
Usable Privacy and Security

March, 2008

Text passwords

Hazim Almuhimedi

Agenda
  • How good are the passwords people are choosing?
  • Human issues
  • The Memorability and Security of Passwords
  • Human Selection of Mnemonic Phrase-based Passwords
Authentication Mechanisms
  • Something you have
    • Cards
  • Something you know
    • Passwords
      • Cheapest option.
      • Most popular.
  • Something you are
    • Biometrics
      • Fingerprint
Password is a continuous problem
  • Passwords are a persistent real-world problem.
    • SANS Top-20 2007 Security Risks
    • Every year, password problems appear on the list:
      • Weak or non-existent passwords
      • Users who don’t protect their passwords
      • OS or applications that create accounts with weak/no passwords
      • Poor hashing algorithms
      • Access to hash files

Source: Jeffery Eppinger, Web application Development.
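Two of the SANS risks above, poor hashing algorithms and access to hash files, are easiest to see side by side. The following Python is an added example, not part of the presentation: it stores the same constructed password for two constructed users, first with unsalted single-round MD5 and then with salted, iterated PBKDF2-HMAC-SHA256 from the standard library, and shows why a stolen file of the first kind is far cheaper to attack. The user names, the password and the `algo$rounds$salt$digest` record format are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration (not real data).
USERS = {"alice": "Summer2007!", "bob": "Summer2007!"}


def weak_store(password):
    """Unsalted, single-round MD5: the 'poor hashing algorithm' case.

    Equal passwords produce equal digests, so one cracked hash in a stolen
    file unlocks every account that shares the password, and precomputed
    tables work directly against the file.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_store(password, salt=None, rounds=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256 from the standard library.

    A random 16-byte salt per record makes equal passwords hash differently
    and defeats precomputed tables; the round count makes each guess against
    a stolen file cost ~200k HMAC evaluations instead of one MD5.
    Record format (assumed for this example): algo$rounds$salthex$digesthex
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256${}${}${}".format(rounds, salt.hex(), digest.hex())


def verify(record, password):
    """Recompute the digest from the stored salt and round count and compare
    in constant time, so a wrong guess leaks nothing through timing."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_collides(store):
    """True if the given store function yields identical records for the
    two constructed users, who share a password."""
    return store(USERS["alice"]) == store(USERS["bob"])


if __name__ == "__main__":
    print("unsalted MD5, same password -> same hash:", same_password_collides(weak_store))
    print("salted PBKDF2, same password -> same hash:", same_password_collides(strong_store))
    record = strong_store(USERS["alice"])
    print("verify correct password:", verify(record, "Summer2007!"))
    print("verify wrong password:  ", verify(record, "summer2007!"))
```

The MD5 records for alice and bob are identical, so a single lookup in a precomputed table breaks both accounts; the PBKDF2 records differ and each guess against them costs the full round count.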

How good are the passwords people are choosing?
  • It is a hard question to answer.
    • Data is scarce.
  • MySpace phishing attack.
Poor, Weak Password
  • Poor, weak passwords have the following characteristics:
    • The password contains fewer than 15 characters.
    • The password is a word found in a dictionary (English or foreign).
    • The password is a common usage word.

Source: Password Policy. SANS 2006

Strong Password
  • Strong passwords have the following characteristics:
    • Contain both upper and lower case characters.
    • Have digits and punctuation characters.
    • Are at least 15 alphanumeric characters long and are a passphrase.
    • Are not a word in any language, slang, dialect, or jargon.
    • Are not based on personal information.
    • Passwords should never be written down or stored on-line.

Source: Password Policy. SANS 2006

Strong Password
  • At least 8 characters.
  • Contain both upper and lower case characters.
  • Have digits and punctuation characters.
MySpace Phishing Attack
  • A fake MySpace login page.
  • It sent the captured credentials to various web servers to be collected later.
  • 100,000 fell for the attack before it was shut down.
  • This analysis covers 34,000 of those users.
Password length
  • Average: 8 characters.
Password length
  • There is a 32-character password:
    • "1ancheste23nite41ancheste23nite4"
  • Other long passwords:
    • "fool2thinkfool2thinkol2think"
    • "dokitty17darling7g7darling7"
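The SANS characteristics listed on the strong-password slides, and the repeated-block pattern visible in the 32-character MySpace password above (the same 16 characters twice), can be turned into a simple acceptance check. The Python below is an added example, not from the presentation: `DICTIONARY` is a constructed stand-in for a real word list, `min_length` lets the same function apply either the 15-character SANS policy or the 8-character policy, and the "is a passphrase" and "not based on personal information" points are not checked.

```python
import re
import string

# Constructed mini word list standing in for a real dictionary.
DICTIONARY = {"password", "monkey", "qwerty", "football", "blink",
              "summer", "jordan", "slipknot"}


def repeated_block(pw):
    """Return the shortest block whose repetition forms the whole string,
    e.g. '1ancheste23nite4' for the 32-character MySpace password above,
    or None if the password is not a pure repetition."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return pw[:size]
    return None


def check_password(pw, min_length=15):
    """Return the list of policy failures (empty means the password passes).

    min_length=15 follows the SANS 2006 strong-password characteristics;
    min_length=8 gives the looser 8-character policy. The 'is a passphrase'
    and 'not based on personal information' points are not checked here.
    """
    failures = []
    if len(pw) < min_length:
        failures.append("shorter than %d characters" % min_length)
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("missing upper- or lower-case letters")
    if not any(c.isdigit() for c in pw):
        failures.append("missing digits")
    if not any(c in string.punctuation for c in pw):
        failures.append("missing punctuation")
    # Dictionary test on the alphabetic core, so 'Blink182' still reveals 'blink'.
    core = re.sub(r"[^a-z]", "", pw.lower())
    hit = next((w for w in sorted(DICTIONARY) if len(w) >= 4 and w in core), None)
    if hit is not None:
        failures.append("contains dictionary word '%s'" % hit)
    # A long password built by repeating a short block has only the block's strength.
    block = repeated_block(pw)
    if block is not None:
        failures.append("repeats '%s' %d times" % (block, len(pw) // len(block)))
    return failures


if __name__ == "__main__":
    samples = ["1ancheste23nite41ancheste23nite4", "Blink182", "Tr0ub4dor&3-rode-Home!"]
    for pw in samples:
        for min_len in (15, 8):
            print("%-34s min %2d -> %s" % (pw, min_len, check_password(pw, min_len) or "OK"))
```

Note that the 32-character MySpace password satisfies the length rule under either policy and still fails three checks: it has no upper-case letters, no punctuation, and is a 16-character block repeated twice.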
Common Passwords
  • Top 20 passwords in order.
Common Password
  • “Blink 182” is a band.
    • A lot of people use the band's name:
      • It is easy to remember.
      • It has numbers in its name, and therefore it seems like a good password.
Common Password
  • "qwerty1" refers to QWERTY, the most common keyboard layout on English-language computers.
Common Password
  • The band “Slipknot” doesn't have any numbers in its name, which explains the “1”.
Common Password
  • The password "jordan23" refers to
    • basketball player Michael Jordan
    • and his number 23.
Common Password
  • I don't know what the deal is with “monkey”.
Passwords getting better
  • Who said the users haven’t learned anything about security?
Human Issues
  • Social engineering.
  • Difficulties with reliable password entry.
  • Difficulties with remembering the password.

Humans are often the weakest link in the security chain.

Human Issues
  • Social engineering.
    • The attacker extracts the password directly from the user.
    • Attacks of this kind are very likely to work unless an organization has well-thought-out policies.
    • In his 2002 book, The Art of Deception, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering.
      • Motorola case
      • http://www.youtube.com/watch?v=J4yH2GPiE7o (3:09)

Kevin Mitnick:

It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in.

http://www.youtube.com/watch?v=8_VYWefmy34 (2:00)

Source: Wikipedia. Social engineering

Human Issues
  • Social engineering.
    • 336 CS students at the University of Sydney
    • Some were suspicious:
      • 30 returned a plausible-looking but invalid password.
      • Over 200 changed their passwords without official prompting.
    • Very few of them reported the email to an authority.
Human Issues
  • Social Engineering.
    • How to solve this problem?
      • Strong and well-known policy.
Human Issues
  • Difficulties with reliable password entry.
    • If a password is too long or complex, the user might have difficulty entering it correctly.
    • South Africa case
      • 20-digit number for the pre-paid electricity meters.
      • Any suggested solution?
    • If the operation they are trying to perform is urgent, this might have safety or other implications.
Human Issues
  • Difficulties with remembering the password.
    • The greatest source of complaints about passwords is that most people find them hard to remember.
    • When users are expected to memorize passwords, they either:
      • choose values that are easy for attackers to guess,
      • write them down,
      • or both.
The Memorability and Security of Passwords
  • Many of the problems of password authentication systems arise from the limitations of human memory.
The Memorability and Security of Passwords
  • Some passwords are very easy to remember
    • but very easy to guess.
      • Dictionary attack.
  • Some passwords are very secure against guessing
    • but difficult to remember,
    • and might be compromised as a result of human limitations.
      • The user may keep an insecure written record.
The Memorability and Security of Passwords
  • An experiment involving 400 first-year students at the University of Cambridge.
  • Testing how strong mnemonic-based passwords are.
  • Testing how easy they are to remember.
    • In contrast with control and random passwords.
The Memorability and Security of Passwords
  • Methods:
    • 4 types of attacks:
      • Simple dictionary attack.
      • Dictionary attack with permutation.
      • User information attack.
      • Brute-force attack.
    • Survey.
The Memorability and Security of Passwords
  • Conclusion:
    • Users have difficulty remembering random passwords.
    • Passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords are.
The Memorability and Security of Passwords
  • Conclusion:
    • It is not true that random passwords are better than those based on mnemonic phrases:
      • each type appeared to be as strong as the other.
    • It is not true that passwords based on mnemonic phrases are harder to remember than naively selected passwords are:
      • each appeared to be reasonably easy to remember, with only about 2%-3% of users forgetting passwords.
Human Selection of Mnemonic Phrase-based Passwords
  • Hypothesis
    • Users will select mnemonic phrases that are commonly available on the Internet
    • It is possible to build a dictionary to crack mnemonic phrase-based passwords.
Human Selection of Mnemonic Phrase-based Passwords
  • Survey
    • A survey to gather user-generated passwords:
      • Mnemonic passwords (144)
      • Control passwords (146)
Human Selection of Mnemonic Phrase-based Passwords
  • Attacks:
    • Dictionary attack
      • Generate a mnemonic password dictionary.
        • 400,000 entries
      • John the Ripper dictionary
        • For the control passwords
        • 1.2 million entries
    • Dictionary attack with permutation.
      • Word mangling
        • e.g. replacing “a” with “@”
    • Brute-force attack.
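The two dictionary attacks described above, the mnemonic phrase dictionary and word mangling, are exactly what a password-acceptance filter on the defender's side should anticipate. The following Python is an added example, not the paper's tooling: `PHRASES` is a constructed three-phrase stand-in for the 400,000-entry dictionary, `WORD_SUBS` and `CHAR_MANGLE` are assumed substitution rules, `WORD_DICT` is a constructed mini word list, and `is_guessable` rejects a candidate whose normalised form is either a dictionary word or the mnemonic of a listed phrase.

```python
import itertools

DIGITS = "0123456789"

# Constructed stand-in for the paper's Internet-harvested phrase corpus.
PHRASES = [
    "to be or not to be that is the question",
    "the quick brown fox jumps over the lazy dog",
    "four score and seven years ago",
]

# Assumed word-level shortcuts users apply when turning a phrase into a mnemonic.
WORD_SUBS = {
    "to": ["t", "2"], "two": ["t", "2"],
    "for": ["f", "4"], "four": ["f", "4"],
    "you": ["y", "u"], "and": ["a", "&"],
}

# Assumed character mangling rules (the 'a' -> '@' family), reversed by unmangle().
CHAR_MANGLE = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"}

# Constructed mini word list for the plain dictionary test.
WORD_DICT = {"password", "monkey", "qwerty", "slipknot"}


def mnemonic_candidates(phrase):
    """Yield each first-letter mnemonic of the phrase, expanding every word
    that has a shortcut into all of its alternatives ('to' -> 't' or '2')."""
    words = phrase.lower().split()
    options = [WORD_SUBS.get(w, [w[0]]) for w in words]
    for combo in itertools.product(*options):
        yield "".join(combo)


def build_mnemonic_dictionary(phrases):
    """Set of mnemonic strings derived from the phrase list."""
    return {m for p in phrases for m in mnemonic_candidates(p)}


def unmangle(pw):
    """Reverse the common substitutions and lower-case, so 'P@$$w0rd'
    compares as 'password'."""
    return "".join(CHAR_MANGLE.get(c, c) for c in pw).lower()


def is_guessable(pw, mnemonic_dict, word_dict):
    """Acceptance check: True if any normalised form of the password is a
    plain dictionary word or the mnemonic of a listed phrase. Trailing digits
    are stripped as well, so that 'slipknot1' is still caught."""
    lowered = pw.lower()
    unmangled = unmangle(pw)
    forms = {lowered, lowered.rstrip(DIGITS), unmangled, unmangled.rstrip(DIGITS)}
    return any(f in word_dict or f in mnemonic_dict for f in forms)


if __name__ == "__main__":
    mnemonics = build_mnemonic_dictionary(PHRASES)
    print("mnemonic dictionary size:", len(mnemonics))
    for pw in ["2bon2btitq", "tqbfjotld", "P@$$w0rd", "slipknot1", "Tr0ub4dor&3"]:
        print("%-12s guessable: %s" % (pw, is_guessable(pw, mnemonics, WORD_DICT)))
```

With only three phrases the mnemonic dictionary already has nine entries, because every shortcut word doubles the candidates for its phrase; that growth is why the paper's 400,000-entry dictionary and the "space of possible phrases is large" conclusion are both true at once.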
Human Selection of Mnemonic Phrase-based Passwords
  • Results:
    • Password cracking results:
      • The user-generated mnemonic passwords were more resistant to brute-force attacks than the control passwords.
Human Selection of Mnemonic Phrase-based Passwords
  • Results:
    • Passwords based on external sources:
      • The majority of mnemonic passwords are based on external sources.
      • 13% of control passwords are based on external sources.
Human Selection of Mnemonic Phrase-based Passwords
  • Conclusion:
    • The majority of users select phrases from music lyrics, movies, literature, or television shows.
    • This opens the possibility that a dictionary could be built for mnemonic passwords.
      • If a comprehensive dictionary is built, it could be extremely effective against mnemonic passwords.
    • Mnemonic phrase-based passwords offer a user-friendly alternative for encouraging users to create good passwords.
Human Selection of Mnemonic Phrase-based Passwords
  • Conclusion:
    • Mnemonic phrase-based passwords are not as strong as people may believe.
    • The space of possible phrases is large
      • Building a comprehensive dictionary is not a trivial task.
    • System designers and administrators should specifically recommend to users that they avoid generating mnemonic passwords from common phrases.