Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Slides:



Advertisements
Similar presentations
Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Advertisements

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
August 15 click! 1 Basics Kitsap Regional Library.
Computer Security CS 426 Lecture 3
How to Create (and use) Strong & Unique Passwords Larry Magid Co-director ConnectSafely.org.
Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18,
Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.
Welcome to the wonderful world of……. . A Quick & Easy Guide.  What IS ?  A quick, easy and convenient way to send a letter to friends, family.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
ESCCO Data Security Training David Dixon September 2014.
Staying Safe Online Keep your Information Secure.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Crimes of Negligence or Incompetence Presented By: Lisa R. Williams.
Protecting Your Personal Information November 15, 2013.
David Evans CS150: Computer Science University of Virginia Computer Science Class 31: Cookie Monsters and Semi-Secure.
Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,
Lecture 17 Page 1 CS 236 Online Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption –With good encryption,
Lecture 17 Page 1 CS 236 Online Privacy CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.
Security CS Introduction to Operating Systems.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Lecture 13 Page 1 CS 236 Online Principles for Secure Software Following these doesn’t guarantee security But they touch on the most commonly seen security.
Lecture 7 Page 1 CS 236 Online Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 5 Page 1 CS 236 Online Key Management Choosing long, random keys doesn’t do you any good if your clerk is selling them for $10 a pop at the back.
1 Day 2 Logging in, Passwords, Man, talk, write. 2 Logging in Unix is a multi user system –Many people can be using it at the same time. –Connections.
Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks.
Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
CSCE 201 Identification and Authentication Fall 2015.
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
COOKIES AND SESSIONS.
1 Web Technologies Website Publishing/Going Live! Copyright © Texas Education Agency, All rights reserved.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
Lecture 7 Page 1 CS 236, Spring 2008 Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.
Don’t click on that! Kevin Hill.  Spam: Unwanted commercial ◦ Advertising ◦ Comes from people wanting to sell you stuff. ◦ Headers may be forged.
Lecture 3 Page 1 CS 236 Online Basic Encryption Methods Substitutions –Monoalphabetic –Polyalphabetic Permutations.
Lecture 7 Page 1 CS 136, Fall 2011 Authentication CS 136 Computer Security Peter Reiher October 13, 2011.
SCHOLARSHIPS You wont get scholarships if you don’t apply for them…
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
How to Enable Account Key Sign Instead Of Password In Yahoo? For more details:
Secure HTTP (HTTPS) Pat Morin COMP 2405.
Outline The basic authentication problem
Authentication CS 136 Computer Security Peter Reiher October 18, 2012
Outline Properties of keys Key management Key servers Certificates.
Ways to protect yourself against hackers
Password Management Limit login attempts Encrypt your passwords
Outline Introduction Basic authentication mechanisms
CS 465 PasswordS Last Updated: Nov 7, 2017.
Setting up an online account
Authentication Computer Security Peter Reiher April 19, 2016
Authentication CS 136 Computer Security Peter Reiher January 28, 2010
Authentication Computer Security Peter Reiher January 31, 2017
Web Security Advanced Network Security Peter Reiher August, 2014
Authentication CS 136 Computer Security Peter Reiher April 21, 2009
Presentation transcript:

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating new passwords Password transport

Lecture 7 Page 2 CS 236 Online Limit Login Attempts Don’t allow dictionary attacks “over the wire” After some reasonable number of failed login attempts, do something –Lock account –Slow down iPhone does this, Android doesn’t –Watch more closely

Lecture 7 Page 3 CS 236 Online Encrypt Your Passwords Using the techniques we just covered One would think this advice isn’t necessary, but... –Yahoo lost half a million unencrypted passwords in 2012 Encryption is more expensive and less convenient –But a lot more secure

Lecture 7 Page 4 CS 236 Online Protecting the Password File So it’s OK to leave the encrypted version of the password file around? No, it isn’t Why make it easy for attackers? Dictionary attacks on single accounts still work And there are “popular” passwords, leading to easy dictionary attacks even with encryption Generally, don’t give access to the encrypted file, either

Lecture 7 Page 5 CS 236 Online Other Issues for Proper Handling of Users’ Passwords Sites should store unencrypted passwords as briefly as possible –Partly issue of how they store the file –Partly issue of good programming Don’t leave passwords in temp files or elsewhere Should not be possible to print or save someone’s unencrypted password Use encrypted network transport for passwords If your server is compromised, all of this might not help

Lecture 7 Page 6 CS 236 Online Wireless Networks and Passwords Wireless networks are often unencrypted Web sites used to request and transport passwords in the clear So eavesdroppers could hear passwords being transported Important to encrypt these messages

Lecture 7 Page 7 CS 236 Online Handling Forgotten Passwords Users frequently forget passwords How should your site deal with it? Bad idea: –Store plaintext passwords and send them on request Better idea: –Generate new passwords when old ones forgotten Example of common security theme: –Security often at odds with usability

Lecture 7 Page 8 CS 236 Online Generating New Passwords Easy enough to generate a random one But you need to get it to the user If attacker intercepts it, authentication security compromised How do you get it to the user?

Lecture 7 Page 9 CS 236 Online Transporting New Passwords Engineering solution is usually to send it in –To an address the user registered with you earlier Often fine for practical purposes But there are very serious vulnerabilities –E.g., unencrypted wireless networks If you really care, use something else –E.g., surface mail

Lecture 7 Page 10 CS 236 Online User Issues With Passwords Password proliferation Choosing passwords Password lifespan

Lecture 7 Page 11 CS 236 Online Password Proliferation Practically every web site you visit wants you to enter a password Should you use the same password for all of them? Or a different password for each?

Lecture 7 Page 12 CS 236 Online Using the Same Password +Easier to remember -Much less secure One password guesser gets all your authentication info Do you trust all the sites you visit equally? Compromise in one place compromises you everywhere Real attacks are based on this vulnerability

Lecture 7 Page 13 CS 236 Online Using Different Passwords +Much more secure -But how many passwords can you actually remember? -And you might “solve” this problem by choosing crummy passwords

Lecture 7 Page 14 CS 236 Online Other Options Use a few passwords –Maybe classified by type of site or degree of trust Write down your passwords –Several disadvantages –Could write down hints, instead Use algorithm customized to sites Password vaults

Lecture 7 Page 15 CS 236 Online Choosing Passwords Typically a compromise between: –Sufficient security –Remembering it Major issues: –Length –Complexity

Lecture 7 Page 16 CS 236 Online How Long Should Passwords Be? Generally a function of how easy it is for attackers to attack them Changes as speed of processors increase Nowadays, 15 character password are pretty safe –If they aren’t guessable... Old sites may demand shorter ones

Lecture 7 Page 17 CS 236 Online Some Password Choice Strategies Use first letters from a phrase you remember Use several randomly chosen words Replace letters with numbers and symbols –Helps, but less if you use common replacements (e.g., “0” for “o”) –Also less useful if you limit it to 1 st and last character of password

Lecture 7 Page 18 CS 236 Online Password Lifespan How long should you use a given password? Ideally, change it frequently Practically, will you remember the new one? Is a good, old password worse than a bad, new one? –Many issues of crypto key reuse are relevant here

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.