Text passwords

1
Text passwords
Usable Privacy and Security March, 2008

• Hazim Almuhimedi

2
Agenda

• How good are the passwords people are choosing?
• Human issues
• The Memorability and Security of Passwords
• Human Selection of Mnemonic Phrase-based
  Passwords

3
Authentication Mechanisms

• Something you have
• cards
• Something you know
• Passwords
• Cheapest way.
• Most popular.
• Something you are
• Biometric
• fingerprint

4
Password is a continuous problem

• Password is a series real-world problem.
• SANS Top-20 2007 Security Risks
• Every year, passwords problems in the list
• Weak or non-existent passwords
• Users who dont protect their passwords
• OS or applications create accounts with weak/no
  passwords
• Poor hashing algorithms.
• Access to hash files
• Source Jeffery Eppinger, Web application
  Development.

5
How good are the passwords people are choosing?

• It is hard question to answer.
• Data is scarce.
• MySpace Phishing attack

6
Poor, Weak Password

• Poor, weak passwords have the following
  characteristics
• The password contains less than 15 characters.
• The password is a word found in a dictionary
  (English or foreign)
• The password is a common usage word.

Source Password Policy. SANS 2006
7
Strong Password

• Strong passwords have the following
  characteristics
• Contain both upper and lower case characters
• Have digits and punctuation characters
• Are at least 15 alphanumeric characters long and
  is a passphrase.
• Are not a word in any language , slang , dialect
  , jargon.
• Are not based on personal information.
• Passwords should never be written down or stored
  on-line.

Source Password Policy. SANS 2006
8
Strong Password

• ?

9
Strong Password

• At least 8 characters.
• Contain both upper and lower case characters.
• Have digits and punctuation characters

10
MySpace Phishing Attack

• A fake MySpace login page.
• Send the data to various web servers and get it
  later.
• 100,000 fell for the attack before it was shut
  down.
• This analysis for 34,000 users.

11
Password length

• Average 8 characters.

12
Password length

• There is a 32-character password
• "1ancheste23nite41ancheste23nite4
• Other long passwords
• "fool2thinkfool2thinkol2think
• "dokitty17darling7g7darling7"

13
Character Mix
14
Common Passwords

• Top 20 passwords in order.

password1 abc123 myspace1 password
Blink182 qwerty1 fuckyou 123abc
baseball1 football1 123456 soccer
monkey1 liverpool1 princess1 jordan23
slipknot1 superman1 iloveyou1 monkey
15
Common Passwords

• Top 20 passwords in order.

password1 abc123 myspace1 password
Blink182 qwerty1 fuckyou 123abc
baseball1 football1 123456 soccer
monkey1 liverpool1 princess1 jordan23
slipknot1 superman1 iloveyou1 monkey
16
Common Password

• Blink 182 is a band.
• A lot of people use the band's name
• Easy to remember.
• it has numbers in its name, and therefore it
  seems like a good password.

17
Common Password

• "qwerty1" refers to
• QWERTY is the most common keyboard layout on
  English-language computer.

18
Common Password

• The band Slipknot doesn't have any numbers in
  its name
• which explains the 1.

19
Common Password

• The password "jordan23" refers to
• basketball player Michael Jordan
• and his number 23.

20
Common Password

• I don't know what the deal is with monkey.

21
Common Password
22
Passwords getting better

• Who said the users havent learned anything about
  security?

23
Human Issues

• Social Engineering.
• Difficulties with reliable password Entry.
• Difficulties with remembering the password.
• Human is often the weakest link in the security
  chain.

24
Human Issues

• Social Engineering.
• Attacker will extract the password directly from
  the user.
• Attacks of this kind are very likely to work
  unless an organization has a well-thought-out
  policies.
• In his 2002 book, The Art of Deception, Mitnick
  states that he compromised computers solely by
  using passwords and codes that he gained by
  social engineering.
• Motorola case
• http//www.youtube.com/watch?vJ4yH2GPiE7o
  (309)

Kevin Mitnick It's much easier to trick someone
into giving you his or her password for a system
than to spend the effort to hack
in. http//www.youtube.com/watch?v8_VYWefmy34
(200) Source Wikipedia. Social engineering
25
Human Issues

• Social Engineering.
• 336 CS students
• at University of Sydney
• Some were suspicious
• 30 returned a plausible-looking but invalid
  password
• over 200 changed their passwords without official
  prompting.
• Very few of them reported the email to authority.

26
Human Issues

• Social Engineering.
• How to solve this problem?
• Strong and well-known policy.

27
Human Issues

• Difficulties with reliable password Entry.
• if a password is too long or complex, the user
  might have difficulty entering it correctly.
• South Africa Case
• 20-digit number for the pre-paid electricity
  meters.
• Any suggested solution?
• If the operation they are trying to perform is
  urgent
• This might have safety or other implications.

28
Human Issues

• Difficulties with remembering the password.
• The greatest source of complaints about passwords
  is that most people find them hard to remember.
• When users are expected to memorize passwords
• They either choose values that are easy for
  attackers to guess.
• Write them down.
• Or both.

29
The Memorability and Security of Passwords

• Many of the problems of password authentication
  systems arise from the limitations of human
  memory.

30
The Memorability and Security of Passwords

• Some passwords are very easy to remember
• But very easy to guess
• Dictionary attack.
• some passwords are very secure against guessing
• Difficult to remember.
• might be compromised as a result of human
  limitations.
• The user may keep an insecure written record.

31
The Memorability and Security of Passwords

• An experiment involving 400 first-year students
  at the University of Cambridge.
• Testing how strong the mnemonic-based password
  is.
• Testing how it is easy to remember.
• In contrast with control and random password.

32
The Memorability and Security of Passwords

• Methods
• 4 types of attacks
• Simple Dictionary attack.
• Dictionary attack with permutation
• User information attack
• Brute force attack.
• Survey.

33
The Memorability and Security of Passwords

• Conclusion
• Users have difficulty remembering random
  passwords.
• Passwords based on mnemonic phrases are harder
  for an attacker to guess than naively selected
  passwords are.

34
The Memorability and Security of Passwords

• Conclusion
• It isnt true that random passwords are better
  than those based on mnemonic phrases.
• each type appeared to be as strong as the other.
• It is not true that passwords based on mnemonic
  phrases are harder to remember than naively
  selected passwords are.
• each appeared to be reasonably easy to remember,
  with only about 2-3 of users forgetting
  passwords.

35
Human Selection of Mnemonic Phrase-based Passwords

• Hypothesis
• Users will select mnemonic phrases that are
  commonly available on the Internet
• It is possible to build a dictionary to crack
  mnemonic phrase-based passwords.

36
Human Selection of Mnemonic Phrase-based Passwords

• Survey
• A survey to gather user-generated passwords
• Mnemonic password (144)
• Control password (146)

37
Human Selection of Mnemonic Phrase-based Passwords

• Attacks
• Dictionary attack
• Generate a mnemonic password dictionary.
• 400,000-entries
• John the Ripper
• For control password
• 1.2 million entries
• Dictionary attack with Permutation.
• Word mangling
• replacing a with _at_
• Brute force attack.

38
Human Selection of Mnemonic Phrase-based Passwords

• Results
• Password Strength

Control Mnemonic
Strength Score 15.7 17.2
Number of Character classes 2.9 2.7
Length 9.9 9.5
39
Human Selection of Mnemonic Phrase-based Passwords

• Results
• Password Cracking Results
• The user generated mnemonic passwords were more
  resistant to brute force attacks than control
  passwords.

Control Mnemonic
Password compromised by Basic Dictionary 6 3
Basic Dictionary with Permutation 5 1
Brute Force Attack 8 4
40
Human Selection of Mnemonic Phrase-based Passwords

• Results
• Password based on external sources
• Majority of mnemonic password are based on
  external sources.
• 13 control password sources are based on
  external sources

41
Human Selection of Mnemonic Phrase-based Passwords

• Results
• Password based on external sources

42
Human Selection of Mnemonic Phrase-based Passwords

• Conclusion
• The majority of users select phrases from music
  lyrics, movies, literature, or television shows.
• This opens the possibility that a dictionary
  could be built for mnemonic passwords.
• If a comprehensive dictionary is built, it could
  be extremely effective against mnemonic
  passwords.
• Mnemonic-phrase based passwords offer a
  user-friendly alternative for encouraging users
  to create good passwords.

43
Human Selection of Mnemonic Phrase-based Passwords

• Conclusion
• Mnemonic phrase-based passwords are not as strong
  as people may believe.
• The space of possible phrases is large
• Building a comprehensive dictionary is not a
  trivial task.
• System designers and administrators should
  specifically recommend to users that they avoid
  generating mnemonic passwords from common phrases.

44

• Thank You