Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords.

Published byLincoln Poock Modified over 9 years ago

Similar presentations

Presentation on theme: "CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords."— Presentation transcript:

1 CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords

2 First, Administrivia Homework: –HW#3 (forensics) collected –HW#4 (hashing) assigned. Quiz #1: –November 9 th –Covers privacy policies, security policies, HCI usability, tempest, disk forensics, network security appliances, transactional privacy, physical security, passwords, biometrics, hashing, symmetric encryption, asymmetric encryption, MD5, SHA-1, DES, AES, RSA, Diffie-Helman, PEM, PGP, S/MIME.

3 HW #3 Due today! Please comment in class and on website about what you learned. Forensics would be a good final project!

4 HW #4 Assigned today. Makes heavy use of MD5/SHA-1 –If you don’t know the basics of hashing, read WSCP Chapter 3 & Chapter 4. Easy to spend a lot of time on this. But you shouldn’t have to. Some programming is required. But not much. If you have a problem, please email the staff.

5 Identification, Authentication, and Authorization Identification: –You give your name Authentication: –You’ve proven that it’s really you. Authorization: –We’ve looked your identity up in the database and we know what you’re allowed to do. Most say “authentication” when they mean identification or authorization. You can authenticate without identifying.

6 Classical Authentication Something that you know –password –pass phrases Something that you are –fingerprint –face print Something that you have –tokens –smartcards } biometrics

7 Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to- day basis. –Email, Websites, ATMs, Doors, Lockers, etc. Password Recovery: –Challenge/response questions –Knowledge of previous transactions

8 How many passwords do must you remember?

9 Why the explosion of passwords? Need to protect configuration information –BIOS passwords, VChip, Cell Phones, etc. Web services need persistent identification of users over time No national/international identification service

10 Alternatives to many passwords Single-sign on: –Master password unlocks others –PKI: password unlocks private key Examples: –Microsoft Passport –Gnu Keyring (gnukeyring.sourceforge.net)

11 Observed Strategies “Low security” & “high security” passwords Standard password that’s changed for every host –password-ebay –password-paypall –password-fas Change password periodically –Every 3-6 months –(Problems if you don’t manage to change all of your passwords.) Always use “password reset” and get emailed a password. Write passwords down

12 Anderson: 3 types of password concerns 1.disclosure 2.reliability to enter 3.ability to remember

13 Concern #1: Disclosure Will the user break the system security by disclosing the password to a third party, whether accidentally, on purpose, or as a result of deception?

14 Concern #2: Reliability to enter Will the user enter the password correctly with a high enough probability?

15 Concern #3: Ability to remember Will users remember the password, or will they have to either write it down or choose one that’s easy for the attacker to guess?

16 Can you write down passwords? class discussion

17 Can you write down these passwords? Can you remember them? What if you had to remember 40 of them? http://gs2.sp.cs.cmu.edu/art/random/archive/archive_0104/

18 A Password Policy “The root password for each machine shall be too long to remember, at least 16 alpha and numeric characters chosen at random by the system; it shall be written on a piece of paper and kept in an envelope in the room where the machine is located; it may never be divulged over the telephone or used over the network; it may only be entered at the console of the machine that it controls.” [Anderson, p. 37]

19 Anderson’s Research Problems in Passwords: What is the best way to enforce user compliance with a password policy? Can we design interactive password systems that are better? Can we use multiple passwords? –Mother’s maiden name –Password –Amount of last purchase –Dog’s nickname –Your favorite color…

20 Threats to Passwords What are the threats against passwords? –Guessing –Brute force search –Shoulder surfing –Discovering passwords that are written down –Passwords collected at one website used for another Kinds of attacks: –Offline –Online

21 Eavesdropping risks Physical device --- key grabber Trojan Horse Tapped lines Video Camera … The need for trusted path

22 Kinds of Attacks: Targeted attack on one account Attempt to penetrate any account on a system Attempt to penetrate any account on any system Service denial attack

23 Protecting against Online Attacks: Defenses Against Guessing: –Exponential back-off –Lock out –Notification –“Cracking” Dangers of lock-out –Ebay doesn’t use it; why not?

24 Protecting against Offline Attacks What do you do?

25 Restricting Passwords Does it make sense to mandate symbols and numbers in passwords? –# of letters: 52 (26 lower + 26 UPPER) –# of symbols: 30 –# of 8 letter passwords: 52 8 –# of 7 character passwords with 1 symbol: (52 7 )(30)(8) –How about forcing 1 number and 1 symbol? (52 6 )(30)(8)(10)(7)

26 More on restrictions Different systems have different restrictions. –Some require special characters –Some forbid special characters. Why?

27 Password Generating Algorithms Multics generated passwords that were “easy to remember.” What’s wrong with giving advice on how to generate passwords? What’s the alternative? Programmatically picking passwords that are easy-to-remember

28 Developer Recommendations Force users to change passwords regularly Password != Username Require 8 or more characters Require a mix of alpha, numeric, and special characters Deny Access After a number of failed Attempts Do not send passwords “in the clear” Do not assign “default passwords” Overwrite passwords in memory as quickly as possible

29 Restrictions on Passwords: Recommendations 1-14 characters vs. 1-127 characters vs. 10-127 characters –Recommendation: Mandate minimums, but allow people to type extra characters –If you can’t handle a special character, change it to a character you can handle. –ATM networks used to ignore all characters after first 4

30 Recommendations on Password Aging: What should we do? Should we mandate password changes? Should we remember old passwords and forbid them?

31 Case Sensitivity: Recommendations Some passwords are case-sensitive; some are not. –If your passwords are not case- sensitive, they must be longer. Check password with case-flipped for CAPS LOCK ON accident.

32 Password Recovery What’s the best way to do it? Automatic vs. Manual “What is your favorite Color?”

33 Password Recovery: Recommendations Send a link that expires quickly. Specially log the IP address of the browser that clicks the link. Don’t send the password!

34 Web Password Hashing Internet Explorer plug-in that sends a hash of the password to every website. –Hash depends on your password & remote website –Defeats phishing! http://crypto.stanford.edu/PwdHash/ http://crypto.stanford.edu/PwdHash/ PwdHash.ppthttp://crypto.stanford.edu/PwdHash/ PwdHash.ppt

Download ppt "CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords."

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.

BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.

Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.

SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.
Chapter 3 Passwords Principals Authenticate to systems.

Chapter 3 Passwords Principals Authenticate to systems.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Homework #4 Comments. Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. –Email, Websites,

Homework #4 Comments. Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. – , Websites,
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Similar presentations

Ads by Google