Text passwords, by Hazim Almuhimedi. Agenda: How good are the passwords people are choosing? Human issues. The Memorability and Security of Passwords.


Text passwords Hazim Almuhimedi

Agenda
◦ How good are the passwords people are choosing?
◦ Human issues
◦ The Memorability and Security of Passwords
◦ Human Selection of Mnemonic Phrase-based Passwords

Authentication Mechanisms
◦ Something you have: cards
◦ Something you know: passwords
 Cheapest way.
 Most popular.
◦ Something you are: biometrics
 fingerprint

Password is a continuous problem
Passwords are a serious real-world problem.
◦ SANS Top Security Risks
◦ Every year, password problems are in the list:
 Weak or non-existent passwords
 Users who don't protect their passwords
 OS or applications create accounts with weak/no passwords
 Poor hashing algorithms
 Access to hash files
Source: Jeffery Eppinger, Web Application Development.

How good are the passwords people are choosing?
It is a hard question to answer.
◦ Data is scarce.
◦ MySpace phishing attack

Poor, Weak Password
Poor, weak passwords have the following characteristics:
◦ The password contains fewer than 15 characters.
◦ The password is a word found in a dictionary (English or foreign).
◦ The password is a common usage word.
Source: Password Policy. SANS 2006

Strong Password
Strong passwords have the following characteristics:
◦ Contain both upper and lower case characters.
◦ Have digits and punctuation characters.
◦ Are at least 15 alphanumeric characters long and are a passphrase.
◦ Are not a word in any language, slang, dialect, or jargon.
◦ Are not based on personal information.
◦ Passwords should never be written down or stored on-line.
Source: Password Policy. SANS 2006

Strong Password?
◦ At least 8 characters.
◦ Contain both upper and lower case characters.
◦ Have digits and punctuation characters.
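The three slides above give two policy-style definitions of a strong password: the SANS 2006 criteria (15 characters, passphrase, no dictionary word) and the weaker "8 characters with mixed case, digits and punctuation" rule. The Python below is an added example, not part of the presentation or of the SANS policy it cites. It checks a candidate against both sets of criteria and estimates the brute-force keyspace implied by length and character mix. The word list is a constructed stand-in for a real dictionary file, and the keyspace figure assumes the attacker knows nothing beyond length and character classes, so it overstates the strength of anything built from a dictionary word; that gap is exactly what the MySpace data on the following slides illustrates.

```python
import math
import string

# Constructed stand-in for a dictionary file (a real audit would load one,
# for example the system word list); assumption for this example only.
DICTIONARY = {"password", "monkey", "princess", "soccer", "football",
              "baseball", "superman", "liverpool"}


def character_classes(pw):
    """Return the set of character classes present: lower, upper, digit, punct."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def keyspace_bits(pw):
    """Brute-force search space in bits, assuming the attacker knows only the
    length and which character classes were used and must try every string
    drawn from those classes. This is an upper bound: a dictionary word with a
    digit appended is far weaker than this number suggests."""
    sizes = {"lower": 26, "upper": 26, "digit": 10,
             "punct": len(string.punctuation)}
    alphabet = sum(sizes[c] for c in character_classes(pw))
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def sans_strong_failures(pw, dictionary=DICTIONARY):
    """List which of the SANS 2006 'strong password' criteria pw fails.
    An empty list means the password satisfies all of them."""
    failures = []
    classes = character_classes(pw)
    if not {"lower", "upper"} <= classes:
        failures.append("needs upper and lower case")
    if "digit" not in classes or "punct" not in classes:
        failures.append("needs digits and punctuation")
    if len(pw) < 15:
        failures.append("shorter than 15 characters")
    # Strip trailing digits/punctuation so that "password1" is still caught
    # as a dictionary word.
    core = pw.rstrip(string.digits + string.punctuation).lower()
    if core in dictionary:
        failures.append("based on a dictionary word")
    return failures


def meets_common_policy(pw):
    """The weaker rule on the 'Strong Password?' slide: at least 8 characters
    with upper and lower case, digits and punctuation."""
    classes = character_classes(pw)
    return len(pw) >= 8 and {"lower", "upper", "digit", "punct"} <= classes


if __name__ == "__main__":
    for candidate in ("password1", "Monkey1!", "Correct!Horse9Battery"):
        print(candidate, round(keyspace_bits(candidate), 1), "bits",
              "common policy:", meets_common_policy(candidate),
              "SANS failures:", sans_strong_failures(candidate))
```

Note that "Monkey1!" passes the 8-character rule while still failing the SANS dictionary criterion; the keyspace number alone would rate it at roughly 52 bits, which is meaningless against a wordlist attack that tries "monkey" plus a digit and a symbol.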

MySpace Phishing Attack
◦ A fake MySpace login page.
◦ Send the data to various web servers and get it later.
◦ 100,000 fell for the attack before it was shut down.
◦ This analysis covers 34,000 users.

Password length Average: 8 characters.

Password length
There is a 32-character password:
 "1ancheste23nite41ancheste23nite4"
Other long passwords:
 "fool2thinkfool2thinkol2think"
 "dokitty17darling7g7darling7"

Character Mix

Common Passwords
Top 20 passwords in order:
password1, abc123, myspace1, password, Blink182, qwerty1, fuckyou, 123abc, baseball1, football, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, monkey


Common Password
"Blink 182" is a band.
◦ A lot of people use the band's name.
 Easy to remember.
 It has numbers in its name, and therefore it seems like a good password.

Common Password
"qwerty1" refers to
◦ QWERTY, the most common keyboard layout on English-language computers.

Common Password
The band "Slipknot" doesn't have any numbers in its name
◦ which explains the "1".

Common Password
The password "jordan23" refers to
◦ basketball player Michael Jordan
◦ and his number, 23.

Common Password I don't know what the deal is with “monkey”.

Common Password

Passwords getting better Who said the users haven’t learned anything about security?

Human Issues
◦ Social Engineering.
◦ Difficulties with reliable password entry.
◦ Difficulties with remembering the password.
Humans are often the weakest link in the security chain.

Human Issues
Social Engineering.
◦ The attacker will extract the password directly from the user.
◦ Attacks of this kind are very likely to work unless an organization has well-thought-out policies.
◦ In his 2002 book, The Art of Deception, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering.
 Motorola case (3:09)
 Kevin Mitnick: It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in. (2:00)
Source: Wikipedia. Social engineering

Human Issues
Social Engineering.
336 CS students at the University of Sydney
 Some were suspicious:
 30 returned a plausible-looking but invalid password
 over 200 changed their passwords without official prompting.
 Very few of them reported it to an authority.

Human Issues
Social Engineering.
◦ How to solve this problem?
 Strong and well-known policy.

Human Issues
Difficulties with reliable password entry.
◦ If a password is too long or complex, the user might have difficulty entering it correctly.
◦ South Africa case
 20-digit number for the pre-paid electricity meters.
 Any suggested solution?
◦ If the operation they are trying to perform is urgent
 This might have safety or other implications.

Human Issues
Difficulties with remembering the password.
◦ The greatest source of complaints about passwords is that most people find them hard to remember.
◦ When users are expected to memorize passwords
 They either choose values that are easy for attackers to guess,
 write them down,
 or both.

The Memorability and Security of Passwords
Many of the problems of password authentication systems arise from the limitations of human memory.

The Memorability and Security of Passwords
Some passwords are very easy to remember
◦ but very easy to guess
 Dictionary attack.
Some passwords are very secure against guessing
◦ Difficult to remember.
◦ Might be compromised as a result of human limitations.
 The user may keep an insecure written record.

The Memorability and Security of Passwords
An experiment involving 400 first-year students at the University of Cambridge.
◦ Testing how strong mnemonic-based passwords are.
◦ Testing how easy they are to remember.
 In contrast with control and random passwords.

The Memorability and Security of Passwords
Methods:
◦ 4 types of attacks:
 Simple dictionary attack.
 Dictionary attack with permutation.
 User information attack.
 Brute force attack.
◦ Survey.

The Memorability and Security of Passwords
Conclusion:
◦ Users have difficulty remembering random passwords.
◦ Passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords are.

The Memorability and Security of Passwords
Conclusion:
◦ It isn't true that random passwords are better than those based on mnemonic phrases.
 Each type appeared to be as strong as the other.
◦ It is not true that passwords based on mnemonic phrases are harder to remember than naively selected passwords are.
 Each appeared to be reasonably easy to remember, with only about 2%-3% of users forgetting passwords.

Human Selection of Mnemonic Phrase-based Passwords
Hypothesis
◦ Users will select mnemonic phrases that are commonly available on the Internet.
◦ It is possible to build a dictionary to crack mnemonic phrase-based passwords.

Human Selection of Mnemonic Phrase-based Passwords
Survey
◦ A survey to gather user-generated passwords
 Mnemonic passwords (144)
 Control passwords (146)

Human Selection of Mnemonic Phrase-based Passwords
Attacks:
◦ Dictionary attack
 Generate a mnemonic password dictionary.
 400,000 entries
 John the Ripper
 For control passwords
 1.2 million entries
◦ Dictionary attack with permutation.
 Word mangling
 replacing "a" with
◦ Brute force attack.

Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Password Strength:

                                Control   Mnemonic
  Strength Score
  Number of Character classes
  Length                        9.9       9.5

Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Password Cracking Results:
◦ The user-generated mnemonic passwords were more resistant to brute force attacks than control passwords.

  Passwords compromised by            Control   Mnemonic
  Basic Dictionary                    6%        3%
  Basic Dictionary with Permutation   5%        1%
  Brute Force Attack                  8%        4%

Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Passwords based on external sources:
 The majority of mnemonic passwords are based on external sources.
 13% of control passwords are based on external sources.

Human Selection of Mnemonic Phrase-based Passwords Results: ◦ Password based on external sources:

Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
◦ The majority of users select phrases from music lyrics, movies, literature, or television shows.
◦ This opens the possibility that a dictionary could be built for mnemonic passwords.
 If a comprehensive dictionary is built, it could be extremely effective against mnemonic passwords.
◦ Mnemonic phrase-based passwords offer a user-friendly alternative for encouraging users to create good passwords.

Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
◦ Mnemonic phrase-based passwords are not as strong as people may believe.
◦ The space of possible phrases is large
 Building a comprehensive dictionary is not a trivial task.
◦ System designers and administrators should specifically recommend to users that they avoid generating mnemonic passwords from common phrases.
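The "Attacks" slide and the conclusion above describe the same audit method from two sides: a dictionary attack with word mangling against control passwords, and a dictionary built from the mnemonics of well-known phrases against mnemonic passwords. The Python below is an added example written for this page; it is not the study's tooling and not John the Ripper, whose real mangling rule set is far larger. The word list, the phrase list and the two sample password groups are all constructed for the example, and the substitution rules (to->2, a->@ and so on) are assumptions about how users abbreviate phrases. It reproduces the experiment in miniature: build the two dictionaries, then report the percentage of each password group that a simple lookup would compromise, which is the same "compromised by" measure as the results table.

```python
import string

# Constructed inputs standing in for the study's 1.2 million-entry word list
# and 400,000-entry phrase corpus.
WORDS = ["password", "monkey", "princess", "liverpool", "superman", "football"]
PHRASES = [
    "to be or not to be that is the question",
    "i want to hold your hand",
    "may the force be with you",
    "four score and seven years ago",
]

# Character substitutions of the "replace a with @" kind (assumed rule set).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Word-mangling rules of the kind a cracker applies to a plain word list:
    case changes, character substitutions, and one appended digit.
    Returns the set of variants, including the unmodified word."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    variants = set(bases)
    for base in bases:
        for digit in string.digits:
            variants.add(base + digit)
    return variants


def mnemonic_candidates(phrase):
    """Derive the passwords a user might build from a phrase: the first letter
    of each word, optionally with the common word-to-symbol substitutions
    (assumed here: to->2, for/four->4, you->u, and->&), in both cases."""
    subs = {"to": "2", "for": "4", "four": "4", "you": "u", "and": "&"}
    words = phrase.lower().split()
    plain = "".join(w[0] for w in words)
    subbed = "".join(subs.get(w, w[0]) for w in words)
    return {plain, subbed, plain.capitalize(), subbed.capitalize()}


def build_dictionaries(words=WORDS, phrases=PHRASES):
    """The three dictionaries used in the audit: plain words, mangled words,
    and mnemonics derived from common phrases."""
    basic = set(words)
    permutation = set().union(*(mangle(w) for w in words))
    mnemonic = set().union(*(mnemonic_candidates(p) for p in phrases))
    return {"basic": basic, "permutation": permutation, "mnemonic": mnemonic}


def audit(passwords, dictionaries):
    """Percentage (rounded) of the given passwords found in each dictionary,
    i.e. the 'compromised by' figure of the results table."""
    if not passwords:
        return {}
    return {name: round(100 * sum(1 for p in passwords if p in d) / len(passwords))
            for name, d in dictionaries.items()}


if __name__ == "__main__":
    dicts = build_dictionaries()
    # Constructed sample groups, one naively chosen and one mnemonic-based.
    control_group = ["password", "Monkey1", "liverpool1", "Xq7!kLp2"]
    mnemonic_group = ["tbontbtitq", "Mtfbwy", "4s&sya", "Xk9!pzqL"]
    print("control ", audit(control_group, dicts))
    print("mnemonic", audit(mnemonic_group, dicts))
```

With these constructed inputs the control group falls to the mangled word list and the mnemonic group falls to the phrase-derived list, while neither dictionary touches the two random strings; the point of the slide is that the second dictionary is only as good as its phrase corpus, which is why the conclusion calls building a comprehensive one non-trivial and advises users away from common phrases.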

Thank You