Presentation is loading. Please wait.

Presentation is loading. Please wait.

Password security Dr.Patrick A.H. Bours. 2 Password: Kinds of passwords Password A string of characters: PIN-code A string.

Published byAshlynn James Modified over 8 years ago

Similar presentations

Presentation on theme: "Password security Dr.Patrick A.H. Bours. 2 Password: Kinds of passwords Password A string of characters: PIN-code A string."— Presentation transcript:

1 Password security Dr.Patrick A.H. Bours

2 2 Password: Kinds of passwords Password A string of characters: A,B,C,…d,e,f,…1,2,3…!,”,@,… PIN-code A string of numbers Pass phrase A sentence Associative and cognitive passwords Answers to the questions Associative, cue words Black: white, strawberry: blueberry, dad: mum, day: night etc. Cognitive What is your second name? How many cats do you have? Which chocolate you like best? Pass face, pass image

3 3 Password: Password space - S S is the total set of all passwords Size of S is denoted by s 4-digit PIN codes: s = |S| = 10 4 6 character passwords: s = 26 6 s = 52 6 s = 62 6 s = 94 6

4 4 Password: The art of counting Number of possibilities with one dice: 6 Number of possibilities with two dices: Unordered: 21 Ordered: 36 Number of 5 letter combinations: 26 5 Including capitals: 52 5 Including numbers: 62 5 All keyboard symbols: 94 5

5 5 Password: Combinatorics - 1 We will count the number of 6 character passwords All is possible: letters, capitals, numbers and special characters If no restriction, then we have 94 6 possible passwords On the next slides we will introduce specific restrictions

6 6 Password: Combinatorics - 2 At least 1 number? Total number of 6 character passwords: 94 6 Number of 6 character passwords without numbers: 84 6 Answer: 94 6 – 84 6 = 338.571.749.440 Trick: All – those that are wrong

7 7 Password: Combinatorics - 3 Have 6 different characters? First character: 94 possibilities Second character: (94-1) possibilities Third character: (94-2) possibilities Answer: 94*93…*89 = 586.236.072.240 = Trick: Count every time what is still possible

8 8 Password: Combinatorics - 4 At least 1 capital and 1 number? No restrictions: 94 6 No capitals: 68 6 No numbers: 84 6 No capitals and no numbers: 58 6 Answer: 94 6 -68 6 -84 6 +58 6 = 277.772.959.360 = 2 38,02 Trick: All – wrong ones + those subtracted twice!

9 9 Password: Combinatorics – 5 Exactly 1 number? Choose position where the number will be: 6 possibilities Number on that position: 10 possibilities All other 5 positions: (94-10) possibilities Answer: (6*10) * 84 5 = 250.927.165.440 Trick: Place number first.

10 10 Password: Combinatorics - 6 Exactly 1 number and exactly 1 capital? Choose position for the number: 6 possibilities Number on that position: 10 possibilities Choose position for the capital: (6-1) possibilities Capital on that position: 26 possibilities All other 4 positions: (94-10-26) possibilities Answer: (6*10) * (5*26) * 58 4 = 88.268.668.800 Trick: Place number and capital first

11 11 Password: Combinatorics - 7 Exactly 2 numbers? Choose 2 positions for the numbers: 6*5/2 = 15 possibilities Numbers on those position: 10 possibilities All other 4 positions: (94-10) possibilities Answer: 15*10 2 * 84 4 = 74.680.704.000 =

12 12 Password: Combinatorics - 8 Choose 2 positions for the numbers gives 15 possibilities. Why? “Choose m out of n”: n*(n-1)*…*(n-m+1) / m*(m-1)*…*1 = = n! / (m! * (n-m)!) k! = 1*2*…*(k-1)*k “Choose 2 out of 6”: 6!/(2!*4!) = 15

13 13 Password: Probabilities What is the probability that a random password of 6 characters has no number in it? Answer: 84 6 / 94 6 = (84/94) 6 = 0,509 So approximately have of the 6 character passwords does not have a number in it! In general is the probability equal to the size of set of correct answers divided by the total number of answers.

14 14 Password: Statistics - Introduction Let x = (x 1,x 2,…,x n ) and y = (y 1,y 2,…,y n ) be two equally long sequence of numbers. Let p i be the probability that occasion x i occurs. p 1 + p 2 + … + p n = 1

15 15 Password: Statistics - Mean  The mean of x is the weighted average of the values of x. The weights are the probabilities. Also called “Expected value” E(x) =  x The mean  x of x is defined as:  x = p 1 x 1 + p 2 x 2 + … + p n x n

16 16 Password: Statistics - Mean  - example Values of a dice: x = (1,2,3,4,5,6) True dice: p = (1/6,1/6,1/6,1/6,1/6,1/6)  x = (1+2+3+4+5+6)/6 = 3.5

17 Patrick Bours17 Password: Statistics - Variance σ 2 The variance is a measure of how much the members of x are scattered around their mean. The variance σ x 2 of x is defined as: σ x 2 = V(x) = E( x -  x ) 2 = = E(x 2 ) – 2  x E(x) + (  x ) 2 = = E(x 2 ) - (  x ) 2

18 Patrick Bours18 Password: Statistics - Covariance  xy We use covariance to measure similarity between x and y.  xy = E( (x -  x ) * (y -  y ) )

19 Patrick Bours19 Password: Statistics - Correlation  xy  xy =  xy / (  x *  y ) If  xy = 0 then x and y are uncorrelated. The larger |  xy | is, the more x and y are correlated. Sign of  xy tells something about direction of correlation

20 Patrick Bours20 Password: Entropy - h Entropy h is a measure of the randomness Entropy h is the number of bits needed to describe the members of S In formula: h = log 2 (s) Assumption: all passwords are equally likely

21 Patrick Bours21 Password: Examples of entropy 4-digit PIN code: s = 10 4 h = log 2 (10 4 ) = 13,3 6 character password s = 94 6 h = log 2 (94 6 ) = 39,3

22 Patrick Bours22 Password: Entropy – more complicated Let S = {s 1, s 2, …, s s } Let P = {p 1, p 2,…, p s }, where p i is the probability someone uses password s i Entropy is now defined as: h = -p 1 log(p 1 ) - p 2 log(p 2 ) - … - p s log(p s )

23 Patrick Bours23 Password: Entropy – more complicated If p i = 1/s for all i then: h = -1/s log(1/s) - … - 1/s log(1/s) = = -s * 1/s * log (1/s) = -log(1/s) = log(s) So definitions are consistent

24 Patrick Bours24 Password: Good Properties Hard to guess: do not use names, dates, telephone numbers, etc. Easy to remember: no need to write it down or share with other persons Private: otherwise no authentication possible Secret: owner is the only one who knows it

25 Patrick Bours25 Password: Attacks Dictionary attack Not fooled by Capitals Change of letters into numbers Permutations What can we do?

26 Patrick Bours26 Password: To not do list - 1 PW based on user’s account name PW which match a word (or reversed word) in a dictionary, regardless if some or all of the letters are capitalized PW which match a word in a dictionary with an arbitrary letter turned into a control character

27 Patrick Bours27 Password: To not do list - 2 PW which are simple conjugations of a dictionary word (i.e. plurals, adding “ing” or “ed” to end of word, etc.) PW which do not use mixed upper and lower case, or mixed letters and numbers, or mixed letters and punctuation

28 Patrick Bours28 Password: To not do list - 3 PW base on user’s initials or given name PW which match a dictionary word with letters replaced by numbers (eg ‘3’ for ‘e’) PW which are patterns from the keyboard (eg. “aaaaa” or “qwerty”) PW which only consist of numbers

29 Patrick Bours29 Password: The PROBLEM! We have limited memory Can only remember 7±2 totally random symbols Even more problems when We have multiple passwords We need to change passwords regularly

30 Patrick Bours30 Password: What can we do – part 1? Pass phrase Yesterday I watched a nice program on television. YIwanpot or Y1wanp0t Use events on news or personal events when forced to change regularly

31 Patrick Bours31 Password: What can we do – part 2? Encryption Shift every character fixed number of positions Shift every character by increasing number of positions http://geodsoft.com/cgi-bin/pwcheck.pl

32 Patrick Bours32 Password: Pass faces and images It is easier to recognize then to remember. Setup: Memorize a set of selected or given pictures Authentication: Recognize memorized pictures

33 Patrick Bours33 Password: Pass faces Five faces are presented and need to be memorized Five 4x4 grids are presented each containing 1 memorized image

34 Patrick Bours34 Password: Pass images p (random) images selected and remembered n images presented containing m selected images Vary value of m during authentication Present more challenges

35 Patrick Bours35 Password: References R. Smith, Authentication: From Passwords to Public Keys, Addison-Wesley, 2002. J. Yan, A. Blackwell, R. Anderson, and A. Grant, Password Memorability and Security: Empirical Results, IEEE Security & Privacy Magazine, Vol. 2, No. 5, Sept/Oct 2004, pp. 25-31. L. O’Gorman, Comparing Passwords, Tokens, and Biometrics for User Authentication, Proceedings of the IEEE, Vol. 91, No. 12, Dec 2003, pp 2019-2040. http://www.passfaces.com http://www.sims.berkeley.edu/~rachna/dejavu/

Download ppt "Password security Dr.Patrick A.H. Bours. 2 Password: Kinds of passwords Password A string of characters: PIN-code A string."

Similar presentations

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
251959084756578934940271832400483985714 292821262040320277771378360436620207075 955562640185258807844069182906412495150 821892985591491761845028084891200728449.

Excursions in Modern Mathematics Sixth Edition

Excursions in Modern Mathematics Sixth Edition
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
3D-password A more secured authentication G.Suresh babu Roll no:08H71A05C2 Computer science & engineering Mic college of technology Guide:Mrs A.Jaya Lakshmi.

3D-password A more secured authentication G.Suresh babu Roll no:08H71A05C2 Computer science & engineering Mic college of technology Guide:Mrs A.Jaya Lakshmi.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.

1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.
Copyright © 2009 Pearson Education, Inc. Chapter 16 Random Variables.

Copyright © 2009 Pearson Education, Inc. Chapter 16 Random Variables.
1 Binary Arithmetic, Subtraction The rules for binary arithmetic are: 0 + 0 = 0, carry = 0 1 + 0 = 1, carry = 0 0 + 1 = 1, carry = 0 1 + 1 = 0, carry =

1 Binary Arithmetic, Subtraction The rules for binary arithmetic are: = 0, carry = = 1, carry = = 1, carry = = 0, carry =
Lecture 2: Basic Information Theory Thinh Nguyen Oregon State University.

Lecture 2: Basic Information Theory Thinh Nguyen Oregon State University.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Copyright © 2007 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Slide 17- 1.

Copyright © 2007 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Slide
1-1 Copyright © 2015, 2010, 2007 Pearson Education, Inc. Chapter 15, Slide 1 Chapter 15 Random Variables.

1-1 Copyright © 2015, 2010, 2007 Pearson Education, Inc. Chapter 15, Slide 1 Chapter 15 Random Variables.
Pseudorandom Number Generators. Randomness and Security Many cryptographic protocols require the parties to generate random numbers. All the hashing algorithms.

Pseudorandom Number Generators. Randomness and Security Many cryptographic protocols require the parties to generate random numbers. All the hashing algorithms.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.

Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
4. Counting 4.1 The Basic of Counting Basic Counting Principles Example 1 suppose that either a member of the faculty or a student in the department is.

4. Counting 4.1 The Basic of Counting Basic Counting Principles Example 1 suppose that either a member of the faculty or a student in the department is.
Scientific Notation 0806.2.1 Recognize and use scientific notation.

Scientific Notation Recognize and use scientific notation.
Password Management PA Turnpike Commission

Password Management PA Turnpike Commission

Similar presentations

Ads by Google