Passwords

1
CIT 380 Securing Computer Systems

• Passwords

2
Topics

• Password Systems
• Password Cracking
• Hashing and Salting
• Password Selection
• Graphical Passwords
• One-time Passwords

3
Passwords

• What you know
• Sequence of characters
• Complementation Function
• Identity requires access control to protect C
• One-way Hash
• easy to compute c f(a)
• difficult to compute a f-1(c)

4
Classic UNIX Passwords

• Format Up to 8 ASCII characters
• A contains 6.9 x 1016 possible passwords
• C contains crypt hashes, strings of length 13
  chosen from alphabet of 64 characters, 3.0 x 1023
  strings
• Storage
• /etc/passwd (0644) was traditionally used
• /etc/shadow (0600) in modern systems

5
Online Hash Calculator

• http//www.fileformat.info/tool/hash.htm

6
Password Cracking
Get Hashed Password pwhash
word Next word from list
List of potential passwords.
wordhash Hash(word)
wordhash pwhash
False
True
word is pw
7
Cracking Methods

• List of common passwords
• List of English/foreign words
• Permutation rules
• Substitute numbers/symbols for letters
• Change case, pluralize, reverse words, character
  shifts, digit/symbol prefix/postfix,joining words
• Brute force
• All possible passwords

8
Making Password Guessing Easier

• Web sites will e-mail you password if you answer
  a simple secret question
• What is your favorite color?
• What is your pets name?
• What is your mothers maiden name?
• Violation of fail-safe defaults
• Failover to less secure protocol.
• How many favorite colors are there?

9
Countering Password Guessing

• Select suitably low probability P(T) of guessing
  in time T.
• P(T) gt TG / N
• G is number of guess per time unit T
• T is number of time units in attack
• N is number of possible passwords

10
Calculating Minimum Password Length

• Password System
• There are 96 allowable characters in password.
• System allows 106 guesses/second.
• Requirement probablility of success guess should
  be 0.5 over 365-day period.
• What should the minimum password length be?
• N gt TG/P
• N gt (365 x 24 x 60 x 60) x 106 / 0.5 6.31 x
  1013
• N S96i, where i ranges from 1 to length of
  password
• S96i gt N 6.31 x 1013 is true when largest i
  gt 8
• The minimum required password length is 8.

11
UNIX Password Hashing

• crypt() function used for hashing
• DES encrypts 64-bit block of 0s (25 rounds) using
  your password for the key.
• Modified DES incompatible with DES hardware
  cracking tools.
• Limited to 8 characters or less.
• If limited to 95 printable characters, only 253
  possible passwords.
• How to resist dictionary attacks? Salting

12
Salting

• Adds a 2-character (12-bit) random, public data
  to password to create key.
• Any word may be encrypted in 4096 possible ways
  (i.e., there are 4096 f ? F).
• Your password always uses same salt.
• Someone else with same password (a) probably has
  different salt, and thus different c f(a).
• Number of possible keys increased to 266
• Too small for today modern UNIX doesnt use
  crypt.

13
Salting (cont.)

• Prevents pre-calculated dictionary attack
• 266 passwords requires millions of terabytes
• crypt() 218 passwords/second
• Brute force would require 8000 machines for 48
  days.

14
Modern UNIX Passwords

• Format long ASCII string
• Hashing techniques
• MD5 (unlimited length, 12-48 bit salt)
• SHA1 (unlimited length, 12-48 bit salt)
• Bcrypt (55 chars, 128-bit salt, adjustable cost)

15
Windows 2000/XP Passwords

• Storage
• systemroot\system32\config\sam
• locked while NT running
• systemroot\repair\sam_ backup file
• may be accessible via remote registry calls
• Format
• LAN Manager (LM) Hash
• NT (MD4) Hash

16
Windows LM Hash Algorithm

• Password fitted to 14 character length by
  truncating or padding with 0s.
• Password converted to upper case.
• Password divided into two 7-byte halves.
• Each half used as DES key to encrypt same 8-byte
  constant.
• Resultant strings merged to form a 16-byte hash
  value.

17
Windows LM Hash Problems

• Last 8 bytes of c known if password lt 7 chars.
• Dividing password into halves reducing problem of
  breaking 14-character password to breaking two
  7-character passwords.
• Conversion to upper case reduces character set.
• Dictionary of password hashes can be prebuilt
• Number of possible passwords much smaller than
  DES space.
• No salt is used.

18
Windows NT Hash

• Converts to Unicode, MD4 hashes result
• Caveat Often used in conjunction with LM hash,
  which is required for backwards compatibility.
• No salt identical passwords generate identical
  hashes.

19
Password Selection

• Random Selection
• Pronounceable Passwords
• User Selection

20
Random Selection

• Yields equal distribution of passwords for
  maximum difficulty in cracking
• What about short passwords?
• Random passwords arent easy to remember
• Short term memory holds 7 /- 2 items
• People have multiple passwords
• Principle of Psychological Acceptability
• Requires a good PRNG

21
Random Selection (Bad)Example

• PDP-11 password generator
• 16-bit machine
• 8 upper-case letters and digits
• P 368 2.8 x 1012
• At 0.00156 sec/encryption, 140 years to brute
  force
• PRNG had period of 216 1
• Only 65,535 possible passwords
• Requires 102 seconds to try all passwords

22
Pronounceable Passwords

• Generate passwords from random phonemes instead
  of random characters.
• People can remember password as sequence of
  audible phonemes instead of characters, allowing
  easy recall of longer passwords.
• Fewer pronounceable passwords exist than random
  passwords.

23
User Selection

• Allow users to choose passwords.
• Reject insecure passwords based on ruleset
• Based on account, user, or host names
• Dictionary words
• Permuted dictionary words
• Patterns from keyboard
• Shorter than 6 characters
• Digits, lowercase, or uppercase only passwords
• License plates or acronyms
• Based on previously used passwords

24
Human Randomness?
25
Bad Passwords

• 123456
• letmein
• password
• 12345678
• dragon
• qwerty
• michael
• 654321
• harley
• ranger
• iwantu
• xxxxxxx
• turtle
• united

• porsche
• guitar
• black
• diamond
• nascar
• jun0389
• 06031989
• amanda
• phoenix
• mickey
• tigers
• purple
• xmen94
• aaaaaa

• prince
• beach
• amateur
• ncc1701
• tennis
• startrek
• swimming
• kitty
• rainbox
• 112233
• 232323
• giants
• enter
• 0
• cupcake

• 8675309
• marlboro
• newyork
• diablo
• sexsex
• access14
• abgrtyu
• 123123
• dragon123
• applepie
• 31415926
• 99skip
• just4fun
• xcvb
• typewriter

26
Password Generators

• http//www.pctools.com/guides/password/
• http//strongpasswordgenerator.com/

27
How to Select Good Passwords

• Long passwords, consisting of multiple words..
• Use nth letter of each word if phrase too long.
• Themes
• Word combinations 3 blind katz
• E-mail or URL yoda_at_strong-this-password-is.net
• Phone number (888) 888-eight eight
• Bracketing Starfleet -gt !-Starfleet-!
• Add a word shopping -gt Goin shopping
• Repetition Pirate--PirateShip
• Letter swapping Sour Grape -gt Gour Srape

28
Guessing via Authentication Fns

• If complements not accessible, attacker must use
  authentication functions.
• Cannot be prevented.
• Increase difficulty of auth function attack
• Backoff increasing wait before reprompting.
• Disconnection disconnect after n failures.
• Disabling disable account after n failures.
• Jailing permit access to limited system, so
  admins can observe attacker.

29
Password Aging

• Requirement that password be changed after a
  period of time or after an event has occurred
• If expected time to guess is 180 days, should
  change password more frequently than 180 days
• If change time too short, users have difficulty
  recalling passwords.
• Cannot allow users to change password to current
  one.
• Also prevent users from changing passwords too
  soon.
• Give notice of impending password change
  requirement.

30
Graphical Passwords

• Face Scheme Password is sequence of faces, each
  chosen from a grid of 9 faces.
• Story Scheme Password is sequence of images,
  each chosen from a grid of 9, to form a story.

31
Challenge-Response

• Problem passwords are reusable, and thus
  subject to replay attacks.
• Solution authenticate in such a way that the
  transmitted password changes each time.

32
One-Time Passwords

• A password thats invalidated once used.
• Challenge number of auth attempt
• Response one-time password
• Problems
• Generation of one-time passwords
• Use hash or crytographic function
• Synchronization of the user and the system
• Number or timestamp passwords

33
S/Key

• One-time password system based on a hash function
  h (MD4 or MD5).
• User initializes with random seed k.
• Key generator calculates
• h(k) k1, h(k1) k2, , h(kn-1) kn
• Passwords, in order used, are
• p1 kn, p2 kn-1, , pn-1 k2, pn k1

34
S/Key

• Attacker cannot derive pi1 from pi since
• pi kn-i1, pi1 kn-i, and h(kn-i) kn-i1
• which would require inverting h.
• Once user has used all passwords, S/Key must be
  re-initialized with a new seed.

35
S/Key

• http//en.wikipedia.org/wiki/S/KEY

36
S/Key Login

• User supplies account name to server
• Server replies with number i stored in skeykeys
  file
• User supplies corresponding password pi
• Server computes h(pi) h(kn-i1) kn-i2 pi-1
  and compares result with stored password. If
  match, user is authenticated and S/Key updates
  number in skeykeys file to i1 and stores pi

37
S/Key Login

• FreeBSD/i386 (example.com) (ttypa)
• login ltusernamegt
• s/key 97 fw13894
• Password
• Use S/Key calculator on local system to calculate
  response
• key 97 fw13894
• Enter secret password
• WELD LIP ACTS ENDS ME HAAG

38
Other One Time Password Systems

• Software OPIE
• Backwards compatible with S/Key (if same hash
  used).
• Hardware RSA SecurID card
• Displayed password changes every 60sec.
• Password constant password SecurID

39
Key Points

• Good passwords need to be
• Complex
• Unique
• Secret
• Changed on a regular basis
• Stored passwords are secured via
• Hashing (crypt, MD5, SHA1, bcrypt)
• Salting
• One-time passwords offer greater security.

40
References

• Ross Anderson, Security Engineering, Wiley, 2001.
• Matt Bishop, Introduction to Computer Security,
  Addison-Wesley, 2005.
• Mark Burnett and Dave Kleiman, Perfect Passwords,
  Syngress, 2006.
• Lorie Faith Cranor and Simson Garfinkel, Security
  and Usability, OReilly, 2005.
• Cynthia Kuo et. al., Human Selection of Mnemonic
  Phrase-based Passwords, SOUPS 2006,
  http//cups.cs.cmu.edu/soups/2006/proceedings/p67_
  kuo.pdf, 2006.
• Neils Provos and David Mazieres, A
  Future-Adaptable Password Scheme,
  http//www.openbsd.org/papers/bcrypt-paper.pdf,
  2006.
• Ed Skoudis, Counter Hack Reloaded, Prentice Hall,
  2006.
• Simson Garfinkel, Gene Spafford, and Alan
  Schwartz, Practical UNIX and Internet Security,
  3/e OReilly, 2003.