Presentation is loading. Please wait.

Presentation is loading. Please wait.

Testing of Password Policy Anton Dedov ZeroNights 2013.

Published byJared Shaw Modified over 9 years ago

Similar presentations

Presentation on theme: "Testing of Password Policy Anton Dedov ZeroNights 2013."— Presentation transcript:

1 Testing of Password Policy Anton Dedov ZeroNights 2013

2 Who Am I Software Developer and Security Engineer @ Parallels Automation Open source developer Mail: adedov@gmail.comadedov@gmail.com Twitter: @brutemorse

3 Motivation It is hard for application developers to choose between existing password meters reasonably. Worse, some implement their own [or customize existing] without understanding of security and psychological implications. Need some framework/criteria that would help reasonable choice. 3

4 NAÏVE SECURITY MODEL

5 100 K 10 K 100 K Untargeted Online Attacks 2.5 K 5 K 1 guess per user / day 2 days to find first password 100 days to find 50 passwords User base Common passwords 1 guess per user / day 10 days to find first password 1.5yr to find 50 passwords

6 Targeted Online Attacks 10 failed attempts  1 hour block 240 attempts per user / day 7200 attempts per user / month 86400 attempts per user / year More IP-s scale linearly

7 Offline Attacks Huge dictionaries Specialized hardware and clusters No time/complexity limitations except – Enforced password quality – Hash speed – Salt uniqueness 7

8 TESTING PASSWORD METERS

9 Candidates Plesk jquery.complexify zxcvbn libpwquality passwdqc

10 Method Apply meters to password bases Dictionary attacks with JtR Rule-based attacks with JtR Collect essential parameters

11 Apply Meters Requirement: meter should provide unambiguous signal about if password is accepted or not. Passwdqc tells straight “OK” or “Bad”. Others return score. Minimal accepted score documented. 11

12 Password Bases Real customers RockYou all CMIYC-2010 not cracked Random passphrases Random 10-char passwords 12 Red for attacks; blue for psychological acceptance.

13 Dictionaries DictionarySize, words Tiny English817 RockYou top1438 Common-passwords3546 English54316 Tiny English crossed / 8 chars72100 13

14 Rules RuleFactor JtR defaults~ 40 JtR jumbo~ 5500 m3g9tr0n-2048512= 3510 m3g9tr0n-2048517~ 860 14

15 Cracking Sessions Tiny None817 words JtR default41K words JtR jumbo4M words m3g9tr0n- 2048512 2.8M words m3g9tr0n- 2048517 707K words 15

16 Cracking Sessions 25 attacks per password base per meter Min dictionary size 817 Max dictionary size 396M 16 RockYou dictionary was not used against RockYou password base.

17 Parameters M – passwords approved by meter D – attack dictionary size C – # of guessed passwords during attack Attack effectiveness Attack economy 17

18 For dictionaries < 100K Max guess rate 0.007% Online Attacks Effectiveness 18

19 Max Attack Effectiveness 19

20 Max Attack Economy 20

21 Average Attack Economy 21

22 Guesses Totals MeterRockYouCustomer 1Customer 2 plesk 0.08%0.28% passwdqc 0.18%0.23%0.12% zxcvbn 0.54%0.26%0.06% complexify 0.54%1.06%0.40% libpwquality 1.16%0.50%0.45%

23 Guesses Totals 23

24 Psy. Acceptance: User Passwords MeterRockYouCustomer 1Customer 2 plesk 0.21%3.45%5.53% passwdqc 1.60%14.90%40.62% zxcvbn 5.43%16.29%43.16% complexify 2.03%7.05%27.18% libpwquality 4.32%11.88%34.27%

25 Psy. Acceptance: User Passwords 25

26 Psy. Acceptance: Hard Passwords 26 MeterCMYIC-2010Pass-PhrasesRandom 10 chars plesk24%0%42% passwdqc59%99.98%100% zxcvbn42%99.76%99.99% complexify3%99.94%0% libpwquality10%99.82%81%

27 Psy. Acceptance: Hard Passwords 27

28 The “editors” choice SecurityPsychology passwdqczxcvbn pleskpasswdqc zxcvbnlibpwquality jquery.complexify libpwqualityplesk 28

29 Conclusions Test your security tools for security Avoid write your own security tools All tested meters protect from online attacks Also seem protect from offline attacks (for slow hashes and unique salts) But most tend to deny more passwords than it is necessary, including known to be hard ones Passwdqc and zxcvbn look best

30 Where to go? Bigger dictionaries and brute force Testing on real people to – Learn evolution of “common passwords” lists – Test psychological acceptance empirically More meters? 30

31 Special thanks Alexander Peslyak Solar Designer 31

32 Bonus: time to process RockYou… (MBP 2011)

Download ppt "Testing of Password Policy Anton Dedov ZeroNights 2013."

Similar presentations

Securing Passwords against Dictionary Attacks

Securing Passwords against Dictionary Attacks
Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.

Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 7: Troubleshoot Security Settings and Local Security.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 7: Troubleshoot Security Settings and Local Security.
Access Control Methodologies

Access Control Methodologies
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault.

Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault.
1 Password Advanced Password Management. 2 Standard Password Management including tool for blocking usage of easily cracked passwords Extensive dictionary.

1 Password Advanced Password Management. 2 Standard Password Management including tool for blocking usage of easily cracked passwords Extensive dictionary.
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Chapter 3 Passwords Principals Authenticate to systems.

Chapter 3 Passwords Principals Authenticate to systems.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
1 MySQL Passwords Password Strength and “Cracking” Presented by Devin Egan Defcon 12 - July 31, 2004 Password Strength and “Cracking” Presented by Devin.

1 MySQL Passwords Password Strength and “Cracking” Presented by Devin Egan Defcon 12 - July 31, 2004 Password Strength and “Cracking” Presented by Devin.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.

Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.

Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.

Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.

Similar presentations

Ads by Google