
Text passwords

Usable Privacy and Security March, 2008. Text passwords. Hazim Almuhimedi. Agenda. How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human Selection of Mnemonic Phrase-based Passwords. Authentication Mechanisms. Something you have





Presentation Transcript


  1. Usable Privacy and Security March, 2008 Text passwords Hazim Almuhimedi

  2. Agenda • How good are the passwords people are choosing? • Human issues • The Memorability and Security of Passwords • Human Selection of Mnemonic Phrase-based Passwords

  3. Authentication Mechanisms • Something you have • cards • Something you know • Passwords • Cheapest way. • Most popular. • Something you are • Biometric • fingerprint

  4. Password is a continuous problem • Passwords are a serious real-world problem. • SANS Top-20 2007 Security Risks • Every year, password problems appear in the list: • Weak or non-existent passwords • Users who don’t protect their passwords • OS or applications create accounts with weak/no passwords • Poor hashing algorithms. • Access to hash files Source: Jeffery Eppinger, Web Application Development.

  5. How good are the passwords people are choosing? • It is a hard question to answer. • Data is scarce. • MySpace phishing attack

  6. Poor, Weak Password • Poor, weak passwords have the following characteristics: • The password contains less than 15 characters. • The password is a word found in a dictionary (English or foreign) • The password is a common usage word. Source: Password Policy. SANS 2006

  7. Strong Password • Strong passwords have the following characteristics: • Contain both upper and lower case characters • Have digits and punctuation characters • Are at least 15 alphanumeric characters long and are a passphrase. • Are not a word in any language, slang, dialect, or jargon. • Are not based on personal information. • Passwords should never be written down or stored on-line. Source: Password Policy. SANS 2006

  8. Strong Password • ?

  9. Strong Password • At least 8 characters. • Contain both upper and lower case characters. • Have digits and punctuation characters

  10. MySpace Phishing Attack • A fake MySpace login page. • Sent the captured data to various web servers to be collected later. • 100,000 users fell for the attack before it was shut down. • This analysis covers 34,000 users.

  11. Password length • Average: 8 characters.

  12. Password length • There is a 32-character password: • "1ancheste23nite41ancheste23nite4" • Other long passwords: • "fool2thinkfool2thinkol2think" • "dokitty17darling7g7darling7"
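The weak/strong characteristics quoted from SANS on slides 6 and 7, plus the repetition padding visible in the 32-character password on slide 12, can be turned into a single screening routine. This is an added example, not code from the slides or from SANS; the `COMMON_WORDS` set is a constructed stand-in for a real wordlist.

```python
import string

# Constructed mini wordlist standing in for a real dictionary (assumption: a
# deployment would load a large list instead of these few entries).
COMMON_WORDS = {"password", "monkey", "qwerty", "blink", "jordan", "slipknot"}

MIN_LEN = 15  # SANS 2006 guidance quoted on slide 7


def shortest_repeating_unit(pw: str) -> str:
    """Return the shortest u with pw == u * k (k >= 2), else pw itself.
    Catches padding such as '1ancheste23nite4' typed twice to reach 32 chars;
    inexact repeats (e.g. 'fool2thinkfool2thinkol2think') are not detected."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return pw[:size]
    return pw


def dictionary_core(pw: str) -> str:
    """Strip digits/punctuation from both ends so 'jordan23' exposes 'jordan'."""
    return pw.strip(string.digits + string.punctuation).lower()


def assess(pw: str) -> dict:
    """Apply the slides' characteristics and return every finding, not just the first."""
    unit = shortest_repeating_unit(pw)
    effective = len(unit)  # length that actually contributes guessing resistance
    findings = []
    if effective < MIN_LEN:
        findings.append(f"effective length {effective} < {MIN_LEN}")
    if unit != pw:
        findings.append(f"repeats {unit!r} {len(pw) // len(unit)} times")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        findings.append("no upper/lower-case mix")
    if not any(c.isdigit() for c in pw):
        findings.append("no digit")
    if not any(c in string.punctuation for c in pw):
        findings.append("no punctuation")
    if dictionary_core(pw) in COMMON_WORDS:
        findings.append("dictionary word")
    return {"effective_length": effective, "findings": findings, "strong": not findings}
```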

  13. Character Mix

  14. Common Passwords • Top 20 passwords in order.

  15. Common Passwords • Top 20 passwords in order.

  16. Common Password • “Blink 182” is a band. • A lot of people use the band's name. • Easy to remember. • It has numbers in its name, and therefore it seems like a good password.

  17. Common Password • "qwerty1" refers to • QWERTY, the most common keyboard layout on English-language computers.

  18. Common Password • The band “Slipknot” doesn't have any numbers in its name • which explains the “1”.

  19. Common Password • The password "jordan23" refers to • basketball player Michael Jordan • and his number 23.

  20. Common Password • I don't know what the deal is with “monkey”.

  21. Common Password

  22. Passwords getting better • Who said the users haven’t learned anything about security?

  23. Human Issues • Social engineering. • Difficulties with reliable password entry. • Difficulties with remembering the password. Humans are often the weakest link in the security chain.

  24. Human Issues • Social engineering. • The attacker extracts the password directly from the user. • Attacks of this kind are very likely to work unless an organization has well-thought-out policies. • In his 2002 book, The Art of Deception, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering. • Motorola case • http://www.youtube.com/watch?v=J4yH2GPiE7o (3:09) Kevin Mitnick: It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in. http://www.youtube.com/watch?v=8_VYWefmy34 (2:00) Source: Wikipedia. Social engineering

  25. Human Issues • Social engineering. • 336 CS students • at the University of Sydney • Some were suspicious: • 30 returned a plausible-looking but invalid password • over 200 changed their passwords without official prompting. • Very few of them reported the email to the authorities.

  26. Human Issues • Social engineering. • How to solve this problem? • A strong and well-known policy.

  27. Human Issues • Difficulties with reliable password entry. • If a password is too long or complex, the user might have difficulty entering it correctly. • South Africa case • 20-digit number for the pre-paid electricity meters. • Any suggested solution? • If the operation they are trying to perform is urgent, this might have safety or other implications.

  28. Human Issues • Difficulties with remembering the password. • The greatest source of complaints about passwords is that most people find them hard to remember. • When users are expected to memorize passwords, they either • choose values that are easy for attackers to guess, • write them down, • or both.

  29. The Memorability and Security of Passwords • Many of the problems of password authentication systems arise from the limitations of human memory.

  30. The Memorability and Security of Passwords • Some passwords are very easy to remember • But very easy to guess • Dictionary attack. • some passwords are very secure against guessing • Difficult to remember. • might be compromised as a result of human limitations. • The user may keep an insecure written record.

  31. The Memorability and Security of Passwords • An experiment involving 400 first-year students at the University of Cambridge. • Testing how strong mnemonic-based passwords are. • Testing how easy they are to remember. • In contrast with control and random passwords.

  32. The Memorability and Security of Passwords • Methods: • 4 types of attacks: • Simple Dictionary attack. • Dictionary attack with permutation • User information attack • Brute force attack. • Survey.

  33. The Memorability and Security of Passwords • Conclusion: • Users have difficulty remembering random passwords. • Passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords are.

  34. The Memorability and Security of Passwords • Conclusion: • It isn’t true that random passwords are better than those based on mnemonic phrases: • each type appeared to be as strong as the other. • It is not true that passwords based on mnemonic phrases are harder to remember than naively selected passwords are: • each appeared to be reasonably easy to remember, with only about 2%-3% of users forgetting passwords.

  35. Human Selection of Mnemonic Phrase-based Passwords • Hypothesis • Users will select mnemonic phrases that are commonly available on the Internet • It is possible to build a dictionary to crack mnemonic phrase-based passwords.

  36. Human Selection of Mnemonic Phrase-based Passwords • Survey • A survey to gather user-generated passwords • Mnemonic password (144) • Control password (146)

  37. Human Selection of Mnemonic Phrase-based Passwords • Attacks: • Dictionary attack • Generate a mnemonic password dictionary. • 400,000 entries • John the Ripper • For control passwords • 1.2 million entries • Dictionary attack with permutation. • Word mangling • replacing “a” with “@” • Brute force attack.

  38. Human Selection of Mnemonic Phrase-based Passwords • Results: • Password Strength:

  39. Human Selection of Mnemonic Phrase-based Passwords • Results: • Password Cracking Results: • The user generated mnemonic passwords were more resistant to brute force attacks than control passwords.

  40. Human Selection of Mnemonic Phrase-based Passwords • Results: • Passwords based on external sources: • The majority of mnemonic passwords are based on external sources. • 13% of control passwords are based on external sources.

  41. Human Selection of Mnemonic Phrase-based Passwords • Results: • Password based on external sources:

  42. Human Selection of Mnemonic Phrase-based Passwords • Conclusion: • The majority of users select phrases from music lyrics, movies, literature, or television shows. • This opens the possibility that a dictionary could be built for mnemonic passwords. • If a comprehensive dictionary is built, it could be extremely effective against mnemonic passwords. • Mnemonic-phrase based passwords offer a user-friendly alternative for encouraging users to create good passwords.

  43. Human Selection of Mnemonic Phrase-based Passwords • Conclusion: • Mnemonic phrase-based passwords are not as strong as people may believe. • The space of possible phrases is large • Building a comprehensive dictionary is not a trivial task. • System designers and administrators should specifically recommend to users that they avoid generating mnemonic passwords from common phrases.

  44. Thank You
