measuring password strength by
play

Measuring password strength by simulating password-cracking - PowerPoint PPT Presentation

Feb 07, 2024 •950 likes •1.88k views

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick Gage Kelley, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor,

  1. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick Gage Kelley, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio López C yLab U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1

  2. Recent Data Breaches Affected users Gawker 1,300,000 Sony 25,000,000 Battlefield Heroes 550,000 Sega 1,300,000 Booz Allen Hamilton 90,000 Bloggtoppen 90,000 Valve 700,000 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 2

  3. “The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked. This, I'm afraid, is a serious threat; it means that anyone who uses the same email/password on other systems is now vulnerable to a malicious attacker using that information to access their account.” Jeremy White, CEO of Codeweavers October 2011 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 3

  4. Threat Model Offline Attack  Attacker has password file  Needs to guess passwords to crack them CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 4

  5. Threat Model Offline Attack  Attacker has password file  Needs to guess passwords to crack them  Attacker can make many guesses  Smart guessing strategy CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 5

  6. Guessing Strategy Dumb attacker Smart attacker aaaaaaaa 123456789 aaaaaaab password aaaaaaac iloveyou aaaaaaad princess aaaaaaae 12345678 … … Smart attacker uses data to crack passwords more quickly CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 6

  7. Threat Model Offline Attack  Attacker has password file  Needs to guess passwords to crack them  Attacker can make many guesses  Smart guessing strategy CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 7

  8. Password-composition Policies  Intended to make passwords harder to guess CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 8

  9. Password-composition Policies CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 9

  11. Existing Guidance

  12. Existing Guidance  NIST guide not based on empirical evidence  No empirical data on user behavior CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 12

  13. Password-composition Policies  Users can struggle to create and remember complex passwords [Zviran & Haga 1999, Procter et al. 2002, Yan et al. 2004, Vu et al. 2007, and many others…]  Security can suffer if usability is poor [Sasse et al. 2001, and many others…] CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 13

  14. Contributions  Measured guessability across seven password- composition policies – Threat model: offline attack  Studied the impact of tuning and data selection on policy evaluation  Compare security metrics across policies – Correlate security with usability CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 14

  15. Policy Metrics  Guessability – Measure of how easy it is to guess passwords  Estimated entropy [Our previous work 2010] NIST “entropy” [NIST SP 800 -63] Usability [CHI 2011] – Login failures – Reported sentiment – Writing down CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 15

  16. Policy Metrics  Guessability – Measure of how easy it is to guess passwords  Estimated entropy [Our previous work 2010]  NIST entropy [NIST SP 800-63]  Usability [Our previous work 2011] – Login failures – Reported sentiment – Writing down CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 16

  17. Guessability  Measure of password strength Stronger = less guessable  Guess number: The number of attempts needed to guess a password CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 17

  18. Guessability Bob’s password Attacker’s guesses iloveyou 1 123456789 2 password 3 iloveyou 4 princess … CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 18

  19. Guessability Bob’s password Attacker’s guesses iloveyou 1 123456789 Guess number 2 password 3 3 iloveyou 4 princess … CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 19

  20. Measuring Guessability A long time password abcdefgh password17 aceofbase password- hashed guessing passwords tool Traditional approach: Run cracking tool CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 20

  21. Offline Attack Speed Single-core CPU 1,500 guesses/s sha512 130,000,000 guesses/day sha512 2,200,000,000 guesses/day md5 Mid-level GPU 34,000,000,000 guesses/day md5 Source: John the Ripper Test Mode and Wiki (openwall.info) CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 21

  22. Measuring Guessability password: 2 password abcdefgh: 19546 abcdefgh password17: 1.4  10 6 password17 aceofbase: 3  10 4 aceofbase jnfksl834df: never jnfksl834df password- plaintext guessing passwords calculator Our approach: Calculate guess numbers directly CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 22

  23. Threat Model  Offline attacker that can make a huge number of guesses – This paper: 50 trillion (5 x 10 13 ) guesses on each password • 25,000 CPU days with MD5 hashes CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 23

  24. Selecting an Attacker  John the Ripper  Markov model [Narayanan and Shmatikov 2005]  Weir’s probabilistic context -free grammar [Weir et al. 2009] CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 24

  25. Selecting an Attacker  John the Ripper  Markov model [Narayanan and Shmatikov 2005]  Weir’s probabilistic context -free grammar – Performed best – Previous work found similar result [Weir et al. 2010, Zhang et al. 2010] CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 25

  26. Training Data  Leaked datasets – RockYou (32M passwords) – MySpace (47K passwords) Dictionaries – Openwall – Unix dictionary – Inflection list Collected passwords CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 26

  27. Training Data  Leaked datasets – RockYou (32M passwords) – MySpace (47K passwords)  Dictionaries – Openwall (40M passwords) – Unix dictionary (235K words) – Inflection list (162K words)  Collected passwords (12K total passwords) CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 27

  28. Threat Model  Offline attacker that can make up to 50 trillion guesses  Order of guesses based on Weir’s algorithm – Attacker learns from training data • Leaked data plus collected passwords • Attacker has limited knowledge of the target policy CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 28

  29. Data Collection  Mechanical Turk used for anonymous recruitment and payment – Enabled study of many participants • 1,000+ per condition – Well-designed studies can produce high-quality data [Burhmester et al. 2011] – Workers prevented from participating multiple times – Payment: 55¢ + 70¢ CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 29

  30. Study Design  Hypothetical email scenario for password creation Steps: 1. Create a password under a randomly assigned condition 2. Take a survey 3. Recall password 4. Return in two days CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 30

  31. Condition: Basic8 password NIST estimate: 18 bits CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 31

  32. Condition: Dictionary8 sapsword NIST estimate: 24 bits CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 32

  33. Condition: Comprehensive8 Sapsword1! NIST estimate: 30 bits CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 33

  34. Condition: Basic16 passwordpassword NIST estimate: 30 bits CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 34

  35. Condition: Blacklist x 3  Blacklists: – Easy: 235K Unix dictionary – Medium: 40M entry cracking wordlist – Hard: 5B guesses from Weir  Only requirement is that candidate password is not on a blacklist NIST estimate: 24 bits CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 35

  36. Contributions  Measured guessability across seven password- composition policies – Threat model: offline attack  Studied the impact of tuning and test-set selection on policy evaluation  Compare security metrics across policies – Correlate security with usability CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 36

  37. Guessability Results – Basic8 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory Masters Students The Center for Education and Research in Information Assurance and Security CURRENT STATUS Problem Statement Stringent

286 views • 15 slides
Use of Concrete Maturity For Use of Concrete Maturity For Measuring In-Place Strength of

Use of Concrete Maturity For Use of Concrete Maturity For Measuring In-Place Strength of

Use of Concrete Maturity For Use of Concrete Maturity For Measuring In-Place Strength of Measuring In-Place Strength of Concrete Concrete Prasad Rangaraju, Ph.D., P.E. Assistant Professor Department of Civil Engineering Clemson University

1.08k views • 63 slides
Measuring Tie-Strength in Implicit Social Networks Tina

Measuring Tie-Strength in Implicit Social Networks Tina

Measuring Tie-Strength in Implicit Social Networks Tina Eliassi-Rad !na@eliassi.org Joint with Mangesh Gupte (Rutgers Google) 1 Problem Defini@on

975 views • 49 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
From Very Weak to Very Strong : Analyzing Password-Strength Meters Xavier de Carn de Carnavalet

From Very Weak to Very Strong : Analyzing Password-Strength Meters Xavier de Carn de Carnavalet

NDSS 2014 Presentation, Feb 25, 2014 From Very Weak to Very Strong : Analyzing Password-Strength Meters Xavier de Carn de Carnavalet Mohammad Mannan Concordia University, Montreal, Canada X. de Carn de Carnavalet NDSS14: Analyzing

608 views • 27 slides
Studying the Impact of Managers on Password Strength and Reuse Authors: Sanam Ghorbani Lyastani

Studying the Impact of Managers on Password Strength and Reuse Authors: Sanam Ghorbani Lyastani

Studying the Impact of Managers on Password Strength and Reuse Authors: Sanam Ghorbani Lyastani , Michael Schilling, Sascha Fahl, Sven Bugiel , Michael Backes CISPA, Saarland University, Saarland University, Leibniz

535 views • 31 slides
Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK

Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK

S TATISTICAL METRICS FOR INDIVIDUAL PASSWORD STRENGTH Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK April 12, 2012 Joseph Bonneau (University of Cambridge) Individual password strength

361 views • 21 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com What is Team Password Manager - Password manager for groups and projects - Uses projects to group passwords - Secure, fine grained password sharing -

712 views • 9 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
Accuracies and Biases in Modeling Password Guessability Blase Ur, Sean M. Segreti, Lujo Bauer,

Accuracies and Biases in Modeling Password Guessability Blase Ur, Sean M. Segreti, Lujo Bauer,

Measuring Real-World Accuracies and Biases in Modeling Password Guessability Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher, Richard Shay

1.35k views • 114 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 4 Password Strength & Cracking Roadmap Password Authentication How Passwords are

512 views • 32 slides
Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena, Maliheh Shirvanian (UA Birmingham)

750 views • 32 slides
Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides
LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your Master Key When you forget a password, they send a reset link to your email. Anyone with access to your email has the power to reset your other

549 views • 31 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap Password

750 views • 31 slides
Towards Leibnizs Goal of a Computational Metaphysics Edward N. Zalta Center for the Study of

Towards Leibnizs Goal of a Computational Metaphysics Edward N. Zalta Center for the Study of

MotivesMethods CountermodelsErrors Strength of Premise Sets ConsistencyModels Theorems Epistemology Bibliography Towards Leibnizs Goal of a Computational Metaphysics Edward N. Zalta Center for the Study of Language and

815 views • 36 slides
Heidi ONeill, President, NIKE Direct : Good morning, everyone. I'm Heidi O'Neill, President of

Heidi ONeill, President, NIKE Direct : Good morning, everyone. I'm Heidi O'Neill, President of

Heidi ONeill, President, NIKE Direct : Good morning, everyone. I'm Heidi O'Neill, President of NIKE Direct. Adam Sussman, Chief Digital Officer: And I'm Adam Sussman, Chief Digital Officer. Heidi ONeill, President, NIKE Direct: As you've

1.89k views • 13 slides
Regularization INFO-4604, Applied Machine Learning University of Colorado Boulder September 20,

Regularization INFO-4604, Applied Machine Learning University of Colorado Boulder September 20,

Regularization INFO-4604, Applied Machine Learning University of Colorado Boulder September 20, 2018 Prof. Michael Paul Generalization Prediction functions that work on the training data might not work on other data Minimizing the training

750 views • 32 slides
Outline for Today Wednesday, Nov. 28 Chapter 11: Intermolecular Forces and Liquids

Outline for Today Wednesday, Nov. 28 Chapter 11: Intermolecular Forces and Liquids

Outline for Today Wednesday, Nov. 28 Chapter 11: Intermolecular Forces and Liquids Intermolecular Foces Properties of Liquids Vapor Pressure Phase Changes 1 Intermolecular Forces London Dispersion : Attraction between

894 views • 23 slides
JUST THE MATHS SLIDES NUMBER 19.1 PROBABILITY 1 (Definitions and rules) by A.J.Hobson

JUST THE MATHS SLIDES NUMBER 19.1 PROBABILITY 1 (Definitions and rules) by A.J.Hobson

JUST THE MATHS SLIDES NUMBER 19.1 PROBABILITY 1 (Definitions and rules) by A.J.Hobson 19.1.1 Introduction 19.1.2 Application of probability to games of chance 19.1.3 Empirical probability 19.1.4 Types of event 19.1.5 Rules of

623 views • 9 slides
Drainage Installation and Inspection Hank Gottschalk Concrete Pipe & Precast, LLC Buried

Drainage Installation and Inspection Hank Gottschalk Concrete Pipe & Precast, LLC Buried

Drainage Installation and Inspection Hank Gottschalk Concrete Pipe & Precast, LLC Buried Pipeline Structure Conduit Buried Pipeline Structure Pipe + Soil Strength Strength Buried Pipeline Conduit Alignment + Secure Grade

540 views • 36 slides
D3 Tutorial Force-directed Layout Edit by Jiayi Xu and Han-Wei Shen, The Ohio State University

D3 Tutorial Force-directed Layout Edit by Jiayi Xu and Han-Wei Shen, The Ohio State University

D3 Tutorial Force-directed Layout Edit by Jiayi Xu and Han-Wei Shen, The Ohio State University Force-directed Layout Automatically position nodes in an aesthetically pleasing way Uses a physics based simulator for positioning visual

644 views • 32 slides
Beating the bookie A look at statistical models for prediction of football matches Helge Langseth

Beating the bookie A look at statistical models for prediction of football matches Helge Langseth

Beating the bookie A look at statistical models for prediction of football matches Helge Langseth Norwegian University of Science and Technology SCAI 2013 1 Helge Langseth Beating the bookie Building a model for match outcomes Suppose we

688 views • 13 slides

More recommend