Presentation is loading. Please wait.

Presentation is loading. Please wait.

Homework #4 Comments. Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. –Email, Websites,

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Homework #4 Comments. Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. –Email, Websites,"— Presentation transcript:

1 Homework #4 Comments

2 Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. –Email, Websites, ATMs, Doors, Lockers, etc. Password Recovery: –Challenge/response questions –Knowledge of previous transactions

3 Why the explosion of passwords? Need to protect configuration information –BIOS passwords, VChip, Cell Phones, etc. Web services need persistent identification of users over time No national/international identification service Microsoft Passport has failed

4 Student Recommendations Change passwords periodically –Minimum every 3 months –Minimum every year –Minimum every month… Keep passwords in separate places Use Multiple passwords Encrypt your passwords

5 New Ideas in Student Solutions Instead of typing the password, have the user answer questions about their password Some letters on the keyboard are easier to shoulder-surf than others. (xds) (,k)

6 Anderson: 3 types of password concerns Will the user break the system security by disclosing the password to a third party, whether accidentally, on purpose, or as a result of deception? Will the user enter the password correctly with a high enough probability? Will users remember the password, or will they have to either write it down or choose one that’s easy for the attacker to guess?

7 A Password Policy “The root password for each machine shall be too long to remember, at least 16 alpha and numeric characters chosen at random by the system; it shall be written on a piece of paper and kept in an envelope in the room where the machine is located; it may never be divulged over the telephone or used over the network; it may only be entered at the console of the machine that it controls.” [Anderson, p. 37]

8 Threats to Passwords What are the threats against passwords? –Guessing –Brute force search –Shoulder surfing –Discovering passwords that are written down –Passwords collected at one website used for another Kinds of attacks: –Offline –Online

9 Eavesdropping risks Physical device --- key grabber Trojan Horse Tapped lines Video Camera … The need for trusted path

10 Kinds of Attacks: Targeted attack on one account Attempt to penetrate any account on a system Attempt to penetrate any account on any system Service denial attack

11

12 Is login.ccs.neu.edu susceptible to password cracking? Yes! [denali: ~] > ypcat passwd | head -20 packardj:qXb6U9G3Io3Zc:9045:104:Joshua R. Packard:/home/packardj:/bin/tcsh tlannen:Y37EBLKOj4jvw:8332:105:Tim J. Lannen:/home/tlannen:/bin/tcsh eponine:RpYmQfWHpklUk:5220:117:Jennifer Wand:/home/eponine:/bin/tcsh accamma:Tq7vZzAufg8kA:9295:101:Accamma I. Vasantha:/home/accamma:/bin/tcsh sajitk:NXj3x1vHYHD3w:9488:101:Sajit Kunjachen:/home/sajitk:/bin/tcsh apearl:eKiqEU7sVN15Q:8340:104:Andrew R. Pearl:/home/apearl:/bin/tcsh mball:N3qhNaXujXfB2:7680:104:James T. Bennett:/home/mball:/bin/tcsh ghu:kRpRWBOjfbsUY:6653:101:guowei hu:/home/ghu:/bin/tcsh rt:*:7925:1012:Request Tracker:/home/rt:/bin/tcsh neuboy83:7MaJl3KpqZ/2Y:9512:105:Tariq N. Seifuddin:/home/neuboy83:/bin/tcsh

13 Protecting against Online Attacks: Defenses Against Guessing: –Exponential back-off; Lock out; Notification; “Cracking” –Dangers of lock-out Ebay doesn’t use it; why not?

14 Protecting against Offline Attacks Does it make sense to mandate symbols and numbers in passwords? –# of letters: 52 (26 lower + 26 UPPER) –# of symbols: 30 –# of 8 letter passwords: 52 8 –# of 7 character passwords with 1 symbol: (52 7 )(30)(8) –How about forcing 1 number and 1 symbol? (52 6 )(30)(8)(10)(7)

15 Password Generating Algorithms What’s wrong with giving advice on how to generate passwords? What’s the alternative? Programmatically picking passwords that are easy-to-remember

16 Developer Recommendations Force users to change passwords regularly Password != Username Require 8 or more characters Require a mix of alpha, numeric, and special characters Deny Access After a number of failed Attempts Do not send passwords “in the clear” Do not assign “default passwords”

17 Restrictions on Passwords: No Consistency 1-14 characters vs. 1-127 characters vs. 10-127 characters –Recommendation: Mandate minimums, but allow people to type extra characters (that might be ignored) –ATM networks used to ignore all characters after first 4 Some passwords are case-sensitive; some are not. –Recommendation: Check password with case-flipped for CAPS LOCK ON accident. Some systems allow the use of special characters, some do not. –Why does this happen? –What do we do about this?

18 Password Recovery What’s the best way to do it? Automatic vs. Manual “What is your favorite Color?” EBAI

19 Anderson’s Research Problems in Passwords: What is the best way to enforce user compliance with a password policy? Can we design interactive password systems that are better? Can we use multiple passwords? –Mother’s maiden name –Password –Amount of last purchase –Dog’s nickname –Your favorite color…

Download ppt "Homework #4 Comments. Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. –Email, Websites,"

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.

Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.
CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords.

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords.
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.

Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
Chapter 3 Passwords Principals Authenticate to systems.

Chapter 3 Passwords Principals Authenticate to systems.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Similar presentations

Ads by Google