Guess again (and again and again) Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.


Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez. In 2012 IEEE Symposium on Security and Privacy (SP), pp. 523-537. IEEE, 2012. Presented by Rain Qin.

Paper Summary
The authors analyzed a dataset of 12,000 plaintext passwords collected under different password-composition policies using Amazon's Mechanical Turk crowdsourcing service.
They implemented two guess-number calculators:
- Weir algorithm calculator (probabilistic context-free grammar)
- BFM (brute-force Markov) algorithm calculator
They found that:
- the effectiveness of a dictionary check depends on the choice of dictionary
- effective attacks on passwords created under complex policies require access to closely matched training data
- of the password-composition policies studied, basic16 gives the most security against the strongest attacks

Policies (examples are the presenter's)
- basic8survey: Password must have at least 8 characters. (e.g. awordpswd)
- dictionary8: Password must have at least 8 characters. It may not contain a dictionary word. (e.g. asdfghjk)
- comprehensive8: Password must have at least 8 characters, including an uppercase and a lowercase letter, a symbol, and a digit. It may not contain a dictionary word. (e.g. *IK<;lo9)
- basic16: Password must have at least 16 characters. (e.g. qwertyuioplkjhgf)
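The four policies above as an added checker; this is example code, not part of the presentation or the paper. The dictionary check (strip digits and symbols, lowercase, look for a word as a substring, ignore words shorter than four letters) and the tiny word list are assumptions standing in for the paper's Openwall-based check, and the slide's own example passwords are used as input:

```python
import re
from typing import Callable, Dict, List

# Constructed stand-in for the cracking dictionary behind dictionary8 / comprehensive8
# (assumption: the paper used the free Openwall list, which is far larger).
DICTIONARY = {"password", "word", "pass", "letter", "genius", "monkey", "dragon"}

MIN_WORD_LEN = 4  # assumption: very short words ("a", "is") would reject everything


def contains_dictionary_word(pw: str, dictionary=DICTIONARY) -> bool:
    """Dictionary check as assumed here: drop non-letters, lowercase, then look for
    any dictionary word as a substring (so 'awordpswd' is rejected because of 'word')."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return any(w in letters for w in dictionary if len(w) >= MIN_WORD_LEN)


def has_four_classes(pw: str) -> bool:
    """comprehensive8 needs an uppercase letter, a lowercase letter, a digit and a symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


# One predicate per policy, named as on the slide (basic8survey has the same rule as basic8).
POLICIES: Dict[str, Callable[[str], bool]] = {
    "basic8": lambda pw: len(pw) >= 8,
    "dictionary8": lambda pw: len(pw) >= 8 and not contains_dictionary_word(pw),
    "comprehensive8": lambda pw: (len(pw) >= 8 and has_four_classes(pw)
                                  and not contains_dictionary_word(pw)),
    "basic16": lambda pw: len(pw) >= 16,
}


def check(policy: str, pw: str) -> bool:
    """True if pw satisfies the named policy."""
    return POLICIES[policy](pw)


def allowed_under(pw: str) -> List[str]:
    """Every policy that would accept pw, in the order the slide lists them."""
    return [name for name, rule in POLICIES.items() if rule(pw)]


if __name__ == "__main__":
    # The slide's example passwords; each should pass its own policy.
    for pw in ["awordpswd", "asdfghjk", "*IK<;lo9", "qwertyuioplkjhgf"]:
        print(f"{pw:18s} accepted by: {allowed_under(pw)}")
```

Note that the 16-character keyboard walk passes basic16 and dictionary8 but not comprehensive8, and that the dictionary check rejects awordpswd only because the word list happens to contain "word": with a different dictionary the same password is accepted, which is the paper's point about dictionary choice.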

Cracked results: Weir calculator (figure)

Cracked results: BFM calculator (figure)

Conclusion
- basic16 is superior against large numbers of guesses.
- Both guess-number calculators show that basic16 is the best of the policies studied.

Thank you~

Concepts
Amazon Mechanical Turk (ref https://en.wikipedia.org/wiki/Amazon_Mechanical_Turk)
Further policies from the paper:
- basic8: Participants were given the email scenario and the composition policy "Password must have at least 8 characters." Only the scenario differs from basic8survey.
- blacklistEasy: Password must have at least 8 characters. It may not contain a dictionary word.
- blacklistMedium: Same as the blacklistEasy condition, except the authors used the paid Openwall list.
- blacklistHard: Same as the blacklistEasy condition, except the authors used a five-billion-word dictionary created using the algorithm outlined by Weir et al.
Two guess-number calculators:
- BFM: a brute-force algorithm loosely based on a Markov model
- Weir: the heuristic algorithm proposed by Weir et al., built on a probabilistic context-free grammar
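A toy Weir-style guess-number calculator, added here to make the concept behind both calculator slides (Paper Summary and Concepts) concrete; it is not the authors' code. It learns base structures (runs of letters, digits and symbols) and digit/symbol terminals from a constructed training list, takes alphabetic terminals uniformly from a constructed word list (both assumptions standing in for the paper's leaked-password corpora and dictionaries), enumerates every guess the grammar can make in probability order, and reports where a target password falls. The paper's calculators compute guess numbers without enumerating; exhaustive enumeration is fine only for a grammar this small.

```python
import re
from collections import Counter, defaultdict
from itertools import product
from typing import Dict, List, Optional, Tuple

# Constructed training set (assumption), deliberately skewed so that structure
# frequencies differ: L8 D1 occurs three times, L6 D2 twice, the rest once.
TRAINING = ["password1", "sunshine1", "football1", "monkey12", "dragon12",
            "letmein!", "abc123", "iloveyou!"]

# Constructed word list (assumption): alphabetic terminals come from a dictionary,
# uniformly weighted within each length, as in Weir et al.'s grammar.
DICTIONARY = ["password", "sunshine", "football", "iloveyou", "monkey", "dragon",
              "summer", "qwerty", "letmein", "welcome", "hello", "abc"]

TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def tokenize(pw: str) -> List[Tuple[str, str]]:
    """Split a password into runs tagged L (letters), D (digits) or S (symbols)."""
    toks = []
    for m in TOKEN_RE.finditer(pw):
        run = m.group()
        cls = "L" if run.isalpha() else "D" if run.isdigit() else "S"
        toks.append((cls, run))
    return toks


def structure(pw: str) -> Tuple[str, ...]:
    """The base structure, e.g. 'password1' -> ('L8', 'D1')."""
    return tuple(f"{cls}{len(run)}" for cls, run in tokenize(pw))


class WeirPCFG:
    """Toy probabilistic context-free grammar in the style of Weir et al."""

    def __init__(self, training: List[str], dictionary: List[str]) -> None:
        counts = Counter(structure(pw) for pw in training)
        total = sum(counts.values())
        # P(structure) from its frequency in the training data
        self.structures: Dict[Tuple[str, ...], float] = {s: c / total for s, c in counts.items()}
        # P(terminal | Dn or Sn) from the frequency of each digit/symbol run
        run_counts: Dict[str, Counter] = defaultdict(Counter)
        for pw in training:
            for cls, run in tokenize(pw):
                if cls != "L":
                    run_counts[f"{cls}{len(run)}"][run] += 1
        self.terminals: Dict[str, Dict[str, float]] = {
            nt: {run: c / sum(ctr.values()) for run, c in ctr.items()}
            for nt, ctr in run_counts.items()}
        # P(terminal | Ln): uniform over the dictionary words of that length
        by_len: Dict[int, List[str]] = defaultdict(list)
        for w in dictionary:
            by_len[len(w)].append(w.lower())
        for n, words in by_len.items():
            self.terminals[f"L{n}"] = {w: 1 / len(words) for w in words}

    def all_guesses(self) -> List[Tuple[str, float]]:
        """Every guess the grammar can produce, most probable first (ties broken by string)."""
        best: Dict[str, float] = {}
        for s, p_s in self.structures.items():
            if any(nt not in self.terminals for nt in s):
                continue  # a nonterminal with no learned terminals produces nothing
            choices = [list(self.terminals[nt].items()) for nt in s]
            for combo in product(*choices):
                guess = "".join(run for run, _ in combo)
                p = p_s
                for _, p_run in combo:
                    p *= p_run
                if p > best.get(guess, 0.0):
                    best[guess] = p
        return sorted(best.items(), key=lambda kv: (-kv[1], kv[0]))

    def guess_number(self, target: str) -> Optional[int]:
        """1-based position of target in the guess order, or None if it is never guessed."""
        for rank, (guess, _) in enumerate(self.all_guesses(), start=1):
            if guess == target:
                return rank
        return None


MODEL = WeirPCFG(TRAINING, DICTIONARY)


def guess_number(pw: str) -> Optional[int]:
    return MODEL.guess_number(pw)


if __name__ == "__main__":
    for pw in ["abc123", "password1", "welcome!", "Password1", "hello"]:
        print(f"{pw:12s} guess number: {guess_number(pw)}")
```

Two results illustrate the paper's findings: "Password1" is never guessed because the word list is lowercase and no training password has a capitalised letter run, and "hello" is never guessed because the structure L5 was never seen; a calculator is only as good as the match between its training data and the policy under which the target passwords were created.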

Poor practicality: a 16-character password (basic16) is hard to remember.

Poor practicality (cont.): build the password from a motto or dictum. "Genius is one percent inspiration, ninety-nine percent perspiration." becomes "gi1%isbrt,90%psbrt." (19 characters, so it satisfies basic16).