Presentation is loading. Please wait.

Presentation is loading. Please wait.

November 19, 2008 CSC 682 Do Strong Web Passwords Accomplish Anything? Florencio, Herley and Coskun Presented by: Ryan Lehan.

Published byPiers Casey Modified over 8 years ago

Similar presentations

Presentation on theme: "November 19, 2008 CSC 682 Do Strong Web Passwords Accomplish Anything? Florencio, Herley and Coskun Presented by: Ryan Lehan."— Presentation transcript:

1 November 19, 2008 CSC 682 Do Strong Web Passwords Accomplish Anything? Florencio, Herley and Coskun Presented by: Ryan Lehan

2 Outline Introduction Introduction Duh!, but rather be safe than sorry. Duh!, but rather be safe than sorry. Strong Passwords Strong Passwords Attack Scenarios Attack Scenarios Why Use Strong Passwords? Why Use Strong Passwords? Strength of User ID-Password Combination Strength of User ID-Password Combination Strength alone is not enough Strength alone is not enough Conclusion Conclusion

3 Introduction Authentication Traditionally Depends Upon Authentication Traditionally Depends Upon Something you have Something you have Badge Badge Something you are Something you are Fingerprint, voice Fingerprint, voice Something you know Something you know Password Password Authentication Most Used Method Authentication Most Used Method Something you know Something you know User ID (Account) in conjunction with a password User ID (Account) in conjunction with a password

4 Introduction (continued) User IDs User IDs Creation Creation Created for you (network administrator) Created for you (network administrator) Created by you Created by you Could be public knowledge Could be public knowledge Person who created the account for you Person who created the account for you Email address (jdoe@yahoo.com) Email address (jdoe@yahoo.com)jdoe@yahoo.com Part of standardization process (first initial + last name) Part of standardization process (first initial + last name)

5 Introduction (continued) Passwords Passwords Should not be public knowledge Should not be public knowledge To prevent “Credential Theft”, advised to: To prevent “Credential Theft”, advised to: Create Strong Passwords Create Strong Passwords Change Password Frequently Change Password Frequently Never Write Password Down Never Write Password Down

6 Introduction (continued) Threats to a user’s credentials Threats to a user’s credentials Phishing Phishing Key Logging Key Logging Brute Force Brute Force Attack on a known User ID Attack on a known User ID Bulk Guessing Bulk Guessing Attack on all accounts Attack on all accounts Special Knowledge or Access Special Knowledge or Access Shoulder Surfing Shoulder Surfing Knowledgeable Information about the user Knowledgeable Information about the user Access to Password Manager Access to Password Manager List, application, database List, application, database

7 Strong Passwords Not based upon personal information that can be guessed Not based upon personal information that can be guessed Names, dates, etc. Names, dates, etc. Not based upon a word found in the dictionary Not based upon a word found in the dictionary Subject to dictionary attacks Subject to dictionary attacks Should have a minimum length Should have a minimum length Should contain the following Should contain the following Combination of upper and lower casing Combination of upper and lower casing Special characters and numbers Special characters and numbers Problems Problems Hard to remember Hard to remember More likely to be written down More likely to be written down

8 Attack Scenarios What Strong Passwords will not prevent What Strong Passwords will not prevent Phishing Phishing Key Logging Key Logging Special Knowledge or Access Special Knowledge or Access Why? Why? User supplied information User supplied information Overt Method Overt Method Phishing, Password List/Manager Phishing, Password List/Manager Covert Method Covert Method Key Logging Key Logging

9 Attack Scenarios Brute Force Brute Force Attack on an individual account Attack on an individual account Why? Why? The account/user id is known The account/user id is known Only need to guess the password Only need to guess the password Problems Problems Strength of the Password Strength of the Password Length, Casing, Special characters and numeric values Length, Casing, Special characters and numeric values Many institutions use some type of “lock out” strategy Many institutions use some type of “lock out” strategy Can significantly increase time to crack account Can significantly increase time to crack account

10 Attack Scenarios Bulk Guessing Bulk Guessing Attack on multiple accounts Attack on multiple accounts Using the same guessed password Using the same guessed password Why? Why? Can attack all known and unknown account ids Can attack all known and unknown account ids Better chance that more than one account uses the same password Better chance that more than one account uses the same password Problems Problems Easily detected, if not a distributed attack Easily detected, if not a distributed attack Can inadvertently cause a Denial of Service (DoS) with all accounts Can inadvertently cause a Denial of Service (DoS) with all accounts

11 Why Use Strong Passwords? Takes far greater time to guess a strong password Takes far greater time to guess a strong password Brute Force and Bulk Guessing Attack Brute Force and Bulk Guessing Attack Reduces the chance that more than one account has the same password Reduces the chance that more than one account has the same password Bulk Guessing Attack Bulk Guessing Attack

12 Strength of User ID-Password Combination Successful attacks using Brute Force and Bulk Guessing requires both user id and password Successful attacks using Brute Force and Bulk Guessing requires both user id and password Stronger user id and weaker password combination Stronger user id and weaker password combination When used in combination could have the same affect as a strong password alone When used in combination could have the same affect as a strong password alone Requires attacking schemes to focus more on user ids Requires attacking schemes to focus more on user ids i.e. Less likely to be dictionary words, like passwords i.e. Less likely to be dictionary words, like passwords Easier for users to remember their passwords. But now the user id might be harder to remember Easier for users to remember their passwords. But now the user id might be harder to remember Places a larger burden on the institution for creating or enforcing stronger user ids Places a larger burden on the institution for creating or enforcing stronger user ids User ids must not be or become public knowledge, EVER! User ids must not be or become public knowledge, EVER!

13 Strength alone is not enough At some point in time, the account will be cracked At some point in time, the account will be cracked Lock out strategies Lock out strategies 3 strikes rule 3 strikes rule 3 sequential unsuccessful attempts and the account is locked 3 sequential unsuccessful attempts and the account is locked Geometrically increasing lock-out time Geometrically increasing lock-out time 2 in seconds 2 in seconds Length of time in which the lock remains is vital Length of time in which the lock remains is vital Increase the time it takes to crack the account Increase the time it takes to crack the account Must not be so long as to inconvenience the user Must not be so long as to inconvenience the user May increase customer support usage May increase customer support usage

14 Conclusions Makes attacking more difficult Makes attacking more difficult User id or the process of user id creation is more likely to be public knowledge than your password User id or the process of user id creation is more likely to be public knowledge than your password Most effective when some type of lock out strategy is being used Most effective when some type of lock out strategy is being used Not just for web, but for everything where a password is used Not just for web, but for everything where a password is used

Download ppt "November 19, 2008 CSC 682 Do Strong Web Passwords Accomplish Anything? Florencio, Herley and Coskun Presented by: Ryan Lehan."

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.

Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Using a Password Manager Are your passwords safe? Ryan Leavitt DoIT Security.

Using a Password Manager Are your passwords safe? Ryan Leavitt DoIT Security.
13: Unlucky for some? …or how to test your WLAN passwords to make sure that it’s the hacker who is “unlucky” Ian Hughes Wireless Security Consultant

13: Unlucky for some? …or how to test your WLAN passwords to make sure that it’s the hacker who is “unlucky” Ian Hughes Wireless Security Consultant
Chapter 3 Passwords Principals Authenticate to systems.

Chapter 3 Passwords Principals Authenticate to systems.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Network & Computer Security Training.  Prevents unauthorized access to our network and your computer  Helps keep unwanted viruses and malware from entering.

Network & Computer Security Training.  Prevents unauthorized access to our network and your computer  Helps keep unwanted viruses and malware from entering.
Information System Security and the US Military Ben Mascolo – ISC 300.

Information System Security and the US Military Ben Mascolo – ISC 300.
Homework #4 Comments. Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. –Email, Websites,

Homework #4 Comments. Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. – , Websites,
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.

Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.
11 WORKING WITH USER ACCOUNTS Chapter 6. Chapter 6: WORKING WITH USER ACCOUNTS2 CHAPTER OVERVIEW Understand the differences between local user and domain.

11 WORKING WITH USER ACCOUNTS Chapter 6. Chapter 6: WORKING WITH USER ACCOUNTS2 CHAPTER OVERVIEW Understand the differences between local user and domain.
ISEC0511 Programming for Information System Security

ISEC0511 Programming for Information System Security
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
GRAPHICAL PASSWORD AUTHENTICATION PRESENTED BY SUDEEP KUMAR PATRA REGD NO-0901223488 Under the guidance of Mrs. Chinmayee Behera.

GRAPHICAL PASSWORD AUTHENTICATION PRESENTED BY SUDEEP KUMAR PATRA REGD NO Under the guidance of Mrs. Chinmayee Behera.
Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.

Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.
Managing Network Security ref:www.microsoft.com. Overview Using Group Policy to Secure the User Environment Using Group Policy to Configure Account Policies.

Managing Network Security ref: Overview Using Group Policy to Secure the User Environment Using Group Policy to Configure Account Policies.

Similar presentations

Ads by Google