CSC 386 – Computer Security Scott Heggen. Agenda Authentication.


1 CSC 386 – Computer Security Scott Heggen

2 Agenda Authentication

3 What’s the most common form of authentication today? Why do we need authentication? The user identity is a parameter in access control decisions. The user identity is recorded when logging security-relevant events in an audit trail.

4 Identification and Authentication What’s the difference? ? mYP4$$w0rd!

5 Passwords Passwords are a secret shared between the user and the system. How does the user initially get the password? The mere process of distributing a password is a security issue!

6 Devil’s Advocate Could I guess someone’s password? Exhaustive search (brute force): try all possible combinations of valid symbols up to a certain length. Intelligent search: search through a restricted name space, e.g. passwords that are somehow associated with a user like name, names of friends and relatives, car brand, car registration number, phone number,…, or try passwords that are generally popular. Typical example for the second approach: dictionary attack trying all passwords from an on-line dictionary. You cannot prevent an attacker from accidentally guessing a valid password, but you can try to reduce the probability of a password compromise.

7

8 Defense What can you do to reduce the probability of someone guessing your password? Set a password: if there is no password for a user account, the attacker does not even have to guess it. Change default passwords: often passwords for system accounts have a default value like “manager”. Avoid guessable passwords: length, variety, randomness.

9 Good Passwords Which password is best?

Password              | Brute Force           | Dictionary Attack | Intelligent Search
password              | Sum(46) from 1 to 8   | (# of words)^1    |
MyPassword            | Sum(46) from 1 to 10  | (# of words)^2    |
MyP@$$w0rd            | Sum(46) from 1 to 10  | ?                 |
P@$$MYw0rd            | Sum(46) from 1 to 10  | ?                 |
dr0wMY$$@P            | Sum(46) from 1 to 10  | ?                 |
RedHatBrownCatYouFat  | Sum(46) from 1 to 20  | (# of words)^6    | ?
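The table above compares the three guessing strategies of slide 6 (exhaustive search, dictionary attack, intelligent search) against the password-choice advice of slide 8 (length, variety, randomness). The following Python is an added example, not part of the lecture: it computes the exhaustive-search space as the slide's Sum(alphabet) from 1 to n, counts character classes as a measure of variety, and undoes common letter-for-symbol substitutions before checking for dictionary words and user-associated terms, which is what a dictionary or intelligent search would try first. The word list, the 12-character minimum, the three-class minimum and the substitution map are assumptions chosen for the example, not policy from the slides.

```python
import string

# Constructed for the example: a tiny stand-in for an on-line dictionary.
# A real check would load a large word list (and known breached passwords).
COMMON_WORDS = {"password", "letmein", "welcome", "manager", "qwerty"}

# Undo the usual symbol-for-letter substitutions (@->a, $->s, 0->o, ...)
# so that "MyP@$$w0rd" is recognised as containing "password".
LEET = str.maketrans("@$01345!", "asoieasi")

CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,   # 32 printable ASCII symbols
}

MIN_LENGTH = 12      # assumption for the example
MIN_CLASSES = 3      # assumption for the example


def brute_force_space(max_len: int, alphabet_size: int = 46) -> int:
    """Candidates an exhaustive search must try for lengths 1..max_len.

    This is the slide's "Sum(46) from 1 to n": the sum of alphabet_size**i
    for i = 1..max_len (46 is the alphabet size used on the slide).
    """
    return sum(alphabet_size ** i for i in range(1, max_len + 1))


def normalize(pw: str) -> str:
    """Lower-case the password after reversing common substitutions."""
    return pw.translate(LEET).lower()


def char_classes(pw: str) -> set[str]:
    """Names of the character classes actually used (the 'variety' of slide 8)."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in pw)}


def check_password(pw: str, user_terms: tuple[str, ...] = ()) -> dict:
    """Evaluate a candidate password at password-set time.

    user_terms are words an intelligent search would associate with the
    user (name, relatives, car registration, phone number, ...).
    Returns the reasons for rejection plus the brute-force search space an
    attacker faces given the classes actually present in the password.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = char_classes(pw)
    if len(classes) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")

    norm = normalize(pw)
    reversed_norm = norm[::-1]          # also catches "dr0wMY$$@P"-style reversals
    for word in sorted(COMMON_WORDS):
        if word in norm or word in reversed_norm:
            reasons.append(f"contains dictionary word '{word}'")
    for term in user_terms:
        t = normalize(term)
        if len(t) >= 3 and (t in norm or t in reversed_norm):
            reasons.append(f"contains user-associated term '{term}'")

    # Effective alphabet: only the classes the password really uses count,
    # because an attacker need not try symbols that never appear.
    alphabet = sum(len(CHAR_CLASSES[c]) for c in classes)
    return {
        "ok": not reasons,
        "length": len(pw),
        "classes": sorted(classes),
        "search_space": brute_force_space(len(pw), alphabet) if alphabet else 0,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for candidate in ["password", "MyP@$$w0rd", "dr0wMY$$@P", "RedHatBrownCatYouFat"]:
        print(candidate, check_password(candidate, user_terms=("Scott",)))
```

Run against the slide's own candidates, the checker shows the trade-off the table hints at: "MyP@$$w0rd" has four character classes but still normalises to a dictionary word, while "RedHatBrownCatYouFat" is long but uses only two classes, so under this (assumed) policy neither passes.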

10 Good Passwords

11 Additional Defenses Password ageing: set an expiry date for passwords to force users to change passwords regularly. Prevent users from reverting to old passwords, e.g. keep a list of the last ten passwords used. Limit login attempts: the system can monitor unsuccessful login attempts and react by locking the user account (completely or for a given time interval) to prevent or discourage further attempts. Inform user: after a successful login, display the time of the last login and the number of failed login attempts since, to warn the user about recently attempted attacks.

12 Good Passwords Which password is best? Can you memorize it? Do you need to write it down? Does it change too often? Are you reusing a favorite password? Passwords: password, MyPassword, MyP@$$w0rd, P@$$MYw0rd, dr0wMY$$@P, RedHatBrownCatYouFat

13 Devil’s Advocate Say you are authenticating with a remote system (e.g., a website). What ways can someone learn your username and password? Spoofing, phishing, social engineering.

14 Spoofing “Hi, I’m your bank. There was a bank error in your favor. Click here to see the error.”

15 Countermeasures Display number of failed logins: may indicate to the user that an attack has happened. Trusted path: guarantee that user communicates with the operating system and not with a spoofing program; e.g., Windows has a secure attention key CTRL+ALT+DEL for invoking the operating system logon screen. Mutual authentication: user authenticated to system, system authenticated to user.
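Slide 11 (limit login attempts, keep the last ten passwords, inform the user after login) and the first countermeasure on slide 15 (display the number of failed logins) describe one piece of server-side logic. The following Python is an added example of that logic, not code from the lecture: an in-memory account store that locks an account for a time interval after repeated failures, refuses reuse of any of the last ten passwords, and on a successful login reports the previous login time and the failures since. The thresholds (5 failures, 15-minute lock), the PBKDF2 round count and the injectable clock are assumptions made for the example; the history check reuses one per-account salt so that old hashes stay comparable.

```python
import hashlib
import hmac
import os
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Optional

MAX_FAILURES = 5            # assumption: lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumption: lock "for a given time interval" (slide 11)
PASSWORD_HISTORY = 10       # slide 11: keep the last ten passwords used
PBKDF2_ROUNDS = 20_000      # assumption kept low for the example; tune upward in production
DUMMY_SALT = b"\x00" * 16   # used so unknown users cost the same as a wrong password


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    current_hash: bytes
    # Last PASSWORD_HISTORY hashes, current one included; deque drops the oldest.
    history: deque = field(default_factory=lambda: deque(maxlen=PASSWORD_HISTORY))
    failures: int = 0                  # consecutive failures since last success or lock
    failed_since_last_login: int = 0   # reported to the user on the next success
    locked_until: float = 0.0          # epoch seconds; 0 means not locked
    last_login: Optional[float] = None


class LoginMonitor:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock             # injectable clock for deterministic tests
        self.accounts: dict[str, Account] = {}

    def create(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        acct = Account(salt=salt, current_hash=hash_password(password, salt))
        acct.history.append(acct.current_hash)
        self.accounts[user] = acct

    def change_password(self, user: str, new_password: str) -> bool:
        """Reject any password still in the history window (slide 11)."""
        acct = self.accounts[user]
        new_hash = hash_password(new_password, acct.salt)
        if any(hmac.compare_digest(new_hash, old) for old in acct.history):
            return False
        acct.current_hash = new_hash
        acct.history.append(new_hash)
        return True

    def login(self, user: str, password: str) -> dict:
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, DUMMY_SALT)   # same cost and same answer as a wrong password
            return {"ok": False, "reason": "invalid credentials"}
        if now < acct.locked_until:
            # Even the right password is refused while the lock is active.
            return {"ok": False, "reason": "locked", "retry_after": acct.locked_until - now}
        if hmac.compare_digest(hash_password(password, acct.salt), acct.current_hash):
            # "Inform user": report last login time and failures since (slides 11 and 15).
            info = {"ok": True, "last_login": acct.last_login,
                    "failed_since_last_login": acct.failed_since_last_login}
            acct.failures = 0
            acct.failed_since_last_login = 0
            acct.last_login = now
            return info
        acct.failures += 1
        acct.failed_since_last_login += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return {"ok": False, "reason": "locked", "retry_after": LOCKOUT_SECONDS}
        return {"ok": False, "reason": "invalid credentials"}


if __name__ == "__main__":
    m = LoginMonitor()
    m.create("alice", "correct horse")
    for _ in range(3):
        print(m.login("alice", "wrong"))
    print(m.login("alice", "correct horse"))   # ok, with 3 failures reported
```

The lock applies to the account, not the source address, so the count of failures since the last login is what the legitimate user sees on the next successful login, exactly the signal slide 15 says "may indicate to the user that an attack has happened".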

16 Phishing “Hi, I’m a Kenyan prince. I want to send you $2,000,0000,00 dollars. Send me your SSN, birth date, address, full legal name, driver’s license number, ….”

17 Countermeasures Take care to enter your passwords only at the “right” site (but how do you know?). No legitimate business will ask you for your password via e-mail. Why would they need it? They can access all of your information already!

18 Social Engineering Attacker impersonates the user to trick someone else into releasing information: http://www.healthsecuritysolutions.com/2012/12/kate-middleton-prank-faciliated-by-simple-social-engineering/#.U_3x0cVdWs0

