 Patrick Gage Kelley, et al. “Guess again (and again and again): [...].” In 2012 IEEE Symposium on Security and Privacy (SP), pp. 523-537. IEEE, 2012.

Presentation transcript:

 Patrick Gage Kelley, et al. “Guess again (and again and again): [...].” In 2012 IEEE Symposium on Security and Privacy (SP), pp. 523-537. IEEE, 2012. Timothy D. Widjaja

 Measuring password strength by simulating password-cracking algorithms
 Gather passwords under various policies, then train the algorithms on various dictionaries; compare the guessability of passwords from those policies using those dictionaries
 Guessability is measured by calculating how long the algorithms would take to discover a password
 Password creation policies may influence a user’s choice of password in ways more “predictable” than intended
 Password cracking algorithms can become very successful if tailored to a given password creation policy

 A word mangling algorithm is trained on a dictionary
Dictionary (input): apple, banana, cherry, ...
Word Mangling Algorithm (e.g. Weir, Brute-Force Markov, John the Ripper)
Guesses (output): apple1234, a.p.p.l.e, aaaaapple, 4PPL3, binini, BaNaNa, ba-na-na, banananana, cherry!!!, cherrie, che~e~erry, cherrycherry, ...

 Consider password cracking as a guided traversal through the space of all possible passwords: “educated” brute-force
 How does a password policy influence users in creating passwords? How does it affect the password distribution?
[Figure: Password Distribution vs. Password Cracking Perimeter]
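The guess-number measurement described on the previous slides, as an added Python illustration that is not code from the paper or from any of the tools it names (Weir, Brute-Force Markov, John the Ripper). A small constructed dictionary is expanded by an ordered list of mangling rules, applied rule-major the way a wordlist cracker walks its rule file; a password's guessability is the position of the first matching guess in that stream, and a policy's strength can then be compared as the fraction of its passwords found within a guess budget. The dictionary, rule set, rule ordering and sample passwords are all assumptions made up for the example.

```python
"""Guess-number calculator for a toy word-mangling cracker (added example).

Guessability is defined exactly as on the slides: how many guesses a
simulated cracker makes before it reaches a given password. Everything
below (dictionary, rules, sample passwords) is constructed for the demo.
"""

# Constructed training dictionary, a stand-in for the paper's word lists.
DICTIONARY = ["apple", "banana", "cherry", "password", "summer"]

# Simple leet-speak substitution table used by one of the rules.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def rules():
    """Ordered mangling rules; each maps a base word to a list of guesses.

    Cheap, high-yield transformations come first: the order is what makes
    the guess number a strength metric rather than a set membership test.
    """
    return [
        ("as-is", lambda w: [w]),
        ("capitalize", lambda w: [w.capitalize()]),
        ("uppercase", lambda w: [w.upper()]),
        ("append-symbol", lambda w: [w + s for s in "!.?"]),
        ("leet", lambda w: [w.translate(LEET)]),
        ("double", lambda w: [w + w]),                     # cherrycherry
        ("append-1-digit", lambda w: [f"{w}{d}" for d in range(10)]),
        ("append-2-digits", lambda w: [f"{w}{d:02d}" for d in range(100)]),
        ("append-year", lambda w: [f"{w}{y}" for y in range(1950, 2030)]),
        ("append-4-digits", lambda w: [f"{w}{d:04d}" for d in range(10000)]),
    ]


def guesses(dictionary):
    """Yield guesses rule-major: every word under rule 1, then rule 2, ...

    Duplicates (e.g. a year already produced by append-year) are skipped
    so that each distinct guess is counted exactly once.
    """
    seen = set()
    for _, rule in rules():
        for word in dictionary:
            for candidate in rule(word):
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def guess_number(password, dictionary):
    """1-based index of the first guess equal to password; None if never guessed."""
    for n, candidate in enumerate(guesses(dictionary), start=1):
        if candidate == password:
            return n
    return None


def fraction_cracked(passwords, dictionary, budget):
    """Share of the sample that the simulated cracker finds within `budget` guesses.

    Comparing this figure across password sets collected under different
    policies is the comparison the slides describe.
    """
    hits = 0
    for pw in passwords:
        n = guess_number(pw, dictionary)
        if n is not None and n <= budget:
            hits += 1
    return hits / len(passwords)


if __name__ == "__main__":
    # Constructed sample "policy" set: some weak, some outside the rule space.
    sample = ["password", "Banana", "apple1234", "cherrycherry", "xq9!Lm"]
    for pw in sample:
        print(f"{pw:>14}: guess #{guess_number(pw, DICTIONARY)}")
    print("cracked within 100 guesses:", fraction_cracked(sample, DICTIONARY, 100))
```

With the constructed rule order, `password` is guess 4, `cherrycherry` guess 38 and `apple1234` guess 2225, while `xq9!Lm` is never produced at all; swapping in a dictionary trained on passwords from the same policy, as the next slide discusses, is simply a different `DICTIONARY` argument.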

 POLICIES: two different scenarios, four different “wordings”, eight different conditions: dictionary8, blacklistEasy, blacklistMedium, blacklistHard, basic8survey, basic16, comprehensive8, basic8

 FINDING: Training the cracking algorithm using other passwords gathered under the same policy improves cracking significantly for stringent policies, but only slightly for lenient policies
[Figure: Ideal Situation vs. Actual Situation]

 FINDING: The guessability of passwords created under some policy is not equivalent to the guessability of passwords created under different policies that happen to conform to that policy
[Figure: No Restriction vs. Apply Restriction X]