Title: Text passwords
1 Text passwords
Usable Privacy and Security March, 2008
2 Agenda
- How good are the passwords people are choosing?
- Human issues
- The Memorability and Security of Passwords
- Human Selection of Mnemonic Phrase-based Passwords
3 Authentication Mechanisms
- Something you have
  - Cards
- Something you know
  - Passwords
    - Cheapest way.
    - Most popular.
- Something you are
  - Biometrics
    - Fingerprint
4 Passwords are a continuing problem
- Passwords are a serious real-world problem.
- SANS Top-20 2007 Security Risks
  - Every year, password problems appear in the list:
    - Weak or non-existent passwords
    - Users who don't protect their passwords
    - OS or applications that create accounts with weak or no passwords
    - Poor hashing algorithms
    - Access to hash files
- Source: Jeffrey Eppinger, Web Application Development.
5 How good are the passwords people are choosing?
- It is a hard question to answer.
- Data is scarce.
- MySpace phishing attack
6 Poor, Weak Passwords
- Poor, weak passwords have the following characteristics:
  - The password contains fewer than 15 characters.
  - The password is a word found in a dictionary (English or foreign).
  - The password is a common usage word.
- Source: Password Policy, SANS 2006
7 Strong Passwords
- Strong passwords have the following characteristics:
  - Contain both upper- and lower-case characters.
  - Have digits and punctuation characters.
  - Are at least 15 alphanumeric characters long and are a passphrase.
  - Are not a word in any language, slang, dialect, or jargon.
  - Are not based on personal information.
- Passwords should never be written down or stored on-line.
- Source: Password Policy, SANS 2006
8 Strong Passwords
9 Strong Passwords
- At least 8 characters.
- Contain both upper- and lower-case characters.
- Have digits and punctuation characters.
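An added example (not from the slides or from SANS) that checks a candidate password against the characteristics listed on the two preceding slides: minimum length (15 per the SANS policy, 8 for the shorter variant), upper- and lower-case letters, digits, punctuation, and a dictionary lookup that also catches the "password1" and "P@ssw0rd" disguises of a dictionary word. The word list, the leet table and the rule names are constructed for illustration.

```python
import re
import string

# Constructed mini word list standing in for a real dictionary (example data).
DICTIONARY = {"password", "monkey", "princess", "baseball", "football",
              "soccer", "superman", "liverpool", "qwerty", "iloveyou"}

# Common leet-speak substitutions undone before the dictionary lookup, so
# that "P@ssw0rd" is still recognised as the dictionary word "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "$": "s", "3": "e", "!": "i"})


def normalize(password):
    """Lower-case the password, drop leading/trailing digits and punctuation
    (the "password1" habit), and undo leet substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    return core.translate(LEET)


def check_password(password, min_length=15):
    """Return the strong-password rules the candidate fails.

    min_length defaults to the 15 characters of the SANS policy; pass 8 for
    the shorter variant. An empty list means every rule is satisfied.
    """
    failures = []
    if len(password) < min_length:
        failures.append("length")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in string.punctuation for c in password):
        failures.append("punctuation")
    if normalize(password) in DICTIONARY:
        failures.append("dictionary")
    return sorted(failures)


def is_strong(password, min_length=15):
    return not check_password(password, min_length)


if __name__ == "__main__":
    for pw in ["password1", "P@ssw0rd1!", "Blue!Horse7Running"]:
        print(pw, check_password(pw) or "strong")
```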
10 MySpace Phishing Attack
- A fake MySpace login page.
- It sent the captured data to various web servers for later collection.
- 100,000 users fell for the attack before it was shut down.
- This analysis covers 34,000 users.
11 Password length
12 Password length
- There is a 32-character password:
  - "1ancheste23nite41ancheste23nite4"
- Other long passwords:
  - "fool2thinkfool2thinkol2think"
  - "dokitty17darling7g7darling7"
13 Character Mix
14 Common Passwords
- Top 20 passwords, in order:
  password1 abc123 myspace1 password
  Blink182 qwerty1 fuckyou 123abc
  baseball1 football1 123456 soccer
  monkey1 liverpool1 princess1 jordan23
  slipknot1 superman1 iloveyou1 monkey
15 Common Passwords
16 Common Password
- Blink 182 is a band.
- A lot of people use the band's name:
  - Easy to remember.
  - It has numbers in its name, and therefore it seems like a good password.
17 Common Password
- "qwerty1" refers to the keyboard layout:
  - QWERTY is the most common keyboard layout on English-language computers.
18 Common Password
- The band Slipknot doesn't have any numbers in its name, which explains the 1 in "slipknot1".
19 Common Password
- The password "jordan23" refers to:
  - basketball player Michael Jordan
  - and his number, 23.
20 Common Password
- I don't know what the deal is with monkey.
21 Common Password
22 Passwords getting better
- Who said users haven't learned anything about security?
23 Human Issues
- Social engineering.
- Difficulties with reliable password entry.
- Difficulties with remembering the password.
- Humans are often the weakest link in the security chain.
24 Human Issues
- Social engineering.
  - The attacker extracts the password directly from the user.
  - Attacks of this kind are very likely to work unless an organization has well-thought-out policies.
  - In his 2002 book, The Art of Deception, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering.
  - Motorola case
    - http://www.youtube.com/watch?v=J4yH2GPiE7o (3:09)
  - Kevin Mitnick: "It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in."
    - http://www.youtube.com/watch?v=8_VYWefmy34 (2:00)
- Source: Wikipedia, Social engineering
25 Human Issues
- Social engineering.
  - 336 CS students at the University of Sydney.
  - Some were suspicious:
    - 30 returned a plausible-looking but invalid password.
    - Over 200 changed their passwords without official prompting.
  - Very few of them reported the email to the authorities.
26 Human Issues
- Social engineering.
  - How to solve this problem?
    - Strong and well-known policy.
27 Human Issues
- Difficulties with reliable password entry.
  - If a password is too long or complex, the user might have difficulty entering it correctly.
  - South Africa case: a 20-digit number for the pre-paid electricity meters.
    - Any suggested solution?
  - If the operation they are trying to perform is urgent, this might have safety or other implications.
28 Human Issues
- Difficulties with remembering the password.
  - The greatest source of complaints about passwords is that most people find them hard to remember.
  - When users are expected to memorize passwords:
    - they either choose values that are easy for attackers to guess,
    - write them down,
    - or both.
29 The Memorability and Security of Passwords
- Many of the problems of password authentication systems arise from the limitations of human memory.
30 The Memorability and Security of Passwords
- Some passwords are very easy to remember
  - but very easy to guess (dictionary attack).
- Some passwords are very secure against guessing
  - but difficult to remember,
  - and might be compromised as a result of human limitations:
    - the user may keep an insecure written record.
31 The Memorability and Security of Passwords
- An experiment involving 400 first-year students at the University of Cambridge.
  - Testing how strong mnemonic-based passwords are.
  - Testing how easy they are to remember.
  - In contrast with control and random passwords.
32 The Memorability and Security of Passwords
- Methods
  - 4 types of attacks:
    - Simple dictionary attack.
    - Dictionary attack with permutation.
    - User information attack.
    - Brute force attack.
  - Survey.
33 The Memorability and Security of Passwords
- Conclusion
  - Users have difficulty remembering random passwords.
  - Passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords are.
34 The Memorability and Security of Passwords
- Conclusion
  - It isn't true that random passwords are better than those based on mnemonic phrases.
    - Each type appeared to be as strong as the other.
  - It is not true that passwords based on mnemonic phrases are harder to remember than naively selected passwords are.
    - Each appeared to be reasonably easy to remember, with only about 2-3% of users forgetting passwords.
35 Human Selection of Mnemonic Phrase-based Passwords
- Hypothesis
  - Users will select mnemonic phrases that are commonly available on the Internet.
  - It is possible to build a dictionary to crack mnemonic phrase-based passwords.
36 Human Selection of Mnemonic Phrase-based Passwords
- Survey
  - A survey to gather user-generated passwords:
    - Mnemonic passwords (144)
    - Control passwords (146)
37 Human Selection of Mnemonic Phrase-based Passwords
- Attacks
  - Dictionary attack
    - Generate a mnemonic password dictionary (400,000 entries).
    - John the Ripper for the control passwords (1.2 million entries).
  - Dictionary attack with permutation
    - Word mangling, e.g. replacing "a" with "@".
  - Brute force attack.
38 Human Selection of Mnemonic Phrase-based Passwords
- Results
  - Password strength

    Measure                      Control   Mnemonic
    Strength score                  15.7       17.2
    Number of character classes      2.9        2.7
    Length                           9.9        9.5
39 Human Selection of Mnemonic Phrase-based Passwords
- Results
  - Password cracking results
    - The user-generated mnemonic passwords were more resistant to brute force attacks than control passwords.

    Passwords compromised by            Control   Mnemonic
    Basic dictionary                          6          3
    Basic dictionary with permutation         5          1
    Brute force attack                        8          4
40 Human Selection of Mnemonic Phrase-based Passwords
- Results
  - Passwords based on external sources
    - The majority of mnemonic passwords are based on external sources.
    - 13 control password sources are based on external sources.
41 Human Selection of Mnemonic Phrase-based Passwords
- Results
  - Passwords based on external sources
42 Human Selection of Mnemonic Phrase-based Passwords
- Conclusion
  - The majority of users select phrases from music lyrics, movies, literature, or television shows.
  - This opens the possibility that a dictionary could be built for mnemonic passwords.
  - If a comprehensive dictionary is built, it could be extremely effective against mnemonic passwords.
  - Mnemonic phrase-based passwords offer a user-friendly alternative for encouraging users to create good passwords.
43 Human Selection of Mnemonic Phrase-based Passwords
- Conclusion
  - Mnemonic phrase-based passwords are not as strong as people may believe.
  - The space of possible phrases is large.
    - Building a comprehensive dictionary is not a trivial task.
  - System designers and administrators should specifically recommend to users that they avoid generating mnemonic passwords from common phrases.
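The recommendation above can be enforced at password-change time. This added example (not from the slides or the study) builds the small mnemonic dictionary that slide 37 describes from a constructed list of stand-in phrases and rejects a candidate whose first-letter form, with or without trailing digits, appears in it. The phrase list and the word-to-symbol substitutions ("to" as "2", "you" as "u", and so on) are assumptions chosen for illustration, not rules taken from the study.

```python
import itertools
import re

# Constructed stand-in for the "commonly available" phrases the study warns
# about; a real deployment would draw on a large corpus of lyrics and quotes.
COMMON_PHRASES = [
    "to be or not to be that is the question",
    "four score and seven years ago",
    "may the force be with you",
    "i want to hold your hand",
]

# Assumed word-to-symbol substitutions users apply when condensing a phrase.
# These are illustrative choices, not rules taken from the slides.
WORD_SUBS = {"to": "2", "too": "2", "for": "4", "four": "4", "you": "u",
             "and": "&", "are": "r", "be": "b", "at": "@"}


def mnemonic_variants(phrase):
    """All first-letter passwords a phrase yields, with each eligible word
    either abbreviated to its first letter or replaced by its symbol."""
    choices = []
    for word in phrase.lower().split():
        options = {word[0]}
        if word in WORD_SUBS:
            options.add(WORD_SUBS[word])
        choices.append(sorted(options))
    return {"".join(combo) for combo in itertools.product(*choices)}


def build_mnemonic_dictionary(phrases):
    """The dictionary an attacker could assemble from common phrases; the
    defender uses the same set to reject passwords derived from them."""
    dictionary = set()
    for phrase in phrases:
        dictionary |= mnemonic_variants(phrase)
    return dictionary


def matches_common_phrase(password, dictionary):
    """True if the password, ignoring case and any trailing digits (the
    usual "add a 1" habit), is the mnemonic of a phrase in the dictionary."""
    lowered = password.lower()
    candidates = {lowered, re.sub(r"\d+$", "", lowered)}
    return bool(candidates & dictionary)


if __name__ == "__main__":
    d = build_mnemonic_dictionary(COMMON_PHRASES)
    for pw in ["2bon2btitq", "Mtfbwy1", "4s&sya", "xq7Lm!pz"]:
        print(pw, "derived from a common phrase" if matches_common_phrase(pw, d) else "ok")
```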