
Access Controls and Authentication




1 Access Controls and Authentication
Passwords

2

3 Readings
Password Vulnerabilities
  Why passwords have never been weaker...
Storing passwords
  A salt free diet is bad for your security...
  Threshold Cryptography...
Password Usage
  An analysis of ID-password usage...
Password Composition Policies
  Why do we keep doing this?
  Why it Pays to Submit to Hackers
New kinds of authentication
  Active Authentication
  Learn a password subconsciously...
  Risk-Based Authentication
Solutions to the Common Password
  Diceware
  Password Managers (1Password demo)

4 Password Vulnerabilities
Password cracking
  The practice of inputting plaintext through a hashing algorithm and comparing the result with a compromised hash
  If compromised hash = computed hash, you know the password (the input)
Dictionary attacks
  Comparing known words and their hashes to compromised hashes
  The exploit becomes a 2-step process: generate word lists, then compare
  Time and storage problem
Table look-up
  Known password lists: 60% of newly compromised passwords are already in tables/cracked
  The exploit becomes a 1-step process: generating word lists is less necessary, table look-up only
Hybrid attack
  Combines the dictionary with intelligence gathered from known passwords
  For example: gather all names from Facebook and combine with dictionary words

5 Storage Problem
You can run all possible combinations of any size password through any hashing algorithm and store the results, but...
  It takes terabytes of storage space
Hellman/Rainbow tables reduce the space requirement by storing only the 1st password and the last generated hash of each chain
GPU-assisted cracking has reduced the need for rainbow tables

6 Hacker Password Analysis
Most capitalized letters are at the beginning of a password
Most numbers and special characters are at the end
Quite a lot of first name followed by year
Add number or special characters at the beginning or (usually) end
Mangling
  Super – sup34
  Princess = Prince$$
Mirror images
  mypassworddrowssapym

7 SplashData's 25 Most Popular Passwords for 2012
1. password (Unchanged)
2. (Unchanged)
3. (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)
Compiled from files containing millions of stolen passwords posted online by hackers.

8 Just the facts, John...
PC running with 1 AMD Radeon HD7970 GPU
  Processes 8.2 billion passwords per second
The biggest boon to cracking passwords, however, is theft of non-secure credential files
  Rockyou.com: 32 million plaintext passwords, 14 million after duplicates were removed
  Now there exists a database of commonly used passwords
If you can "crack" 8.2 billion per second, how fast do you think you can look one up?

9 Let's look at some numbers
Steven1961: 10 characters, 52 letters
Password length = 10, so 62^10 = 839,299,365,868,340,224* / 8 billion per second** = 104,912, (1,748, minutes; 29, hours; 1, days;) 3.33 years to crack, but...
Hackers know our patterns, so...
  10 characters, last 4 are numbers, 1st may be capitalized
  52 x 26 x 26 x 26 x 26 x 26 x 10 x 10 x 10 x 10 / 8 billion = seconds, minutes to crack
But what if the hacker goes to my Facebook page?
  10 characters, last 4 are numbers, and they're probably 1961, so...
  52 x 26 x 26 x 26 x 26 x / 8 billion = .07 seconds to crack
*eight hundred thirty nine quadrillion, two hundred ninety nine trillion, three hundred sixty five billion, eight hundred sixty eight million, three hundred forty thousand, two hundred twenty four

10 Server Password Cracking
Password-cracking programs
Brute-force password guessing
  Try all possible passwords of length 1, length 2, etc.
  Thwarted by passwords that are long and complex (using all keyboard characters)
  N is the password length, in characters
    Alphabet, no case: 26^N possible passwords
    Alphabet, upper and lower case: 52^N
    Alphanumeric (letters and digits): 62^N
    All keyboard characters: ~80^N
Copyright Pearson Prentice-Hall 2010

11 Password Complexity and Length are both Crucial
Number of possible passwords = N^L, where L is the password length in characters and N is the alphabet size:
  Low complexity, alphabetic, no case: N=26
  Alphabetic, case-sensitive: N=52
  Alphanumeric, letters and digits: N=62
  High complexity, all keyboard characters: N=80

Length (L)     N=26            N=52            N=62            N=80
1              26              52              62              80
2              676             2,704           3,844           6,400
4              456,976         7,311,616       14,776,336      40,960,000
6              308,915,776     19,770,609,664  56,800,235,584  2.6214E+11
8              2.0883E+11      5.3460E+13      2.1834E+14      1.6777E+15
10             1.4117E+14      1.4456E+17      8.3930E+17      1.0737E+19

Note: On average, an attacker will have to try half of all combinations.
Copyright Pearson Prentice-Hall 2010

12 GPU Cracking
What is it?
  Using a graphics card to brute-force passwords
How fast does it work?
  Millions of attempts per second
  GPU Bruteforcer: 450 million per second, but... it depends on the hash
How long would a 12 character password using U, l, 0-9, &^% take?
  94^8 = 6,095,689,385,410,816
  MD5 = 166 days?
  SHA-512 = 5,427 days? ~15 years
  Even a 6 character password would take ~15 hours
Easy audit question for SOX compliance: how are you hashing your passwords?

13 Server Password Cracking
Other password threats
Keystroke capture software
  Trojan horse displays a fake login screen, reports its findings to attackers
Shoulder surfing
  Attacker watches as the victim types a password
  Even partial information can be useful
    Part of the password: P_ _sw_ _d
    Length of the password (reduces time to do brute-force cracking)
iPhone/smartphone keylogging (reported 10/18/2011)
  Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers
  Solution: keep your smartphone away from your keyboard
Copyright Pearson Prentice-Hall 2010

14 Storing Passwords (Salting Hashes)
Start with the obvious: passwords should not be stored 'in the clear'
The LinkedIn hack
  Over six million passwords belonging to LinkedIn users have been compromised
  A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them
  Stored passwords as SHA-1, but without 'salt'
  So, password123 stored as: cbfdac6008f9cab cbd1874f76618d2a97
Need for salting hashes: rainbow tables
  Salting means adding random characters (the salt) at the beginning of a password and then hashing it
  So, password123 might become KiJqpassword123, hashed to 51472f680dc6cc5ce44366d765ca71148f68e36c, and stored (salt first) as: KiJq51472f680dc6cc5ce44366d765ca71148f68e36c
  Now any two users with password123 will have different stored hashes not found in rainbow tables
  Or at least it will be harder to create rainbow tables
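An added example in Python (not the slides' or LinkedIn's code) making slide 14's point concrete: with an unsalted SHA-1 store, two users who chose password123 get identical records, and a table computed once answers every record by lookup; with a per-record salt the records differ and the table gives no reuse. The accounts, passwords and five-entry table are constructed; the salt is 8 random bytes in hex, since the slide's four-character KiJq is only an illustration. SHA-1 is kept because the slide discusses it; salting stops precomputation but does nothing to slow a fast hash.

```python
# Added example (not from the slides): the contrast slide 14 draws between
# LinkedIn's unsalted SHA-1 records and a salted record. The users, their
# passwords and the five-entry "precomputed table" are constructed; the salt
# is 8 random bytes as hex (the slide's 4-character "KiJq" is illustrative).
import hashlib
import hmac
import secrets

SALT_HEX_LEN = 16  # 8 random bytes, hex-encoded


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(password: str) -> str:
    """LinkedIn-style record: bare SHA-1, so equal passwords give equal records."""
    return sha1_hex(password.encode())


def store_salted(password: str, salt: str = None) -> str:
    """Slide 14's scheme: salt in front of the password, record = salt || SHA-1(salt || password)."""
    if salt is None:
        salt = secrets.token_hex(SALT_HEX_LEN // 2)
    return salt + sha1_hex((salt + password).encode())


def verify_salted(password: str, record: str) -> bool:
    """Split the stored salt back off, recompute, compare in constant time."""
    salt, digest = record[:SALT_HEX_LEN], record[SALT_HEX_LEN:]
    return hmac.compare_digest(sha1_hex((salt + password).encode()), digest)


# Constructed stand-in for a rainbow/lookup table: SHA-1 of a few common
# passwords, computed once and reused against every unsalted record.
COMMON = ["password123", "letmein", "qwerty", "monkey", "dragon"]
TABLE = {store_unsalted(w): w for w in COMMON}


def table_hits(records: list) -> int:
    """Unsalted records: each one is a single dictionary lookup, no hashing at all."""
    return sum(1 for r in records if r in TABLE)


def salted_hashes_needed(records: list, candidates: int = len(COMMON)) -> int:
    """Salted records: the table is useless; every record costs `candidates` fresh hashes."""
    return len(records) * candidates


def demo() -> dict:
    # Constructed accounts; two users happen to share a password.
    users = {"alice": "password123", "bob": "password123", "carol": "letmein"}
    unsalted = [store_unsalted(p) for p in users.values()]
    salted = [store_salted(p) for p in users.values()]
    return {
        "unsalted_records_identical": unsalted[0] == unsalted[1],
        "salted_records_identical": salted[0] == salted[1],
        "table_hits_unsalted": table_hits(unsalted),
        "table_hits_salted": table_hits(salted),
        "salted_hashes_needed": salted_hashes_needed(salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("SHA-1(password123) =", store_unsalted("password123"))
```

The unsalted store is also what makes the slide's "6.4 million hashes, cracked cooperatively" story possible: everyone with the file shares one lookup table and one answer per distinct hash, whereas salted records force the same work to be repeated per record.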

15 Threshold Cryptography
Complex math but a simple idea
  Take a password
  Divide it
  Hash the pieces
  Store the pieces on separate servers
Increases the number of exploits that have to be carried out to get the pieces
Need a way to determine how to put the pieces together again

16 RSA Distributed Credential Protection
How does it work?

17 Why all this fuss?
An Analysis of ID-password Usage (Bang, Lee, Bae and Ahn, 2012)
What were the highlights of this article?

18 Analysis of ID-Password Usage
Users are usually the weakest link
  Choose weak/simple passwords
  Password memorability can be difficult: can anyone remember the password from the wiki cartoon?
  Reuse passwords on multiple sites
    Even if your site has strong security (?), a weaker site with the same password could compromise your site
Study examines:
  Re-use of login credentials
  Creation of a Vulnerability Index

19 Re-use
Item                                       Mean
Number of sites                            105.7
Number of unique IDs                       6.6
Number of unique passwords                 4.7
Number of unique log-in credentials        11.8
ID re-use ratio                            19.1
Password re-use ratio                      29.2
Log-in credentials re-use                  10.5
% of used unique log-in credentials        45.6%

20 Class Results

21 Vulnerability Index: Network Theory
Sites with the same log-in credentials (node)
Connected nodes use the same log-in credentials (component)
Unique log-in credentials (isolate)
Inclusiveness = # of connected nodes / total nodes (12/14 = 85.7%)
Largest network (5/14 = 35.7%)
2nd largest network (28.6%)
3rd largest network (21.4%)

22 VI: Result from Study
Item                                                Mean
Inclusiveness (use the same log-in credentials)     0.94
Largest component                                   0.54
2nd largest component                               0.18 (0.72 cumulative)
3rd largest component                               0.09 (0.81 cumulative)
Vulnerability Index                                 0.38
The 3 most frequently used log-in combinations are used on 81% of sites, vs unique log-in credentials
VI = expected proportion of sites subject to potential breaches if a breach at one site occurs
Larger values of VI indicate higher levels of vulnerability
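The network measures of slides 19, 21 and 22 as an added Python example (not the study's code). It takes one user's site-to-credential inventory, groups sites that share an identical (ID, password) pair into components, and reports inclusiveness, the top component shares with their cumulative sum, and a vulnerability index. The 14-site inventory is constructed to reproduce slide 21 (components of 5, 4 and 3 sites plus two isolates). The VI formula is an assumption about the slide's one-line definition: the breached site is drawn uniformly at random and every site in its component is exposed, giving VI = sum over components of (size/n)^2; the study's exact formula may differ.

```python
# Added example (not from the study or the slides): the credential-reuse
# network measures of slides 21 and 22, computed from one user's
# site -> (ID, password) inventory. The 14-site inventory is constructed to
# match slide 21 (12 of 14 sites connected; components of 5, 4 and 3 sites
# plus two isolates). The VI formula is an assumption: a breach hits one site
# chosen uniformly at random and exposes every site in that site's component.
from collections import defaultdict


def example_inventory() -> dict:
    """Constructed site -> (ID, password) map; IDs and passwords are placeholders."""
    cred_a = ("id-1", "pw-A")   # reused on 5 sites
    cred_b = ("id-1", "pw-B")   # reused on 4 sites
    cred_c = ("id-2", "pw-C")   # reused on 3 sites
    inventory = {f"site{i:02d}": cred_a for i in range(5)}
    inventory.update({f"site{i:02d}": cred_b for i in range(5, 9)})
    inventory.update({f"site{i:02d}": cred_c for i in range(9, 12)})
    inventory["site12"] = ("id-2", "pw-D")  # isolate
    inventory["site13"] = ("id-3", "pw-E")  # isolate
    return inventory


def components(inventory: dict) -> list:
    """Sites sharing an identical (ID, password) pair form one component; largest first."""
    groups = defaultdict(list)
    for site, cred in inventory.items():
        groups[cred].append(site)
    return sorted(groups.values(), key=len, reverse=True)


def inclusiveness(comps: list, n_sites: int) -> float:
    """Share of sites connected to at least one other site (slide 21: 12/14)."""
    connected = sum(len(c) for c in comps if len(c) > 1)
    return connected / n_sites


def component_shares(comps: list, n_sites: int, top: int = 3) -> list:
    """Largest components as a share of all sites (slide 21: 5/14, 4/14, 3/14)."""
    return [len(c) / n_sites for c in comps[:top]]


def cumulative(shares: list) -> list:
    out, running = [], 0.0
    for s in shares:
        running += s
        out.append(running)
    return out


def vulnerability_index(comps: list, n_sites: int) -> float:
    """Assumed VI: expected share of sites exposed when one random site is breached.

    P(the breach lands in component c) = |c|/n, after which |c|/n of all
    sites are exposed (the breached site included): VI = sum of (|c|/n)^2.
    """
    return sum((len(c) / n_sites) ** 2 for c in comps)


def report(inventory: dict) -> dict:
    n = len(inventory)
    comps = components(inventory)
    shares = component_shares(comps, n)
    return {
        "sites": n,
        "component_sizes": [len(c) for c in comps],
        "inclusiveness": inclusiveness(comps, n),
        "top_shares": shares,
        "cumulative": cumulative(shares),
        "vi": vulnerability_index(comps, n),
    }


if __name__ == "__main__":
    inv = example_inventory()
    print("before:", report(inv))
    # Slide 23's remedy: give two sites in the largest component new
    # combinations of IDs and passwords the user already has.
    changed = dict(inv)
    changed["site00"] = ("id-1", "pw-C")
    changed["site01"] = ("id-2", "pw-A")
    print("after: ", report(changed))
```

The main block also applies slide 23's remedy: two sites in the largest component get new combinations of IDs and passwords the user already has, the largest component shrinks from 5 to 3 sites and VI drops from 52/196 to 38/196 without a single new ID or password, which is exactly the slide's claim that vulnerability can fall without increasing the number of IDs or PWs.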

23 Reducing VI
Reducing the number of sites where log-in credential combinations are used (reduce component size)
Increasing the number of different log-in credentials
Thus, vulnerability can be decreased without increasing ID's, PW's or log-in credential combinations

24 Implications
Firms need a network perspective
  Firms can be compromised due to outside company security lapses
Firms should implement log-in credential procedures other than ID/PW
Policy makers need to enforce log-in credential implementation (critical)
Public awareness of the problem needs to be improved
  Discrepancy-enlarging feedback loop

25 Cybernetic Theory: Discrepancy-enlarging feedback
Used to explain avoidance behavior
Compare your present state to the undesired (avoidance) state
[Figure: Avoidance State vs Present State]

26 Password Composition Policies
What is a password composition policy?
What is the UCF policy for NIDs?
How do password composition policies affect user behavior?

27 Different Policies
Basic8Survey
Basic8
Basic16
Dictionary8
Comprehensive8

28 Major Findings
16 character minimum provides the greatest entropy with relatively low levels of usability issues
Dictionary checks reduced cracking of most passwords via heuristics
Most participants write down or store their passwords electronically
Users created passwords that exceeded the minimum requirements

29 Why do we choose weak passwords?
We know we need strong passwords
We know we need to back up our computers
In general we don't do it. Why?
Economics:
  Cost (time & energy) now
  Benefit sometime in the future, maybe!
  Black Swan incident: what is this?
  Hyperbolic discounting: what is this?
Fixes:
  Binding mechanisms: allow a new site/app to remind me in the future to update my credentials
  Secure defaults: I say use a password manager
  User friendliness: make credentials easier for humans (face recognition vs character string memorization)
  Incentives: discount for using strong passwords; costs for not. Why are CC companies responsible for your lack of a strong password?

30 Can we strengthen security of passwords?
Use a password manager
  1Password
  Roboform
Password Based Key Derivation Function 2 (PBKDF2)
  Systems using PBKDF2
Copyright Pearson Prentice-Hall 2010
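Slide 30 lists PBKDF2 as a way to strengthen stored passwords; the added Python example below (this page's own illustration, not 1Password's or Roboform's code) shows the shape of such a store with hashlib.pbkdf2_hmac: a random per-user salt, an iteration count kept in the record so it can be raised later, constant-time verification, and a check that flags records made under an older, cheaper policy. The record layout and the 600,000 iteration default are this example's choices.

```python
# Added example (not from the slides or from any password manager): PBKDF2
# password storage, the "Password Based Key Derivation Function 2" item on
# slide 30, via hashlib.pbkdf2_hmac. The record layout
# "pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>" and the 600,000
# iteration default are this example's choices.
import base64
import hashlib
import hmac
import secrets
import time

ALGO = "sha256"
ITERATIONS = 600_000   # cost knob: raise it as hardware speeds up
SALT_BYTES = 16
DKLEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Derive a key from the password under a fresh per-user salt and pack it into one record."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return f"pbkdf2_{ALGO}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the salt and iteration count stored in the record; constant-time compare."""
    try:
        scheme, iterations, salt_b64, dk_b64 = record.split("$")
        algo = scheme.split("_", 1)[1]
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt,
                                        int(iterations), dklen=len(expected))
    except (ValueError, IndexError):
        return False  # malformed record never verifies
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum: int = ITERATIONS) -> bool:
    """True when a stored record was made with fewer iterations than the current policy."""
    try:
        return int(record.split("$")[1]) < minimum
    except (ValueError, IndexError):
        return True


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Rough single-core guess rate at this cost; compare it with slide 8's 8.2 billion/s."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac(ALGO, b"probe", b"0123456789abcdef", iterations, dklen=DKLEN)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok: ", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("correct horse battery stable", record))
    legacy = hash_password("old", iterations=10_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
    print(f"~{guesses_per_second(ITERATIONS):.1f} guesses/s at {ITERATIONS} iterations on this core")
```

Unlike the unsalted SHA-1 of slide 14, every guess against one of these records costs the attacker the full iteration count, so the per-second figures of slides 8 and 12 shrink by roughly that factor; the salt is stored in the clear on purpose, since its job is uniqueness, not secrecy. On a successful login, needs_rehash() is the hook for transparently upgrading old records to the current iteration count.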

31 1Password's password system
I have two pets named Fred and Alice: Ihave2pets:Fred&Alice
Looks pretty secure, but...
Use spaces to help you remember: I have 2 pets: Fred & Alice
Don't tell the truth: I have 3 pets: LeBron, Dwane & Chris
Don't make sense: I have 35 pets: LeBron, Dwane & Chris
Avoid predictable phrases: I have 35 pets: Lebron, Dwane & Amy
But this is still predictable
Copyright Pearson Prentice-Hall 2009

32 Diceware Passwords (Arnold Reinhold)
Introduce randomness into passwords
  Roll dice to select a word
  Roll dice again to select the next word
  Continue
Copyright Pearson Prentice-Hall 2010

33 How many words? Password vs. Passphrase
Password
  Usually 4-10 characters (2 Diceware words)
  Insert a random special character between the 2 words
Passphrase
  20-40 characters (4-5 Diceware words)
Entropy
  How hard it will be for an attacker to know the passphrase given the method of selection, measured in bits
  Flip of a coin = 1 bit of entropy
  Diceware word = 12.9 bits of entropy
  4 words: 51.6 (use at least 11 characters)
  5 words: 64.6
  6 words: 77.5 (use at least 17 characters)
  7 words: 90.4 (use at least 20 characters)
  10 words: 128
  For passphrases for encryption, 6 is recommended
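The Diceware procedure of slides 32 and 33 as an added Python example (not Reinhold's own code or word list): dice rolls from the OS CSPRNG, base-6 decoding of a roll sequence into a list index, the per-word entropy as log2 of the list size, the minimum-length rule, and the "insert a random special character between two words" variant. The 36-word list (two dice per word) and the symbol set are constructed; the real list has 6^5 = 7,776 words. With the exact log2(7776) per word, four words come to 51.7 bits, a hair above the slide's rounded 51.6.

```python
# Added example (not from Reinhold's Diceware page or the slides): the
# selection procedure of slides 32 and 33 with CSPRNG dice, base-6 decoding
# of a roll sequence, and the entropy arithmetic. DEMO_WORDS is a constructed
# 36-word list (two dice), standing in for the real 7,776-word (five-dice)
# Diceware list, which is not embedded here.
import secrets
from math import log2

DICE_SIDES = 6
DICEWARE_LIST_SIZE = DICE_SIDES ** 5  # 7776 entries in the real list
SYMBOLS = "!@#$%^&*()-=+[]{};:,.<>?/"   # constructed set for the "random special character" step

# Constructed 36-word list, indexed by two dice rolls (11, 12, ..., 66).
DEMO_WORDS = [
    "acid", "aim", "ant", "ape", "arch", "ask", "bake", "bald", "barn", "bath", "bead", "beam",
    "bee", "bell", "bend", "bet", "bike", "bird", "blot", "blue", "boat", "bold", "bone", "book",
    "boot", "bow", "box", "bud", "bulb", "bump", "bus", "cab", "cage", "cake", "calm", "camp",
]


def roll_dice(count: int) -> list:
    """`count` rolls of a fair die from the OS CSPRNG, each 1..6."""
    return [secrets.randbelow(DICE_SIDES) + 1 for _ in range(count)]


def rolls_to_index(rolls: list) -> int:
    """Read rolls as base-6 digits: [1,1,1,1,1] -> 0 ... [6,6,6,6,6] -> 7775."""
    index = 0
    for r in rolls:
        if not 1 <= r <= DICE_SIDES:
            raise ValueError(f"bad roll {r}")
        index = index * DICE_SIDES + (r - 1)
    return index


def dice_per_word(wordlist: list) -> int:
    """A Diceware list must hold exactly 6^k words; returns k or raises."""
    k, size = 0, 1
    while size < len(wordlist):
        size *= DICE_SIDES
        k += 1
    if size != len(wordlist):
        raise ValueError("list size must be a power of 6")
    return k


def entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Bits per word is log2(list size): about 12.92 for the 7,776-word list."""
    return n_words * log2(list_size)


def diceware_passphrase(wordlist: list, n_words: int, min_chars: int = 0) -> str:
    """Roll for each word; reroll the whole phrase if it is shorter than min_chars."""
    k = dice_per_word(wordlist)
    while True:
        words = [wordlist[rolls_to_index(roll_dice(k))] for _ in range(n_words)]
        phrase = " ".join(words)
        if len(phrase) >= min_chars:
            return phrase


def two_word_password(wordlist: list) -> str:
    """Slide 33's short form: two words with one random special character between them."""
    first, second = diceware_passphrase(wordlist, 2).split(" ")
    return first + secrets.choice(SYMBOLS) + second


if __name__ == "__main__":
    print(diceware_passphrase(DEMO_WORDS, 4, min_chars=11))
    print(two_word_password(DEMO_WORDS))
    for n in (4, 5, 6, 7, 10):
        print(n, "words:", round(entropy_bits(n), 1), "bits")
    print("the 36-word demo list gives only", round(entropy_bits(4, len(DEMO_WORDS)), 1), "bits for 4 words")
```

The minimum-character rule the slide attaches to each word count exists because a phrase of unusually short words could be guessed as a character string faster than as a word sequence; rerolling when the phrase is too short keeps the word-level entropy as the binding figure. The last print line shows why the list size matters: the same four rolls against a 36-word list yield only about 20.7 bits.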

34 Finally... Even Stronger
Insert your own word into the set of Diceware words
  P35:LD&A + Diceware words

35 How many characters?

36 Active Authentication
What is it? How will it work?

37 AA: What is it?
Authentication based on how you perform tasks
Distinct behavioral characteristics: a cognitive fingerprint
  Keyboard dynamics: length of time a key is held down, and time to move to another key
  Mouse movement
These repetitive movements are not controlled by deliberate thought and are therefore hard to mimic

38 AA – How will it work?

39

40 Let's Play a Game: Pros and Cons

41 Risk Based Authentication

