Passwords Tom Ristenpart CS 6431
The game plan Historical analysis Brief overview of research landscape Current practices in industry Bonneau paper Weir et al. paper Misc and wrap-up
Password use cases OS login Website / service login PINs Encryption Authentication Confidentiality
PW-based authentication: the basic architecture Register: tom, pw Store tom, pw in some form. login: tom, pw’ Authentication service Check that pw’ = pw What are security threats?
The history of password research “Human beings being what they are, there is a strong tendency for people to choose relatively short and simple passwords that they can remember.” [Morris, Thompson 1979] Analysis of UNIX passwords & password-hashing system
“The results were disappointing, except to the bad guy. In a collection of 3,289 passwords gathered from many users over a long period of time, 15 were a single ASCII character; 72 were strings of two ASCII characters; 464 were strings of three ASCII characters; 477 were strings of four alphamerics; 706 were five letters, all upper-case or all lower-case; 605 were six letters, all lower-case.” [Morris, Thompson 1979] The history of password research 86% crackable
Morris, Thompson suggest: – Slow hashing (they called it encryption) – Less predictable passwords – Salt before hashing – Use custom version of DES to avoid hardware – Don’t have separate error for bad login The history of password research
The research landscape since 1979…
Understanding user selection
– Measuring password strength [see citations in Bonneau paper], [Li, Han ’14], [CMU papers]
Guiding password selection
– Strength meters, requirements, etc.
– Password expiration [Zhang et al. ’12]
Password transmission, login logic
– Single sign-on (SSO) technologies
Password hashing
– New algorithms [PKCS standards], [Percival ’09], [Biryukov, Khovratovich ’15]
– Proofs [Wagner, Goldberg ’00] [Bellare, Ristenpart, Tessaro ’12]
Improving offline brute-force attacks
– Time-space trade-offs (rainbow tables) [Hellman ’80], [Oechslin ’03], [Narayanan, Shmatikov ’05]
– Better dictionaries [John the Ripper], [Weir et al. ’09], [Ma et al. ’14]
Password managers
– Decoy-based [Bojinov et al. ’10], [Chatterjee et al. ’15]
– Breaking password managers [Li et al. ’14] [Silver et al. ’15]
– Stateless password managers [Ross et al. ’05]
What do you think is the quality of password management today?
/main.php Courtesy of Belenko, Troshichev (viaForensics)
LinkedIn circa 2012 stored passwords as which of: pw, MD5(pw), H(salt, pw), $H^c$(salt, pw)? 6.5 million hashes leaked; 90% cracked in 2 weeks
Offline brute-force attacks Dictionary: List of probable passwords. $h_1 = H(pw_1)$, $h_2 = H(pw_2)$, …, $h_m = H(pw_m)$. $H(guess_1)$, $H(guess_2)$, … Check if any guesses equal any of $h_1, \dots, h_m$
Password hashing Recall Morris, Thompson goal: slow down brute-force attacks. PKCS#5 approach: $h = H^c(pw \,\|\, salt)$, i.e. H applied c times starting from pw || salt. $H : \{0,1\}^* \to \{0,1\}^n$ is cryptographic hash function (e.g., SHA-256). salt should be random bit string large enough to be unpredictable
Password hashing Recall Morris, Thompson goal: slow down brute-force attacks The role of salts: – Prevents use of time-memory trade-offs (rainbow tables) – Cracking m accounts requires m times the work: $h_1 = H^c(pw_1, salt_1)$, $h_2 = H^c(pw_2, salt_2)$, …, $h_m = H^c(pw_m, salt_m)$ Proofs: See [Bellare, Ristenpart, Tessaro ’12]
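Added example (not from the original slides): the construction h = H^c(pw || salt) with SHA-256 as H and a fresh salt per account, plus a login check that gives one result for "unknown user" and "wrong password" as Morris and Thompson suggest. The function names, the 16-byte salt and c = 10,000 are assumptions made for illustration; the slides point to scrypt or Argon2 for current practice.

```python
import hashlib
import hmac
import os

C = 10_000        # iteration count c (assumed value)
SALT_LEN = 16     # salt length in bytes (assumed value)

def iterated_hash(pw: bytes, salt: bytes, c: int = C) -> bytes:
    """h = H^c(pw || salt): hash pw || salt, then re-hash the digest c-1 times."""
    h = hashlib.sha256(pw + salt).digest()
    for _ in range(c - 1):
        h = hashlib.sha256(h).digest()
    return h

def register(db: dict, user: str, pw: str) -> None:
    """Store only (salt, hash); every account gets its own random salt."""
    salt = os.urandom(SALT_LEN)
    db[user] = (salt, iterated_hash(pw.encode(), salt))

def login(db: dict, user: str, pw: str) -> bool:
    """Return a single boolean for both 'no such user' and 'wrong password'."""
    # Unknown users get a dummy record so the same hashing work is performed.
    salt, stored = db.get(user, (b"\x00" * SALT_LEN, b"\x00" * 32))
    candidate = iterated_hash(pw.encode(), salt)
    ok = hmac.compare_digest(candidate, stored)  # constant-time comparison
    return ok and user in db

def demo() -> dict:
    """Constructed sample accounts: two users who chose the same password."""
    db = {}
    register(db, "tom", "iloveyou")
    register(db, "alice", "iloveyou")
    return db

if __name__ == "__main__":
    db = demo()
    # Same password, different salts: the stored hashes do not match, so one
    # precomputed table cannot serve both accounts.
    print(db["tom"][1].hex() != db["alice"][1].hex())
    print(login(db, "tom", "iloveyou"), login(db, "tom", "princess"))
```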
Facebook password “onion”
    $cur = 'password'
    $cur = md5($cur)
    $salt = randbytes(20)
    $cur = hmac_sha1($cur, $salt)
    $cur = remote_hmac_sha256($cur, $secret)
    $cur = scrypt($cur, $salt)
    $cur = hmac_sha256($cur, $salt)
Brute-force attacks Offline attacks of hashed database slowed down by a constant factor -- guessing still works if passwords are bad – Nowadays, use memory-hard functions (e.g., scrypt, Argon2) Online brute-force attacks – Public login pages – Compromised web server in distributed security architecture
Rockyou data breach: 32 million social gaming accounts
Password histogram excerpt: password, iloveyou, princess, rockyou, abc, nicole, daniel, babygirl, monkey, lovely, jessica, michael, ashley, qwerty, iloveu, michelle, tigger, sunshine, chocolate, password, soccer, anthony, friends, butterfly, purple, angel, jordan
Count and password: 9764 liverpool, 9708 justin, 9704 loveme, 9610 fuckyou, ... 9 tonee, 9 tonebone, 9 tonatzin, 9 tonatihu, 9 tonaor, 9 tonantzin, 9 tomybill, 9 tomtomgo, 9 tomtom8, 9 tomrules, 9 tomoe, 9 tommyr, 9 tommylee1, 9 tommyjr, 9 tommydog, ... 5 dansbaby, 5 dansar, 5 danrules, 5 danrox, 5 danrick, 5 danou, 5 danota, 5 danonino1, 5 danone1
[Bonneau 2012] 69 million Yahoo! passwords: 1.1% of users pick same password
Most common password used by almost 1%
Rockyou empirical probability mass function (Only first 5,000 points shown)
Bonneau Yahoo password study Instrument login infrastructure Hash passwords with key H(K,pw) and store result in histogram Throw away K – Can’t do brute-force attacks later on – Only learn empirical distribution of passwords Also stored some demographic information
Password strength metrics Shannon entropy: Let $X$ be password distribution. Passwords are drawn iid from $X$. $N$ is size of support of $X$. $p_1, p_2, \dots, p_N$ are probabilities of passwords in decreasing order
An example distribution: $N = 1{,}000{,}000$, $p_1 = 1/100$, $p_2 = (1 - 1/100)/999{,}999 \approx 1/2^{20}$, …, $p_N = (1 - 1/100)/999{,}999 \approx 1/2^{20}$. What is probability of success if attacker makes one guess? $H_1(X)$ ≈ bits of “unpredictability”. Probability of success about $1/2^{19}$. Shannon entropy is almost never useful measure for security. $H_\infty(X) = -\log p_1 \approx 6.6$: the min-entropy of $X$
Password strength metrics Beta-success rate: alpha-work-factor:
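Added example (not from the original slides): the four metrics evaluated on the example distribution above, showing why the Shannon figure misleads. The formulas for the beta-success rate (sum of the beta largest probabilities) and the alpha-work-factor (fewest guesses whose probabilities sum to at least alpha) are stated here as assumptions following [Bonneau ’12]; function names are illustrative.

```python
import math

def slide_distribution(n=1_000_000, p1=1 / 100):
    """p_1 = 1/100, remaining mass spread evenly over the other n-1 passwords."""
    return [p1] + [(1 - p1) / (n - 1)] * (n - 1)

def shannon_entropy(p):
    """H_1(X) = -sum p_i log2 p_i."""
    return -sum(x * math.log2(x) for x in p if x > 0)

def min_entropy(p):
    """H_inf(X) = -log2 p_1, where p_1 is the largest probability."""
    return -math.log2(max(p))

def beta_success_rate(p, beta):
    """Chance that an attacker limited to beta guesses per account succeeds."""
    return sum(sorted(p, reverse=True)[:beta])

def alpha_work_factor(p, alpha):
    """Guesses per account needed to compromise a fraction alpha of accounts."""
    total = 0.0
    for j, x in enumerate(sorted(p, reverse=True), start=1):
        total += x
        if total >= alpha:
            return j
    raise ValueError("alpha exceeds the total probability mass")

if __name__ == "__main__":
    X = slide_distribution()
    print(f"Shannon entropy  : {shannon_entropy(X):.2f} bits")
    print(f"min-entropy      : {min_entropy(X):.2f} bits")
    print(f"1-success rate   : {beta_success_rate(X, 1):.4f}")
    print(f"0.5-work-factor  : {alpha_work_factor(X, 0.5)} guesses")
```

The Shannon value comes out near 19.8 bits while a single guess already succeeds for 1% of accounts, which is what the min-entropy of about 6.6 bits captures.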
From [Bonneau ‘12]
Bonneau takeaways People pick lousy passwords New strength measures for password distributions What questions are left open by his paper?
Building good password guessers Brute-force guessers - try all strings of a certain length Dictionary guessers - Try only common words A better guesser would: Output list of passwords in order of likelihood JohnTheRipper: Dictionaries of common words + mangling rules Also has brute-force mode Eg: add digit to end: pw -> pw1
Train models from leaked passwords [Diagram: leaked passwords (password, iloveyou, princess, …) -> training alg. for language model -> model] Model defines a probability distribution over passwords. Can use to: - sample passwords according to distribution - enumerate passwords in order of likelihood. Trivial model is just the empirical CDF of the histogram itself: supports all the above; generalizability is quite poor; ML people would say this model is overfit
Train models from leaked passwords [Diagram: leaked passwords (password, iloveyou, princess, …) -> training alg. for language model -> model] Probabilistic context-free grammar [Weir et al. 2009]: CFG with probability distribution associated to each rule. We can encode a string by its parse tree, the tree represented by probabilities in PCFG CDF. Fix a CFG, then learn probabilities by training on passwords
$S \to L_3 D_1 S_1 \to L_3\,4\,S_1 \to L_3\,4\,!$   $\Pr[L_3\,4\,!] = 0.25 \cdot 0.60 \cdot 0.65 =$
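Added example (not from the original slides or from Weir et al.'s code): a small PCFG-style scorer that learns base-structure and digit/symbol probabilities from a constructed list and returns the probability of a password's pre-terminal form, the same kind of product as Pr[L3 4!] above. Such a score can back a strength check, since a high value means a model-driven guesser reaches the password early. The training list, function names and the choice to leave letter runs as placeholders are assumptions.

```python
import re
from collections import Counter

# Constructed training list, for illustration only.
TRAIN = ["cat4!", "dog4!", "sun1!", "abc7#",
         "password", "iloveyou", "monkey12", "tigger99"]

TOKEN = re.compile(r"(?P<L>[A-Za-z]+)|(?P<D>[0-9]+)|(?P<S>[^A-Za-z0-9]+)")

def segments(pw):
    """Split into maximal runs of letters (L), digits (D) and other symbols (S)."""
    return [(m.lastgroup, m.group(0)) for m in TOKEN.finditer(pw)]

def structure(pw):
    """Base structure, e.g. 'cat4!' -> 'L3D1S1'."""
    return "".join(f"{kind}{len(run)}" for kind, run in segments(pw))

def train(passwords):
    """Count base structures and the digit/symbol strings that fill each slot."""
    structs, terms = Counter(), {}
    for pw in passwords:
        structs[structure(pw)] += 1
        for kind, run in segments(pw):
            if kind != "L":  # letter runs stay placeholders, as in 'L3 4!'
                terms.setdefault(f"{kind}{len(run)}", Counter())[run] += 1
    return structs, terms

def preterminal_prob(structs, terms, pw):
    """Pr[structure] times Pr[each digit/symbol run | its slot]; 0.0 if unseen."""
    p = structs[structure(pw)] / sum(structs.values())
    for kind, run in segments(pw):
        if p == 0.0:
            break
        if kind != "L":
            counts = terms.get(f"{kind}{len(run)}", Counter())
            p *= counts[run] / sum(counts.values()) if counts else 0.0
    return p

if __name__ == "__main__":
    structs, terms = train(TRAIN)
    for candidate in ["fox4!", "fox7#", "fox9?", "x$$9"]:
        print(candidate, structure(candidate),
              preterminal_prob(structs, terms, candidate))
```

Unseen structures or terminals score exactly zero here because the sketch uses no smoothing, so a zero means "outside the training data", not "strong".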
With good training data: Works better than JtR
Train models from leaked passwords [Diagram: leaked passwords (password, iloveyou, princess, …) -> training alg. for language model -> model] What open questions do Weir et al. leave?
Train models from leaked passwords [Diagram: leaked passwords (password, iloveyou, princess, …) -> training alg. for language model -> model] Probabilistic context-free grammar is only one NLP modeling approach; n-gram Markov models are another popular choice: [Ma et al. ’14] show carefully chosen Markov model beats Weir et al. PCFG
Password selection policies [Komanduri et al. ‘11], [Vu et al. ‘07], [Proctor et al. ‘02] and others studied with Amazon Mturk – General consensus that it increases resistance (but by exactly how much is not clear to me), but decreases usability Password expiration policies [Zhang et al. ’10] – High-level bit: they don’t work – Attacker with old password can crack new one very often
The research landscape since 1979…
Understanding user selection
– Measuring password strength [see citations in Bonneau paper], [Ma et al. ’14], [Li, Han ’14], [CMU papers]
Guiding password selection
– Strength meters, requirements, etc.
– Periodic forced changes [Zhang et al. ’12]
Password transmission, login logic
– Single sign-on (SSO) technologies
Password hashing
– New algorithms [PKCS standards], [Percival ’09], [Biryukov, Khovratovich ’15]
– Proofs [Wagner, Goldberg ’00] [Bellare, Ristenpart, Tessaro ’12]
Improving offline brute-force attacks
– Time-space trade-offs (rainbow tables) [Hellman ’80], [Oechslin ’03], [Narayanan, Shmatikov ’05]
– Better dictionaries [John the Ripper], [Weir et al. ’09]
Password managers
– Decoy-based [Bojinov et al. ’10], [Chatterjee et al. ’15]
– Breaking password managers [Li et al. ’14] [Silver et al. ’15]
– Stateless password managers [Ross et al. ’05]