Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault.

Slides:

Advertisements

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Advertisements

Password Cracking Lesson 10. Why crack passwords?

Random Number Generation. Random Number Generators Without random numbers, we cannot do Stochastic Simulation Most computer languages have a subroutine,

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms by Patrick Gage Kelley, Saranga Komanduri, Michelle.

HOW DOES YOUR PASSWORD MEASURE UP The Effect of Strength Meters on Password Creation Rui Xie.

Routegadget analysis By: Matt Radford. Course information - The controls are labelled as if doing course A. - Control codes are next to the controls.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea

NetID Password Strength Initiative Gary Windham Senior Enterprise Systems Architect UITS Computing Services.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Memory Management 2010.

Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.

ENTROPY OF FINGERPRINT SENSORS. Do different fingerprint sensors affect the entropy of a fingerprint? RESEARCH QUESTION/HYPOTHESIS.

Handwritten Character Recognition using Hidden Markov Models Quantifying the marginal benefit of exploiting correlations between adjacent characters and.

To quantitatively test the quality of the spell checker, the program was executed on predefined “test beds” of words for numerous trials, ranging from.

Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Password Management PA Turnpike Commission

CIS 450 – Network Security Chapter 8 – Password Security.

PHYS 20 LESSONS: INTRO Lesson 1: Intro to CH Physics Measurement.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 3 – User Authentication.

(Down 6) 14. sunshine (Up 1) 15. master (Down 1) (Up 4) 17. welcome (New) 18. shadow (Up 1) 19. ashley (Down 3) 20. football.

User Management: Passwords cs3353. Passwords Policy: “Choose a password you can’t remember and don’t write it down”

Kevin Killourhy Visualization & Usability Group Information Access Division Information Technology Laboratory Usability Research in Support Of Cyber-Security:

Passwords. Outline Objective Authentication How/Where Passwords are Used Why Password Development is Important Guidelines for Developing Passwords Summary.

Implicit Relational Learning in a Multiple-Object Tracking Task: Do People Really Track the Objects? Tiffany Williams and Olga Lazareva (Department of.

Brute Force Password Cracking and its Role in Penetration Testing Andrew Keener and Uche Iheadindu.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

Mitch Parks, GSEC/GCWN ITS Desktop Security Analyst

How Safe are They?. Overview Passwords Cracking Attack Avenues On-line Off-line Counter Measures.

Internet Safety. Phishing, Trojans, Spyware, Trolls, and Flame Wars—oh my! If the idea of these threats lurking around online makes you nervous, then.

User Friendly Passwords Nicole Longworth Michael Shoppell RJ Brown.

Password Security. Overview What are passwords, why are they used? Different types of attacks Bad password practices to avoid Good password practices.

INTERNET SAFETY FOR KIDS

Week 4 - Friday.  What did we talk about last time?  Snow day  But you should have read about  Key management.

Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.

CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks.

Lecture 5 User Authentication modified from slides of Lawrie Brown.

Measuring Real-World Accuracies and Biases in Modeling Password Guessability Segreti. et al. Usenix Security 2015.

 Patrick Gage Kelley, et al. “Guess again (and again and again): [...].” In 2012 IEEE Symposium on Security and Privacy (SP), pp IEEE, 2012.

DES Analysis and Attacks CSCI 5857: Encoding and Encryption.

Guess again (and again and again) Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.

Passwords and Password Policies An Important Part of IT Control – by Craig Piercy.

Week 6. Statistics etc. GRS LX 865 Topics in Linguistics.

Building Structures. Building Relationships. Passwords February 2010 Marshall Tuck.

Password cracking Patrick Sparrow, Matt Prestifillipo, Bill Kazmierski.

1/16 Seeing through M IST given a Small Fraction of an RSA Private Key Colin D. Walter Comodo Research Lab (Bradford, UK)

Presentation for CDA6938 Network Security, Spring 2006 Timing Analysis of Keystrokes and Timing Attacks on SSH Authors: Dawn Xiaodong Song, David Wagner,

Identifying “Best Bet” Web Search Results by Mining Past User Behavior Author: Eugene Agichtein, Zijian Zheng (Microsoft Research) Source: KDD2006 Reporter:

Password Security Module 8. Objectives Explain Authentication and Authorization Provide familiarity with how passwords are used Identify the importance.

But first… some key terms…  Hash – Output string from a cryptographic hashing function that is hopefully impossible to go backwards to original input.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.

Confidentiality, Integrity, Awareness What Does It Mean To You.

Approaches to Intrusion Detection statistical anomaly detection – threshold – profile based rule-based detection – anomaly – penetration identification.

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

Understanding Security Policies Lesson 3. Objectives.

CSEN 1001 Computer and Network Security Amr El Mougy Mouaz ElAbsawi.

1 Web Technologies Website Publishing/Going Live! Copyright © Texas Education Agency, All rights reserved.

1. password (Unchanged) (Down 6) (Unchanged)14. sunshine (Up 1) (Unchanged)15. master (Down 1) 4. abc123 (Up.

Evaluation of count scores for weight matrix motifs Project Presentation for CS598SS Hong Cheng and Qiaozhu Mei.

Data Screening. What is it? Data screening is very important to make sure you’ve met all your assumptions, outliers, and error problems. Each type of.

1. password (Unchanged) (Down 6) (Unchanged)14. sunshine (Up 1) (Unchanged)15. master (Down 1) 4. abc123 (Up.

Understanding Security Policies

Penetration Testing Offline Password Cracking

Password Management Limit login attempts Encrypt your passwords

Investigation of Instructions for Password Generation

Password Cracking Lesson 10.

Kiran Subramanyam Password Cracking 1.

Presentation transcript:

Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault

 NIST SP800-63, from 2006, presents entropy-based password strength metric ◦ Based on Shannon’s information entropy from 1948  Goal: test NIST metric’s accuracy and conventional password policies with cracking attacks against real passwords  Data sets: RockYou.com (primary, ~32 million passwords) ◦ Also FaithWriters.com, Singles.org, Neopets.com (assumed), PhpBB.com

 Torpig takeover-largest previous study on real password security  No other major results on actual security of password creation policies, e.g. the effect of password length  Also theoretical work trying to establish guessing entropy based on Shannon’s information entropy

 4 bits for first character  2 bits for 2 nd -8 th characters  1.5 bits for chars 9 th -20 th characters  1 bit for each additional character  6 extra bits for upper case and/or non- alphabetic characters  Up to 6 extra bits for blacklist check

 Split RockYou data set randomly into 32 even lists, 1 million passwords each ◦ 1 st five lists are test set, last five are training set  RockYou set from multiple sites, no one policy affects whole set-more general  Observation: in first three lists, ~85% of passwords show bits of entropy

 Use John the Ripper to simulate offline cracking attacks (also use short runs to compare to NIST thresholds) ◦ Guessing rule set is simpler, slower than default ◦ Used general base dictionary at first, later an optimized dictionary based on training data set  Assumed in all cases that attacker is aware of password creation policy ◦ E.g. digits required, blacklist in effect

 First test: one billion guesses, passwords grouped by length (7+, 8+, 9+, and 10+characters) ◦ Increased length correlated with increased strength/lower cracking success ◦ But…

 Second test: same as before, but digits required ◦ Attack less successful against shorter passwords, oddly more successful against longer passwords  As longer passwords more likely contain digits, could have eliminated wasted guesses ◦ Also, significantly decreased effectiveness on first 100 million guesses  Usage of digits not uniform, ‘1’ is by far the most common, in ~11% of cases  ~85% of passwords with digits have them at the end or are entirely digits

 Shorter attack: 50 thousand guesses (feasible for an online attack), with the same dictionary ◦ Resulted in little difference based on password length  Short attack with optimized dictionary based on training set, performance similar to first test

 Very short attack (2000 guesses) with optimized dictionary ◦ Still much more successful than NIST thresholds would allow or NIST metric predicts

 Results imply blacklists are necessary ◦ NIST paper says blacklists necessary for the entropy metric, but what about the last rule that adds entropy for blacklisting  NIST cracking speed prediction is unrealistic

 Further attack tests show blacklisting to be very effective  However, attacks are still more successful than allowed by NIST’s Level 1 or 2 standards

 Requiring upper case or special characters decreases attack success, causes a plateau in cracking rate ◦ Most passwords (nearly 90% of length 7) with uppercase characters follow one of two patterns ◦ Special characters used in more varied ways

 Other data sets were attacked using training from RockYou set ◦ Attacks were generally more effective against other password sets, even though trained on RockYou

 Dictionary derived from RockYou training set was the most effective against FaithWriters passwords ◦ Note Singles.org believed to have similar demographic to FaithWriters

 Explicit policies: clear, explicit constraints ◦ Strong explicit policy can frustrate attacks ◦ However, passwords can still be vulnerable based on poor user choices  External policies: user-selected base password is strengthened by system ◦ Users tend to choose/reuse simpler base passwords ◦ Users may also write down passwords to remember them

 Implicit policies: reject passwords that are too easy to guess ◦ Rejection can be combined with other policies, e.g. an explicit policy ◦ Assuming basis for rejection (e.g. blacklist) is accurate, reduces average guessability of passwords ◦ Feedback can be used by attacker to improve attacks