Securing Passwords Against Dictionary Attacks

1
Securing Passwords Against Dictionary Attacks

• Presented By
• Chad Frommeyer

2
Introduction

• Abstract/Introduction
• Reverse Turing Test (RTT)
• User Authentication Protocols
• Security Analysis
• Authentication Method Requirements
• Other Authentication Approaches
• Conclusion

3
Abstract/Introduction

• Passwords are the most widely used authentication
  method
• More secure methods are cumbersome to use
• User chosen passwords are often weak and easy to
  guess with a dictionary
• User requires the authentication to be easy to
  use
• Goal is to build authentication that is still
  easy to use but hard for the computer to guess

4
Abstract/Introduction

• Dictionary Attack Attempting to authenticate by
  guessing all possible passwords
• Offline Attack attacking passwords when they
  are in transit
• Offline attacks are prevented by securing
  communications and protecting password files

5
Abstract/Introduction

• For this discussion we assume that communications
  are properly secured and password files are
  protected
• Online Attack Attack that requires interacting
  with the login server

6
Introduction Common Countermeasures

• Delayed Response delaying the authentication
  response
• Account Locking Locking the account with too
  many negative responses

7
Introduction Countermeasure Weaknesses

• Global Password Attacks Simultaneous attempts
  to multiple accounts
• Risks (from account locking)
• Denial of Service
• Customer Service Costs

8
Introduction Pricing via Processing

• Add minimal processing time to each request
  results in a large impact to dictionary attacks
  but negligible impact to the individual
• A drawback to this approach is that it can
  require a special user client or mobile code
• The suggested approach
• Add processing without changing the interaction
• Make the processing hard for machines to automate

9
Reverse Turing Test (RTT)

• Requirements of RTT
• Automated Generation
• Easy for Humans
• Hard for Machines
• Small probability of guessing the answer
  correctly
• RTTs can be solved by either utilizing a human
  during the attack, or some type of OCR or Audio
  analysis

10
Reverse Turing Test (RTT)

• Most well known RTT
• Distorted text image
• Production usage is typically during a
  registration process
• Accessibility Issues
• Utilize both Image and Audio based

11
User Authentication Protocols

• Combining an existing system with an RTT
• Requires passing and RTT for every authentication
  attempt
• Usability This is different than most users are
  accustomed, and would likely cause issues
• Scalability -- RTT generation on a large scale
  is not a proven concept

12
User Authentication Protocols

• Answers to the usability and scalability issues
• Require RTT only a fraction of the time
• Problem Attacks would skip the attempts when an
  RTT was required
• Require RTT only after first failure
• Problem When global password attacks are used,
  this doesnt help

13
User Authentication Protocols

• Papers Observations
• Users typically use a limited number of computers
• Requiring RTTs for only a fraction of the time
  can be helpful for an appropriate implementation
• The protocol suggested by this paper assumes the
  ability to identify client computers. The
  following implementation uses web browser cookies.

14
(No Transcript)
15
User Authentication Protocols

• The usability problems are solved because the
  RTTs are only required in a very small number of
  cases
• Scalability problems are solved because of this
  same reason and because the RTTs are generated by
  a deterministic function based on the username
  and password and a probability 1/p
• All expected RTTs could be cached

16
Security Analysis

• Implementation Requirements
• One of the following feedbacks are returned when
  a username/password pair doesnt match
• The username/password is invalid
• Please answer the following RTT
• The response must be a deterministic function
  based on the username/password
• Response delays should be the same for a success
  and failed attempt

17
Security Analysis

• The nature of the response as well as the
  response time will often key an attacker to more
  information about the system/passwords being
  attacked
• If the requirements are met, the proposed system
  will respond with RTTs on correct guesses as well
  as a subset of incorrect guesses

18
Security Analysis

• Goal Make the cost of attacking the system more
  than the benefit of a successful attack
• Some systems are so beneficial to attack that
  attackers will utilize humans to solve the RTTs
  encountered during an attack
• The probability p must be adjusted to raise the
  cost of the attack

19
Security Analysis

• What if an RTT can be broken?
• The assumption should be that they can
• In this case the system should dynamically adjust
  the probabilities
• This means that the system must be able to
  identify a successful attack
• When unsuccessful attempts with solved RTTs go
  up, this is a clear indication of an attack
• Alternative RTT solutions should be available

20
Security Analysis

• Cookie Theft
• Cookies can be stolen off of one machine, and set
  on another
• Keep a count on the server per cookie of the
  number of failed attempts
• With a high number of failures (say 100) the
  server will ignore the cookie, and act as if no
  cookie was sent

21
Security Analysis

• Account Locking Measures
• Since we can determine when an attack is
  happening, we can use account locking measures as
  long as the number of attempts failed check is
  higher than typical
• The accounts failed threshold should dynamically
  lower when an attack is happening, at least until
  a new RTT is implemented

22
Authentication Method Requirements

• Requirement Availability
• Users shouldnt be expected to have special
  software Installed
• Requirement Robust and Reliable
• Requests should always receive response
• Requirement Friendliness
• The interface should be friendly and usable

23
Authentication Method Requirements

• Requirement Low cost to implement and operate
• Take strong consideration to the effect of a
  successful attack and what impact it has on
  business and customers
• Risk is an important factor in choosing a
  authentication method

24
Other Authentication Approaches

• Most other and potentially more secure
  authentication approaches do not satisfy the
  previous stated requirements
• One time passwords (tokens)
• Client certificates/keys
• Biometrics
• Graphical Passwords

25
Conclusion

• With a scalable, low cost and usable solution
  similar to standard user/password authentication
  methods, the authors believe that their proposed
  solution is the answer to secure authentication
• Why arent solutions that are implemented today
  using similar ideologies?
• Questions?