Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.

Published byEugenia Nicholson Modified over 9 years ago

Similar presentations

Presentation on theme: "Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer."— Presentation transcript:

1 Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer

2 Introduction Abstract/Introduction Reverse Turing Test (RTT) User Authentication Protocols Security Analysis Authentication Method Requirements Other Authentication Approaches Conclusion

3 Abstract/Introduction Passwords are the most widely used authentication method More secure methods are cumbersome to use User chosen passwords are often weak and easy to guess with a dictionary User requires the authentication to be easy to use Goal is to build authentication that is still easy to use but hard for the computer to guess

4 Abstract/Introduction Dictionary Attack– Attempting to authenticate by guessing all possible passwords Offline Attack – attacking passwords when they are in transit –Offline attacks are prevented by securing communications and protecting password files

5 Abstract/Introduction For this discussion we assume that communications are properly secured and password files are protected Online Attack – Attack that requires interacting with the login server

6 Introduction – Common Countermeasures Delayed Response – delaying the authentication response Account Locking – Locking the account with too many negative responses

7 Introduction – Countermeasure Weaknesses Global Password Attacks – Simultaneous attempts to multiple accounts Risks (from account locking) –Denial of Service –Customer Service Costs

8 Introduction – Pricing via Processing Add minimal processing time to each request results in a large impact to dictionary attacks but negligible impact to the individual A drawback to this approach is that it can require a special user client or mobile code The suggested approach –Add processing without changing the interaction –Make the processing hard for machines to automate

9 Reverse Turing Test (RTT) Requirements of RTT –Automated Generation –Easy for Humans –Hard for Machines –Small probability of guessing the answer correctly RTTs can be solved by either utilizing a human during the attack, or some type of OCR or Audio analysis

10 Reverse Turing Test (RTT) Most well known RTT –Distorted text image –Production usage is typically during a registration process Accessibility Issues –Utilize both Image and Audio based

11 User Authentication Protocols Combining an existing system with an RTT –Requires passing and RTT for every authentication attempt –Usability – This is different than most users are accustomed, and would likely cause issues –Scalability -- RTT generation on a large scale is not a proven concept

12 User Authentication Protocols Answers to the usability and scalability issues –Require RTT only a fraction of the time Problem: Attacks would skip the attempts when an RTT was required –Require RTT only after first failure Problem: When global password attacks are used, this doesn’t help

13 User Authentication Protocols Papers Observations –Users typically use a limited number of computers –Requiring RTTs for only a fraction of the time can be helpful for an appropriate implementation The protocol suggested by this paper assumes the ability to identify client computers. The following implementation uses web browser cookies.

14

15 User Authentication Protocols The usability problems are solved because the RTTs are only required in a very small number of cases Scalability problems are solved because of this same reason and because the RTTs are generated by a deterministic function based on the username and password and a probability 1/p –All expected RTTs could be cached

16 Security Analysis Implementation Requirements –One of the following feedbacks are returned when a username/password pair doesn’t match The username/password is invalid Please answer the following RTT –The response must be a deterministic function based on the username/password –Response delays should be the same for a success and failed attempt

17 Security Analysis The nature of the response as well as the response time will often key an attacker to more information about the system/passwords being attacked If the requirements are met, the proposed system will respond with RTTs on correct guesses as well as a subset of incorrect guesses

18 Security Analysis Goal: Make the cost of attacking the system more than the benefit of a successful attack –Some systems are so beneficial to attack that attackers will utilize humans to solve the RTTs encountered during an attack –The probability p must be adjusted to raise the cost of the attack

19 Security Analysis What if an RTT can be broken? The assumption should be that they can In this case the system should dynamically adjust the probabilities This means that the system must be able to identify a successful attack –When unsuccessful attempts with solved RTTs go up, this is a clear indication of an attack Alternative RTT solutions should be available

20 Security Analysis Cookie Theft –Cookies can be stolen off of one machine, and set on another –Keep a count on the server per cookie of the number of failed attempts –With a high number of failures (say 100) the server will ignore the cookie, and act as if no cookie was sent

21 Security Analysis Account Locking Measures –Since we can determine when an attack is happening, we can use account locking measures as long as the number of attempts failed check is higher than typical –The accounts failed threshold should dynamically lower when an attack is happening, at least until a new RTT is implemented

22 Authentication Method Requirements Requirement: Availability –Users shouldn’t be expected to have special software Installed Requirement: Robust and Reliable –Requests should always receive response Requirement: Friendliness –The interface should be friendly and usable

23 Authentication Method Requirements Requirement: Low cost to implement and operate Take strong consideration to the effect of a successful attack and what impact it has on business and customers Risk is an important factor in choosing a authentication method

24 Other Authentication Approaches Most other and potentially more secure authentication approaches do not satisfy the previous stated requirements –One time passwords (tokens) –Client certificates/keys –Biometrics –Graphical Passwords

25 Conclusion With a scalable, low cost and usable solution similar to standard user/password authentication methods, the authors believe that their proposed solution is the answer to secure authentication Why aren’t solutions that are implemented today using similar ideologies? Questions?

Download ppt "Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer."

Similar presentations

Securing Passwords against Dictionary Attacks

Securing Passwords against Dictionary Attacks
MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Selecting a Strong Authentication Solution Scott Mackelprang, V.P. of Security Digital Insight.

Selecting a Strong Authentication Solution Scott Mackelprang, V.P. of Security Digital Insight.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)

CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.

CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Similar presentations

Ads by Google