CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Passwords.

Slides:



Advertisements
Similar presentations
Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Advertisements

Lecture 5: Cryptographic Hashes
Password Cracking Lesson 10. Why crack passwords?
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
CSC 474 Information Systems Security
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Password CrackingSECURITY INNOVATION © Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies.
Chapter 12: Authentication
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Sanjay Goel University at Albany, School of Business NYS Center for Information Forensics and Assurance 1 Password Protection.
Sanjay Goel, School of Business/NYS Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.
1 Lab Session-III CSIT-120 Fall 2000 Revising Previous session Data input and output While loop Exercise Limits and Bounds Session III-B (starts on slide.
IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.
Password Management. Password Protection Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password.
Passwords CSC 482/582: Computer Security. Topics 1. Password Systems 2. Password Attacks 3. Mitigating Attacks 4. Graphical passwords 5. One-time passwords.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
CIS 450 – Network Security Chapter 8 – Password Security.
Process by which a system verifies the identity of a user wishes to access it. Authentication is essential for effective security.
10/8/20151 Computer Security Authentication. 10/8/20152 Entity Authentication Entity Authentication is the process of verifying a claimed identity It.
Presented by: Lin Jie Authors: Xiaoyuan Suo, Ying Zhu and G. Scott. Owen.
David Evans CS150: Computer Science University of Virginia Computer Science Class 31: Cookie Monsters and Semi-Secure.
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,
Passwords. Outline Objective Authentication How/Where Passwords are Used Why Password Development is Important Guidelines for Developing Passwords Summary.
Breno de MedeirosFlorida State University Fall 2005 Windows servers The NT security model.
Password security Dr.Patrick A.H. Bours. 2 Password: Kinds of passwords Password A string of characters: PIN-code A string.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Password authentication Basic idea –User has a secret password –System checks password to authenticate user Issues –How is password stored? –How does system.
Exercises Information Security Course Eric Laermans – Tom Dhaene.
CIT 500: IT Fundamentals Users. Topics 1.Identity 2.User Accounts 3./etc/{passwd,shadow} 4.User Commands 5.Passwords 6.Groups 2.
Identification and Authentication CS432 - Security in Computing Copyright © 2005,2010 by Scott Orr and the Trustees of Indiana University.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
User Friendly Passwords Nicole Longworth Michael Shoppell RJ Brown.
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Passwords.
Pertemuan #9 Security in Practice Kuliah Pengaman Jaringan.
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
CSC 382/582: Computer SecuritySlide #1 CSC 382/582: Computer Security Passwords.
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Authentication What you know? What you have? What you are?
Password. On a Unix system without Shadow Suite, user information including passwords is stored in the /etc/passwd file. Each line in /etc/passwd is a.
CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Authentication.
Password Security Module 8. Objectives Explain Authentication and Authorization Provide familiarity with how passwords are used Identify the importance.
1 Authentication Protocols Rocky K. C. Chang 9 March 2007.
CSCE 201 Identification and Authentication Fall 2015.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
My topic is…………. - It is the fundamental building block and the primary lines of defense in computer security. - It is a basic for access control and.
CSCI 530 Lab Passwords. Overview Authentication Passwords Hashing Breaking Passwords Dictionary Hybrid Brute-Force Rainbow Tables Detection.
Managing Users CSCI N321 – System and Network Administration Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Understanding Security Policies Lesson 3. Objectives.
CIT 480: Securing Computer Systems
Authentication Schemes for Session Passwords using Color and Images
I have edited and added material.
Password Cracking Lesson 10.
Authentication.
CS 465 PasswordS Last Updated: Nov 7, 2017.
Presentation transcript:

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Passwords

CIT 380: Securing Computer SystemsSlide #2 Topics 1.Password Systems 2.Password Cracking 3.Hashing and Salting 4.Password Selection 5.Graphical Passwords 6.One-time Passwords

CIT 380: Securing Computer SystemsSlide #3 Passwords What you know Sequence of characters Complementation Function –Identity: requires access control to protect C –One-way Hash easy to compute c = f(a) difficult to compute a = f -1 (c)

CIT 380: Securing Computer SystemsSlide #4 Classic UNIX Passwords Format: Up to 8 ASCII characters –A contains 6.9 x possible passwords –C contains crypt hashes, strings of length 13 chosen from alphabet of 64 characters, 3.0 x strings Storage –/etc/passwd (0644) was traditionally used –/etc/shadow (0600) in modern systems

Online Hash Calculator CIT 380: Securing Computer SystemsSlide #5

CIT 380: Securing Computer SystemsSlide #6 Password Cracking Get Hashed Password pw hash word = Next word from list word hash = Hash(word) word hash == pw hash False True word is pw List of potential passwords.

CIT 380: Securing Computer SystemsSlide #7 Cracking Methods 1.List of common passwords 2.List of English/foreign words 3.Permutation rules –Substitute numbers/symbols for letters –Change case, pluralize, reverse words, character shifts, digit/symbol prefix/postfix,joining words 4.Brute force –All possible passwords

CIT 380: Securing Computer SystemsSlide #8 Making Password Guessing Easier Web sites will you password if you answer a simple “secret” question: 1.What is your favorite color? 2.What is your pet’s name? 3.What is your mother’s maiden name? Violation of fail-safe defaults Failover to less secure protocol. How many favorite colors are there?

CIT 380: Securing Computer SystemsSlide #9 Countering Password Guessing Select suitably low probability P(T) of guessing in time T. P(T)  TG / N –G is number of guess per time unit T –T is number of time units in attack –N is number of possible passwords

CIT 380: Securing Computer SystemsSlide #10 Calculating Minimum Password Length Password System –There are 96 allowable characters in password. –System allows 10 6 guesses/second. –Requirement: probablility of success guess should be 0.5 over 365-day period. What should the minimum password length be? –N >= TG/P –N >= (365 x 24 x 60 x 60) x 10 6 / 0.5 = 6.31 x –N =  96 i, where i ranges from 1 to length of password –  96 i >= N = 6.31 x is true when largest i >= 8 –The minimum required password length is 8.

CIT 380: Securing Computer SystemsSlide #11 UNIX Password Hashing crypt() function used for hashing –DES encrypts 64-bit block of 0s (25 rounds) using your password for the key. Modified DES incompatible with DES hardware cracking tools. –Limited to 8 characters or less. –If limited to 95 printable characters, only 2 53 possible passwords. –How to resist dictionary attacks? Salting

CIT 380: Securing Computer SystemsSlide #12 Salting Adds a 2-character (12-bit) random, public data to password to create key. Any word may be encrypted in 4096 possible ways (i.e., there are 4096 f  F). –Your password always uses same salt. –Someone else with same password (a) probably has different salt, and thus different c = f(a). Number of possible keys increased to 2 66 –Too small for today; modern UNIX doesn’t use crypt.

CIT 380: Securing Computer SystemsSlide #13 Salting (cont.) Prevents pre-calculated dictionary attack –2 66 passwords requires millions of terabytes crypt() 2 18 passwords/second –Brute force would require 8000 machines for 48 days.

CIT 380: Securing Computer SystemsSlide #14 Modern UNIX Passwords Format: long ASCII string Hashing techniques: –MD5 (unlimited length, bit salt) –SHA1 (unlimited length, bit salt) –Bcrypt (55 chars, 128-bit salt, adjustable cost)

CIT 380: Securing Computer SystemsSlide #15 Windows 2000/XP Passwords Storage –%systemroot%\system32\config\sam –locked while NT running –%systemroot%\repair\sam_ backup file –may be accessible via remote registry calls Format –LAN Manager (LM) Hash –NT (MD4) Hash

CIT 380: Securing Computer SystemsSlide #16 Windows LM Hash Algorithm 1.Password fitted to 14 character length by truncating or padding with 0s. 2.Password converted to upper case. 3.Password divided into two 7-byte halves. 4.Each half used as DES key to encrypt same 8-byte constant. 5.Resultant strings merged to form a 16-byte hash value.

CIT 380: Securing Computer SystemsSlide #17 Windows LM Hash Problems Last 8 bytes of c known if password < 7 chars. Dividing password into halves reducing problem of breaking 14-character password to breaking two 7- character passwords. Conversion to upper case reduces character set. Dictionary of password hashes can be prebuilt –Number of possible passwords much smaller than DES space. –No salt is used.

CIT 380: Securing Computer SystemsSlide #18 Windows NT Hash Converts to Unicode, MD4 hashes result Caveat: Often used in conjunction with LM hash, which is required for backwards compatibility. No salt: identical passwords generate identical hashes.

CIT 380: Securing Computer SystemsSlide #19 Password Selection 1.Random Selection 2.Pronounceable Passwords 3.User Selection

CIT 380: Securing Computer SystemsSlide #20 Random Selection Yields equal distribution of passwords for maximum difficulty in cracking –What about short passwords? Random passwords aren’t easy to remember –Short term memory holds 7 +/- 2 items –People have multiple passwords –Principle of Psychological Acceptability Requires a good PRNG

CIT 380: Securing Computer SystemsSlide #21 Random Selection (Bad)Example PDP-11 password generator –16-bit machine –8 upper-case letters and digits –|P| = 36 8 = 2.8 x –At sec/encryption, 140 years to brute force PRNG had period of 2 16 – 1 –Only 65,535 possible passwords –Requires 102 seconds to try all passwords

CIT 380: Securing Computer SystemsSlide #22 Pronounceable Passwords Generate passwords from random phonemes instead of random characters. –People can remember password as sequence of audible phonemes instead of characters, allowing easy recall of longer passwords. –Fewer pronounceable passwords exist than random passwords.

CIT 380: Securing Computer SystemsSlide #23 User Selection Allow users to choose passwords. Reject insecure passwords based on ruleset: 1.Based on account, user, or host names 2.Dictionary words 3.Permuted dictionary words 4.Patterns from keyboard 5.Shorter than 6 characters 6.Digits, lowercase, or uppercase only passwords 7.License plates or acronyms 8.Based on previously used passwords

CIT 380: Securing Computer SystemsSlide #24 Human Randomness?

CIT 380: Securing Computer SystemsSlide #25 Bad Passwords letmein password dragon qwerty michael harley ranger iwantu xxxxxxx turtle united porsche guitar black diamond nascar jun amanda phoenix mickey tigers purple xmen94 aaaaaa prince beach amateur ncc1701 tennis startrek swimming kitty rainbox giants enter 0 cupcake marlboro newyork diablo sexsex access14 abgrtyu dragon123 applepie skip just4fun xcvb typewriter

Password Generators CIT 380: Securing Computer SystemsSlide #26

CIT 380: Securing Computer SystemsSlide #27 How to Select Good Passwords 1.Long passwords, consisting of multiple words.. Use n th letter of each word if phrase too long. 2.Themes: 1.Word combinations: 3 blind katz 2. or URL: 3.Phone number: (888) 888-eight eight 4.Bracketing: Starfleet -> *!-Starfleet-!* 5.Add a word: shopping -> Goin’ shopping 6.Repetition: Pirate--PirateShip 7.Letter swapping: Sour Grape -> Gour Srape

CIT 380: Securing Computer SystemsSlide #28 Guessing via Authentication Fns If complements not accessible, attacker must use authentication functions. Cannot be prevented. Increase difficulty of auth function attack: Backoff: increasing wait before reprompting. Disconnection: disconnect after n failures. Disabling: disable account after n failures. Jailing: permit access to limited system, so admins can observe attacker.

CIT 380: Securing Computer SystemsSlide #29 Password Aging Requirement that password be changed after a period of time or after an event has occurred If expected time to guess is 180 days, should change password more frequently than 180 days 1.If change time too short, users have difficulty recalling passwords. 2.Cannot allow users to change password to current one. 3.Also prevent users from changing passwords too soon. 4.Give notice of impending password change requirement.

CIT 380: Securing Computer SystemsSlide #30 Graphical Passwords Face Scheme: Password is sequence of faces, each chosen from a grid of 9 faces. Story Scheme: Password is sequence of images, each chosen from a grid of 9, to form a story.

CIT 380: Securing Computer SystemsSlide #31 Challenge-Response Problem: passwords are reusable, and thus subject to replay attacks. Solution: authenticate in such a way that the transmitted password changes each time.

CIT 380: Securing Computer SystemsSlide #32 One-Time Passwords A password that’s invalidated once used. Challenge: number of auth attempt Response: one-time password Problems –Generation of one-time passwords Use hash or crytographic function –Synchronization of the user and the system Number or timestamp passwords

CIT 380: Securing Computer SystemsSlide #33 S/Key One-time password system based on a hash function h (MD4 or MD5). User initializes with random seed k. Key generator calculates: h(k) = k 1, h(k 1 ) = k 2, …, h(k n-1 ) = k n Passwords, in order used, are p 1 = k n, p 2 = k n-1, …, p n-1 = k 2, p n = k 1

CIT 380: Securing Computer SystemsSlide #34 S/Key Attacker cannot derive p i+1 from p i since p i = k n-i+1, p i+1 = k n-i, and h(k n-i ) = k n-i+1 which would require inverting h. Once user has used all passwords, S/Key must be re-initialized with a new seed.

S/Key CIT 380: Securing Computer SystemsSlide #35

CIT 380: Securing Computer SystemsSlide #36 S/Key Login 1.User supplies account name to server 2.Server replies with number i stored in skeykeys file 3.User supplies corresponding password p i 4.Server computes h(p i ) = h(k n-i+1 ) = k n-i+2 = p i-1 and compares result with stored password. If match, user is authenticated and S/Key updates number in skeykeys file to i+1 and stores p i

CIT 380: Securing Computer SystemsSlide #37 S/Key Login FreeBSD/i386 (example.com) (ttypa) login: s/key 97 fw13894 Password: Use S/Key calculator on local system to calculate response: % key 97 fw13894 Enter secret password: WELD LIP ACTS ENDS ME HAAG

CIT 380: Securing Computer SystemsSlide #38 Other One Time Password Systems Software: OPIE –Backwards compatible with S/Key (if same hash used). Hardware: RSA SecurID card –Displayed password changes every 60sec. –Password = constant password + SecurID

CIT 380: Securing Computer SystemsSlide #39 Key Points Good passwords need to be –Complex –Unique –Secret –Changed on a regular basis Stored passwords are secured via –Hashing (crypt, MD5, SHA1, bcrypt) –Salting One-time passwords offer greater security.

CIT 380: Securing Computer SystemsSlide #40 References 1.Ross Anderson, Security Engineering, Wiley, Matt Bishop, Introduction to Computer Security, Addison-Wesley, Mark Burnett and Dave Kleiman, Perfect Passwords, Syngress, Lorie Faith Cranor and Simson Garfinkel, Security and Usability, O’Reilly, Cynthia Kuo et. al., “Human Selection of Mnemonic Phrase-based Passwords,” SOUPS 2006, Neils Provos and David Mazieres, “A Future-Adaptable Password Scheme,” Ed Skoudis, Counter Hack Reloaded, Prentice Hall, Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e O’Reilly, 2003.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.