Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues...
Text passwords
Hazim Almuhimedi
Agenda
◦ How good are the passwords people are choosing?
◦ Human issues
◦ The Memorability and Security of Passwords
◦ Human Selection of Mnemonic Phrase-based Passwords
Authentication Mechanisms
◦ Something you have: cards
◦ Something you know: passwords. The cheapest way, and the most popular.
◦ Something you are: biometrics, e.g. a fingerprint
Password is a continuous problem
Passwords are a serious real-world problem.
◦ SANS Top-20 2007 Security Risks
◦ Every year, password problems appear in the list:
  Weak or non-existent passwords
  Users who don't protect their passwords
  OS or applications that create accounts with weak/no passwords
  Poor hashing algorithms
  Access to hash files
Source: Jeffery Eppinger, Web Application Development.
How good are the passwords people are choosing?
It is a hard question to answer.
◦ Data is scarce.
◦ MySpace phishing attack
Poor, Weak Password
Poor, weak passwords have the following characteristics:
◦ The password contains fewer than 15 characters.
◦ The password is a word found in a dictionary (English or foreign).
◦ The password is a common usage word.
Source: Password Policy. SANS 2006
Strong Password
Strong passwords have the following characteristics:
◦ Contain both upper and lower case characters.
◦ Have digits and punctuation characters.
◦ Are at least 15 alphanumeric characters long and are a passphrase.
◦ Are not a word in any language, slang, dialect, or jargon.
◦ Are not based on personal information.
◦ Passwords should never be written down or stored on-line.
Source: Password Policy. SANS 2006
Strong Password?
Strong Password
◦ At least 8 characters.
◦ Contain both upper and lower case characters.
◦ Have digits and punctuation characters.
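The two policy slides above (the SANS 2006 characteristics and the relaxed 8-character version) can be turned into a checker that reports which rules a candidate password breaks. The Python below is an added example, not code from the talk or from SANS: `min_length` switches between the 15-character and the 8-character rule, `personal_info` is an assumed input (strings such as a user name or birth year) standing in for the "not based on personal information" rule, and the common-password list is taken from the MySpace top-20 slide of this talk.

```python
import string

# Common-password list: a subset of the MySpace top-20 shown later in the
# talk, used here as the "common usage word" check of the policy.
COMMON_PASSWORDS = {
    "password1", "abc123", "myspace1", "password", "blink182",
    "qwerty1", "123abc", "baseball1", "football1", "123456",
}


def policy_violations(password, min_length=15, personal_info=(),
                      common=COMMON_PASSWORDS):
    """Return the list of SANS-style rules that `password` fails.

    An empty list means the password satisfies every rule. `min_length`
    is 15 for the SANS 2006 policy and 8 for the relaxed variant.
    `personal_info` (assumed input) is a tuple of strings that must not
    appear in the password, e.g. a user name or a birth year.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation character")
    lowered = password.lower()
    if lowered in common:
        failures.append("common password or dictionary word")
    for item in personal_info:
        if item and item.lower() in lowered:
            failures.append(f"contains personal information ({item})")
            break
    return failures


def is_strong(password, min_length=15, personal_info=()):
    """True when the password passes every rule of the chosen policy."""
    return not policy_violations(password, min_length, personal_info)


if __name__ == "__main__":
    # Constructed inputs: two entries from the MySpace top 20, one built
    # from an assumed user profile, one passphrase-style password.
    profile = ("alice", "1985")
    for pw in ("password1", "Blink182", "Alice-1985!Pass", "Guess-This!Phrase2024x"):
        print(pw, "->", policy_violations(pw, min_length=8, personal_info=profile) or "ok")
```

Run over the MySpace entries, the checker shows why "Blink182" looks strong by character classes (mixed case plus digits, failing only the punctuation rule) and yet is a poor choice: it is on the common-password list, which is the check that character-class rules cannot replace.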
MySpace Phishing Attack
◦ A fake MySpace login page.
◦ The captured data was sent to various web servers and collected later.
◦ 100,000 fell for the attack before it was shut down.
◦ This analysis covers 34,000 users.
Password length
Average: 8 characters.
Password length
There is a 32-character password: "1ancheste23nite41ancheste23nite4"
Other long passwords: "fool2thinkfool2thinkol2think", "dokitty17darling7g7darling7"
Character Mix
Common Passwords
Top 20 passwords, in order:
1. password1
2. abc123
3. myspace1
4. password
5. Blink182
6. qwerty1
7. fuckyou
8. 123abc
9. baseball1
10. football1
11. 123456
12. soccer
13. monkey1
14. liverpool1
15. princess1
16. jordan23
17. slipknot1
18. superman1
19. iloveyou1
20. monkey
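The length, character-mix and top-20 figures on the preceding slides are the kind of summary a leaked password set yields with a few lines of code. The Python below is an added example, not the original analysis of the MySpace data; it runs on a small constructed sample built from values on the slides, and the `repeated_unit` helper exposes the pattern behind the 32-character password, which is a 16-character string typed twice.

```python
from collections import Counter
import string

# Constructed sample standing in for the phished data set; the entries are
# taken from the top-20 list and the long-password slide of this talk.
SAMPLE = [
    "password1", "abc123", "monkey1", "password1", "Blink182",
    "iloveyou1", "qwerty1", "password1",
    "1ancheste23nite41ancheste23nite4", "monkey",
]

CLASS_ORDER = ("lower", "upper", "digit", "punct", "other")


def char_classes(password):
    """Signature of the character classes a password draws from,
    e.g. 'lower+digit' for 'password1'."""
    present = set()
    for c in password:
        if c.islower():
            present.add("lower")
        elif c.isupper():
            present.add("upper")
        elif c.isdigit():
            present.add("digit")
        elif c in string.punctuation:
            present.add("punct")
        else:
            present.add("other")
    return "+".join(k for k in CLASS_ORDER if k in present)


def average_length(passwords):
    """Mean password length over the set."""
    return sum(len(p) for p in passwords) / len(passwords)


def character_mix(passwords):
    """How many passwords use each class signature."""
    return Counter(char_classes(p) for p in passwords)


def top_n(passwords, n=20):
    """Most frequent passwords with their counts, most common first."""
    return Counter(passwords).most_common(n)


def repeated_unit(password):
    """Shortest string whose repetition forms the whole password, or None.
    Uses the rotation trick: a periodic string occurs in its own doubling
    at an offset smaller than its length."""
    period = (password + password).find(password, 1)
    if 0 < period < len(password):
        return password[:period]
    return None


if __name__ == "__main__":
    print("average length:", average_length(SAMPLE))
    print("character mix:", dict(character_mix(SAMPLE)))
    print("top 3:", top_n(SAMPLE, 3))
    for pw in ("1ancheste23nite41ancheste23nite4", "fool2thinkfool2thinkol2think"):
        print(pw, "repeats", repeated_unit(pw))
```

The class signature is what the "Character Mix" chart summarises: on this sample almost everything is lower-case letters plus digits, which is the shape a policy that only demands "letters and numbers" produces. The repetition check is worth keeping in an enrolment filter, since a doubled string gives the length a policy asks for without the entropy it assumes.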
Common Password
“Blink 182” is a band.
◦ A lot of people use the band's name: it is easy to remember, and it has numbers in its name, so it seems like a good password.
Common Password
"qwerty1" refers to
◦ QWERTY, the most common keyboard layout on English-language computers.
Common Password
The band “Slipknot” doesn't have any numbers in its name,
◦ which explains the appended “1”.
Common Password
The password "jordan23" refers to
◦ basketball player Michael Jordan
◦ and his number, 23.
Common Password
I don't know what the deal is with “monkey”.
Common Password
Passwords getting better
◦ Who said the users haven't learned anything about security?
Human Issues
◦ Social engineering.
◦ Difficulties with reliable password entry.
◦ Difficulties with remembering the password.
Humans are often the weakest link in the security chain.
Human Issues
Social Engineering.
◦ The attacker extracts the password directly from the user.
◦ Attacks of this kind are very likely to work unless an organization has well-thought-out policies.
◦ In his 2002 book, The Art of Deception, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering. Motorola case: http://www.youtube.com/watch?v=J4yH2GPiE7o (3:09)
Kevin Mitnick: "It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in." http://www.youtube.com/watch?v=8_VYWefmy34 (2:00)
Source: Wikipedia, Social engineering
Human Issues
Social Engineering.
◦ 336 CS students at the University of Sydney.
◦ Some were suspicious: 30 returned a plausible-looking but invalid password.
◦ Over 200 changed their passwords without official prompting.
◦ Very few of them reported the email to an authority.
Human Issues
Social Engineering.
◦ How to solve this problem? A strong and well-known policy.
Human Issues
Difficulties with reliable password entry.
◦ If a password is too long or complex, the user might have difficulty entering it correctly.
◦ South Africa case: a 20-digit number for the pre-paid electricity meters. Any suggested solution?
◦ If the operation they are trying to perform is urgent, this might have safety or other implications.
Human Issues
Difficulties with remembering the password.
◦ The greatest source of complaints about passwords is that most people find them hard to remember.
◦ When users are expected to memorize passwords, they either choose values that are easy for attackers to guess, write them down, or both.
The Memorability and Security of Passwords
Many of the problems of password authentication systems arise from the limitations of human memory.
The Memorability and Security of Passwords
◦ Some passwords are very easy to remember, but very easy to guess (dictionary attack).
◦ Some passwords are very secure against guessing, but difficult to remember, and might be compromised as a result of human limitations: the user may keep an insecure written record.
The Memorability and Security of Passwords
◦ An experiment involving 400 first-year students at the University of Cambridge.
◦ Testing how strong mnemonic-based passwords are.
◦ Testing how easy they are to remember, in contrast with control and random passwords.
The Memorability and Security of Passwords
Methods:
◦ 4 types of attacks: simple dictionary attack; dictionary attack with permutation; user information attack; brute force attack.
◦ Survey.
The Memorability and Security of Passwords
Conclusion:
◦ Users have difficulty remembering random passwords.
◦ Passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords are.
The Memorability and Security of Passwords
Conclusion:
◦ It isn't true that random passwords are better than those based on mnemonic phrases: each type appeared to be as strong as the other.
◦ It is not true that passwords based on mnemonic phrases are harder to remember than naively selected passwords are: each appeared to be reasonably easy to remember, with only about 2%-3% of users forgetting passwords.
Human Selection of Mnemonic Phrase-based Passwords
Hypothesis
◦ Users will select mnemonic phrases that are commonly available on the Internet.
◦ It is possible to build a dictionary to crack mnemonic phrase-based passwords.
Human Selection of Mnemonic Phrase-based Passwords
Survey
◦ A survey to gather user-generated passwords: mnemonic passwords (144), control passwords (146).
Human Selection of Mnemonic Phrase-based Passwords
Attacks:
◦ Dictionary attack: generate a mnemonic password dictionary (400,000 entries). For the control passwords: John the Ripper, 1.2 million entries.
◦ Dictionary attack with permutation: word mangling, e.g. replacing “a” with “@”.
◦ Brute force attack.
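The "dictionary attack with permutation" step mangles each dictionary word (writing "a" as "@", "o" as "0", appending a "1"). A defender can reject such passwords at enrolment without generating every mangled form, by normalizing the candidate back to plain letters before the dictionary lookup. The Python below is an added example, not from the talk or from John the Ripper; the substitution table and the small word list are assumptions constructed for the example (the words are band names and words from the MySpace top 20).

```python
import itertools
import string

# Reverse of "a -> @" style mangling: each symbol maps to the letters it
# commonly stands in for. Assumed table, not from the talk; symbols with
# more than one reading ("1" as "i" or "l") are listed with both.
DEMANGLE = {
    "@": "a", "4": "a", "3": "e", "1": "il", "!": "i", "|": "il",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
}
MAX_CANDIDATES = 512  # bound on the branching so odd input cannot blow up

# Constructed word list: band names and words seen in the MySpace top 20.
DICTIONARY = {
    "password", "monkey", "princess", "baseball", "football", "soccer",
    "liverpool", "superman", "qwerty", "blink", "slipknot", "jordan",
    "iloveyou",
}


def core(password):
    """Lower-case the password and strip trailing digits and punctuation,
    the usual place for an appended '1' or '!' in a mangled word."""
    return password.lower().rstrip(string.digits + string.punctuation)


def demangle_candidates(token):
    """All plain-letter readings of a token, e.g. 'p@ssw0rd' -> {'password'}
    and 's1ipknot' -> {'siipknot', 'slipknot'}."""
    choices = [DEMANGLE.get(c, c) for c in token]
    total = 1
    for options in choices:
        total *= len(options)
        if total > MAX_CANDIDATES:
            return set()  # too many readings; treat as no dictionary match
    return {"".join(combo) for combo in itertools.product(*choices)}


def matches_mangled_dictionary(password, dictionary=DICTIONARY):
    """True if the password is a dictionary word under some mangling."""
    token = core(password)
    if not token:
        return False
    return any(reading in dictionary for reading in demangle_candidates(token))


if __name__ == "__main__":
    # Constructed candidates: two mangled dictionary words, one random string.
    for pw in ("P@ssw0rd1", "S1ipknot1", "Xq9#kLm"):
        print(pw, "->", "reject" if matches_mangled_dictionary(pw) else "accept")
```

Normalization is cheap and catches the substitutions a mangling rule set would generate, but it has limits a practitioner should know: it only undoes substitutions and trailing additions (not insertions in the middle of a word or reversed words), and it can produce false positives when a genuinely random string happens to read as a word once symbols are mapped back. Pair it with a length rule and a list of leaked passwords rather than relying on it alone.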
Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Password Strength:

| | Control | Mnemonic |
|---|---|---|
| Strength score | 15.7 | 17.2 |
| Number of character classes | 2.9 | 2.7 |
| Length | 9.9 | 9.5 |
Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Password Cracking Results:
◦ The user-generated mnemonic passwords were more resistant to brute force attacks than control passwords.

| Password compromised by | Control | Mnemonic |
|---|---|---|
| Basic dictionary | 6% | 3% |
| Basic dictionary with permutation | 5% | 1% |
| Brute force attack | 8% | 4% |
Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Passwords based on external sources: the majority of mnemonic passwords are based on external sources; 13% of control passwords are based on external sources.
Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
◦ The majority of users select phrases from music lyrics, movies, literature, or television shows.
◦ This opens the possibility that a dictionary could be built for mnemonic passwords. If a comprehensive dictionary is built, it could be extremely effective against mnemonic passwords.
◦ Mnemonic phrase-based passwords offer a user-friendly alternative for encouraging users to create good passwords.
Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
◦ Mnemonic phrase-based passwords are not as strong as people may believe.
◦ The space of possible phrases is large, so building a comprehensive dictionary is not a trivial task.
◦ System designers and administrators should specifically recommend to users that they avoid generating mnemonic passwords from common phrases.
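The study's attack builds its dictionary by deriving mnemonic passwords from phrases found on the Internet, and the conclusion above recommends steering users away from common phrases. An enrolment-time check that performs the same derivation over a phrase list is the defensive counterpart. The Python below is an added example, not the study's code: the derivation rule (first character of each word, with "to"/"two" and "for"/"four" optionally written as digits) and the four phrases are assumptions constructed for the example, and the study's 400,000-entry dictionary is not reproduced.

```python
import string

# Assumed derivation rule for number words; the study's exact variants
# are not given on the slides.
NUMBER_WORDS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4"}

# Constructed stand-ins for the lyric/movie/literature lines the study
# found users drawing on; a real list would hold hundreds of thousands.
COMMON_PHRASES = [
    "To be or not to be, that is the question",
    "May the Force be with you",
    "Four score and seven years ago our fathers brought forth",
    "We hold these truths to be self-evident",
]


def mnemonic(phrase, number_words=False):
    """First character of each word, keeping the phrase's capitalisation;
    with number_words=True, 'to' and 'for' become '2' and '4'."""
    out = []
    for token in phrase.split():
        word = token.strip(string.punctuation)
        if not word:
            continue
        low = word.lower()
        if number_words and low in NUMBER_WORDS:
            out.append(NUMBER_WORDS[low])
        else:
            out.append(word[0])
    return "".join(out)


def build_mnemonic_dictionary(phrases):
    """Lower-cased mnemonics of every phrase, in both derivation variants."""
    entries = set()
    for phrase in phrases:
        entries.add(mnemonic(phrase).lower())
        entries.add(mnemonic(phrase, number_words=True).lower())
    return entries


def is_common_mnemonic(password, dictionary):
    """True when the password, ignoring case and punctuation, is the mnemonic
    of a listed phrase, optionally followed by digits the user tacked on."""
    stripped = "".join(c for c in password.lower() if c.isalnum())
    if not stripped:
        return False
    return stripped in dictionary or stripped.rstrip(string.digits) in dictionary


if __name__ == "__main__":
    table = build_mnemonic_dictionary(COMMON_PHRASES)
    # Constructed candidates: two from listed phrases, one from a private phrase.
    for pw in ("TbOntbtitq!", "2bon2btitq", "Mcwb!fat"):
        print(pw, "->", "common phrase" if is_common_mnemonic(pw, table) else "ok")
```

Case-folding and punctuation-stripping matter here: the study's cracking dictionary would apply the same permutations, so a check that compared only the exact string would pass "TbOntbtitq!" while the attack still recovers it. The check says nothing about phrases outside the list, which is exactly the conclusion's point that the phrase space is large and a comprehensive dictionary is hard to build.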
Thank You