What do you know about password? By Guang Ling, Oct. 8th, 2012
What password are you using? Before going to the next slide, can you guess what the most used password is?

Some statistics on password
– 4.7% of users have the password "password"
– 8.5% have the passwords "password" or ;
– 9.8% have the passwords "password", or ;
– 14% have a password from the top 10 passwords
– 40% have a password from the top 100 passwords
– 79% have a password from the top 500 passwords
– 91% have a password from the top 1000 passwords

Some statistics on password
– thx1138 (turns out this is a movie from forty years back)
– gundam (actually an anime series)
– ncc1701 (codename for the USS Enterprise in Star Trek)

Some statistics on password

I am not concerned!

Wait, is your password secure? Try your password here.

What is a strong password? Common misunderstanding – The more complex the password, the more secure it is!

What is a strong password? Measure the strength of a password using entropy – So what is the key to the strength of a password? – Length!
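The entropy measure the slide refers to can be made concrete. The following is an added example, not code from the presentation: it estimates the brute-force entropy of a password as length × log2(pool size), where the pool is the set of character classes actually used, and converts that into an expected search time at an assumed guess rate (10 billion guesses per second, a constructed figure). Running it on the constructed samples shows that doubling the length adds far more bits than adding symbol classes, which is the slide's point.

```python
import math
import string

# Character classes a password can draw from. What matters for brute force is
# the size of the pool an attacker must search per position, not which class.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def pool_size(password: str) -> int:
    """Size of the alphabet implied by the character classes the password uses."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy: log2(pool ** length) == length * log2(pool).

    This is an upper bound that assumes every position is chosen uniformly
    at random from the pool; a dictionary word scores far lower in practice
    because a dictionary attack never searches the full pool.
    """
    pool = pool_size(password)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def years_to_brute_force(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected years to reach the password when half the keyspace is searched.

    The guess rate is an assumption for this example (GPU-class hardware).
    """
    keyspace = 2 ** entropy_bits(password)
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: short-and-complex versus long-and-simple.
    for pw in ["P@s5w", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(f"{pw:26s} pool={pool_size(pw):3d} "
              f"bits={entropy_bits(pw):6.1f} years={years_to_brute_force(pw):.3g}")
```

The 25-letter lowercase phrase scores about 117 bits against about 72 bits for the 11-character mixed-class password, even though the latter "looks" stronger; the pool size only enters as a logarithm, the length enters linearly.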

Wait, is your password secure?

I am not concerned!

You should be concerned! Recent password leakage incidents in China
– On December 22nd, 2011, the famous programmer forum CSDN had its server hacked and 6,000,000 user accounts leaked
– On December 25th, 2011, the user accounts of one of the major discussion forums in China, 天涯, were leaked and 40,000,000 accounts exposed
– In the following weeks, 人人网 (5m), 多玩网 (8m), 猫扑 (10m), 开心网, 世纪佳缘, 百合网 and 美空 all had at least part of their accounts leaked

You should be concerned! To make things worse, the passwords leaked from CSDN and 天涯 were all in clear text!

You should be concerned! Someone claimed that 人人网's database was also clear text; it turns out that this might not be true. However, only 0.84% (4001/ ) of the passwords could not be cracked.

A peek at the leaked password files

Server-side password: To better understand how to secure our online identity, let's take a short detour to talk about password transmission and storage.

Password storage
Forms of password storage
– Clear text
– Hash
– Salted hash

Password storage
Clear text
– Simple and easy to implement
– May be viewed by website administrators and employees
– May be viewed by hackers
– Most insecure
– Never store passwords in clear text
Example stored values: hello, Hbllo, waltz

Password storage
Hash
– Use a cryptographic hash function to hash the password and obtain a fixed-length digest
– MD5, SHA-1, SHA-512, WHIRLPOOL
– Store the digest (hash) instead of the password
– Better than clear text
– Vulnerable to attack when the password length is short
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e b9824
hash("hbllo") = c05c68dfac fad6a93f8146f337a69afe7dd238f
hash("waltz") = c0e f1777c232bc6bd9ec38f616560b120fda8e90f

Password storage
Offline attack on hashes
– Cryptographic hash functions are designed to be secure, i.e. it is hard to find a phrase such that Hash(phrase) = a given digest
– But a hash value is vulnerable to the following methods of attack
Dictionary and brute force attacks
Lookup tables and rainbow tables

Hash attack
Dictionary attack and brute force attack
Lookup tables and rainbow tables
– Pre-compute the hash for all possible combinations up to a length limit
– Free hash cracker here
– A hash cracker that can crack all combinations up to length 8 for MD5, NTLM, LM and SHA1 exists (5711GB of data)
Dictionary Attack
  Trying apple : failed
  Trying blueberry : failed
  Trying justinbeiber : failed
  ...
  Trying letmein : failed
  Trying s3cr3t : success!
Brute Force Attack
  Trying aaaa : failed
  Trying aaab : failed
  Trying aaac : failed
  ...
  Trying acdb : failed
  Trying acdc : success!

Password storage
Salted hash
– Rainbow table attacks render most short passwords as good as clear text
– Hash the password together with a salt (a randomly generated string) to obtain a hash; store the hash and the salt value
– Cannot be pre-computed because of the salt
– Can still be cracked by brute force if the password is weak
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e b9824
hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b fe5ed3b58a75cff ed1
hash("hello" + "bv5PehSMfV11Cd") = d1d3ec2e6f20fd420d50e d8338a314b8ea157c9e18477aaef226ab
hash("hello" + "YYLmfY6IehjZMQ") = a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a df1b60f007
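The three storage forms on the preceding slides, and the reason the salt defeats a precomputed lookup table, can be shown in a few lines. This is an added example written for this page, not code from the presentation: it implements clear-text, SHA-256 and salted SHA-256 storage, verification with the stored salt, and a precomputed digest-to-word table built over a constructed wordlist. The unsalted digest of "hello" it produces is the same SHA-256 value whose prefix (2cf24dba...) appears on the slides.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for the input of a dictionary or lookup table.
WORDLIST = ["apple", "blueberry", "letmein", "hello", "waltz", "s3cr3t"]


def store_clear_text(password: str) -> str:
    """Form 1: the password itself is the stored value."""
    return password


def store_hash(password: str) -> str:
    """Form 2: an unsalted SHA-256 digest. Same password -> same digest for everyone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Form 3: a random per-user salt is hashed with the password and stored
    beside the digest. Same password -> a different digest for each user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_salted_hash(password: str, salt_hex: str, digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute digest -> word once. Lookup and rainbow tables are this idea
    applied to every combination up to a length limit."""
    return {store_hash(word): word for word in wordlist}


def lookup(table: Dict[str, str], stored_digest: str) -> Optional[str]:
    """A single dictionary access recovers any unsalted digest present in the table."""
    return table.get(stored_digest)


def same_password_detectable(stored_a: str, stored_b: str) -> bool:
    """With unsalted hashes, equal stored values reveal that two users share a password."""
    return stored_a == stored_b


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    # Two users who both chose "hello".
    alice_unsalted, bob_unsalted = store_hash("hello"), store_hash("hello")
    alice_salt, alice_salted = store_salted_hash("hello")
    bob_salt, bob_salted = store_salted_hash("hello")

    print("unsalted digests equal:", same_password_detectable(alice_unsalted, bob_unsalted))
    print("salted digests equal:  ", same_password_detectable(alice_salted, bob_salted))
    print("table recovers unsalted:", lookup(table, alice_unsalted))
    print("table recovers salted:  ", lookup(table, alice_salted))
    print("verify with salt:", verify_salted_hash("hello", alice_salt, alice_salted),
          verify_salted_hash("hbllo", alice_salt, alice_salted))
```

The table is built once and answers each unsalted digest in constant time, which is why a leaked unsalted table of short passwords is barely better than clear text. With a 16-byte random salt the attacker would need a separate table per salt value, so the only remaining route is guessing per user, which is what the last bullet of the slide means. A single fast SHA-256 round is used here to match the slides; a deployment would replace it with a deliberately slow function such as PBKDF2 or bcrypt to make per-user guessing expensive as well.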

Password transmission
Passwords can be transmitted to the server in different forms and through different channels
– Forms: clear text vs. hash
– Channel: unencrypted vs. encrypted

Password transmission
Clear text
– May be eavesdropped during transmission
Hash
– An eavesdropper can get at most your password's hash
– Looks like transmitting the hash is a good idea! – Not really
– If the hash instead of the clear text is transmitted, the intruder can fake the identity of the user by replaying the hash

Password transmission
Unencrypted
– No overhead
– Insecure
Encrypted
– Some overhead, negligible at today's hardware speed
– Secure
A website should use an encrypted connection for user login whenever possible

Best practice on a login server
– Store the password in salted hash form
– Encrypt the login page, and every page if possible
– Transmit the password instead of the hash

How to manage our password?
– Never use the same password for different sites

How to manage our password?
– Never use the same password for different sites
– Use long and strong passwords
– Use rule-based methods to ease the management of passwords
[password] = 2 * ([username identifier (lower / upper case)] + [username length] + [.] + [site identifier (upper / lower case)])
Example: , the password is: gk8.GM GK8.gm; the password is: ssh10.HTSSH10.ht

How to manage our password?
Use a dedicated password manager
– 1Password
– LastPass

LastPass
The last password you should remember
– It saves your passwords and automatically fills them in when you open a website

LastPass
The last password you should remember
– It generates secure passwords

LastPass
The last password you should remember
– It is safe
All your stored information is encrypted using 256-bit AES
– Even if LastPass is hacked, your information will not leak
An encrypted channel is used exclusively for all communications
Only you know the decryption key
– LastPass has no access to your information

LastPass
One thing that concerned me when I first started to use LastPass
– The login key and the decryption key are the same???!!!
– They are not
A hash of your master key is used for login
The combination of your username and master key (in its original form) is passed through PBKDF2-SHA256 (using a lot of iterations) to generate the decryption key
However, you do need a long and strong master password so that recovering it from the hash is infeasible
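The separation described on this slide, a decryption key derived client-side with PBKDF2-SHA256 and only a hash of it sent for login, can be modelled with the standard library. This is an added illustration of that scheme, not LastPass's own code or parameters: the iteration count, the use of the lower-cased username as the PBKDF2 salt, and the choice of a plain SHA-256 over the key as the login hash are all assumptions made for the example. The server object stores nothing but login hashes, so a breach of it yields no vault key, and the cost function shows why the slide's last bullet asks for a strong master password: each guess against a leaked login hash costs a full PBKDF2 run.

```python
import hashlib
import hmac
import time
from typing import Dict, Tuple

# Assumed iteration count; the slide only says "a lot of iterations".
ITERATIONS = 100_000


def derive_vault_key(username: str, master_password: str, iterations: int = ITERATIONS) -> bytes:
    """Client side. PBKDF2-SHA256 over the master password with the normalised
    username as salt, so two users with the same master password get different
    keys. This 32-byte key decrypts the vault and never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), iterations, dklen=32)


def derive_login_hash(vault_key: bytes) -> str:
    """Client side. The server only ever receives a one-way hash of the vault key."""
    return hashlib.sha256(vault_key).hexdigest()


def client_login_material(username: str, master_password: str) -> Tuple[bytes, str]:
    """What the client computes at login: (key kept locally, hash sent to the server)."""
    key = derive_vault_key(username, master_password)
    return key, derive_login_hash(key)


class VaultServer:
    """Server side. Holds login hashes only; it cannot reconstruct a vault key."""

    def __init__(self) -> None:
        self.login_hashes: Dict[str, str] = {}

    def register(self, username: str, login_hash: str) -> None:
        self.login_hashes[username] = login_hash

    def verify(self, username: str, login_hash: str) -> bool:
        stored = self.login_hashes.get(username)
        return stored is not None and hmac.compare_digest(stored, login_hash)

    def holds_key_material(self, vault_key: bytes) -> bool:
        """True only if the raw key somehow ended up in server storage (it never does)."""
        return vault_key.hex() in self.login_hashes.values()


def seconds_per_guess(username: str, candidates, iterations: int = ITERATIONS) -> float:
    """Cost of one offline guess against a leaked login hash on this machine.
    The iteration count multiplies this cost, which is what makes a long
    master password necessary rather than merely advisable."""
    start = time.perf_counter()
    for candidate in candidates:
        derive_login_hash(derive_vault_key(username, candidate, iterations))
    return (time.perf_counter() - start) / len(candidates)


if __name__ == "__main__":
    server = VaultServer()
    user, master = "alice@example.com", "correct horse battery staple"  # constructed
    key, login_hash = client_login_material(user, master)
    server.register(user, login_hash)
    print("login ok:", server.verify(user, login_hash))
    print("wrong master ok:", server.verify(user, client_login_material(user, "hunter2")[1]))
    print("server holds key:", server.holds_key_material(key))
    print("seconds per offline guess:", seconds_per_guess(user, ["a", "b", "c"]))
```

Because the username is the salt, a leaked table of login hashes cannot be attacked with one precomputed table for all users, and because the login hash is itself derived through the expensive PBKDF2 step, every guess an attacker makes pays that cost, exactly as the client does once per login.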

References and picture source:
– password-selection.html
– password-analysis.html
– passwords/