least 15 alphanumeric characters long and is a passphrase. Are not a word in any language , slang , dialect , jargon. Are not based on personal information. Passwords should never be written down or stored on-line. Source: Password Policy. SANS 2006

Strong Password ?

Strong Password At least 8 characters. Contain both upper and lower case characters. Have digits and punctuation characters

Password length Average: 8 characters.

Password length There is a 32-character password Other long passwords: "1ancheste23nite41ancheste23nite4“ Other long passwords: "fool2thinkfool2thinkol2think“ "dokitty17darling7g7darling7"

Character Mix

Common Passwords Top 20 passwords in order. password1 abc123 myspace1 Blink182 qwerty1 fuckyou 123abc baseball1 football1 123456 soccer monkey1 liverpool1 princess1 jordan23 slipknot1 superman1 iloveyou1 monkey

Common Password "qwerty1" refers to QWERTY is the most common keyboard layout on English-language computer.

Passwords getting better Who said the users haven’t learned anything about security?

Human is often the weakest link in the security chain. Human Issues Social Engineering. Difficulties with reliable password Entry. Difficulties with remembering the password. Human is often the weakest link in the security chain.

Human Issues Social Engineering. Attacker will extract the password directly from the user. Attacks of this kind are very likely to work unless an organization has a well-thought-out policies. In his 2002 book, The Art of Deception, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering. Motorola case http://www.youtube.com/watch?v=J4yH2GPiE7o (3:09) Kevin Mitnick: It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in. http://www.youtube.com/watch?v=8_VYWefmy34 (2:00) Source: Wikipedia. Social engineering

Human Issues Social Engineering. How to solve this problem? Strong and well-known policy.

Human Issues Difficulties with remembering the password. The greatest source of complaints about passwords is that most people find them hard to remember. When users are expected to memorize passwords They either choose values that are easy for attackers to guess. Write them down. Or both.

Human Issues Conclusion: The majority of users select phrases from music lyrics, movies, literature, or television shows. This opens the possibility that a dictionary could be built for mnemonic passwords. If a comprehensive dictionary is built, it could be extremely effective against mnemonic passwords. Mnemonic-phrase based passwords offer a user-friendly alternative for encouraging users to create good passwords.