Presentation is loading. Please wait.

Presentation is loading. Please wait.

What do you know about password? By Guang Ling Oct. 8 th, 2012 1.

Published byMatthew Morton Modified over 8 years ago

Similar presentations

Presentation on theme: "What do you know about password? By Guang Ling Oct. 8 th, 2012 1."— Presentation transcript:

1 What do you know about password? By Guang Ling Oct. 8 th, 2012 1

2 What password are you using? Before going to the next slide, can you guess what is the most used password? 2

3 3

4 4

5 Some statistics on password 4.7% of users have the password password 8.5% have the passwords password or 123456; 9.8% have the passwords password, 123456 or 12345678; 14% have a password from the top 10 passwords 40% have a password from the top 100 passwords 79% have a password from the top 500 passwords 91% have a password from the top 1000 passwords 5

6 Some statistics on password thx1138 (turns out this is a movie from forty years back) gundam (actually an anime series) ncc1701 (codename for the USS Enterprise in Star Trek) 6

7 Some statistics on password 7

8 I am not concerned! 8

9 Wait, is your password secure? Try your password at here.here 9

10 What is strong password? Common misunderstand – The more complex the password, the more secure it is! 10

11 What is strong password? Measure strength of password using entropy – So what is the key to the strength of a password? – Length! 11

12 Wait, is your password secure? 12

13 I am not concerned! 13

14 You should be concerned! Recent password leakage incidents in China – In December 22 nd, 2011, a famous programmer forum CSDN has its server hacked and 6,000,000 user accounts leaked – In December 25 th, 2011, user accounts of one of the major discuss forum in China, 天涯, is leaked and 40,000,000 accounts exposed – In the following weeks, 人人网 (5m) ,多玩网 (8m), 猫扑 (10m), 开心网,世纪佳缘,百合网,美空 all have at least part of their accounts leaked 14

15 You should be concerned! To make things worse, passwords leaked from CSDN and 天涯 are all in clear text! 15

16 You should be concerned! Someone claim that 人人网 ’s database is also clear text, it turns out that this might not be true However, only 0.84% (4001/4768600) password cannot be cracked0.84% 16

17 A peak at the leaked password files 17

18 Server-side password To better understand how to secure our online identity, let’s take a short detour to talk about password transmission and storage. 18

19 Password storage Form of password storage – Clear text – Hash – Salted hash hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366 hash("waltz") = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542 hello Hbllo waltz hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1 hash("hello" + "bv5PehSMfV11Cd") = d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab hash("hello" + "YYLmfY6IehjZMQ") = a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007 19

20 Password storage Clear text – Simple and easy to implement – Maybe viewed by website administrator and employee – Maybe viewed by hacker – Most insecure – Never store password in clear text hello Hbllo waltz 20

21 Password storage Hash – Use cryptography level hash function to hash the password and obtain a fixed length digest – MD5, SHA-1, SHA-512, WHIRLPOOL – Store the digest (hash) instead of the password – Better than clear text – Vulnerable to attack when the password length is short hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366 hash("waltz") = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542 21

22 Password storage Offline attack of hash – Cryptography level hash function are designed to be secure, i.e. it is hard to find phrase such that Hash(phrase) = given digest – But hash value is vulnerable to the following method of attacks Dictionary and Brute force attack Lookup tables and Rainbow Tables 22

23 Hash attack Dictionary attack and Brute force attack Lookup tables and Rainbow tables – Pre-compute the hash for all possible combinations up to a length limit – Free hash cracker at herehere – Hash cracker that can crack all combination up to length 8 for MD5, NTLM, LM, SHA1 exists (5711GB of data)exists Dictionary Attack Trying apple : failed Trying blueberry : failed Trying justinbeiber : failed... Trying letmein : failed Trying s3cr3t : success! Brute Force Attack Trying aaaa : failed Trying aaab : failed Trying aaac : failed... Trying acdb : failed Trying acdc : success! 23

24 Password storage Salted hash – Rainbow tables attack renders most short password the same as clear text – Hash the password and salt (randomly generated string) to obtain a hash, store the hash and the salt value – Cannot be pre-computed because of the salt – Can be cracked by brute force if the password strength is weak hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1 hash("hello" + "bv5PehSMfV11Cd") = d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab hash("hello" + "YYLmfY6IehjZMQ") = a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007 24

25 Password transmission Password can be transmitted to the server in different forms and through different channels – Forms: clear text V.S. hash – Channel: unencrypted V.S. encrypted 25

26 Password transmission Clear text Maybe eavesdropped during transmission Hash Eavesdropper can get at most your password’s hash Looks like transmitting the hash is a good idea! – Not really – If hash instead of the clear text is transmitted, the intruder can fake the identity of the user by sending the hash 26

27 Password transmission Unencrypted No overhead Insecure Encrypted Some overhead, negligible by today’s hardware speed Secure A website should use encrypted connection channel for user login whenever possible 27

28 Best practice on a login server Store the password in salted hash form Encrypt the login page and every page if possible Transmit the password instead of the hash 28

29 How to manage our password? Never use the same password for different sites 29

30 How to manage our password? Never use the same password for different sites Use long and strong password Use rule based methods to ease the management of passwords [ 密码 ]=2* ( [ 用户名标识符(小写 / 大写) ]+[ 用户名长度 ]+[.]+[ 网站标识符(大写 / 小写) ] ) 例: guokr123@gmail.com ,密码为: gk8.GM GK8.gm songshuhui@hotmail.com 密码为: ssh10.HTSSH10.ht 30

31 How to manage our password? Use dedicated password manager – 1Password – LastPass 31

32 LastPass The last password you should remember – It saves your password and automatically fills it in when you open a website 32

33 LastPass The last password you should remember – It generates secure password 33

34 LastPass The last password you should remember – It is safe All your information store is encrypted using 256-bit AES – Even if lastpass is hacked, your information will not leak Encrypted channel is used exclusively for all communications Only you know the decryption key – Lastpass has no access to your information 34

35 LastPass One thing that concerned me when I first start to use lastpass – The login key and decryption key is the same???!!! – They are not Hash of your master key is used for login Combination of your username and master key (in the original form) is passed through PBKDF2-SHA256 (using a lot of iterations) to generate the decryption key However, you do need a long and strong master password so that recover it from the hash is infeasible 35

36 References and picture source: – http://www.troyhunt.com/2011/07/science-of- password-selection.html http://www.troyhunt.com/2011/07/science-of- password-selection.html – http://www.troyhunt.com/2011/06/brief-sony- password-analysis.html http://www.troyhunt.com/2011/06/brief-sony- password-analysis.html – http://www.guokr.com/article/61644/ http://www.guokr.com/article/61644/ – https://xato.net/passwords/more-top-worst- passwords/ https://xato.net/passwords/more-top-worst- passwords/ – http://crackstation.net/hashing-security.htm http://crackstation.net/hashing-security.htm 36

Download ppt "What do you know about password? By Guang Ling Oct. 8 th, 2012 1."

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
By Wild King. Generally speaking, a rainbow table is a lookup table which is used to recover the plain-text password that derives from a hashing or cryptographic.

By Wild King. Generally speaking, a rainbow table is a lookup table which is used to recover the plain-text password that derives from a hashing or cryptographic.
Use of a One-Way Hash without a Salt

Use of a One-Way Hash without a Salt
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.

NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.
Chapter 3.3 - User authorization & safety Maciej Mensfeld Presented by: Maciej Mensfeld User authorization & safety dev.mensfeld.pl.

Chapter User authorization & safety Maciej Mensfeld Presented by: Maciej Mensfeld User authorization & safety dev.mensfeld.pl.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18, 2013 1.

Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18,
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
DNSSEC Cryptography Review Track 2 Workshop July 3, 2010 American Samoa Hervey Allen.

DNSSEC Cryptography Review Track 2 Workshop July 3, 2010 American Samoa Hervey Allen.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Yvan Cartwright, Web Security Introduction Correct encryption use Guide to passwords Dictionary hacking Brute-force hacking.

Yvan Cartwright, Web Security Introduction Correct encryption use Guide to passwords Dictionary hacking Brute-force hacking.

Similar presentations

Ads by Google