Do Strong Web Passwords Accomplish Anything? (Florencio, Herley and Coskun)
Presented by: Ryan Lehan, CSC 682, November 19, 2008
Outline
- Introduction
- Duh!, but rather be safe than sorry.
- Strong Passwords
- Attack Scenarios
- Why Use Strong Passwords?
- Strength of User ID-Password Combination
- Strength alone is not enough
- Conclusion

Introduction
- Authentication traditionally depends upon:
  - Something you have (badge)
  - Something you are (fingerprint, voice)
  - Something you know (password)
- Most used authentication method: something you know
  - A user ID (account) in conjunction with a password

Introduction (continued)
- User IDs
  - Creation
    - Created for you (by a network administrator)
    - Created by you
  - Could be public knowledge
    - Known to the person who created the account for you
    - Used as an e-mail address
    - Part of a standardization process (first initial + last name)

Introduction (continued)
- Passwords
  - Should not be public knowledge
  - To prevent "credential theft", users are advised to:
    - Create strong passwords
    - Change passwords frequently
    - Never write passwords down

Introduction (continued)
- Threats to a user's credentials
  - Phishing
  - Key logging
  - Brute force: attack on a known user ID
  - Bulk guessing: attack on all accounts
  - Special knowledge or access
    - Shoulder surfing
    - Knowledge about the user
    - Access to a password manager (list, application, database)

Strong Passwords
- Not based upon personal information that can be guessed (names, dates, etc.)
- Not based upon a word found in the dictionary (subject to dictionary attacks)
- Should have a minimum length
- Should contain a combination of upper and lower case, special characters and numbers
- Problems
  - Hard to remember
  - More likely to be written down
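The rules on this slide, written out as a checker. This is an added example for this page, not code from the paper or the presenter; the mini word list, the leetspeak table, the 12-character minimum and the personal-information fields are all constructed assumptions. The dictionary check deliberately goes a little beyond the slide: it undoes common substitutions and strips leading/trailing digits and symbols, because a dictionary attack tries exactly those variations.

```python
"""Check a candidate password against the strong-password rules on this slide.

Added example for this page, not code from the paper or the slides. The mini
dictionary, the leetspeak table and the personal-information fields are all
constructed assumptions.
"""
import re

# Constructed mini dictionary. A real deployment loads a full word list plus
# the common-password lists harvested from breaches (assumption, not from the page).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}

# Substitutions users make to sneak a dictionary word past a class-count rule.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_words(pw):
    """Forms of pw that a dictionary attack would try: lowercased, with
    leetspeak undone, and with leading/trailing digits or symbols removed
    ('P@ssw0rd2008!' is really 'password')."""
    low = pw.lower()
    trailing = re.sub(r"[^a-z]+$", "", low)      # drop the '2008!!!' suffix
    both = re.sub(r"^[^a-z]+", "", trailing)     # and any '$' style prefix
    cands = set()
    for form in (low, trailing, both):
        cands.add(form)
        cands.add(form.translate(LEET))
    return cands


def check_password(pw, personal=(), min_length=12, dictionary=DICTIONARY):
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(c, pw) for c in classes):
        problems.append("needs upper, lower, digit and special")
    if candidate_words(pw) & dictionary:
        problems.append("dictionary word")
    low = pw.lower()
    for item in personal:
        item = item.lower()
        if len(item) >= 3 and item in low:   # ignore one- or two-letter initials
            problems.append("contains personal info: " + item)
    return problems


if __name__ == "__main__":
    # Constructed user profile and candidate passwords.
    profile = ("John", "Smith", "1975")
    for candidate in ("password", "P@ssw0rd2008!!!", "John1975!Smith", "Xq7#vLm2!pRt9w"):
        print(f"{candidate!r:20} -> {check_password(candidate, personal=profile) or 'ok'}")
```

Note that the only candidate that passes is the one nobody will remember, which is the slide's own "Problems" bullet in one line of output.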

Attack Scenarios
- What strong passwords will not prevent
  - Phishing
  - Key logging
  - Special knowledge or access
- Why? In each case the user (or the user's own password store) hands the password to the attacker, so its strength is irrelevant
  - Overt method: phishing, password list/manager
  - Covert method: key logging

Attack Scenarios: Brute Force
- Attack on an individual account
- Why? The account/user ID is known; only the password needs to be guessed
- Problems (for the attacker)
  - Strength of the password: length, casing, special characters and numeric values
  - Many institutions use some type of "lock out" strategy, which can significantly increase the time to crack an account

Attack Scenarios: Bulk Guessing
- Attack on multiple accounts using the same guessed password
- Why?
  - Can attack all known and unknown account IDs
  - Better chance that at least one account uses the guessed password
- Problems (for the attacker)
  - Easily detected, if not a distributed attack
  - Can inadvertently cause a denial of service (DoS) by locking out all accounts
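The two attack shapes above look different in authentication logs, and the "easily detected, if not distributed" caveat is worth seeing in code. The following is an added example, not from the paper or the slides: the log format, the constructed log lines and the thresholds are assumptions. Brute force shows up as one account collecting failures from one source (which is what a 3-strikes rule catches); bulk guessing shows up as one source touching many accounts while staying under the lockout threshold on each; a distributed spray defeats the per-source rule and is only visible in the site-wide count of accounts with sub-lockout failures.

```python
"""Classify failed-login activity as per-account brute force or bulk guessing.

Added example for this page; the log format, the sample lines and the
thresholds are assumptions, not anything from the paper or the slides.
"""
import re
from collections import defaultdict

# Constructed sample log (not a real system's output). Assumed format:
#   <timestamp> auth <FAIL|OK> user=<id> src=<ip>
SAMPLE_LOG = """\
2008-11-19T10:00:01Z auth FAIL user=jsmith src=203.0.113.5
2008-11-19T10:00:02Z auth FAIL user=jsmith src=203.0.113.5
2008-11-19T10:00:03Z auth FAIL user=jsmith src=203.0.113.5
2008-11-19T10:00:04Z auth FAIL user=jsmith src=203.0.113.5
2008-11-19T10:01:00Z auth FAIL user=alice src=198.51.100.7
2008-11-19T10:01:01Z auth FAIL user=bob src=198.51.100.7
2008-11-19T10:01:02Z auth FAIL user=carol src=198.51.100.7
2008-11-19T10:01:03Z auth FAIL user=dave src=198.51.100.7
2008-11-19T10:01:04Z auth FAIL user=erin src=198.51.100.7
2008-11-19T10:01:05Z auth OK user=frank src=198.51.100.7
2008-11-19T10:02:00Z auth FAIL user=grace src=192.0.2.9
2008-11-19T10:02:05Z auth OK user=grace src=192.0.2.9
2008-11-19T10:03:00Z auth FAIL user=heidi src=192.0.2.20
2008-11-19T10:03:01Z auth FAIL user=ivan src=192.0.2.20
2008-11-19T10:03:02Z auth FAIL user=judy src=192.0.2.21
2008-11-19T10:03:03Z auth FAIL user=mallory src=192.0.2.21
2008-11-19T10:03:04Z auth FAIL user=oscar src=192.0.2.22
2008-11-19T10:03:05Z auth FAIL user=peggy src=192.0.2.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse lines matching LINE_RE; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events):
    """Map src -> {user: failed-attempt count}."""
    table = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            table[e["src"]][e["user"]] += 1
    return table


def classify_sources(events, lockout_threshold=3, spray_min_accounts=5):
    """Label each source IP.

    brute_force:   one account receives >= lockout_threshold failures
                   (the pattern a 3-strikes lockout also catches).
    bulk_guessing: every account stays under the lockout threshold but the
                   source touched >= spray_min_accounts distinct accounts.
    normal:        anything else (ordinary typos).
    """
    verdicts = {}
    for src, per_user in failures_by_source(events).items():
        if max(per_user.values()) >= lockout_threshold:
            verdicts[src] = "brute_force"
        elif len(per_user) >= spray_min_accounts:
            verdicts[src] = "bulk_guessing"
        else:
            verdicts[src] = "normal"
    return verdicts


def successful_logins_from(events, src):
    """Accounts that logged in OK from src: the first thing to check after a spray."""
    return sorted({e["user"] for e in events if e["src"] == src and e["result"] == "OK"})


def distributed_spray(events, lockout_threshold=3, min_accounts=10):
    """Site-wide view for a spray spread over many source IPs.

    Per-source rules see nothing when each IP touches only a couple of
    accounts, so count distinct accounts with sub-lockout failures across all
    such sources. Returns (flagged, distinct_accounts, distinct_sources).
    """
    accounts, sources = set(), set()
    for src, per_user in failures_by_source(events).items():
        if max(per_user.values()) < lockout_threshold:
            sources.add(src)
            accounts.update(per_user)
    return (len(accounts) >= min_accounts, len(accounts), len(sources))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, label in sorted(classify_sources(evs).items()):
        print(f"{src:15} {label:14} ok_logins={successful_logins_from(evs, src)}")
    print("distributed spray:", distributed_spray(evs))
```

The per-source rule flags 203.0.113.5 as brute force and 198.51.100.7 as bulk guessing (and shows the one account that succeeded from it); the three 192.0.2.2x sources each look normal on their own and only the site-wide count exposes them, which is the sense in which a distributed attack is not "easily detected".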

Why Use Strong Passwords?
- Takes far greater time to guess a strong password (brute force and bulk guessing attacks)
- Reduces the chance that more than one account has the same password (bulk guessing attack)

Strength of User ID-Password Combination
- Successful brute force and bulk guessing attacks require both the user ID and the password
- Stronger user ID and weaker password combination
  - When used in combination could have the same effect as a strong password alone
  - Requires attacking schemes to focus more on user IDs, which, unlike passwords, are less likely to be dictionary words
  - Easier for users to remember their passwords, but now the user ID might be harder to remember
  - Places a larger burden on the institution for creating or enforcing stronger user IDs
  - User IDs must not be or become public knowledge, EVER!

Strength alone is not enough
- At some point in time, the account will be cracked
- Lock out strategies
  - 3 strikes rule: 3 sequential unsuccessful attempts and the account is locked
  - Geometrically increasing lock-out time: 2^n seconds after the n-th consecutive failure
- The length of time the lock remains is vital
  - Increases the time it takes to crack the account
  - Must not be so long as to inconvenience the user
  - May increase customer support usage
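The argument of the last three slides (strength matters little once a lockout caps the guesses, a secret user ID multiplies the search space the same way extra password bits do, and bulk guessing survives the lockout unless the common passwords are banned) can be put into numbers. The block below is an added example, not the paper's model or the presenter's code: the lockout parameters, the bit strengths and the password frequency table are constructed assumptions. The geometric lockout is written for any base, not just the 2^n of the slide.

```python
"""How many guesses a lockout policy leaves an attacker, and what that buys
against the two guessing attacks on these slides.

Added example for this page, not code from the paper. The lockout parameters,
bit strengths and the password frequency list are constructed assumptions.
"""


def fixed_lockout_guesses(strikes=3, unlocks=1):
    """3-strikes rule: `strikes` guesses per lock, repeated once per unlock
    (a help-desk reset or a timed release)."""
    return strikes * unlocks


def geometric_lockout_guesses(seconds_available, base=2.0):
    """Lock-out of base**n seconds after the n-th consecutive failure.

    Guess k can only be made after waits base**1 ... base**(k-1), so the
    number of guesses that fit in the window grows only logarithmically."""
    k, elapsed = 1, 0.0                  # the first guess costs no wait
    while elapsed + base ** k <= seconds_available:
        elapsed += base ** k
        k += 1
    return k


def brute_force_success(guesses, password_bits, userid_bits=0.0):
    """Chance that `guesses` distinct tries hit a uniformly random credential.

    userid_bits > 0 models the slide's stronger user ID: if the attacker does
    not know the ID, both parts must be guessed and the search space multiplies."""
    return min(1.0, guesses / 2.0 ** (password_bits + userid_bits))


def bulk_guessing_expected_hits(num_accounts, per_account_guesses, password_freq):
    """Spray the k most popular passwords at every account, with k = the
    per-account guesses the lockout leaves. password_freq[i] is the fraction
    of users who chose the i-th most popular password."""
    top = sorted(password_freq, reverse=True)[:per_account_guesses]
    return num_accounts * sum(top)


# Constructed frequency table for a site's ten most common passwords
# (an assumption for the example, not measured data).
COMMON_PW_FREQ = [0.020, 0.012, 0.008, 0.005, 0.004, 0.003, 0.002, 0.002, 0.001, 0.001]


def summary(num_accounts=100_000, password_bits=28, userid_bits=20):
    """Collect the comparisons the slides argue for, as one dict."""
    g3 = fixed_lockout_guesses(3, 1)
    g_day = geometric_lockout_guesses(24 * 3600)
    return {
        "guesses_3_strikes": g3,
        "guesses_geometric_per_day": g_day,
        # strength beyond what 3 guesses can search buys almost nothing
        "p_bruteforce_3_guesses": brute_force_success(g3, password_bits),
        # a secret user ID multiplies the space just like extra password bits
        "p_bruteforce_with_secret_id": brute_force_success(g3, password_bits, userid_bits),
        # the lockout still lets a spray hit everyone who picked a top-3 password
        "spray_hits_3_guesses": bulk_guessing_expected_hits(num_accounts, g3, COMMON_PW_FREQ),
        # a policy that bans the top 3 only pushes the attacker to the next three
        "spray_hits_top3_banned": bulk_guessing_expected_hits(num_accounts, g3, COMMON_PW_FREQ[3:]),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:32} {value:g}")
```

Two things fall out of the numbers. A 2^n back-off allows only about 16 guesses per account per day, so a password that resists a few dozen guesses is as good as one that resists 2^60 against this attacker; and the spray's expected haul depends on the frequency of the top few passwords, not on the entropy of the rest, so the useful "strength" rule against bulk guessing is a ban on common passwords rather than a character-class requirement.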

Conclusions
- Strong passwords make attacking more difficult
- The user ID, or the process of user ID creation, is more likely to be public knowledge than the password
- Strong passwords are most effective when some type of lock out strategy is being used
- Not just for the web, but for everything where a password is used