Homework #4 Comments. Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. –Email, Websites,


Homework #4 Comments

Passwords: What are they good for?
Today passwords are the #1 means of authenticating users on a day-to-day basis.
–Email, Websites, ATMs, Doors, Lockers, etc.
Password Recovery:
–Challenge/response questions
–Knowledge of previous transactions

Why the explosion of passwords?
Need to protect configuration information
–BIOS passwords, VChip, Cell Phones, etc.
Web services need persistent identification of users over time
No national/international identification service
–Microsoft Passport has failed

Student Recommendations
Change passwords periodically
–Minimum every 3 months
–Minimum every year
–Minimum every month…
Keep passwords in separate places
Use multiple passwords
Encrypt your passwords

New Ideas in Student Solutions
Instead of typing the password, have the user answer questions about their password
Some letters on the keyboard are easier to shoulder-surf than others. (xds) (,k)

Anderson: 3 types of password concerns
1. Will the user break the system security by disclosing the password to a third party, whether accidentally, on purpose, or as a result of deception?
2. Will the user enter the password correctly with a high enough probability?
3. Will users remember the password, or will they have to either write it down or choose one that’s easy for the attacker to guess?

A Password Policy “The root password for each machine shall be too long to remember, at least 16 alpha and numeric characters chosen at random by the system; it shall be written on a piece of paper and kept in an envelope in the room where the machine is located; it may never be divulged over the telephone or used over the network; it may only be entered at the console of the machine that it controls.” [Anderson, p. 37]

Threats to Passwords
What are the threats against passwords?
–Guessing
–Brute force search
–Shoulder surfing
–Discovering passwords that are written down
–Passwords collected at one website used for another
Kinds of attacks:
–Offline
–Online

Eavesdropping risks
Physical device --- key grabber
Trojan Horse
Tapped lines
Video Camera
…
The need for trusted path

Kinds of Attacks:
Targeted attack on one account
Attempt to penetrate any account on a system
Attempt to penetrate any account on any system
Service denial attack

Is login.ccs.neu.edu susceptible to password cracking? Yes!
[denali: ~] > ypcat passwd | head -20
packardj:qXb6U9G3Io3Zc:9045:104:Joshua R. Packard:/home/packardj:/bin/tcsh
tlannen:Y37EBLKOj4jvw:8332:105:Tim J. Lannen:/home/tlannen:/bin/tcsh
eponine:RpYmQfWHpklUk:5220:117:Jennifer Wand:/home/eponine:/bin/tcsh
accamma:Tq7vZzAufg8kA:9295:101:Accamma I. Vasantha:/home/accamma:/bin/tcsh
sajitk:NXj3x1vHYHD3w:9488:101:Sajit Kunjachen:/home/sajitk:/bin/tcsh
apearl:eKiqEU7sVN15Q:8340:104:Andrew R. Pearl:/home/apearl:/bin/tcsh
mball:N3qhNaXujXfB2:7680:104:James T. Bennett:/home/mball:/bin/tcsh
ghu:kRpRWBOjfbsUY:6653:101:guowei hu:/home/ghu:/bin/tcsh
rt:*:7925:1012:Request Tracker:/home/rt:/bin/tcsh
neuboy83:7MaJl3KpqZ/2Y:9512:105:Tariq N. Seifuddin:/home/neuboy83:/bin/tcsh
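The slide shows why the system is crackable: the second field of every passwd entry holds the real crypt(3) hash, and ypcat hands it to any user. The following is an added defender-side check, not part of the lecture, that parses passwd(5)-format lines and reports accounts whose hash (or lack of any password) is exposed rather than hidden behind a shadow marker. The sample lines, user names and hash values in it are constructed for the example, not taken from the slide.

```python
"""Flag passwd-format entries whose password hash is world-readable."""
import re

# Traditional DES crypt(3) hashes are 13 characters from this alphabet
# (the slide's hashes have that shape); modular-crypt hashes start with '$'.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

EXPOSED_KINDS = ("des-crypt", "modular-crypt", "unknown", "empty")


def classify_password_field(field):
    """Classify the second field of a passwd(5) entry."""
    if field == "x":
        return "shadowed"          # real hash lives in /etc/shadow
    if field == "":
        return "empty"             # no password at all: login without one
    if field.startswith(("*", "!")):
        return "locked"            # no hash can ever match
    if field.startswith("$"):
        return "modular-crypt"     # $1$, $5$, $6$, $y$ ... hash visible
    if DES_CRYPT.match(field):
        return "des-crypt"         # 13-char DES hash visible
    return "unknown"               # something non-standard: treat as exposed


def parse_passwd_line(line):
    """Split one passwd(5) line into its seven fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError("not a passwd(5) line: %r" % line)
    name, pw, uid, gid, gecos, home, shell = parts
    return {"name": name, "password": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def exposed_accounts(lines):
    """Return (account, kind) for every entry an offline cracker could use."""
    found = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_passwd_line(line)
        kind = classify_password_field(entry["password"])
        if kind in EXPOSED_KINDS:
            found.append((entry["name"], kind))
    return found


# Constructed sample in the same layout as the ypcat output above;
# the users and hash strings are made up for this example.
SAMPLE = """\
alice:Ab1Cd2Ef3Gh4I:1001:100:Alice Example:/home/alice:/bin/tcsh
bob:x:1002:100:Bob Example:/home/bob:/bin/bash
carol:$6$examplesalt$notarealhashvalue:1003:100:Carol Example:/home/carol:/bin/sh
rt:*:7925:1012:Request Tracker:/home/rt:/bin/tcsh
guest::1004:100:Guest:/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for name, kind in exposed_accounts(SAMPLE.splitlines()):
        print("%-10s %s" % (name, kind))
```

Run it against real output (`ypcat passwd | python3 check.py` with a `sys.stdin` loop in place of `SAMPLE`) and any line other than `x`, `*` or `!` entries is a finding: the fix is to move hashes into a shadow map readable only by root, as the `x` marker in the sample indicates.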

Protecting against Online Attacks: Defenses Against Guessing:
–Exponential back-off; Lock out; Notification; “Cracking”
–Dangers of lock-out: eBay doesn’t use it; why not?
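A hard lock-out lets anyone deny service to an account simply by submitting wrong passwords, which is the slide's point about why a site like eBay avoids it. Exponential back-off slows online guessing without that side effect. The class below is an added example, not code from the lecture; its delay schedule (three free attempts, then 1, 2, 4, ... seconds up to a cap) and the choice not to count attempts made during a wait are this example's own assumptions.

```python
"""Per-account exponential back-off for login attempts, without lock-out."""
from collections import defaultdict


class LoginThrottle:
    def __init__(self, base_delay=1.0, max_delay=300.0, free_attempts=3):
        self.base_delay = base_delay        # seconds after the free attempts run out
        self.max_delay = max_delay          # cap, so the delay never becomes a lock-out
        self.free_attempts = free_attempts  # typos should not cost the user anything
        self._failures = defaultdict(int)   # consecutive failures per account
        self._not_before = defaultdict(float)  # earliest time the next try is accepted

    def delay_after(self, failures):
        """Seconds to wait after `failures` consecutive failures."""
        if failures < self.free_attempts:
            return 0.0
        return min(self.max_delay,
                   self.base_delay * 2 ** (failures - self.free_attempts))

    def allowed(self, account, now):
        """(True, 0) if an attempt may be evaluated now, else (False, seconds to wait)."""
        wait = self._not_before[account] - now
        return (wait <= 0, max(0.0, wait))

    def attempt(self, account, password_ok, now):
        """Record one login attempt; `password_ok` is the verifier's verdict.

        Attempts arriving inside the wait window are refused before the
        password is even checked and do not extend the window (assumption
        of this example); a success resets the account's counter.
        """
        ok, wait = self.allowed(account, now)
        if not ok:
            return {"accepted": False, "retry_after": wait}
        if password_ok:
            self._failures[account] = 0
            self._not_before[account] = 0.0
            return {"accepted": True, "retry_after": 0.0}
        self._failures[account] += 1
        delay = self.delay_after(self._failures[account])
        self._not_before[account] = now + delay
        return {"accepted": False, "retry_after": delay}


if __name__ == "__main__":
    throttle = LoginThrottle(base_delay=1.0, max_delay=60.0)
    clock = 0.0
    for i in range(6):
        result = throttle.attempt("alice", False, clock)
        print("attempt %d at t=%.0f -> %s" % (i + 1, clock, result))
        clock += result["retry_after"]
```

Because the delay is capped, a flood of wrong guesses slows the attacker (and, briefly, the legitimate user) but never shuts the account; pairing this with the slide's "Notification" item tells the owner that guessing is happening.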

Protecting against Offline Attacks
Does it make sense to mandate symbols and numbers in passwords?
–# of letters: 52 (26 lower + 26 UPPER)
–# of symbols: 30
–# of 8 letter passwords: 52^8
–# of 7 character passwords with 1 symbol: (52^7)(30)(8)
–How about forcing 1 number and 1 symbol? (52^6)(30)(8)(10)(7)
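The counts on the slide are the "exactly one symbol" and "exactly one symbol and one digit" cases for 8 positions. As an added example (not the lecture's own code), the function below reproduces those three numbers with the slide's alphabet sizes and generalises the formula to any number of mandated symbols and digits, then uses inclusion-exclusion for the rule a real policy states, "at least one of each", to show how much of the full 92^8 space an attacker who knows the policy can skip. Alphabet sizes are the slide's; everything else is the example's own.

```python
"""Keyspace sizes under password composition rules."""
from math import comb

LETTERS, SYMBOLS, DIGITS = 52, 30, 10   # the slide's alphabet sizes


def exactly(n, symbols=0, digits=0, L=LETTERS, S=SYMBOLS, D=DIGITS):
    """Length-n strings with exactly `symbols` symbols and `digits` digits, the rest letters.

    Choose which positions hold symbols, then which of the remaining hold
    digits, then fill each position from its class.  With n=8, symbols=1
    this is comb(8,1)*30*52^7, the slide's (52^7)(30)(8).
    """
    if symbols + digits > n:
        return 0
    return (comb(n, symbols) * comb(n - symbols, digits)
            * S ** symbols * D ** digits * L ** (n - symbols - digits))


def at_least_one_symbol_and_digit(n, L=LETTERS, S=SYMBOLS, D=DIGITS):
    """Inclusion-exclusion: all strings minus those lacking a symbol, minus those
    lacking a digit, plus those lacking both (subtracted twice)."""
    return (L + S + D) ** n - (L + D) ** n - (L + S) ** n + L ** n


def slide_counts(n=8):
    """The three quantities written on the slide."""
    return {
        "letters_only": exactly(n),                                 # 52^8
        "one_symbol": exactly(n, symbols=1),                        # (52^7)(30)(8)
        "one_symbol_one_digit": exactly(n, symbols=1, digits=1),    # (52^6)(30)(8)(10)(7)
    }


def search_reduction(n=8):
    """Fraction of the full (L+S+D)^n space that the 'at least one symbol and
    one digit' rule excludes, i.e. what a policy-aware attacker need not try."""
    full = (LETTERS + SYMBOLS + DIGITS) ** n
    return 1 - at_least_one_symbol_and_digit(n) / full


if __name__ == "__main__":
    for name, value in slide_counts().items():
        print("%-22s %d  (~2^%.1f)" % (name, value, value.bit_length() - 1))
    print("full 92^8 space:        %d" % (92 ** 8))
    print("policy excludes %.1f%% of it" % (100 * search_reduction()))
```

The compliant subset is larger than the all-letter space, so the rule does force users out of the weakest region, but it is also noticeably smaller than the unconstrained 92-character space, which is the trade-off the slide's question is getting at.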

Password Generating Algorithms
What’s wrong with giving advice on how to generate passwords?
What’s the alternative?
–Programmatically picking passwords that are easy-to-remember

Developer Recommendations
Force users to change passwords regularly
Password != Username
Require 8 or more characters
Require a mix of alpha, numeric, and special characters
Deny access after a number of failed attempts
Do not send passwords “in the clear”
Do not assign “default passwords”

Restrictions on Passwords: No Consistency
1-14 characters vs characters vs characters
–Recommendation: Mandate minimums, but allow people to type extra characters (that might be ignored)
–ATM networks used to ignore all characters after first 4
Some passwords are case-sensitive; some are not.
–Recommendation: Check password with case-flipped for CAPS LOCK ON accident.
Some systems allow the use of special characters, some do not.
–Why does this happen?
–What do we do about this?
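The developer recommendations two slides up and the CAPS LOCK recommendation here fit in one small module, added as an example rather than taken from the lecture. `check_new_password` enforces the 8-character minimum, the password-is-not-the-username rule and the class mix; `verify_password` checks the password as typed and, if that fails, the case-flipped version once, reporting the flip so the login page can tell the user to look at CAPS LOCK. Storage uses salted PBKDF2 from the standard library; the iteration count, the 16-byte salt and all function names are assumptions of this example.

```python
"""Policy check for new passwords and CAPS LOCK-tolerant verification."""
import hashlib
import hmac
import os

MIN_LENGTH = 8          # the slide's "8 or more characters"
SALT_BYTES = 16         # example value
ITERATIONS = 100_000    # example value; tune upward for production hardware


def check_new_password(username, password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:            # a minimum, not a maximum: longer is fine
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() == username.lower():  # Password != Username
        problems.append("equal to the username")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(not c.isalnum() for c in password):
        problems.append("no special characters")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt || digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    """Return (ok, caps_lock_suspected).

    The typed password is tried first; if it fails and flipping the case
    changes it, the flipped form is tried once.  A match there is still a
    valid login, but the caller should warn that CAPS LOCK looks to be on.
    """
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]

    def matches(candidate):
        computed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
        return hmac.compare_digest(computed, digest)

    if matches(password):
        return True, False
    flipped = password.swapcase()
    if flipped != password and matches(flipped):
        return True, True
    return False, False


if __name__ == "__main__":
    print(check_new_password("alice", "alice"))
    stored = hash_password("Secret!42")
    print(verify_password("Secret!42", stored))
    print(verify_password("sECRET!42", stored))   # CAPS LOCK on
    print(verify_password("wrong", stored))
```

Only one extra hash computation is ever spent on the flipped candidate, so the check does not give a guesser a second free try per attempt of any real value; it also interacts correctly with the back-off in the online-attack slide, since both candidates count as one attempt.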

Password Recovery
What’s the best way to do it?
Automatic vs. Manual
“What is your favorite Color?”
EBAI

Anderson’s Research Problems in Passwords:
What is the best way to enforce user compliance with a password policy?
Can we design interactive password systems that are better?
Can we use multiple passwords?
–Mother’s maiden name
–Password
–Amount of last purchase
–Dog’s nickname
–Your favorite color…