authentication and passwords
play

Authentication and Passwords Spring 2017 Shrirang (Shri) Mare - PowerPoint PPT Presentation

Apr 25, 2023 •233 likes •654 views

CSE 484 / CSE M 584: Computer Security and Privacy Authentication and Passwords Spring 2017 Shrirang (Shri) Mare shri@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Authentication and Passwords Spring 2017 Shrirang (Shri) Mare shri@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Outline • Authentication • Different ways to authenticate • Passwords • Biometrics CSE 484 / CSE M 584 - Spring 2017

  3. Basic Problem ? How do you prove to someone that you are who you claim to be? Any system with access control must solve this problem. CSE 484 / CSE M 584 - Spring 2017

  4. Related terms • Identification • Authentication • Authorization Q: Can you authenticate someone without identification? CSE 484 / CSE M 584 - Spring 2017

  5. Many Ways to Prove Who You Are • Three main factors: 1. What you know • Passwords • Answers to questions that only you know 2. What you are • Biometrics 3. What you have • Secure tokens, mobile devices • Other factors: – Where you are • IP address, geolocation – Somebody you know • Leveraging your social network CSE 484 / CSE M 584 - Spring 2017

  6. Passwords and Computer Security • In 2012, 76% of network intrusions exploited weak or stolen credentials (username/password) – Source: Verizon Data Breach Investigations Report • First step after any successful intrusion: install sniffer or keylogger to steal more passwords • Second step: run cracking tools on password files – Cracking needed because modern systems usually do not store passwords in the clear (how are they stored?) • In Mitnick’s “Art of Intrusion” 8 out of 9 exploits involve password stealing and/or cracking CSE 484 / CSE M 584 - Spring 2017

  7. UNIX-Style Passwords • How should we store passwords on a server? – In cleartext? “ cypherpunk ” – Encrypted? system password file – Hashed? t4h97t4m43 hash fa6326b1c2 function N53uhjr438 Hgg658n53 … user CSE 484 / CSE M 584 - Spring 2017

  8. Password Hashing • Instead of user password, store H(password) • When user enters password, compute its hash and compare with entry in password file – System does not store actual passwords! – System itself can’t easily go from hash to password • Which would be possible if the passwords were encrypted • Hash function H must have some properties – One-way: given H(password), hard to find password • No known algorithm better than trial and error – “Slow” to compute CSE 484 / CSE M 584 - Spring 2017

  9. UNIX Password System • Approach: Hash passwords • Problem: passwords are not truly random – With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 94 8 ≈ 6 quadrillion possible 8-character passwords (~2 52 ) – Humans like to use dictionary words, human and pet names ≈ 1 million common passwords CSE 484 / CSE M 584 - Spring 2017

  10. Dictionary Attack • Dictionary attack is possible because many passwords come from a small dictionary – Attacker can pre-compute H(word) for every word in the dictionary – this only needs to be done once! • This is an offline attack • Once password file is obtained, cracking is instantaneous – Sophisticated password guessing tools are available • Take into account freq. of letters, password patterns, etc. • In UNIX, /etc/passwd is world-readable – Contains user IDs and group IDs which are used by many system programs CSE 484 / CSE M 584 - Spring 2017

  11. Salt franzi:fURxfg,4hLBX:14510:30:Franzi:/u/franzi:/bin/csh /etc/passwd entry salt (chosen randomly when password is first set) Password hash(salt,pwd) • Users with the same password have different entries in the password file • Offline dictionary attack becomes much harder CSE 484 / CSE M 584 - Spring 2017

  12. Advantages of Salting • Without salt, attacker can pre-compute hashes of all dictionary words once for all password entries – Same hash function on all UNIX machines – Identical passwords hash to identical values; one table of hash values can be used for all password files • With salt, attacker must compute hashes of all dictionary words once for each password entry – With 12-bit random salt, same password can hash to 2 12 different hash values – Attacker must try all dictionary words for each salt value in the password file • Pepper: Secret salt (not stored in password file) CSE 484 / CSE M 584 - Spring 2017

  13. Shadow Password franzi:x:14510:30:Franzi:/u/franzi:/bin/csh /etc/passwd entry Hashed password is no longer stored in a world-readable file Hashed passwords are stored in /etc/shadow file which is only readable by system administrator (root) CSE 484 / CSE M 584 - Spring 2017

  14. Other Password Security Risks • Keystroke loggers – Hardware – Software (spyware) • Shoulder surfing • Same password at multiple sites • Broken implementations – TENEX timing attack CSE 484 / CSE M 584 - Spring 2017

  15. Other Password Security Risks • Social engineering CSE 484 / CSE M 584 - Spring 2017

  16. Other Issues • Usability – Hard-to-remember passwords? – Carry a physical object all the time? • Denial of service – Stolen wallet – Attacker tries to authenticate as you, account locked after three failures – “ Suspicious ” credit card usage CSE 484 / CSE M 584 - Spring 2017

  17. Default Passwords • Pennsylvania ice cream shop phone scam – Voicemail PIN defaults to last 4 digits of phone number; criminals change message to “I accept collect call ” , make $8600 on a 35-hour call to Saudi Arabia • Examples from Mitnick’s “ Art of Intrusion ” – U.S. District Courthouse server: “public” / “public” – NY Times employee database: pwd = last 4 SSN digits – “Dixie ban” ” : break into router (pwd=“administrator”), then into IBM AS/400 server (pwd=“administrator”), install keylogger to snarf other passwords • “99% of people there used ‘ password123 ’ as their password” CSE 484 / CSE M 584 - Spring 2017

  18. Weak Passwords • RockYou hack – “ Social gaming ” company – Database with 32 million user passwords from partner social networks – Passwords stored in the clear – December 2009: entire database hacked using an SQL injection attack and posted on the Internet CSE 484 / CSE M 584 - Spring 2017

  19. Weak Passwords • RockYou hack – “ Social gaming ” company – Database with 32 million user passwords from partner social networks – Passwords stored in the clear – December 2009: entire database hacked using an SQL injection attack and posted on the Internet CSE 484 / CSE M 584 - Spring 2017

  20. Password Usability CSE 484 / CSE M 584 - Spring 2017

  21. [Inglesant and Sasse, “ The True Cost of Unusable Password Policies ” ] Password Policies • Overly restrictive password policies… – 7 or 8 characters, at least 3 out of {digits, upper-case, lower-case, non-alphanumeric}, no dictionary words, change every 4 months, password may not be similar to previous 12 passwords… • … result in frustrated users and less security – Burdens of devising, learning, forgetting passwords – Users construct passwords insecurely, write them down • Can’t use their favorite password construction techniques (small changes to old passwords, etc.) • “ An item on my desk, then add a number to it ” – Heavy password re-use across systems CSE 484 / CSE M 584 - Spring 2017

  22. Image from http://www.interactivetools.com/staff/dave/damons_office/ CSE 484 / CSE M 584 - Spring 2017

  23. Recovering Passwords CSE 484 / CSE M 584 - Spring 2017

  24. Wired Cover Story (Dec 2012) “This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat.” CSE 484 / CSE M 584 - Spring 2017

  25. “Mugged in London” Scam James Fallows in Nov 11 issue of The Atlantic: “When she looked at her Inbox, and her Archives, and even the Trash and Spam folders in her account, she found—absolutely nothing.” CSE 484 / CSE M 584 - Spring 2017

  26. Improving(?) Passwords • Graphical passwords – Goal: easier to remember? no need to write down? • Password managers – Examples: LastPass, KeePass, built into browsers – Can have security vulnerabilities… • Two-factor authentication – Leverage phone (or other device) for authentication • Add biometrics – For example, keystroke dynamics or voiceprint CSE 484 / CSE M 584 - Spring 2017

  27. Graphical Passwords • Many variants… one example: Passfaces – Assumption: easy to recall faces – Problem: to make passwords easy to remember, users choose predictable faces CSE 484 / CSE M 584 - Spring 2017

  28. Graphical Passwords • Another variant: draw on the image (Windows 8) • Problem: users choose predictable points/lines CSE 484 / CSE M 584 - Spring 2017

  29. Unlock Patterns • Problems: – Predictable patterns (sound familiar by now??) – Smear patterns – Side channels: apps can use accelerometer and gyroscope to extract pattern! CSE 484 / CSE M 584 - Spring 2017

  30. Multi-Factor Authentication CSE 484 / CSE M 584 - Spring 2017

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

670 views • 28 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords Passwords is a user authentication mechanism that is widely adopted for many years Methods for user authentication: Something you know

901 views • 52 slides
Authentication of People what you know (passwords) what you have (keys) what you are

Authentication of People what you know (passwords) what you have (keys) what you are

people 1 Authentication of People what you know (passwords) what you have (keys) what you are (biometric devices) where you are (physical) October 26, 2000 people 2 Passwords initial password distribution (students)

559 views • 13 slides
Authentication of People what you know (passwords) what you have (keys) what you are

Authentication of People what you know (passwords) what you have (keys) what you are

people 1 Authentication of People what you know (passwords) what you have (keys) what you are (biometric devices) where you are (physical) Slide 1 Passwords initial password distribution (students) limit password guessing

305 views • 7 slides
Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is weak authentication mechanism. Use Brute Force to find the password. We are using Hashing and Salt to protect the password. Passwords: Two factors

559 views • 51 slides
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication Basics

653 views • 42 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

471 views • 21 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords Identification, Authentication, and Authorization Identification: You give your name Authentication: Youve proven that its really you.

486 views • 31 slides
Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret Typical goal: client authenticating to server, without being tied to a device holding a cryptographic key. On authentication, a session key should be

344 views • 11 slides
Authentication: Beyond Passwords Prof. Tom Austin San Jos State University Biometrics

Authentication: Beyond Passwords Prof. Tom Austin San Jos State University Biometrics

CS 166: Information Security Authentication: Beyond Passwords Prof. Tom Austin San Jos State University Biometrics Something You Are Biometric You are your key Schneier Examples Fingerprint Are Handwritten

800 views • 32 slides
Authentication and Passwords Autumn 2016 Tadayoshi Kohno yoshi@cs.Washington.edu Thanks to Dan

Authentication and Passwords Autumn 2016 Tadayoshi Kohno yoshi@cs.Washington.edu Thanks to Dan

CSE 484 / CSE M 584: Computer Security and Privacy Authentication and Passwords Autumn 2016 Tadayoshi Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Franzi Roesner, Vitaly

751 views • 39 slides
OPAQUE: A Strong Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks Stanislaw

OPAQUE: A Strong Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks Stanislaw

OPAQUE: A Strong Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks Stanislaw Jarecki, Hugo Krawczyk, Jiayu Xu Motivation: Password Authentication Passwords are the prevalent tool for authentication Passwords are vulnerable

481 views • 22 slides
A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in

A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in

A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in Authentication Workshop (WAY) 2019 Nikita Samarin, Donald Sannella Traditional Passwords Most common mechanism of authenticating users online

251 views • 14 slides
Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The

Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The

Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The College of William and Mary Passwords The most common online authentication method Something you know instead of something you have (hardware

559 views • 29 slides
Advanced Computer Graphics CS 525M: Identifying diverse usage behaviors of smartphone apps Alec

Advanced Computer Graphics CS 525M: Identifying diverse usage behaviors of smartphone apps Alec

Advanced Computer Graphics CS 525M: Identifying diverse usage behaviors of smartphone apps Alec Mitnik Computer Science Dept. Worcester Polytechnic Institute (WPI) Introduction The popularity of mobile devices is increasing. Apps are

437 views • 21 slides
An Introduction to Social Mining Vladimir Gorovoy and Yana Volkovich @yvolkovich

An Introduction to Social Mining Vladimir Gorovoy and Yana Volkovich @yvolkovich

An Introduction to Social Mining Vladimir Gorovoy and Yana Volkovich @yvolkovich Barcelona Media, Information, Technology & Society Group Barcelona, Spain @vgorovoy Yandex, Yandex.Uslugi Saint Petersburg, Russia August,

944 views • 35 slides
TAO: Facebooks Distributed Data Store for the Social Graph Before TAO Data stored in MySQL

TAO: Facebooks Distributed Data Store for the Social Graph Before TAO Data stored in MySQL

TAO: Facebooks Distributed Data Store for the Social Graph Before TAO Data stored in MySQL and cached in memcached Caching managed by apps Problems: Operations on lists are inefficient in memcached (update whole list) Complexity

150 views • 10 slides
Sponsors: How to Find Them & Create a Win-Win @fundraiserchad PHILANTHROPIC PIE What

Sponsors: How to Find Them & Create a Win-Win @fundraiserchad PHILANTHROPIC PIE What

Sponsors: How to Find Them & Create a Win-Win @fundraiserchad PHILANTHROPIC PIE What percentage of the philanthropic pie is BUSINESS SUPPORT at your organization? Image Credit: imarketsmart.com Credit: Sponsorship Collective Who is

865 views • 69 slides
The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Narseo

The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Narseo

The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Narseo Vallina-Rodriguez (IMDEA Networks) and Juan Tapiador (UC3M) Jornadas REDIMadrid 2020 20 Oct 2020 Lots of data, lots of data crunchers Anja Feldmann Oliver

1.32k views • 98 slides
Promoting Cooperative Solutions for Space Security SWF-DHS Workshop on Community Remote Sensing:

Promoting Cooperative Solutions for Space Security SWF-DHS Workshop on Community Remote Sensing:

Promoting Cooperative Solutions for Space Security SWF-DHS Workshop on Community Remote Sensing: Citizen Science and Social Networks Ray A. Williamson Secure World Foundation rwilliamson@swfound.org 20 September 2010

467 views • 11 slides
Gamification Gerben Bakker Melanchthon Schiebroek Rotterdam gbakker@melanchthon.nl Subjects to

Gamification Gerben Bakker Melanchthon Schiebroek Rotterdam gbakker@melanchthon.nl Subjects to

Gamification Gerben Bakker Melanchthon Schiebroek Rotterdam gbakker@melanchthon.nl Subjects to be covered What is gamification? The promises The controversies Scientific basis Definition Gamification is the use of game design

1.24k views • 27 slides
Adaptive gamification Bogdan Bob Chebac bogdanchebac@gmail.com @chebacbogdan Agenda 1.

Adaptive gamification Bogdan Bob Chebac bogdanchebac@gmail.com @chebacbogdan Agenda 1.

Adaptive gamification Bogdan Bob Chebac bogdanchebac@gmail.com @chebacbogdan Agenda 1. Introduction 2. Gamification mechanics 3. Group Exercise 4. Repeat WHY Gamification? Because Games Are FUN 85% Of employees would spend more

975 views • 75 slides

More recommend