Slide 1: Title
November 19, 2008, CSC 682
Do Strong Web Passwords Accomplish Anything? (Florencio, Herley and Coskun)
Presented by: Ryan Lehan
Slide 2: Outline
- Introduction ("Duh!", but rather be safe than sorry)
- Strong Passwords
- Attack Scenarios
- Why Use Strong Passwords?
- Strength of User ID-Password Combination
- Strength Alone Is Not Enough
- Conclusion
Slide 3: Introduction
Authentication traditionally depends upon one of:
- Something you have (a badge)
- Something you are (fingerprint, voice)
- Something you know (a password)
The most used method is something you know: a user ID (account) in conjunction with a password.
Slide 4: Introduction (continued), User IDs
Creation:
- Created for you (by a network administrator)
- Created by you
Could be public knowledge:
- Known to the person who created the account for you
- An email address (jdoe@yahoo.com)
- Produced by a standardization process (first initial + last name)
Slide 5: Introduction (continued), Passwords
- Should not be public knowledge
- To prevent "credential theft", users are advised to:
  - Create strong passwords
  - Change passwords frequently
  - Never write a password down
Slide 6: Introduction (continued), Threats to a user's credentials
- Phishing
- Key logging
- Brute force: attack on a known user ID
- Bulk guessing: attack on all accounts
- Special knowledge or access:
  - Shoulder surfing
  - Knowledge about the user
  - Access to a password manager (list, application, database)
Slide 7: Strong Passwords
- Not based upon personal information that can be guessed (names, dates, etc.)
- Not based upon a word found in the dictionary (subject to dictionary attacks)
- Should have a minimum length
- Should contain a combination of upper and lower case letters, special characters and numbers
Problems:
- Hard to remember
- More likely to be written down
Slide 8: Attack Scenarios, what strong passwords will not prevent
- Phishing
- Key logging
- Special knowledge or access
Why? In each case the password is supplied by the user or taken from where the user keeps it, so its strength never comes into play:
- Overt method: phishing, password list/manager
- Covert method: key logging
Slide 9: Attack Scenarios, Brute Force
- Attack on an individual account
- Why? The account/user ID is known, so only the password needs to be guessed
- Problems for the attacker:
  - Strength of the password (length, casing, special characters and numeric values)
  - Many institutions use some type of "lock-out" strategy, which can significantly increase the time to crack the account
Slide 10: Attack Scenarios, Bulk Guessing
- Attack on multiple accounts, using the same guessed password against each
- Why? Can attack all known and unknown account IDs; better chance that more than one account uses the same password
- Problems for the attacker:
  - Easily detected, if not a distributed attack
  - Can inadvertently cause a denial of service (DoS) across all accounts by triggering their lock-outs
Slide 11: Why Use Strong Passwords?
- Takes far greater time to guess a strong password (brute force and bulk guessing attacks)
- Reduces the chance that more than one account has the same password (bulk guessing attack)
Slide 12: Strength of User ID-Password Combination
- Successful brute force and bulk guessing attacks require both the user ID and the password
- A stronger user ID with a weaker password, used in combination, could have the same effect as a strong password alone
- Requires attacking schemes to focus more on user IDs, which are less likely than passwords to be dictionary words
- Easier for users to remember their passwords, but now the user ID might be harder to remember
- Places a larger burden on the institution for creating or enforcing stronger user IDs
- User IDs must not be or become public knowledge, EVER!
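The attack-cost arithmetic behind slides 9 through 12, as an added Python example; it is not code from the presentation or from the Florencio, Herley and Coskun paper. It assumes a constructed lock-out policy (3 attempts, then a 24-hour lock), a constructed population of one million accounts of which 1% use the sprayed password, and user IDs that are either public or drawn at random from 10^12 values; those parameters, the attacker model (attempts cost no time, one guess per account for bulk guessing) and every function name are the example's own.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def fixed_lockout_budget(attempts_before_lock: int, lock_seconds: float,
                         years: float = 1.0) -> int:
    """Online guesses an attacker gets against ONE known user ID over `years`
    when every `attempts_before_lock` failures lock the account for
    `lock_seconds`. Attempts themselves are assumed to take no time, which is
    the attacker's best case (an assumption of this example)."""
    lock_cycles = years * SECONDS_PER_YEAR / lock_seconds
    return int(lock_cycles * attempts_before_lock)


def brute_force_expected_years(password_space: int, guesses_per_year: int) -> float:
    """Brute force on a known user ID: on average half the password space is
    searched before the password is found."""
    return password_space / 2 / guesses_per_year


def bulk_guess_attempts_per_hit(num_accounts: int, userid_space: int,
                                password_prob: float) -> float:
    """Bulk guessing: one popular password sprayed across many accounts, one
    attempt per account, so a per-account lock-out never fires.
    - Public user IDs: the attacker holds the list, so userid_space == num_accounts.
    - Secret user IDs drawn from `userid_space` values: a guessed ID is valid
      only with probability num_accounts / userid_space.
    `password_prob` is the fraction of accounts using the sprayed password.
    Returns the expected number of login attempts per compromised account."""
    if not 0 < password_prob <= 1 or userid_space < num_accounts:
        raise ValueError("password_prob must be in (0, 1] and userid_space >= num_accounts")
    p_valid_id = num_accounts / userid_space
    return 1.0 / (p_valid_id * password_prob)


def effective_bits(attempts_per_hit: float) -> float:
    """Attacker work factor expressed as bits of security (log2 of attempts)."""
    return math.log2(attempts_per_hit)


def compare(num_accounts: int = 10**6, userid_space: int = 10**12,
            password_prob: float = 0.01) -> dict:
    """Constructed scenario: one million accounts, 1% of them using the sprayed
    password, user IDs either public or random 12-digit numbers."""
    public = bulk_guess_attempts_per_hit(num_accounts, num_accounts, password_prob)
    secret = bulk_guess_attempts_per_hit(num_accounts, userid_space, password_prob)
    return {
        "public_ids_attempts_per_hit": public,
        "public_ids_bits": effective_bits(public),
        "secret_ids_attempts_per_hit": secret,
        "secret_ids_bits": effective_bits(secret),
    }


if __name__ == "__main__":
    budget = fixed_lockout_budget(3, lock_seconds=24 * 3600)  # 3 tries, then locked for a day
    print(f"online guesses per year on one known account: {budget}")
    for label, space in (("6-digit PIN", 10**6), ("8 lowercase letters", 26**8)):
        years = brute_force_expected_years(space, budget)
        print(f"  brute force, {label}: {years:,.0f} years on average")
    for key, value in compare().items():
        print(f"{key}: {value:,.1f}")
```

Under the assumed policy the attacker gets 1,095 online guesses a year against a known account, so even a 6-digit PIN takes about 457 years on average to brute-force; that is the sense in which extra password strength buys little once a lock-out exists. Bulk guessing is the attack the lock-out does not stop: with public user IDs a hit costs about 100 attempts, but with secret 12-digit IDs it costs about 10^8, i.e. the unguessable ID adds roughly 20 bits of work, which is what slide 12 means by a strong user ID standing in for a strong password.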
Slide 13: Strength Alone Is Not Enough
- Given enough attempts, at some point in time the account will be cracked
- Lock-out strategies:
  - 3 strikes rule: 3 sequential unsuccessful attempts and the account is locked
  - Geometrically increasing lock-out time (e.g. 2^n seconds after the n-th lock-out)
- The length of time the lock remains is vital:
  - Increases the time it takes to crack the account
  - Must not be so long as to inconvenience the user
  - May increase customer support usage
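A per-account lock-out throttle implementing the two strategies on this slide, with a simulated guessing attacker, as an added Python example (not code from the presentation or the paper). The policy values (3 strikes; either a fixed 15-minute lock or a lock that starts at 60 seconds and doubles with each successive lock-out, capped at one day), the attacker who submits one wrong guess per second against a known user ID, and all class and function names are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 3            # consecutive failures allowed before locking ("3 strikes")
    base_lock_seconds: float = 900   # length of the first lock-out
    geometric: bool = False          # True: each successive lock-out is twice as long
    max_lock_seconds: float = 86400  # cap so a geometric lock cannot grow without bound


class AccountThrottle:
    """Per-account lock-out state. Times are seconds on a caller-supplied
    clock, so the same code runs under a real clock or in a simulation."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures = 0        # consecutive failures since the last lock or success
        self.locks = 0           # consecutive lock-outs; drives the geometric growth
        self.locked_until = 0.0

    def attempt(self, now: float, password_ok: bool) -> str:
        """Returns 'locked' (attempt not evaluated), 'success' or 'failure'."""
        if now < self.locked_until:
            return "locked"
        if password_ok:
            self.failures = 0
            self.locks = 0       # a genuine login resets the escalation
            return "success"
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            lock = self.policy.base_lock_seconds
            if self.policy.geometric:
                lock = min(lock * 2 ** self.locks, self.policy.max_lock_seconds)
            self.locks += 1
            self.failures = 0
            self.locked_until = now + lock
        return "failure"


def guesses_evaluated(policy: LockoutPolicy, window_seconds: int, interval: float = 1.0) -> int:
    """Attacker model (constructed): one wrong guess every `interval` seconds
    against a known user ID for `window_seconds`. Counts only the guesses the
    server actually checked, i.e. the attacker's real guess budget."""
    throttle = AccountThrottle(policy)
    evaluated = 0
    for step in range(int(window_seconds / interval)):
        if throttle.attempt(step * interval, password_ok=False) == "failure":
            evaluated += 1
    return evaluated


def attacker_then_user(policy: LockoutPolicy) -> tuple:
    """Side effect of lock-outs: the attacker burns the failure budget at
    t = 0, 1, 2; the legitimate user then presents the CORRECT password at
    t = 10 (still locked) and again the moment the lock expires."""
    throttle = AccountThrottle(policy)
    for now in range(policy.max_failures):
        throttle.attempt(now, password_ok=False)
    during_lock = throttle.attempt(10.0, password_ok=True)
    after_lock = throttle.attempt(throttle.locked_until, password_ok=True)
    return during_lock, after_lock


if __name__ == "__main__":
    fixed = LockoutPolicy(max_failures=3, base_lock_seconds=900)
    doubling = LockoutPolicy(max_failures=3, base_lock_seconds=60, geometric=True)
    day = 24 * 3600
    print("guesses checked per day, 3 strikes / 15 min lock:", guesses_evaluated(fixed, day))
    print("guesses checked per day, 3 strikes / doubling from 60 s:", guesses_evaluated(doubling, day))
    print("legitimate user during and after the attacker's lock-out:", attacker_then_user(fixed))
```

With these parameters the fixed 15-minute lock leaves the attacker 288 checked guesses per day on one account, while the doubling lock, although it starts at only a minute, leaves 33, because the lock length overtakes the attacker's patience within hours. The same run also shows the cost the slide warns about: the attacker's three failures lock the real user out even though the user knows the password, which is where the support calls and the denial-of-service risk of slide 10 come from. Resetting the escalation only on a successful login is what keeps the doubling lock from escalating against a user who merely mistypes.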
Slide 14: Conclusions
- A strong user ID, combined with the password, makes attacking more difficult
- The user ID, or the process by which user IDs are created, is more likely to be public knowledge than your password
- Most effective when some type of lock-out strategy is being used
- Applies not just to the web, but everywhere a password is used