Passwords – No Longer Viable

Presentation Transcript

  1. Passwords – No Longer Viable Arvind Narayanan Vitaly Shmatikov Univ. of Texas at Austin (stuck in cowboy country)

  2. Greek mythology: Kerberos is tamed by the Lyre of Orpheus.

  3. Today: Candy breaks computer security. 70% of people will give up their password for a candy bar!

  4. Secure, Easy to Remember – Pick any one. Organizations implement cumbersome password rules – they require mixed case, numerals, special characters, etc. The goal is for passwords to be secure as well as easy to remember. We show that there is an inherent conflict between these goals!

  5. Password Modeling – Human Password Generation (diagram; labels recovered from the slide: Words, Names, Numbers, Alphabets, Morph, Randomness)

  6. Memorability vs. Security. Assume we had a fast algorithm that perfectly reproduces the Morph procedure. Memorability is inversely related to randomness. Cryptanalysis time is directly related to randomness. So memorability and cryptanalysis time are inversely related – if we can precisely model human password generation!

  7. One of our techniques – Markov Modeling. Random character strings (left): wovmgrbl, vfxalnre, gnhkzdhl, ejvzhrfb, sxnsmvql. Strings generated using MM1 (right): sasetcki, eshembec, ertemenu, sleeteat, methesen. The words on the right were generated using MM1; they are more pronounceable than the random character strings on the left.

  8. Keyspace reduction factor vs. coverage (plot). With 80% coverage we can get 25-fold compression!
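Slides 7 and 8 compress the whole idea into two sentences: a first-order Markov model (MM1) assigns higher likelihood to strings whose letter-to-letter transitions look like natural language, and if passwords are ranked by that likelihood, a small fraction of the keyspace carries most of the probability mass. The following Python example is added here for illustration; it is not the authors' code or data. The five-letter alphabet, the training word list and the add-k smoothing are assumptions chosen so that every string of a fixed length can be enumerated. It trains MM1, scores strings, samples pronounceable strings from the chain, and computes the keyspace reduction factor for a given coverage, which is exactly the quantity plotted on slide 8. The same likelihood scoring is what a defender's password-strength meter can use to flag a "pronounceable" password as weaker than its length suggests.

```python
import math
import random
from itertools import product

# Constructed training list (not from the presentation): short words made only
# of the letters in ALPHABET, so the full keyspace of one length is enumerable.
ALPHABET = "elnst"
TRAINING_WORDS = ["settle", "nestle", "tenet", "sleet", "lenses", "tense", "nest",
                  "test", "less", "tell", "sell", "steel", "tents", "sent"]
START = "^"  # start-of-string state of the chain


def train_mm1(words, alphabet=ALPHABET, k=0.1):
    """Train a first-order Markov model P(next char | previous char).
    Add-k smoothing (an assumption, not the authors' choice) keeps every
    transition possible, so every string in the keyspace can be ranked."""
    counts = {s: {c: k for c in alphabet} for s in START + alphabet}
    for w in words:
        prev = START
        for ch in w:
            counts[prev][ch] += 1
            prev = ch
    model = {}
    for s, row in counts.items():
        total = sum(row.values())
        model[s] = {c: n / total for c, n in row.items()}
    return model


def log_prob(model, s):
    """Log-likelihood of s under MM1. There is no end-of-string symbol, so the
    probabilities of all strings of one fixed length sum to exactly 1."""
    lp, prev = 0.0, START
    for ch in s:
        lp += math.log(model[prev][ch])
        prev = ch
    return lp


def sample_strings(model, n, length, seed=2005):
    """Draw n strings from the chain with a fixed seed; this is how MM1 yields
    pronounceable strings like the right-hand column of slide 7."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        chars, prev = [], START
        for _ in range(length):
            row = model[prev]
            ch = rng.choices(list(row), weights=list(row.values()))[0]
            chars.append(ch)
            prev = ch
        out.append("".join(chars))
    return out


def keyspace_reduction(model, length, coverage, alphabet=ALPHABET):
    """Rank every string of `length` by MM1 likelihood and keep the most likely
    ones until they account for `coverage` of the total probability mass.
    Returns (reduction_factor, strings_kept, total_keyspace)."""
    keyspace = ["".join(t) for t in product(alphabet, repeat=length)]
    probs = sorted((math.exp(log_prob(model, s)) for s in keyspace), reverse=True)
    assert abs(sum(probs) - 1.0) < 1e-6  # the chain is a proper distribution
    mass = 0.0
    for kept, p in enumerate(probs, 1):
        mass += p
        if mass >= coverage:
            return len(keyspace) / kept, kept, len(keyspace)
    return 1.0, len(keyspace), len(keyspace)


if __name__ == "__main__":
    model = train_mm1(TRAINING_WORDS)
    print("MM1 samples:", sample_strings(model, 5, 6))
    for s in ("settle", "elnnlt"):  # a word-like string vs. a random-looking one
        print(f"{s}: log-likelihood {log_prob(model, s):.2f}")
    for cov in (0.5, 0.8, 0.95):
        factor, kept, total = keyspace_reduction(model, 5, cov)
        print(f"coverage {cov:.0%}: {kept}/{total} strings, {factor:.1f}-fold reduction")
```

The reduction factor is the slide-8 quantity: how many times smaller the set of strings you must consider becomes if you accept missing the (1 - coverage) tail of least likely strings. Because a ranked list always needs at most `coverage * N` entries to reach `coverage` of the mass, the factor is never below 1 / coverage, and the more the model's distribution is skewed by natural-language structure, the larger it gets.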

  9. Current state of the art – Rainbow attack • Word list size is 3 x 10^12 • All alphanumeric passwords of length 8 • Compressed database size is 48 GB • Cryptanalysis time is 40 minutes • Amortized time is only 10 minutes. What we did • Extend the time-space tradeoff to “implicit dictionaries”. • Same efficiency as the rainbow attack, increased coverage.

  10. Coverage comparison. Word list size for the above results was about 2 x 10^9. With a larger word list size of 3 x 10^12, we believe we can get a 90% success rate.

  11. If not passwords, then what? • What about biometrics? • Biometric identification is good. • Biometric authentication is brain-damaged. • PAKE (Password-based Authenticated Key Exchange) • Good for some, but not all, scenarios. • Serge will talk about it tomorrow (and Zully later today).

  12. BOFH syndrome Don’t blame users, blame poor system usability! If users stick their passwords on their monitors, it doesn’t mean they’re stupid. It means the security engineering needs rethinking.

  13. Smart cards • Reduce electronic security to physical security. • Protection mechanisms such as RFID-based tracking exist. • Economic, legal and law enforcement infrastructure exists to deal with compromise.

  14. Find out more at CCS 2005. Alexandria, VA

  15. Thank you. Enjoy your beer 