A Convenient Method for Securely Managing Passwords - PowerPoint PPT Presentation

About This Presentation
Title:

A Convenient Method for Securely Managing Passwords

Description:

A Convenient Method for Securely Managing Passwords J. Alex Halderman Princeton jhalderm_at_princeton.edu Brent Waters Stanford Edward W. Felten Princeton – PowerPoint PPT presentation

Number of Views:45
Avg rating:3.0/5.0
Slides: 18
Provided by: sud82
Category:

less

Transcript and Presenter's Notes

Title: A Convenient Method for Securely Managing Passwords


1
A Convenient Method for Securely Managing
Passwords
  • J. Alex Halderman
  • Princeton
  • jhalderm_at_princeton.edu

Brent Waters Stanford
Edward W. Felten Princeton
2
ing Passwords!
  • Web site password overload
  • Generating, keeping secret, and recalling
    passwords for scores of sites
  • Leads to insecure coping techniques
  • Writing passwords down
  • Reusing same passwords
  • Difficult to enforce better behavior
  • We need to make password security easy

3
In This Talk
  1. Approaches to password management
  2. Our construction and its security
  3. Comparison with other techniques
  4. Demonstration of our implementation
  5. Future work and conclusions

4
Approaches to Password Mgmt
  • Local encrypted storage
  • e.g., Password Safe (1998)
  • Cumbersome to access from multiple locations
  • Centralized remote authentication
  • e.g., Microsoft Passport (1999)
  • Needs server-side changes, trusted third party
  • Cryptographic password generation
  • e.g., LPWA (1997), PwdHash (2004),
  • our scheme (2004)

5
Password Generators
  • E.g. LPWA, PwdHash
  • Client software derives individual site passwords
    using deterministic one-way function
  • Users sets all site passwords to function output
  • Only need to remember master password to recreate
    all site passwordshighly transportable

Master Password
amazon.com
Hash()
wrbPzdqS
Use as your Amazon password
A simple idea, but hard to get right!
6
Stealing the Master Password
Password Guess
spot
yahoo.com
rover
lassie
spot
fido
Hash()
RWwsYlTi
LZIniBNd
H2VeusSq
CJPZfAKx
amazon.com ? wrbPzdqS gmail.com ?
obIDmogl citibank.com ? sX4rLlO1

?
LZIniBNd
LZIniBNd
Adversary learns password from low-security site
Dictionary attack to learn master password
Can access all otherpassword-managedsites
Easy to execute because scheme use fast hashes
7
Thwarting Brute Force Attacks
  • attack cost ½ dictionary size cost per
    guess
  • Hard to increase dictionary size
  • User habits hard to change, limits on human
    memory
  • Increase cost per guess by using slower hash
  • Used elsewhere to protect password verification
    routines (UNIX crypt)
  • Our approach iterated hash
  • Security vs. usability tradeoff
  • User has to wait too! Cache intermediate
    results

8
Our Construction
Master password MyD06ReX
User identity jhalderm_at_princeton.edu
Initialization Phase
(k1 gtgt k2)
Hk1()
Local Cache
Target site amazon.com
Hk2()
Master password (again)
Generation Phase
Mapping
Users site passwordfor amazon.com
wrb8zdqS
9
Security Analysis
  • Four attack scenarios
  • No information
  • Stolen site password
  • Stolen cache data
  • Stolen cache site password
  • Primary concern is offline attacks.

?
Increasing external difficulty
?
?
?
10
Security of Our Scheme
Attack scenario Hashes/guess Time/guess
1. No information N/A N/A
2. Stolen site password k1k2 100.1s
3. Stolen cache data k1 100s
4. Stolen cache site password k2 0.1s
11
Relative Attack Resistance
Estimated time to test 100,000 guesses Estimated time to test 100,000 guesses Estimated time to test 100,000 guesses Estimated time to test 100,000 guesses
Scheme Stolen password Stolendata Stolen pwand data
Password Safe N/A 74.6 secs 74.6 secs
LPWA 0.5 secs N/A N/A
PwdHash 0.1 secs N/A N/A
Our Scheme 116 days 116 days 2.8 hours
12
Equally Secure Password Length



13
Password Multiplier
  • Extension for Mozilla Firefox
  • Windows, Mac OS X, and Linux
  • Tightly integrated with browser
  • Double-click any password field to fill in
  • Balanced security and convenience
  • Initialization 108 iterations, 100
    seconds(Only once per installation)
  • Password generation 105 iterations, 0.1
    secs(Before every password operation)

14
Password Multiplier Demo
15
Future Improvements
  • Flexible password formatting
  • Cope with sites that require numbers,
    punctuation, special patterns
  • Easier password changes
  • Manually and at regular intervals
  • Improved anti-spoofing
  • Adopt techniques from PwdHash
  • Port to Internet Explorer, others

Require additional state
16
Summary Our scheme
  • Is limited to passwords that
  • The user can select
  • Are alphanumeric
  • Change infrequently
  • Dont need to be accessed from locations where
    our software is unavailable

17
Summary Our scheme
  • Has the advantages that it
  • Asks users to remember only one short password
  • Requires no server-side changes
  • Does not require trusting a third-party service
  • Is nearly as secure as independent random pwds
  • Is likely much more secure than what you do now
  • Is practical, available today, and free
  • http//www.cs.princeton.edu/jhalderm/projects/pas
    sword/
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "A Convenient Method for Securely Managing Passwords" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!