Part II: Passwords. Ron van der Meyden. (University of New South Wales Sydney, Australia) March 12, R. van der Meyden Part II: Passwords

Size: px

Start display at page:

Download "Part II: Passwords. Ron van der Meyden. (University of New South Wales Sydney, Australia) March 12, R. van der Meyden Part II: Passwords"

Darleen Quinn
5 years ago
Views:

1 Part II: Passwords Ron van der Meyden (University of New South Wales Sydney, Australia) March 12, 2013 Passwords An old security mechanism: Soldiers access to camp Secret society handshakes Objective: authentication: prove that the person requesting access has the right to access

2 A systems perspective Context of use: other systems Users Authentication and Access Control Technology Assets Password Hardness A brute force attack on passwords: try all possible passwords How many times required to try? password type # instances 4 digit PIN char (lower case) alphabetical digit (lower case) alphanumeric char (upper and lower) alphabetical digit (upper and lower) alphanumeric decimal digits *=password type used for US nuclear missile launch 12 = maximum reliable length in memory under stress experiments

3 Protections Against Brute Force Attacks Detection Response Detection: Login screen displays Date and Time of last successful login Date and Time of all unsuccessful login attempts since then (less common, but more effective) Requires training of users, attentiveness Response Repeat failed password attempts suggestive of a brute force attack in progress. Possible responses: After 3 failed attempts within time T, disable the password Degrade response time with frequency of attempts Problems: Both open up a new attack: denial of service! Locking not always possible: document encrypted with password as key- attacker with encrypted text can keep trying. What if the asset being protected is safety critical? E.g. medicine cabinet.

4 Brute force may be easier than you think Passwords must be remembered. People have bad memories, so choose passwords they can easily remember. Gramp & Morris 1984 (rule six characters, at least one number) cracked all of >20 machines using database of 20 most common female names + 1 digit Schneiner 2006: analysis of attack on 100,000 Myspace users: password1 (0.22%), abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, , soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, monkey (Oct 2009: 64 times in 10,000 Hotmail, MSN and Live.com ID s starting with A, B) Defending against common password guessing attacks Don t allow users to construct their own, give them a random pwd Impose password construction rules Check candidate password against a common password database Train users to avoid common password errors Train users in secure password construction approaches (e.g passphrase)

5 Password Construction Rules E.g. passwords must be at least six characters long and contain at least one non-alphabetical character Most common password changes from password to password1! Make the rules too hard and you may scare users away: (bad for an e-commerce site) Password Construction from a passphrase: The rain in Spain falls mainly on the plain TriSfmotp The downside of password defences Highly random passwords make it harder for people to remember passwords. So: they write their passwords on pieces of paper & stick them on the machine (beware the cleaner!) they frequently forget their passwords (so you need a password reset mechanism)

6 Password Reset A common approach to password reset: List of questions: e.g., UNSW zpass zpass.html Mother s maiden name Name of first pet etc Issues: Some of this is public information, so easily guessed These questions may not apply to everyone You can t change these in case they become public! Even when not easily guessed, so many services now use these questions that it opens up cross-site attack risk (insiders at one service attacking your account at another). Password Change Frequency A password that has been cracked is no defence. The likelihood that a password has been cracked increases with time. Defence: require password changes.

7 The downside of password defences Frequent password changes & highly random passwords make it harder for people to remember passwords. So: they write their passwords on pieces of paper they choose easily cracked passwords they change password twice (or k times) to reset to their old one: password1 password2 password1 Training Users Hard for e-commerce sites, but possible in military & corporate settings How effective is training users? J. Yan, A. Blackwell, R. Anderson, A. Grant, The memorability and security of passwords some empirical results, IEEE Security and Privacy, Oct

8 3 groups of Users: red: pick your own password, 6 characters, at least one non-alpha green: think of a passphrase and select letters to build a password yellow: force randomness: select 8 characters (mixed type) from a table, write down for learning, destroy after two weeks Crack rates/reported difficulty of remembering: red: 30%, OK green: 10%, OK ( same as red) yellow: 10%, difficult Recommendation: passphrase is the best tradeoff (Some users do not follow instructions!) Attacks against Passwords Brute Force Looking over the shoulder (Insider) attack on the system password database Sociological attacks: phishing

9 Insider Attacks on Password Database E.g. theft of password list: Defenses: encryption/hashing of entries: Store (user, f (Password)), where x such that f (x) = f (Password)) is hard to find To authenticate, check f (string entered) = f (Password) Phishing Dear Valued Customer, Due to an apparent attempt to break into your electronic banking account, we have locked your account pending reconfirmation of your password. This is urgent! You must reconfirm your login details. Please click on the following link <a href= > and log into your account to reconfirm your password. Please do not respond to this . This address is not monitored and is used for outgoing s only.

10 Training your users not to fall for phishing (not!) From: Subject: Important: Changed access to the UNSW Uniwide wireless service Date: 17 February :48:31 PM IT at UNSW is upgrading the UniWide wireless service. This upgrade will provide significant improvements including better coverage and higher throughput over the old service. What do I need to do? This service will require a new method of access which utilises zpass rather than UniPass. After the upgrade, authentication via UniPass will be disabled. Authentication is only available via z number and zpass. Staff who currently have an s staff number, simply replace the s with a z (so that s becomes z ). Staff who currently have a z number - simply use this as it is. Staff who currently have an m should contact the IT Service Centre to help create a z number for them. To set your zpass (if you have not done it yet), you can log into the Identity Manager website ( with your UniPass and set it up. Why don t you do that right now? Also instruction guides to reconfigure your device to support the use of zpass are available at CONTROL-ALT-DEL What is this (IBM PC/Windows) key sequence for? (a) rebooting the computer (b) escaping from the blue screen of death (c) protecting against an attack (d) all of the above (e) none of the above

11 Answer Answer: (d) originally intended as a reboot sequence (implemented by IBM PC designer David Bradley) Bradley: I may have invented Control-Alt-Delete, but Bill Gates made it famous. later adopted as secure attention key to protect against login spoofing Login Spoofing (phishing before the net) (Ever since multiple user terminals in 1970 s) User1 leaves a program running that displays an interface that looks just like the login screen. User2 enters their login and password. The program captures the login details, logs out, so real password screen now comes up. User2 thinks: Hmm, I must have made a typo in my password

12 Secure Attention A secure attention key (e.g. CONTROL-ALT-DEL) cannot be captured by any application program, and resets machine to offer an authentic login screen. Question: so what do you do on a MAC or Linux system? Aargh, not another password to remember! Many services require passwords: ATM PIN, Online Banking, telephone banking Share trading accounts: national, international Unipin, CSE login Bill payment Booking services (Opera House, Ticketek,..) Social Networking site Web Online Bookstore News sites (Crikey, Aust. Fin. Rev. already, News Ltd papers soon) etc... How to remember them all?

13 Same Password or Many? Use same password: Risk that compromise of one (e.g. News site) leads to compromise of others (e.g. Online Banking) Use different passwords: Risk that I will forget and be locked out! User defenses against password mania Use Browser (or system keychain) password memory but what about internet cafe use? Use password groups: easy password for all services that are protecting their content, not my secrets: online news, payment services that don t record my Credit Card number hard password(s) for critical secrets, banking etc.

14 User defenses against password mania Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh and John C. Mitchell, Stronger Password Authentication Using Browser Extensions. Proc. of the 14th Usenix Security Symp., Generate the password for service/url X as a function f of X and a master password P I.e., I remember one password P At amazon.com, my password is f (P, amazon.com ) At ebay.com, my password is f (P, ebay.com ) (different from f (P, amazon.com )!) At ebay.phisherman, my password is f (P, ebay.phisherman ) (different from f (P, ebay.com )!) Conclusion When we look at passwords from a systems perspective, all sorts of non-obvious vulnerabilities appear. As a result of these, passwords have long since had their day. But they are not going to go away any time soon. So understand the risks, mitigate as best you can (e.g., two-factor authentication)!

Authentication KAMI VANIEA 1

Authentication KAMI VANIEA 1 Authentication KAMI VANIEA FEBRUARY 1ST KAMI VANIEA 1 First, the news KAMI VANIEA 2 Today Basics of authentication Something you know passwords Something you have Something you are KAMI VANIEA 3 Most recommended