Passwords Tom Ristenpart CS 6431. The game plan Historical analysis Brief overview of research landscape Current practices in industry Bonneau paper Weir.

Slides:



Advertisements
Similar presentations
Lecture 5: Cryptographic Hashes
Advertisements

Chapter User authorization & safety Maciej Mensfeld Presented by: Maciej Mensfeld User authorization & safety dev.mensfeld.pl.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.
Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault.
Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Tom Parker Project Manager Identity Management Team IT Security Group.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.
Password Management. Password Protection Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password.
Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length.
CIS 450 – Network Security Chapter 8 – Password Security.
Cracking-Resistant Password Vaults Using Natural Language Encoders
Lecture 11: Strong Passwords
Password Security Everything (well… a lot, anyway) you didn’t know, or want to, but really actually need to.
David Evans CS150: Computer Science University of Virginia Computer Science Class 31: Cookie Monsters and Semi-Secure.
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,
Passwords. Outline Objective Authentication How/Where Passwords are Used Why Password Development is Important Guidelines for Developing Passwords Summary.
Cracking-Resistant Password Vaults using Natural Language Encoders Presented by: Shengye Wan Some slides come from authors and Tuan Ari Juelsz, Thomas.
Brute Force Password Cracking and its Role in Penetration Testing Andrew Keener and Uche Iheadindu.
Honey Encryption: Security Beyond the Brute-Force Bound
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
Password authentication Basic idea –User has a secret password –System checks password to authenticate user Issues –How is password stored? –How does system.
6fb52297e004844aa81be d50cc3545bc Hashing!. Hashing  Group Activity 1:  Take the message you were given, and create your own version of hashing.  You.
D´ej`a Vu: A User Study Using Images for Authentication Rachna Dhamija,Adrian Perrig SIMS / CS, University of California Berkeley 報告人:張淯閎.
Identification and Authentication CS432 - Security in Computing Copyright © 2005,2010 by Scott Orr and the Trustees of Indiana University.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
User Friendly Passwords Nicole Longworth Michael Shoppell RJ Brown.
Lecture 2: Introduction to Cryptography
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Lecture 5 User Authentication modified from slides of Lawrie Brown.
Lecture 7 Page 1 CS 236 Online Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Measuring Real-World Accuracies and Biases in Modeling Password Guessability Segreti. et al. Usenix Security 2015.
Authentication What you know? What you have? What you are?
Wireless & password security Mark Theeuwes. 2 Wireless basics.
Shouling Ji, Shukun Yang, and Raheem Beyah Georgia Institute of Technology Ting Wang Lehigh University Changchang Liu and Wei-Han Lee Princeton University.
Password. On a Unix system without Shadow Suite, user information including passwords is stored in the /etc/passwd file. Each line in /etc/passwd is a.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
Approaches to Intrusion Detection statistical anomaly detection – threshold – profile based rule-based detection – anomaly – penetration identification.
CSCI 530 Lab Passwords. Overview Authentication Passwords Hashing Breaking Passwords Dictionary Hybrid Brute-Force Rainbow Tables Detection.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
FERPA & Data Security:FERPA & Data Security: Passwords and Authenticators.
PASSWORD tYPOS and How to Correct Them Securely R. Chatterjee, A. Athalye, D. Akhawe, A. Juels, T. Ristenpart To typo is human; to tolerate, divine.
7/10/20161 Computer Security Protection in general purpose Operating Systems.
Password Management Limit login attempts Encrypt your passwords
Authentication CSE 465 – Information Assurance Fall 2017 Adam Doupé
CS 465 PasswordS Last Updated: Nov 7, 2017.
Security.
Kiran Subramanyam Password Cracking 1.
Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé
Elections Choose wisely, this is your chance to prove if election by popular vote works or not.
Security.
Authentication CSE 365 – Information Assurance Fall 2019 Adam Doupé
Presentation transcript:

Passwords Tom Ristenpart CS 6431

The game plan Historical analysis Brief overview of research landscape Current practices in industry Bonneau paper Weir et al. paper Misc and wrap-up

Password use cases OS login Website / service login PINs Encryption Authentication Confidentiality

PW-based authentication: the basic architecture Register: tom, pw Store tom, pw in some form. login: tom, pw’ Authentication service Check that pw’ = pw What are security threats?

The history of password research “Human beings being what they are, there is a strong tendency for people to choose relatively short and simple passwords that they can remember. “ [Morris, Thompson 1979] Analysis of UNIX passwords & password-hashing system

“The results were disappointing, except to the bad guy. In a collection of 3,289 passwords gathered from many users over a long period of time, 15 were a single ASCII character; 72 were strings of two ASCII characters; 464 were strings of three ASCII characters; 477 were strings of four alphamerics; 706 were five letters, all upper-case or all lower-case; 605 were six letters, all lower-case.” [Morris, Thompson 1979] The history of password research 86% crackable

Morris, Thompson suggest: – Slow hashing (they called it encryption) – Less predictable passwords – Salt before hashing – Use custom version of DES to avoid hardware – Don’t have separate error for bad login The history of password research

The research landscape since 1979… Understanding user selection – Measuring password strength [see citations in Bonneau paper], [Li, Han `14], [CMU papers] Guiding password selection – Strength meters, requirements, etc. – Password expiration [Zhang et al. ‘12] Password transmission, login logic – Single sign-on (SSO) technologies Password hashing – New algorithms [PKCS standards], [Percival ’09], [Biryukov, Khovratovich ‘15] – Proofs [Wagner, Goldberg ‘00] [Bellare, Ristenpart, Tessaro ‘12] Improving offline brute-force attacks – Time-space trade-offs (rainbow tables) [Hellman ’80], [Oeschlin ‘03], [Narayanan, Shmatikov ‘05] – Better dictionaries [JohntheRipper], [Weir et al. ‘09], [Ma et al. ‘14] Password managers – Decoy-based [Bojinov et al. ’10], [Chatterjee et al. ‘15] – Breaking password managers [Li et al. ‘14] [Silver et al. ’15] – Stateless password managers [Ross et al. ’05]

What do you think is the quality of password management today?

/main.php Courtesy of Belenko, Troshichev (viaForensics)

Linked in circa 2012 stored passwords as which of: pw MD5(pw) H(salt,pw) H c (salt,pw) 6.5 million hashes leaked 90% cracked in 2 weeks

Offline brute-force attacks Dictionary: List of probable passwords h 1 = H(pw 1 ) h 2 = H(pw 2 ) … h m = H(pw m ) H(guess 1 ), H(guess 2 ), … Check if any guesses equal any of h 1, …, h m

Password hashing Recall Morris, Thompson goal: slow down brute-force attacks PKCS#5 approach: HHH … pw || salt h = H c (pw || salt) H : {0,1} * -> {0,1} n is cryptographic hash function (e.g., SHA-256) salt should be random bit string large enough to be unpredictable c times

Password hashing Recall Morris, Thompson goal: slow down brute-force attacks The role of salts: – Prevents use of time-memory trade-offs (rainbow tables) – Cracking m accounts requires m times the work h 1 = H c (pw 1,salt 1 ) h 2 = H c (pw 2,salt 2 ) … h m = H c (pw m,salt m ) Proofs: See [Bellare, Ristenpart, Tessaro ‘12]

$cur = ‘password’ $cur = md5($cur) $salt = randbytes(20) $cur = hmac_sha1($cur, $salt) $cur = remote_hmac_sha256($cur, $secret) $cur = scrypt($cur, $salt) $cur = hmac_sha256($cur, $salt) Facebook password “onion”

Brute-force attacks Offline attacks of hashed database slowed down by a constant factor -- guessing still works if passwords are bad – Nowadays, use memory-hard functions (e.g., scrypt, Argon2) Online brute-force attacks – Public login pages – Compromised web server in distributed security architecture

Rockyou data breach: 32 million social gaming accounts password iloveyou princess rockyou abc nicole daniel babygirl monkey lovely jessica michael ashley qwerty iloveu michelle tigger sunshine chocolate password soccer anthony friends butterfly purple angel jordan 9764 liverpool 9708 justin 9704 loveme 9610 fuckyou... 9 tonee 9 tonebone 9 tonatzin 9 tonatihu 9 tonaor 9 tonantzin 9 tomybill 9 tomtomgo 9 tomtom8 9 tomrules 9 tomoe 9 tommyr 9 tommylee1 9 tommyjr 9 tommydog... 5 dansbaby 5 dansar 5 danrules 5 danrox 5 danrick 5 danou 5 danota 5 danonino1 5 danone1 [Bonneau 2012] 69 million Yahoo! Passwords 1.1% of users pick same password Most common password used by almost 1%

Rockyou empirical probability mass function (Only first 5,000 points shown)

Bonneau Yahoo password study Instrument login infrastructure Hash passwords with key H(K,pw) and store result in histogram Throw away K – Can’t do brute-force attacks later on – Only learn empirical distribution of passwords Also stored some demographic information

Password strength metrics Shannon entropy: Let X be password distribution. Passwords are drawn iid from X N is size of support of X p 1, p 2, …, p N are probabilities of passwords in decreasing order

An example distribution N = 1,000,000 p 1 = 1 / 100 p 2 = (1 – 1/100)/999,999 ≈ 1 / 2 20 … p N = (1 – 1/100)/999,999 ≈ 1 / What is probability of success if attacker makes one guess? H 1 ( X ) ≈ bits of “unpredictability”. Probability of success about 1/2 19 Shannon entropy is almost never useful measure for security H ∞ ( X ) = - log p 1 ≈ 6.6 The min-entropy of X

Password strength metrics Beta-success rate: alpha-work-factor:

From [Bonneau ‘12]

Bonneau takeaways People pick lousy passwords New strength measures for password distributions What questions are left open by his paper?

Building good password guessers Brute-force guessers - try all strings of a certain length Dictionary guessers - Try only common words A better guesser would: Output list of passwords in order of likelihood JohnTheRipper: Dictionaries of common words + mangling rules Also has brute-force mode Eg: add digit to end: pw -> pw1

Train models from leaked passwords Training alg. for language model password iloveyou princess … Trivial model is just the empirical CDF of the histogram itself Model password iloveyou princess … Model defines a probability distribution over passwords. Can use to: -sample passwords according to distribution -enumerate passwords in order of likelihood Supports all the above Generalizability is quite poor ML people would say this model is overfit

Train models from leaked passwords Training alg. for language model password iloveyou princess … Model CFG with probability distribution associated to each rule Probabilistic context-free grammar We can encode a string by its parse tree, the tree represented by probabilities in PCFG CDF [Weir et al. 2009] Fix a CFG, then learn probabilities by training on passwords

S -> L 3 D 1 S 1 -> L 3 4S 1 -> L 3 4! Pr[ L 3 4! ] = 0.25 * 0.60 * 0.65 =

With good training data: Works better than JtR

Train models from leaked passwords Training alg. for language model password iloveyou princess … Model What open questions do Weir et al. leave?

Train models from leaked passwords Training alg. for language model password iloveyou princess … Model Probabilistic context-free grammar only one NLP modeling approach n-gram Markov models another popular choice.: [Ma et al. ’14] show carefully chosen Markov model beats Weir et al. PCFG

Password selection policies [Komanduri et al. ‘11], [Vu et al. ‘07], [Proctor et al. ‘02] and others studied with Amazon Mturk – General consensus that it increases resistance (but by exactly how much is not clear to me), but decreases usability Password expiration policies [Zhang et al. ’10] – High-level bit: they don’t work – Attacker with old password can crack new one very often

The research landscape since 1979… Understanding user selection – Measuring password strength [see citations in Bonneau paper], [Ma et al. `14], [Li, Han `14], [CMU papers] Guiding password selection – Strength meters, requirements, etc. – Periodic forced changes [Zhang et al. ‘12] Password transmission, login logic – Single sign-on (SSO) technologies Password hashing – New algorithms [PKCS standards], [Percival ’09], [Biryukov, Khovratovich ‘15] – Proofs [Wagner, Goldberg ‘00] [Bellare, Ristenpart, Tessaro ‘12] Improving offline brute-force attacks – Time-space trade-offs (rainbow tables) [Hellman ’80], [Oeschlin ‘03], [Narayanan, Shmatikov ‘05] – Better dictionaries [JohntheRipper], [Weir et al. ‘09], Password managers – Decoy-based [Bojinov et al. ’10], [Chatterjee et al. ‘15] – Breaking password managers [Li et al. ‘14] [Silver et al. ’15] – Stateless password managers [Ross et al. ’05]