Text passwords - PowerPoint PPT Presentation

Slides: 45
Provided by: cupsC
Learn more at: http://cups.cs.cmu.edu
Transcript and Presenter's Notes


1
Text passwords
Usable Privacy and Security, March 2008
  • Hazim Almuhimedi

2
Agenda
  • How good are the passwords people are choosing?
  • Human issues
  • The Memorability and Security of Passwords
  • Human Selection of Mnemonic Phrase-based
    Passwords

3
Authentication Mechanisms
  • Something you have
    • cards
  • Something you know
    • Passwords
      • Cheapest way.
      • Most popular.
  • Something you are
    • Biometric
      • fingerprint

4
Passwords are a continuing problem
  • Passwords are a serious real-world problem.
  • SANS Top-20 2007 Security Risks
  • Every year, password problems are in the list:
    • Weak or non-existent passwords
    • Users who don't protect their passwords
    • OS or applications create accounts with weak/no
      passwords
    • Poor hashing algorithms.
    • Access to hash files
  • Source: Jeffrey Eppinger, Web Application
    Development.

5
How good are the passwords people are choosing?
  • It is a hard question to answer.
  • Data is scarce.
  • MySpace phishing attack

6
Poor, Weak Password
  • Poor, weak passwords have the following
    characteristics:
    • The password contains fewer than 15 characters.
    • The password is a word found in a dictionary
      (English or foreign).
    • The password is a common usage word.

Source: Password Policy, SANS 2006
7
Strong Password
  • Strong passwords have the following
    characteristics:
    • Contain both upper and lower case characters
    • Have digits and punctuation characters
    • Are at least 15 alphanumeric characters long and
      are a passphrase
    • Are not a word in any language, slang, dialect
      or jargon
    • Are not based on personal information
  • Passwords should never be written down or stored
    on-line.

Source: Password Policy, SANS 2006
8
Strong Password
  • ?

9
Strong Password
  • At least 8 characters.
  • Contain both upper and lower case characters.
  • Have digits and punctuation characters.

10
MySpace Phishing Attack
  • A fake MySpace login page.
  • Sends the captured data to various web servers so
    the attacker can retrieve it later.
  • 100,000 users fell for the attack before it was
    shut down.
  • This analysis covers 34,000 users.

11
Password length
  • Average 8 characters.

12
Password length
  • There is a 32-character password:
    • "1ancheste23nite41ancheste23nite4"
  • Other long passwords:
    • "fool2thinkfool2thinkol2think"
    • "dokitty17darling7g7darling7"

13
Character Mix
14
Common Passwords
  • Top 20 passwords, in order:
    1. password1
    2. abc123
    3. myspace1
    4. password
    5. Blink182
    6. qwerty1
    7. fuckyou
    8. 123abc
    9. baseball1
    10. football1
    11. 123456
    12. soccer
    13. monkey1
    14. liverpool1
    15. princess1
    16. jordan23
    17. slipknot1
    18. superman1
    19. iloveyou1
    20. monkey
16
Common Password
  • Blink-182 is a band.
  • A lot of people use the band's name:
    • It is easy to remember.
    • It has numbers in its name, and therefore it
      seems like a good password.

17
Common Password
  • "qwerty1" refers to the keyboard layout:
  • QWERTY is the most common keyboard layout on
    English-language computers.

18
Common Password
  • The band Slipknot doesn't have any numbers in
    its name,
  • which explains the appended "1" in "slipknot1".

19
Common Password
  • The password "jordan23" refers to
    basketball player Michael Jordan
    and his number, 23.

20
Common Password
  • I don't know what the deal is with monkey.

21
Common Password
22
Passwords getting better
  • Who said the users haven't learned anything about
    security?

23
Human Issues
  • Social engineering.
  • Difficulties with reliable password entry.
  • Difficulties with remembering the password.
  • Humans are often the weakest link in the security
    chain.

24
Human Issues
  • Social engineering.
  • The attacker extracts the password directly from
    the user.
  • Attacks of this kind are very likely to work
    unless an organization has well-thought-out
    policies.
  • In his 2002 book, The Art of Deception, Mitnick
    states that he compromised computers solely by
    using passwords and codes that he gained by
    social engineering.
  • Motorola case
  • http://www.youtube.com/watch?v=J4yH2GPiE7o
    (3:09)

Kevin Mitnick: "It's much easier to trick someone
into giving you his or her password for a system
than to spend the effort to hack
in." http://www.youtube.com/watch?v=8_VYWefmy34
(2:00) Source: Wikipedia, Social engineering
25
Human Issues
  • Social engineering.
  • 336 CS students
    at the University of Sydney
  • Some were suspicious:
    • 30 returned a plausible-looking but invalid
      password.
    • Over 200 changed their passwords without official
      prompting.
  • Very few of them reported the email to the
    authorities.

26
Human Issues
  • Social engineering.
  • How to solve this problem?
  • A strong and well-known policy.

27
Human Issues
  • Difficulties with reliable password entry.
  • If a password is too long or complex, the user
    might have difficulty entering it correctly.
  • South Africa case:
    • 20-digit number for the pre-paid electricity
      meters.
  • Any suggested solution?
  • If the operation they are trying to perform is
    urgent,
  • this might have safety or other implications.

28
Human Issues
  • Difficulties with remembering the password.
  • The greatest source of complaints about passwords
    is that most people find them hard to remember.
  • When users are expected to memorize passwords,
    they either
    • choose values that are easy for attackers to
      guess,
    • write them down,
    • or both.

29
The Memorability and Security of Passwords
  • Many of the problems of password authentication
    systems arise from the limitations of human
    memory.

30
The Memorability and Security of Passwords
  • Some passwords are very easy to remember
    • but very easy to guess:
    • dictionary attack.
  • Some passwords are very secure against guessing
    • but difficult to remember;
    • they might be compromised as a result of human
      limitations:
    • the user may keep an insecure written record.

31
The Memorability and Security of Passwords
  • An experiment involving 400 first-year students
    at the University of Cambridge.
  • Testing how strong mnemonic-based passwords
    are.
  • Testing how easy they are to remember.
  • In contrast with control and random passwords.

32
The Memorability and Security of Passwords
  • Methods
    • 4 types of attacks:
      • Simple dictionary attack.
      • Dictionary attack with permutation.
      • User information attack.
      • Brute force attack.
    • Survey.

33
The Memorability and Security of Passwords
  • Conclusion
  • Users have difficulty remembering random
    passwords.
  • Passwords based on mnemonic phrases are harder
    for an attacker to guess than naively selected
    passwords are.

34
The Memorability and Security of Passwords
  • Conclusion
  • It isn't true that random passwords are better
    than those based on mnemonic phrases:
    • each type appeared to be as strong as the other.
  • It is not true that passwords based on mnemonic
    phrases are harder to remember than naively
    selected passwords are:
    • each appeared to be reasonably easy to remember,
      with only about 2-3 of users forgetting
      passwords.

35
Human Selection of Mnemonic Phrase-based Passwords
  • Hypothesis
  • Users will select mnemonic phrases that are
    commonly available on the Internet.
  • Therefore it is possible to build a dictionary to
    crack mnemonic phrase-based passwords.

36
Human Selection of Mnemonic Phrase-based Passwords
  • Survey
    • A survey to gather user-generated passwords:
      • Mnemonic passwords (144)
      • Control passwords (146)

37
Human Selection of Mnemonic Phrase-based Passwords
  • Attacks
    • Dictionary attack
      • Generate a mnemonic password dictionary:
        400,000 entries.
      • John the Ripper for the control passwords:
        1.2 million entries.
    • Dictionary attack with permutation
      • Word mangling, e.g. replacing "a" with "@".
    • Brute force attack.
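The policy rules on slides 6 and 9 and the word-mangling idea on this slide can be combined into a single defender-side check: before accepting a password, undo the common substitutions a permutation attack would apply and then look the result up in a common-password list, so that "P@ssw0rd" is rejected just like "password". This is an added example, not code from the presentation or from either paper it summarises; the blocklist is constructed from the slide-14 top-20 list, and the substitutions other than a/@ are assumed.

```python
import re
import string

# Constructed blocklist: the top MySpace passwords from slide 14 plus their
# base words (slides 16-19). A real deployment loads a full dictionary.
COMMON_WORDS = {
    "password1", "abc123", "myspace1", "password", "blink182", "qwerty1",
    "123abc", "baseball1", "football1", "123456", "soccer", "monkey1",
    "liverpool1", "princess1", "jordan23", "slipknot1", "superman1",
    "iloveyou1", "monkey", "baseball", "football", "liverpool", "princess",
    "slipknot", "superman", "qwerty", "blink",
}

# Inverse of the word-mangling rules a permutation attack applies. The
# slide names only a -> @; the other substitutions are assumed here.
UNMANGLE = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def base_words(pw):
    """Dictionary forms that a permutation attack could reach from pw."""
    low = pw.lower()
    # also drop a trailing run of digits/punctuation ("slipknot1", "monkey1")
    forms = {low, re.sub(r"[^a-z]+$", "", low)}
    forms |= {f.translate(UNMANGLE) for f in list(forms)}
    return {f for f in forms if f}


def check_policy(pw, min_len=8, wordlist=COMMON_WORDS):
    """Return the policy failures for pw (an empty list means it passes).

    Applies the slide-9 rules (length, mixed case, digit, punctuation) and
    the slide-6 rule that the password must not be a dictionary/common word,
    evaluated after undoing mangling so that P@ssw0rd is still rejected.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs punctuation")
    hits = base_words(pw) & set(wordlist)
    if hits:
        problems.append(f"based on common word '{sorted(hits)[0]}'")
    return problems
```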

38
Human Selection of Mnemonic Phrase-based Passwords
  • Results
  • Password strength

                              Control   Mnemonic
Strength score                   15.7       17.2
Number of character classes       2.9        2.7
Length                            9.9        9.5
39
Human Selection of Mnemonic Phrase-based Passwords
  • Results
  • Password cracking results
  • The user-generated mnemonic passwords were more
    resistant to brute force attacks than control
    passwords.

Passwords compromised by            Control   Mnemonic
Basic dictionary                          6          3
Basic dictionary with permutation         5          1
Brute force attack                        8          4
40
Human Selection of Mnemonic Phrase-based Passwords
  • Results
  • Passwords based on external sources
    • The majority of mnemonic passwords are based on
      external sources.
    • 13 control password sources are based on
      external sources.

41
Human Selection of Mnemonic Phrase-based Passwords
  • Results
  • Passwords based on external sources

42
Human Selection of Mnemonic Phrase-based Passwords
  • Conclusion
  • The majority of users select phrases from music
    lyrics, movies, literature, or television shows.
  • This opens the possibility that a dictionary
    could be built for mnemonic passwords.
  • If a comprehensive dictionary is built, it could
    be extremely effective against mnemonic
    passwords.
  • Mnemonic phrase-based passwords offer a
    user-friendly alternative for encouraging users
    to create good passwords.

43
Human Selection of Mnemonic Phrase-based Passwords
  • Conclusion
  • Mnemonic phrase-based passwords are not as strong
    as people may believe.
  • However, the space of possible phrases is large,
    so building a comprehensive dictionary is not a
    trivial task.
  • System designers and administrators should
    specifically recommend to users that they avoid
    generating mnemonic passwords from common phrases.

44
  • Thank You