Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio López. Carnegie Mellon University, Pittsburgh, PA, USA. Presentation by David Ferreras

The Problem How can we tell when a password is secure? Which requirements make a password more resistant to guessing attacks?

The Problem There are many different composition policies for creating a password: – Minimum length – Numbers and symbols – Don’t allow words from a dictionary – Etc. Which one is better?

The Problem And, of course, users have to be able to remember it!!!

Measuring password strength The two most common methods: – Information entropy: the expected amount of information (in bits) in a string drawn from the password distribution. It gives only a lower bound on the expected number of guesses an attacker needs, so two policies with similar entropy can differ a lot in practice. – Empirical analysis: run password-guessing tools against the passwords and count how many are cracked.
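To make the gap between the two measures concrete, here is an added example (not code from the paper or the presentation) that computes Shannon entropy for a small constructed password distribution, the Massey lower bound on expected guesses that the entropy implies, and the number of guesses an attacker who guesses in order of decreasing probability actually needs. The distribution and the password names are constructed for illustration.

```python
import math

# Constructed toy password distribution (not from the paper): one very
# popular password plus 16 equally likely alternatives.
TOY_DISTRIBUTION = {"password": 0.5}
TOY_DISTRIBUTION.update({f"pw{i:02d}": 0.5 / 16 for i in range(16)})


def shannon_entropy(dist):
    """Shannon entropy H, in bits, of a distribution {password: probability}."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def massey_lower_bound(entropy_bits):
    """Massey's bound: an optimal attacker's expected number of guesses is
    at least 2**(H - 2) + 1, stated for H >= 2 bits."""
    if entropy_bits < 2:
        raise ValueError("Massey's bound is only stated for H >= 2 bits")
    return 2 ** (entropy_bits - 2) + 1


def optimal_guess_order(dist):
    """Order an attacker who knows the distribution would use: most likely first,
    ties broken alphabetically so the order is deterministic."""
    return sorted(dist, key=lambda pw: (-dist[pw], pw))


def guess_number(password, dist):
    """1-based position of the password in the optimal guess order (the number of
    guesses until it is found), or None if the attacker would never guess it."""
    if password not in dist:
        return None
    return optimal_guess_order(dist).index(password) + 1


def expected_guesses(dist):
    """Expected number of guesses for an attacker using the optimal order."""
    order = optimal_guess_order(dist)
    return sum(rank * dist[pw] for rank, pw in enumerate(order, start=1))


if __name__ == "__main__":
    h = shannon_entropy(TOY_DISTRIBUTION)
    print(f"entropy: {h:.2f} bits")
    print(f"Massey lower bound on expected guesses: {massey_lower_bound(h):.2f}")
    print(f"expected guesses, optimal attacker: {expected_guesses(TOY_DISTRIBUTION):.2f}")
    print(f"guess number of 'password': {guess_number('password', TOY_DISTRIBUTION)}")
```

For this distribution the entropy is 3 bits, so the bound says an attacker needs at least 3 guesses on average; the attacker actually needs 5.25 on average, while the single most popular password falls on guess 1. The bound holds, but it says nothing about the half of users who chose "password", which is exactly the per-password information a guess number provides.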

Measuring password strength The method in this paper: – Collect a dataset of passwords created under different password-composition policies – Estimate how many guesses various password-guessing tools would need to reach each collected password – The tool that does this is called the guess-number calculator

Test data Passwords created under different conditions: – Basic8survey: at least 8 characters, in a survey scenario – Basic8: at least 8 characters, in a second, non-survey scenario – Basic16: at least 16 characters – Dictionary8: at least 8 characters and may not contain a dictionary word (Openwall list) – Comprehensive8: at least 8 characters including an uppercase letter, a lowercase letter, a symbol and a digit; may not contain a dictionary word (Openwall list) – BlacklistEasy: at least 8 characters and may not contain a dictionary word (UNIX dictionary) – BlacklistMedium: same as BlacklistEasy but with the paid Openwall list – BlacklistHard: same, with a dictionary of 5 billion words
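The following is an added example, not code from the paper, showing how these composition policies can be enforced at password creation. The word list is a constructed stand-in for the Openwall and UNIX dictionaries, and the matching rule (lower-case the password, strip non-letters, reject if any list word appears as a substring) is an assumption, since the slide says only that the password "may not contain a dictionary word". The policy names follow the slide.

```python
import re

# Constructed tiny word list standing in for the Openwall / UNIX dictionaries
# (assumption: a real check would load the full list from disk).
TOY_DICTIONARY = {"password", "monkey", "dragon", "letmein", "welcome", "qwerty"}


def contains_dictionary_word(password, dictionary):
    """Assumed matching rule: lower-case, drop everything that is not a letter,
    then reject if any dictionary word is a substring of what remains."""
    letters = re.sub(r"[^a-z]", "", password.lower())
    return any(word in letters for word in dictionary)


def has_all_character_classes(password):
    """Comprehensive8 requirement: upper, lower, digit and symbol all present."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


# Policy definitions as described on the slide; the blacklist conditions differ
# from dictionary8 only in which word list is loaded.
POLICIES = {
    "basic8":         {"min_length": 8},
    "basic16":        {"min_length": 16},
    "dictionary8":    {"min_length": 8, "dictionary": True},
    "comprehensive8": {"min_length": 8, "dictionary": True, "classes": True},
    "blacklistEasy":  {"min_length": 8, "dictionary": True},
}


def check_policy(password, policy_name, dictionary=TOY_DICTIONARY):
    """Return the list of violations; an empty list means the password is accepted."""
    policy = POLICIES[policy_name]
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    if policy.get("classes") and not has_all_character_classes(password):
        violations.append("missing an uppercase letter, lowercase letter, digit or symbol")
    if policy.get("dictionary") and contains_dictionary_word(password, dictionary):
        violations.append("contains a dictionary word")
    return violations


if __name__ == "__main__":
    for pw, pol in [("monkey12", "basic8"), ("monkey12", "dictionary8"),
                    ("P@ssw0rd", "comprehensive8"), ("correcthorsebatterystaple", "basic16")]:
        print(f"{pol:15s} {pw!r}: {check_policy(pw, pol) or 'accepted'}")
```

Note what the dictionary check does and does not catch: "monkey12" fails dictionary8 but passes basic8, while "P@ssw0rd" passes comprehensive8 because the character substitutions hide the word from a letters-only check. Guessing tools that model such substitutions will still reach it early, which is why the paper measures guess numbers rather than trusting the policy alone.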

Guess-number calculator For most password-guessing algorithms it is possible to build a function that maps a password to the number of guesses the algorithm would need to reach it. Each algorithm is first trained on existing password data; the calculator then computes a password’s guess number directly, without actually producing every guess before it. The password-guessing algorithms tested are: – Brute force – Markov – Weir algorithm
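An added example (not the paper's calculator) of the simplest such function: a guess-number calculator for a brute-force attacker. The assumed attacker tries every string of length 1, then every string of length 2, and so on, in alphabet order within each length. Under that assumption the guess number has a closed form, so it can be computed for a 16-character password without enumerating the astronomically many guesses before it; a naive enumerator is included only to cross-check the closed form on tiny alphabets.

```python
import itertools
import string

# Assumption: the brute-force attacker counts through all strings of length 1,
# then length 2, ..., in alphabet order (like an odometer) over this alphabet.
DEFAULT_ALPHABET = string.ascii_lowercase + string.digits


def brute_force_guess_number(password, alphabet=DEFAULT_ALPHABET):
    """Closed-form guess number: how many guesses the attacker makes up to and
    including this password, with no enumeration of earlier guesses."""
    base = len(alphabet)
    index = {ch: i for i, ch in enumerate(alphabet)}
    if not password or any(ch not in index for ch in password):
        return None  # outside the attacker's alphabet: never guessed
    # every string shorter than the password is guessed first
    shorter = sum(base ** k for k in range(1, len(password)))
    # then the password's rank among strings of its own length, read as a
    # base-`base` number whose digits are the characters' alphabet positions
    position = 0
    for ch in password:
        position = position * base + index[ch]
    return shorter + position + 1


def brute_force_guesses(alphabet, max_length):
    """Yield guesses in exactly the attacker's order (cross-check only)."""
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def guess_number_by_enumeration(password, alphabet, max_length):
    """Slow reference implementation: count guesses until the password appears."""
    for n, guess in enumerate(brute_force_guesses(alphabet, max_length), start=1):
        if guess == password:
            return n
    return None


if __name__ == "__main__":
    for pw in ["a", "ba", "aaa"]:
        print(pw, brute_force_guess_number(pw, "ab"), guess_number_by_enumeration(pw, "ab", 3))
    print("password", brute_force_guess_number("password"))
    print("Passw0rd", brute_force_guess_number("Passw0rd"))  # None: uppercase not in alphabet
```

The same idea carries over to the Markov and Weir algorithms, but there the guess order follows model probabilities rather than a counter, so the calculator has to work out how many higher-probability strings the model would emit before a given password; that is what makes the paper's calculator the non-trivial part of the method.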

Results

Conclusions The requirements that produced the hardest-to-guess passwords: – Basic16: at least 16 characters – Comprehensive8: at least 8 characters including an uppercase letter, a lowercase letter, a symbol and a digit; may not contain a dictionary word Any questions?