Password, Authentication, Password Managers - Week 4 - Frank Chen - PowerPoint PPT Presentation



SLIDE 1

Frank Chen | Spring 2017

CS 88S

Password, Authentication, Password Managers

Week 4

LastPass, a Password Manager Application

SLIDE 2

Agenda

  • Review last week’s material
  • Some Definitions
  • Password in the Cloud
  • How Password Cracking Works
  • Password Managers

SLIDE 3

Demonstration

The power of Google Analytics

SLIDE 4

Agenda

  • Review last week’s material
  • Some Definitions
  • Password in the Cloud
  • How Password Cracking Works
  • Password Managers

SLIDE 5

Phishing

Def: The activity of defrauding an online account holder of financial information by posing as a legitimate company

C I A (confidentiality, integrity, availability)

SLIDE 6

Social Engineering

Def: Psychological manipulation of people into performing actions or divulging confidential information

C I A (confidentiality, integrity, availability)

SLIDE 7

Malware

  • Adware
  • Bot
  • Ransomware
  • Rootkit
  • Spyware
  • Trojan Horse
  • Virus
  • Worm

C I A (confidentiality, integrity, availability)

SLIDE 8

Spam Email Classification

[Figure: a new, unlabeled email is fed into our "Magical" Classifier Model, which outputs one label OR the other]

*Slide content credit to Prof. Ameet Talwalkar

SLIDE 9

Anti-Virus Software

Def: computer software used to prevent, detect and remove malicious software.

SLIDE 10

Agenda

  • Review last week’s material
  • Some Definitions
  • Password in the Cloud
  • How Password Cracking Works
  • Password Managers

SLIDE 11

Password

Def: word or string of characters used to prove identity or gain access to a resource

SLIDE 12

Examples

Source: http://bit.ly/2epzvkE

SLIDE 13

Plaintext

Def: Unencrypted text that is not computationally tagged, specially formatted, or written in code. We don't want passwords to be stored in plaintext!

SLIDE 14

Hashing

Def: The process of turning your password into a fixed-length string of letters and numbers so that the password itself never has to be stored. Hashing is a one-way street: you can compute the hash from the password, but not the password from the hash.

SLIDE 15

3 Properties of Hashing

1. The same data will always produce the same hash (deterministic).
2. It is infeasible to recover the original data given knowledge of only the hash (preimage resistance).
3. It is infeasible to create another string of data that produces the same hash (second-preimage and collision resistance).

SLIDE 16

Hash Functions

Def: Mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size.

  • MD5: http://bit.ly/2pbzecq
  • SHA-1: http://bit.ly/2przKUs
  • SHA-2: http://bit.ly/2q5dDzB
  • For a list of hash functions: http://bit.ly/2pbAADN

(MD5 and SHA-1 are no longer collision resistant and should not be used in new designs; they appear here because leaked password files so often use them.)

SLIDE 17

Example: MD5 Hash

Source: http://bit.ly/2pVq5pb

MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
MD5("The quick brown fox jumps over the lazy dog.") = e4d909c290d0fb1ca068ffaddf22cbd0

Appending a single period changes the entire digest, while hashing the same sentence twice gives the same digest each time.
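As an added example (not part of the slides), the two digests above recomputed with Python's standard hashlib, together with a count of how many of the 128 bits change when the period is appended. The `FOX` string is the slide's own sentence; the function names are mine. It shows the first hashing property (same input, same hash) and the avalanche behaviour behind the second and third: a one-character change flips roughly half the bits.

```python
import hashlib


def md5_hex(text: str) -> str:
    """MD5 digest of a UTF-8 string as 32 hex characters (128 bits)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def sha1_hex(text: str) -> str:
    """SHA-1 digest of a UTF-8 string as 40 hex characters (160 bits)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must have the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


FOX = "The quick brown fox jumps over the lazy dog"  # the slide's example input


def demo() -> dict:
    """Deterministic: hashing FOX twice gives the same digest.
    Avalanche: FOX and FOX + "." share no useful structure in their digests."""
    first, again = md5_hex(FOX), md5_hex(FOX)
    with_period = md5_hex(FOX + ".")
    return {
        "same_input_same_hash": first == again,
        "bits_changed_by_one_period": differing_bits(first, with_period),
        "md5_bits": len(first) * 4,
        "sha1_bits": len(sha1_hex(FOX)) * 4,
    }


if __name__ == "__main__":
    print(md5_hex(FOX))
    print(md5_hex(FOX + "."))
    print(demo())
```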

SLIDE 18

Agenda

  • Review last week’s material
  • Some Definitions
  • Password in the Cloud
  • How Password Cracking Works
  • Password Managers

SLIDE 19

Authentication

Def: The act of confirming the truth of an entered piece of data (for a login: that the submitted password really belongs to the claimed username)

SLIDE 20

A typical Authentication Session

LOGIN SCREEN
  Username: fc1995
  Password: earl123

PASSWORD STORED ONLINE (SHA-1 HASH)
  fc1995: 4cf39465730e75ebbec21c67facaba7a08d82f0f

Hash the input password. Do the two hashes match?
  If YES: AUTHENTICATED! Proceed to your personal information/profile.
  If NO: DENIED! Try again.
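The session above as an added Python example (my code, not from the slides). It keeps exactly the scheme the slide draws, an unsalted SHA-1 per user, so that the cracking slides that follow apply to it unchanged; the user store, the `register`/`authenticate` names and the use of `hmac.compare_digest` for the final comparison are my additions. One detail the slide's flowchart does not show: the server should take the same time whether the username exists or the password is wrong, otherwise the login form leaks which usernames are valid.

```python
import hashlib
import hmac
from typing import Dict

# Server-side password store: username -> hex SHA-1 of the password.
# Constructed for this example; the slide's user is registered below.
PASSWORD_STORE: Dict[str, str] = {}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def register(username: str, password: str) -> None:
    """Store only the hash; the plaintext password is discarded."""
    PASSWORD_STORE[username] = sha1_hex(password)


def authenticate(username: str, password: str) -> bool:
    """Hash the submitted password and compare it with the stored hash.

    hmac.compare_digest compares in constant time, so a mismatch in the first
    hex digit takes as long as a mismatch in the last. An unknown username
    still performs a comparison (against a dummy digest) so that the response
    time does not reveal whether the account exists.
    """
    candidate = sha1_hex(password)
    stored = PASSWORD_STORE.get(username)
    if stored is None:
        hmac.compare_digest(candidate, sha1_hex(""))  # same work, always False
        return False
    return hmac.compare_digest(candidate, stored)


register("fc1995", "earl123")  # the user and password from the slide

if __name__ == "__main__":
    print("AUTHENTICATED" if authenticate("fc1995", "earl123") else "DENIED")
    print("AUTHENTICATED" if authenticate("fc1995", "earl124") else "DENIED")
```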

SLIDE 21

Additional Precautions

  • Timeout (lock the account or slow down logins after repeated failed attempts)
  • 2 Factor Authentication
  • Notifications when a login comes from a different device

SLIDE 22

A lot of headlines...

Source: http://bit.ly/2hylQcc
Source: http://bit.ly/1O1Md2G
Source: http://tcrn.ch/2lLC3Pv

SLIDE 23

Agenda

  • Review last week’s material
  • Some Definitions
  • Password in the Cloud
  • How Password Cracking Works
  • Password Managers

SLIDE 24

Password Cracking

Def: The process of recovering passwords from data that have been stored in or transmitted by a computer system

SLIDE 25

Examples (Revisited)

Source: http://bit.ly/2epzvkE

SLIDE 26

What makes a Password Strong?

Source: http://bit.ly/2epzvkE

A STRONG password resists guessing. The less your password resembles regular English words and common patterns, the longer it will take a cracking tool, which simply tries candidates one after another, to guess it.

SLIDE 27

Dictionary Attack

Def: an attempted illegal entry to a computer system that uses a dictionary list to generate possible passwords.

SLIDE 28

A typical Dictionary Attack

PASSWORD FROM DICTIONARY
  ...Dog, Dogs, Dogcatcher, Dogcatchers, Dogberry, Dogberries, Dogma, Dogmatic, Dogmatized, ...
  plus simple variations: Dog1, Dog2, Dog3, Dog4, ...

PASSWORD FILE (SHA-1 HASH)
  fc1995: 4cf39465730e75ebbec21c67facaba7a08d82f0f

Hash the candidate password. Do the two hashes match?
  If YES: RETRIEVED THE PASSWORD. Proceed to use the password to log in to the account.
  If NO: CONTINUE with the next candidate.

An online dictionary attack against a login form is throttled by the server and may manage only around 1000 attempts per minute. An offline attack against a stolen hash file has no such limit: a single GPU computes billions of SHA-1 hashes per second, and because the file is unsalted each candidate is hashed once and compared against every user's entry at the same time.
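The offline loop above as an added Python example (my code, not from the slides). The three-user SHA-1 file is constructed here from known passwords so the example runs on its own; in a real leak only the hash column is known. The wordlist and the mangling rules (capitalise, upper-case, append 1..999, as in the slide's Dog1, Dog2, ...) are mine. The reverse index from hash to usernames is the point: one hash computation tests a candidate against every account, which is exactly what salting (a later slide) takes away.

```python
import hashlib
from typing import Dict, Iterator, List


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed "leaked" password file: username -> unsalted SHA-1 hex digest.
LEAKED_FILE: Dict[str, str] = {
    "fc1995": sha1_hex("earl123"),                  # the slide's user
    "bob":    sha1_hex("Dogma"),                    # a capitalised dictionary word
    "alice":  sha1_hex("blue-otter-paprika-73"),    # not derivable from the wordlist
}

# Constructed wordlist; real attacks use lists of hundreds of millions of entries.
WORDLIST: List[str] = ["dog", "dogma", "earl", "password", "letmein"]


def candidates(words: List[str], max_suffix: int = 999) -> Iterator[str]:
    """Each dictionary word plus the cheap mangling rules cracking tools apply:
    capitalisation, upper-casing, and a numeric suffix (Dog1, Dog2, ...)."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for n in range(1, max_suffix + 1):
                yield f"{base}{n}"


def dictionary_attack(leaked: Dict[str, str], words: List[str]) -> Dict[str, str]:
    """Return {username: recovered_password} for every account whose hash
    matches some candidate. Each candidate is hashed exactly once."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in leaked.items():
        by_hash.setdefault(digest, []).append(user)

    cracked: Dict[str, str] = {}
    for guess in candidates(words):
        hit = by_hash.get(sha1_hex(guess))
        if hit:
            for user in hit:
                cracked[user] = guess
            if len(cracked) == len(leaked):
                break  # nothing left to crack
    return cracked


if __name__ == "__main__":
    print(dictionary_attack(LEAKED_FILE, WORDLIST))
```

Only `alice`, whose password is not a dictionary word with a small suffix, survives this list; that is the "resists guessing" property of the previous slide in practice, not a guarantee against a larger list.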

SLIDE 29

John the Ripper

Password Cracker

SLIDE 30

Rainbow Tables

Def: a table of precomputed hashes, so an attacker does not need to perform hashing on every dictionary attack attempt. (Strictly, a rainbow table stores chains of hash-and-reduce steps rather than every hash, trading a little recomputation for far less storage, but the effect is the same: because the same password always hashes to the same value, one precomputation serves every unsalted password database.)

SLIDE 31

Solution: Add Salt

Def: salt is random data used as an additional input to the one-way function that hashes a password or passphrase. Conceptually the salt is added to the front of the password before hashing. A fresh random salt is generated for every user and stored next to the hash; it does not need to be secret. Two users with the same password now get different hashes, and a precomputed table built for unsalted hashes is useless: the attacker must hash the whole dictionary again for every salt.
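An added Python example (my code, not from the slides) covering both the Rainbow Tables and the Add Salt slides: a salted store in which the salt is prepended to the password exactly as described, two users who share the password `earl123`, and an attacker's precomputed table of unsalted SHA-1 digests. The store, the table's contents and the function names are constructed for the example. The checks show that the two users' hashes differ and that the precomputed table no longer finds either of them, while normal verification still works.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# username -> (salt, hex SHA-1 of salt || password). Constructed for the example.
SALTED_STORE: Dict[str, Tuple[bytes, str]] = {}


def hash_with_salt(password: str, salt: bytes) -> str:
    """Salt in front of the password, then hash, as the slide describes."""
    return sha1_hex(salt + password.encode("utf-8"))


def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
    SALTED_STORE[username] = (salt, hash_with_salt(password, salt))


def verify(username: str, password: str) -> bool:
    entry = SALTED_STORE.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(hash_with_salt(password, salt), stored)


# The attacker's precomputed table: unsalted digest -> password. Constructed;
# a real lookup or rainbow table would cover billions of candidates.
PRECOMPUTED: Dict[str, str] = {
    sha1_hex(p.encode("utf-8")): p
    for p in ["earl123", "password", "Dogma", "123456"]
}


def lookup_precomputed(stored_hash: str) -> Optional[str]:
    """What the attacker can do with a stolen hash and no further hashing."""
    return PRECOMPUTED.get(stored_hash)


register("fc1995", "earl123")
register("bob", "earl123")  # same password as fc1995


def demo() -> dict:
    (_, h_fc), (_, h_bob) = SALTED_STORE["fc1995"], SALTED_STORE["bob"]
    return {
        "same_password_same_hash": h_fc == h_bob,      # False once salted
        "table_hit_fc1995": lookup_precomputed(h_fc),   # None: table is useless
        "table_hit_bob": lookup_precomputed(h_bob),     # None
        "verify_ok": verify("fc1995", "earl123"),       # True
        "verify_wrong": verify("fc1995", "earl124"),    # False
    }


if __name__ == "__main__":
    print(demo())
```

Salt removes the precomputation shortcut and the one-hash-tests-all-users shortcut, nothing more: a per-user dictionary attack at GPU speed still works against salted SHA-1. Production systems therefore pair the salt with a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2), which the slides do not cover.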

SLIDE 32

Source: http://bit.ly/2p24ytZ

SLIDE 33

Case Study: eHarmony

SLIDE 34

What does the leak mean?

eHarmony password hash (md5 unsalted): http://bit.ly/2nsJOZl

  • Most leaked files are hashed
  • Some are in plaintext!?
  • Others are hashed and salted

SLIDE 35

Dictionary Attack on CrackStation

CrackStation's huge wordlist: 1,493,677,782 entries, 15,171,326,912 bytes (about 15 GB) on disk

SLIDE 36

Result of eHarmony Brute Force Attack

275,860 (18.2%) of the passwords retrieved in 23.47 hours

Source: http://bit.ly/2nsJOZl

SLIDE 37

How long would it take if the hashes were salted?

Over 30 years

Source: http://bit.ly/2nsJOZl

SLIDE 38

Let's look at some Math!

Source: http://bit.ly/2oFNxTn

SLIDE 39

Source: http://bit.ly/1M88D3U

SLIDE 40

Tools

  • Aircrack-ng: https://www.aircrack-ng.org/
  • hashcat: https://hashcat.net/hashcat/
  • John the Ripper: http://www.openwall.com/john/

SLIDE 41

Agenda

  • Review last week’s material
  • Some Definitions
  • Password in the Cloud
  • How Password Cracking Works
  • Password Managers

SLIDE 42

Password Manager

Def: Software application or hardware that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password from which the encryption key is derived; everything in the vault is therefore only as safe as that one master password.

SLIDE 43

Lastpass

Password Managers can be hacked! http://bit.ly/2q38isq

SLIDE 44

1Password

Source: https://1password.com/

SLIDE 45

Should you use a Password Manager?

PROS

  • Balance of convenience and security
  • Portability
  • Secure Storage
  • Not just for passwords

CONS

  • Single point of failure
  • Trusting in the Cloud
  • Not necessary for some people

Source: http://bit.ly/2pZCcPc

SLIDE 46


Manage your password well!

https://haveibeenpwned.com/

SLIDE 47

Next Week...

The Keybase app helps you perform secure operations with people you know on the Internet via asymmetric key cryptography.