Presentation is loading. Please wait.

Presentation is loading. Please wait.

Passwords Tom Ristenpart CS 6431. The game plan Historical analysis Brief overview of research landscape Current practices in industry Bonneau paper Weir.

Published byDominic Gallagher Modified over 9 years ago

Similar presentations

Presentation on theme: "Passwords Tom Ristenpart CS 6431. The game plan Historical analysis Brief overview of research landscape Current practices in industry Bonneau paper Weir."— Presentation transcript:

1 Passwords Tom Ristenpart CS 6431

2 The game plan Historical analysis Brief overview of research landscape Current practices in industry Bonneau paper Weir et al. paper Misc and wrap-up

3 Password use cases OS login Website / service login PINs Encryption Authentication Confidentiality

4 PW-based authentication: the basic architecture Register: tom, pw Store tom, pw in some form. login: tom, pw’ Authentication service Check that pw’ = pw What are security threats?

5 The history of password research “Human beings being what they are, there is a strong tendency for people to choose relatively short and simple passwords that they can remember. “ [Morris, Thompson 1979] Analysis of UNIX passwords & password-hashing system

6 “The results were disappointing, except to the bad guy. In a collection of 3,289 passwords gathered from many users over a long period of time, 15 were a single ASCII character; 72 were strings of two ASCII characters; 464 were strings of three ASCII characters; 477 were strings of four alphamerics; 706 were five letters, all upper-case or all lower-case; 605 were six letters, all lower-case.” [Morris, Thompson 1979] The history of password research 86% crackable

7 Morris, Thompson suggest: – Slow hashing (they called it encryption) – Less predictable passwords – Salt before hashing – Use custom version of DES to avoid hardware – Don’t have separate error for bad login The history of password research

8 The research landscape since 1979… Understanding user selection – Measuring password strength [see citations in Bonneau paper], [Li, Han `14], [CMU papers] Guiding password selection – Strength meters, requirements, etc. – Password expiration [Zhang et al. ‘12] Password transmission, login logic – Single sign-on (SSO) technologies Password hashing – New algorithms [PKCS standards], [Percival ’09], [Biryukov, Khovratovich ‘15] – Proofs [Wagner, Goldberg ‘00] [Bellare, Ristenpart, Tessaro ‘12] Improving offline brute-force attacks – Time-space trade-offs (rainbow tables) [Hellman ’80], [Oeschlin ‘03], [Narayanan, Shmatikov ‘05] – Better dictionaries [JohntheRipper], [Weir et al. ‘09], [Ma et al. ‘14] Password managers – Decoy-based [Bojinov et al. ’10], [Chatterjee et al. ‘15] – Breaking password managers [Li et al. ‘14] [Silver et al. ’15] – Stateless password managers [Ross et al. ’05]

9 What do you think is the quality of password management today?

10 https://github.com/hackappcom/ibrute https://github.com/Pr0x13/iDict/blob/master /main.php Courtesy of Belenko, Troshichev (viaForensics)

11

12 Linked in circa 2012 stored passwords as which of: pw MD5(pw) H(salt,pw) H c (salt,pw) 6.5 million hashes leaked 90% cracked in 2 weeks

13 Offline brute-force attacks Dictionary: List of probable passwords h 1 = H(pw 1 ) h 2 = H(pw 2 ) … h m = H(pw m ) H(guess 1 ), H(guess 2 ), … Check if any guesses equal any of h 1, …, h m

14 Password hashing Recall Morris, Thompson goal: slow down brute-force attacks PKCS#5 approach: HHH … pw || salt h = H c (pw || salt) H : {0,1} * -> {0,1} n is cryptographic hash function (e.g., SHA-256) salt should be random bit string large enough to be unpredictable c times

15 Password hashing Recall Morris, Thompson goal: slow down brute-force attacks The role of salts: – Prevents use of time-memory trade-offs (rainbow tables) – Cracking m accounts requires m times the work h 1 = H c (pw 1,salt 1 ) h 2 = H c (pw 2,salt 2 ) … h m = H c (pw m,salt m ) Proofs: See [Bellare, Ristenpart, Tessaro ‘12]

16 $cur = ‘password’ $cur = md5($cur) $salt = randbytes(20) $cur = hmac_sha1($cur, $salt) $cur = remote_hmac_sha256($cur, $secret) $cur = scrypt($cur, $salt) $cur = hmac_sha256($cur, $salt) Facebook password “onion”

17 Brute-force attacks Offline attacks of hashed database slowed down by a constant factor -- guessing still works if passwords are bad – Nowadays, use memory-hard functions (e.g., scrypt, Argon2) Online brute-force attacks – Public login pages – Compromised web server in distributed security architecture

18 Rockyou data breach: 32 million social gaming accounts 290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess 21725 1234567 20901 rockyou 20553 12345678 16648 abc123 16227 nicole 15308 daniel 15163 babygirl 14726 monkey 14331 lovely 14103 jessica 13984 654321 13981 michael 13488 ashley 13456 qwerty 13272 111111 13134 iloveu 13028 000000 12714 michelle 11761 tigger 11489 sunshine 11289 chocolate 11112 password1 10836 soccer 10755 anthony 10731 friends 10560 butterfly 10547 purple 10508 angel 10167 jordan 9764 liverpool 9708 justin 9704 loveme 9610 fuckyou... 9 tonee 9 tonebone 9 tonatzin 9 tonatihu 9 tonaor 9 tonantzin 9 tomybill 9 tomtomgo 9 tomtom8 9 tomrules 9 tomoe 9 tommyr 9 tommylee1 9 tommyjr 9 tommydog... 5 dansbaby 5 dansar 5 danrules 5 danrox 5 danrick 5 danou 5 danota 5 danonino1 5 danone1 [Bonneau 2012] 69 million Yahoo! Passwords 1.1% of users pick same password Most common password used by almost 1%

19 Rockyou empirical probability mass function (Only first 5,000 points shown)

20 Bonneau Yahoo password study Instrument login infrastructure Hash passwords with key H(K,pw) and store result in histogram Throw away K – Can’t do brute-force attacks later on – Only learn empirical distribution of passwords Also stored some demographic information

21 Password strength metrics Shannon entropy: Let X be password distribution. Passwords are drawn iid from X N is size of support of X p 1, p 2, …, p N are probabilities of passwords in decreasing order

22 An example distribution N = 1,000,000 p 1 = 1 / 100 p 2 = (1 – 1/100)/999,999 ≈ 1 / 2 20 … p N = (1 – 1/100)/999,999 ≈ 1 / 2 20.01 2 -20 What is probability of success if attacker makes one guess? H 1 ( X ) ≈ 19 19 bits of “unpredictability”. Probability of success about 1/2 19 Shannon entropy is almost never useful measure for security H ∞ ( X ) = - log p 1 ≈ 6.6 The min-entropy of X

23 Password strength metrics Beta-success rate: alpha-work-factor:

24 From [Bonneau ‘12]

25

26 Bonneau takeaways People pick lousy passwords New strength measures for password distributions What questions are left open by his paper?

27 Building good password guessers Brute-force guessers - try all strings of a certain length Dictionary guessers - Try only common words A better guesser would: Output list of passwords in order of likelihood JohnTheRipper: Dictionaries of common words + mangling rules Also has brute-force mode Eg: add digit to end: pw -> pw1

28 Train models from leaked passwords Training alg. for language model 290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess … Trivial model is just the empirical CDF of the histogram itself Model 290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess … Model defines a probability distribution over passwords. Can use to: -sample passwords according to distribution -enumerate passwords in order of likelihood Supports all the above Generalizability is quite poor ML people would say this model is overfit

29 Train models from leaked passwords Training alg. for language model 290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess … Model CFG with probability distribution associated to each rule Probabilistic context-free grammar We can encode a string by its parse tree, the tree represented by probabilities in PCFG CDF [Weir et al. 2009] Fix a CFG, then learn probabilities by training on passwords

30 S -> L 3 D 1 S 1 -> L 3 4S 1 -> L 3 4! Pr[ L 3 4! ] = 0.25 * 0.60 * 0.65 = 0.0975

31 With good training data: Works better than JtR

32 Train models from leaked passwords Training alg. for language model 290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess … Model What open questions do Weir et al. leave?

33 Train models from leaked passwords Training alg. for language model 290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess … Model Probabilistic context-free grammar only one NLP modeling approach n-gram Markov models another popular choice.: [Ma et al. ’14] show carefully chosen Markov model beats Weir et al. PCFG

34 Password selection policies [Komanduri et al. ‘11], [Vu et al. ‘07], [Proctor et al. ‘02] and others studied with Amazon Mturk – General consensus that it increases resistance (but by exactly how much is not clear to me), but decreases usability Password expiration policies [Zhang et al. ’10] – High-level bit: they don’t work – Attacker with old password can crack new one very often

35 The research landscape since 1979… Understanding user selection – Measuring password strength [see citations in Bonneau paper], [Ma et al. `14], [Li, Han `14], [CMU papers] Guiding password selection – Strength meters, requirements, etc. – Periodic forced changes [Zhang et al. ‘12] Password transmission, login logic – Single sign-on (SSO) technologies Password hashing – New algorithms [PKCS standards], [Percival ’09], [Biryukov, Khovratovich ‘15] – Proofs [Wagner, Goldberg ‘00] [Bellare, Ristenpart, Tessaro ‘12] Improving offline brute-force attacks – Time-space trade-offs (rainbow tables) [Hellman ’80], [Oeschlin ‘03], [Narayanan, Shmatikov ‘05] – Better dictionaries [JohntheRipper], [Weir et al. ‘09], Password managers – Decoy-based [Bojinov et al. ’10], [Chatterjee et al. ‘15] – Breaking password managers [Li et al. ‘14] [Silver et al. ’15] – Stateless password managers [Ross et al. ’05]

Download ppt "Passwords Tom Ristenpart CS 6431. The game plan Historical analysis Brief overview of research landscape Current practices in industry Bonneau paper Weir."

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Chapter 3.3 - User authorization & safety Maciej Mensfeld Presented by: Maciej Mensfeld User authorization & safety dev.mensfeld.pl.

Chapter User authorization & safety Maciej Mensfeld Presented by: Maciej Mensfeld User authorization & safety dev.mensfeld.pl.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.
Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault.

Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault.
Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.

Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Tom Parker Project Manager Identity Management Team IT Security Group.

Tom Parker Project Manager Identity Management Team IT Security Group.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.

Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.

Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.

IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.

Similar presentations

Ads by Google