EECS 354 Network Security PowerPoint Presentation
Presentation Transcript

  1. EECS 354 Network Security: Passwords and Cryptography

  2. Cracking a Hash
  • Modern hashing techniques are essentially uncrackable for unpatterned passwords of >7 characters
  • But, lucky for hackers:
    • Users choose bad passwords
    • Administrators don’t use modern hashing methods

  3. Some Examples
  • 2013 Adobe breach: At least 28 million passwords in Triple DES
  • 2013 Cupid Media breach: 42 million passwords in plain text
  • 2011 Sony Playstation breach: 77 million passwords and credit card numbers in ?
  • 2010 Gawker breach: 1 million passwords in DES

  4. Stolen Passwords
  • Eventually, someone usually notices their database has been hacked
  • Before:
    • Administrative access? Data tampering? Data collection?
  • After:
    • Users reuse passwords
    • Database associates password with identifying info
      • email, username, real name
      • grep for .gov, sensitive accounts
    • Leads to more sensitive data
      • Hacking email, social media

  5. Dictionary Attacks
  • Effective against basic hash functions
    • MD5, SHA1, SHA2, etc
  • Dictionaries vary in size
  • Append, prepend, mutate dictionary entries
  • Password lists are also common for cracking (can be in the millions)
  • Password salting
    • Users with the same password won’t be cracked simultaneously

  6. Dictionary Attacks
  • Here’s one word from your dictionary: password
  • With simple operations you can crack:
    • password123
    • p4ssw0rd
    • Password
    • Password2014
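Slides 5 and 6 make the point that a dictionary word survives cheap mutations (case changes, leet-speak, appended digits or years). The defensive counterpart is to undo those same mutations at registration time and refuse any password that collapses back to a dictionary word. The following checker is an added example, not part of the original slides; the tiny `DICTIONARY` set and the `LEET` substitution table are constructed for illustration, and a real deployment would load a large wordlist file.

```python
import re

# Constructed sample dictionary. In production this would be a large wordlist
# (the same kind of list a cracker uses), loaded from disk into a set.
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey"}

# Common leet-speak substitutions (slide 6's "p4ssw0rd"). Keys are the
# characters a user types, values are the letters they stand in for.
LEET = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(candidate: str) -> str:
    """Collapse the cheap mutations a dictionary cracker tries.

    Order matters: strip the appended/prepended digits and symbols first
    (e.g. "123", "2014", "!"), then undo leet-speak, so a trailing "123"
    is not turned into "i2e" before it can be removed.
    """
    s = candidate.lower()
    s = re.sub(r"^[^a-z]+", "", s)   # drop prefixed digits/symbols
    s = re.sub(r"[^a-z]+$", "", s)   # drop suffixed digits/symbols
    return s.translate(LEET)         # p4ssw0rd -> password


def is_dictionary_derived(candidate: str, dictionary=DICTIONARY) -> bool:
    """True when the candidate is a dictionary word plus trivial mutations."""
    return normalize(candidate) in dictionary


def check_password(candidate: str, min_len: int = 8) -> list:
    """Return a list of reasons the password is weak; empty means acceptable.

    The length floor mirrors slide 2's ">7 characters" remark; the dictionary
    check is what actually defeats the mutations listed on slide 6.
    """
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_dictionary_derived(candidate):
        problems.append(
            f"derived from dictionary word '{normalize(candidate)}'"
        )
    return problems


if __name__ == "__main__":
    # The four mutations from slide 6 all collapse to the same base word.
    for pw in ["password123", "p4ssw0rd", "Password", "Password2014"]:
        print(f"{pw!r:16} -> {normalize(pw)!r:12} weak: {check_password(pw)}")
    print(check_password("correct horse battery staple"))  # [] (passes)
```

The checker is deliberately conservative: stripping trailing digits means a word that legitimately ends in "0" is also normalized, which only errs on the side of rejecting. Checking against a large breached-password list in the same way is what turns slide 5's "password lists in the millions" into a defensive asset rather than only an attacker's tool.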

  7. “Good” Hashing
  • People don’t notice if it takes one second to verify their password
  • Method: Use hashing. A lot. ~100,000 times, repeatedly. And a long salt.
  • Standard: PBKDF2
  • Alternatives: bcrypt, scrypt
  • Strength still varies with password length and character diversity
    • brute force: useless (huge key space)
    • dictionary: bad passwords are still bad
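Slide 7's recipe (PBKDF2, roughly 100,000 iterations, a long per-user salt) fits in a few lines of the Python standard library. The example below is added here and is not from the original slides; the storage format `pbkdf2_sha256$iterations$salt$hash` and the helper names are my own assumptions. It also shows the slide 5 salting point directly: hashing the same password twice yields two different stored values, whereas the unsalted single-round MD5 it is contrasted with is identical every time.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # slide 7's "~100,000 times"; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt per user
ALGO = "sha256"        # PRF used inside PBKDF2-HMAC


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: pbkdf2_sha256$iters$salt_hex$dk_hex.

    Storing the iteration count and salt alongside the hash lets the
    verifier recompute it and lets you raise the work factor later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)        # fresh random salt per user
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    algo = scheme.split("_", 1)[1]           # "pbkdf2_sha256" -> "sha256"
    dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a stored hash was made with fewer rounds than current policy.

    Call this after a successful login and re-store the password with
    hash_password() so old records are upgraded transparently.
    """
    return int(stored.split("$")[1]) < min_iterations


def weak_unsalted_md5(password: str) -> str:
    """The 'basic hash function' of slide 5: one fast round, no salt.

    Included only for contrast; every user with this password gets the same
    digest, so one dictionary pass cracks all of them at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # "hunter2" is a constructed sample password.
    stored = hash_password("hunter2")
    print(stored)
    print("correct password verifies:", verify_password("hunter2", stored))
    print("wrong password verifies:  ", verify_password("hunter3", stored))
    print("same password, second hash differs:",
          hash_password("hunter2") != stored)
    print("unsalted md5 is identical each time:",
          weak_unsalted_md5("hunter2") == weak_unsalted_md5("hunter2"))
    print("old 1,000-round record needs rehash:",
          needs_rehash(hash_password("hunter2", iterations=1_000)))
```

As the slide says, this only buys time per guess; the dictionary attack still works against "password123", it just costs the attacker 100,000 hash rounds per candidate per user instead of one, and the salt stops a single table from covering every user.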