Passwords and Equivalent Strength the loophole in the DSS

Transcription

1 Passwords and Equivalent Strength the loophole in the DSS NORTH AMERICA COMMUNITY MEETING VANCOUVER 29 SEPTEMBER 1 OCTOBER 2015 Hoyt L Kesterson II Senior Security Architect Terra Verde

2 The Wisdom of Dexter

3 Fundamental Folklore Hold the steering wheel at 10 and 2 o clock Passwords can be 8 characters or greater Passwords shouldn t be words Passwords must be complex Can t have identical adjacent characters Must be changed at least every 90 days

4 New Notion in Version 3 of the DSS Requirement states entities can use equivalent strength to evaluate their alternative [approach]

5 The Attacks Brute Force Hash Table

6 Ferreting Out Passwords The attacker either works with the password as entered by the user or as stored by the authenticator. For the former, one can either social engineer for some good guesses, sniff it, or brute force by submitting passwords from a dictionary, a large list of possible passwords. THC Hydra

7 Difficulty is a Function of Entropy

8 The Math but Don t Panic, Just Multiply or just Square it 36 x 36 = = 1296

9 The Math but Don t Panic, Just Multiply or just Square it 26 x 10 = X 26 =

10 Let s Expand This to 8-Character Passwords 36 x 36 x 36 x 36 x 36 x 36 x 36 x 36 = 36 8 = 2,821,109,907, x 36 x 36 x 36 x 36 x 36 x 26 x 10 = 36 6 x 26 x 10 = 565,963,407,360

11 How long to brute force all of these? A botnet consisting of 10K systems is not that expensive to rent. A recent brute force attack from 255 source addresses attempted a million logins per server spread over a period of ninety days. Dictionaries are becoming more varied, e.g. keyboard walks

12 Hashes and Salts and Rainbows oh my! Stored user passwords are protected by hashing them, i.e. irreversibly transforming them into bit strings. Exfiltrated hashes can be compared to the hashes of passwords from a dictionary. Salting can be a defense but inexpensive hardware can compute 348 billion NTLM, 180 billion MD5, or 64 billion SHA-1 hashes in one second.

13 Something to ponder A hash table has your current password A hash table has the password you were using three months ago A hash table has the password you were using a year ago A hash table has the password you will be using three months from now A hash table has the password you will be using a year from now

14 Use Verrrry Long Passwords

15 A Sixteen Character Lower-Case Password sixteencharacter = ~43,608,742,899,000,000,000,000 different passwords

16 Use Verrrrry Long Passwords Thisisavery 11 characters

17 Use Verrrrry Long Passwords Thisisavery 11 characters

18 Use Verrrrry Long Passwords Thisisaveryverylongpassword 23 characters

19 Use Verrrrry Long Passwords Thisisaveryverylongpassword characters No complexity no upper case, numerals, or special characters

20 This is Frustrating Consider Enabling the Toggling of Masking

21 Toggling View of Password

22 This is Also Frustrating Why Clear Both Fields Upon Login Error?

23 Only Published Standard on Different Method

24 Handling the Questions What are you doing? Requiring that all passwords be sixteen characters or greater. Not requiring that the password contain a mixture of upper & lower case letters, numerals, and special characters.

25 Handling the Questions Why are you doing this? Need stronger passwords but requirement for complexity hampers construction of memorable passphrases.

26 Handling the Questions Is there additional risk? None. Because of the increased number of possible password values this method is much more resistant to brute force attack. Because of the increased length of the password it s unlikely its hash will be in a rainbow table.

27 Thank you Hoyt L Kesterson II Senior Security Architect Terra Verde Scottsdale, Arizona hoyt.kesterson@tvrms.com