Isys20261 lecture 13
Computer Security Management (ISYS20261)
Lecture 13 – Passwords
Module Leader: Dr Xiaoqi Ma
School of Science and Technology
Computer Security Management, Page 2

Last week …
• Access control permits or denies the use of a particular resource by a particular entity
• Two dimensions: authentication and authorisation
• Authentication
  – User to system
  – System to user
• Authorisation
  – Discretionary access control
  – Mandatory access control
  – Role-based access control

Today
• Passwords
• PINs
• Challenge response

Password authentication (1)
• Ways of authenticating a person
  – Knowledge based: password, PIN, etc.
  – Token based: smartcard, etc.
  – Biometrics: fingerprints, face recognition, etc.
• Password authentication has two steps:
  – Identification
  – Verification

Password authentication (2)
• Assumption: the password exists in two places only:
  – System
  – User’s memory
• In reality also:
  – Under the keyboard
  – On a post-it sticking to the monitor
  – Shared amongst a group of colleagues/friends
  – Etc.

Passwords
• Unaided recall
• Passwords should be meaningless
• Recall has to be 100% correct
• No feedback on failure
• Problems:
  – Unaided recall is harder than cued recall
  – Non-meaningful items are hard to recall
  – Limited capacity of working memory
  – Items stored in memory decay over time
  – Similar items compete
  – Old passwords cannot be deleted on demand
  – Etc.

Password attacks
• General criminal economics: an attacker will only invest up to 10% of the achieved profits!
• Password attacks: cheap!
• Types of password attacks:
  – Brute-force attack
  – Guessing attacks
  – Shoulder surfing attacks
  – Spyware
  – Packet sniffing
  – Social engineering

Password policies
• Aim to enforce strong passwords in an organisation
• Define the rules for:
  – Password length
  – Content
  – Frequency of change
  – Number of login attempts
  – How to recover/reset a password
• Ideally:
  – Variable length
  – Meaningless
  – Do not change passwords more often than necessary
  – Limit login attempts
  – Credential recovery: see later slide

Problems, problems …
• Nowadays, Joe Average has to remember a large number of passwords/PINs!
• Many of these need to be changed frequently
• Many similar items compete (including old, invalid passwords!)
• Infrequently used passwords are easily forgotten
• Recently changed passwords are forgotten or confused
• Etc.

Password failure
• 52% Memory failure
  – Confused with old password: 37%
  – Confused with another system’s password: 15%
• 20% Wrong user ID
• 12% Typo
  – Missing or additional characters
  – Pressing ENTER

User strategies
• If not given a strategy, users will make up their own!
  – Use the same password for multiple systems
  – Only change passwords if forced to
  – Externalise passwords
• On-the-spot decisions

Password quality (Sasse et al, 2001)
• Content
  – 28% of users’ passwords are identical
  – 68% use one way to construct their passwords
  – 51% of the passwords are words with a number on the end
• Change
  – 90% only change when forced to do so
  – 45% increment the number by one when changing
• Writing down
  – 30% write down all passwords
  – 32% write down infrequently used passwords

PINs
• Numerical passwords, e.g. 4587
• Similar problems
  – Same PIN across many applications
  – Many people give card and PIN to others to fetch cash
  – Using mobile phones in public
  – Etc.
• Where to find PINs:
  – On the card
  – In the wallet
  – Post-it
  – Around the cash machine
  – Etc.

Countermeasures
• Help with passwords
  – Reactive, e.g. reminder
  – Proactive, e.g. hints, writing down, …
• Not really effective
• Better:
  – User support and training
  – Single sign-on
  – Changes to password policy
  – Alternative methods: graphical or biometrics

Reminders
• Advantages:
  – No password change
  – Automated, i.e. reduced workload on helpdesk or system admin
• Disadvantages:
  – Over the internet: security risk
  – Attacker might guess or know the answer to additional security questions
• Example: “What is your mother’s maiden name?”

Hints
• User selects a reminder of the password that is stored on the system together with the password
• System provides the hint if:
  – the user forgets his/her password and requests it
  – login fails
• Advantages:
  – No password change
  – Automated
• Disadvantages:
  – Untrained users often choose bad hints in terms of memorability
  – Attacker might find out the password through social networks

How to improve
• Provide instructions for better memorability
  – Must be available when users need them
  – e.g. “make up a sentence to memorise” or “funny content helps to memorise”
• Provide feedback
  – At registration time
  – Needs to be positive and constructive
  – Might help an attacker!
• Pro-active password checking
  – Prevent weak passwords
  – Checks at registration for compliance with the password policy
• Helpdesks
  – Many people prefer to interact with other human beings
  – Humans are more flexible
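As an added example (not code from the lecture), a proactive password checker of the kind described above, applying rules drawn from the password-policy slide and the Sasse et al. findings: a minimum length, rejection of dictionary words and of a word with a number on the end, and rejection of the old password with its number incremented by one. The word list, the 12-character minimum and the sample passwords are assumptions made here.

```python
import re

# Constructed mini word list (assumption); a real checker would load a large dictionary.
DICTIONARY = {"password", "welcome", "summer", "nottingham", "letmein"}
NUMBER_SUFFIX = re.compile(r"(.*?)(\d+)")  # anything followed by a trailing number


def word_plus_number(pw: str) -> bool:
    """The most common construction in the survey: a word with a number on the end."""
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", pw)
    return bool(m) and m.group(1).lower() in DICTIONARY


def incremented_old(pw: str, old: str) -> bool:
    """Detects the 'increment the trailing number by one' change strategy."""
    m_new, m_old = NUMBER_SUFFIX.fullmatch(pw), NUMBER_SUFFIX.fullmatch(old)
    if not (m_new and m_old):
        return False
    return m_new.group(1) == m_old.group(1) and int(m_new.group(2)) == int(m_old.group(2)) + 1


def check_password(pw: str, old: str = "", min_len: int = 12) -> list:
    """Proactive check at registration: returns the policy violations found,
    so an empty list means the password is accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    if word_plus_number(pw):
        problems.append("is a dictionary word with a number on the end")
    if old:  # only meaningful when the user is changing an existing password
        if pw == old:
            problems.append("same as the old password")
        elif incremented_old(pw, old):
            problems.append("old password with its number incremented by one")
    return problems
```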

Single sign-on (SSO)
• Enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again
• Advantages:
  – Reduces the user’s workload to a minimum
  – Reduces time spent on logins
  – Reduces help desk calls
  – Single point of recovery
• Disadvantages:
  – Valuable to an attacker (single point of attack!)

Challenge-response (1)
• Authentication technique
• An individual is prompted (the challenge) to provide some private information (the response)
• Enrolment:
  – Challenge-response (CR) pairs generated randomly from a database
  – User accepts a set of memorable CRs when enrolling
• Operation:
  – Individual is given one challenge from the set
  – If the individual gives the matching response: authenticated

Challenge-response (2)
• When enrolling, the challenge can be
  – Selected entirely by the system, or
  – Partly chosen by the user, or
  – Partly selected from a list by the user
• The response can be
  – Selected by the system, or
  – Chosen by the user, or
  – Selected from a list by the user
• Examples
  – C: Name of your pet? R: [open answer chosen by the user]
  – C: Your mother’s maiden name? R: [input chosen by the user]
  – C: What do you think of the [input chosen by the user]? R: I think the [from C] [chosen by the user]
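Added example, not code from the lecture: enrolment and operation of the challenge-response scheme described on the two slides above, with a failure counter for the “limit login attempts” rule from the policy slide. The challenge pool, the user record layout and the salted PBKDF2 storage of responses are assumptions made here.

```python
import hashlib
import hmac
import os
import secrets

# Constructed database of candidate challenges (assumption, not from the slides).
CHALLENGE_POOL = [
    "Name of your first pet?",
    "Your mother's maiden name?",
    "Street you grew up on?",
    "Title of your favourite book?",
    "Make of your first car?",
]


def normalise(answer: str) -> str:
    """Responses are free text, so fold case and whitespace before comparing."""
    return " ".join(answer.lower().split())


def _digest(salt: bytes, answer: str) -> bytes:
    """Salted PBKDF2 so a stolen record does not reveal the responses."""
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 50_000)


def enrol(user: str, answers: dict, set_size: int = 3) -> dict:
    """Enrolment: the system draws set_size challenges at random from the pool
    and the user supplies a response to each; only salted hashes are kept."""
    chosen = secrets.SystemRandom().sample(CHALLENGE_POOL, set_size)
    record = {"user": user, "crs": {}, "failures": 0}
    for challenge in chosen:
        salt = os.urandom(16)
        record["crs"][challenge] = (salt, _digest(salt, answers[challenge]))
    return record


def issue_challenge(record: dict) -> str:
    """Operation: the individual is given one challenge from their own set."""
    return secrets.choice(list(record["crs"]))


def verify(record: dict, challenge: str, response: str, max_failures: int = 3) -> bool:
    """Authenticated only if the response matches the stored CR pair.
    The failure counter locks the record after max_failures wrong answers."""
    if record["failures"] >= max_failures or challenge not in record["crs"]:
        return False
    salt, expected = record["crs"][challenge]
    if hmac.compare_digest(_digest(salt, response), expected):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False
```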

Challenge-response (3)
• Challenge-response pairs (CRs) are assessed along two dimensions:
  – Usability
  – Security
• Criteria for assessing security:
  – Guessing difficulty
• Criteria for assessing usability:
  – User physical and mental workload
  – Administrator physical workload