[PPT] - PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli PowerPoint Presentation

SLIDE 1

PASSWORDS

CS682: Advanced Security Topics

Vasiliki Panteli

3/9/2020 Passwords 1

SLIDE 2

Passwords

Passwords is a user authentication

mechanism that is widely adopted for many years

Methods for user authentication:
Something you know (password)
Something you have (mobile phone)
Something you are (biometrics)

3/9/2020 Passwords 2

SLIDE 3

1st Paper:

3/9/2020 Passwords 3

The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Scheme

Bonneau J., Herley C., Van Oorschot P. C., Stajano F.

SLIDE 4

1st Paper Overview

Introduction
Problem
Proposal
Framework Analysis
Properties
Weights
Schemes Evaluation
Conclusion

3/9/2020 Passwords 4

SLIDE 5

Introduction – Problem

Passwords are plagued with

security problems

Passwords are not replaced by

any of the numerous proposals from the research community

3/9/2020 Passwords 5

SLIDE 6

Introduction – Proposal

The authors propose a framework which provides an evaluation of

already proposed password-replacement schemes

It can be used as a benchmark for future password replacement

proposals

25 different properties where tested against 35 password-

replacement schemes (9 of them are analyzed in the paper)

3/9/2020 Passwords 6

SLIDE 7

Framework Analysis - Benefits

Each scheme is rated as either offering or not offering the benefit
Example of “Quasi”:
Memorywise-Effortless: Users of the scheme do not have to remember any

secrets at all.

Quasi-Memorywise-Effortless: Users have to remember one secret for

everything.

Framework analysis has 3 categories: Usability, Deployability, Security

3/9/2020 Passwords 7

SLIDE 8

Properties – Usability

1. Memorywise-Effortless
2. Scalable-for-Users
3. Nothing-to-Carry
4. Physically-Effortless
5. Easy-to-Learn
6. Efficient-to-Use
7. Infrequent-Errors
8. Easy-Recovery-from-Loss

3/9/2020 Passwords 8

SLIDE 9

Properties – Deployability

1. Accessible
2. Negligible-Cost-per-User
3. Server-Compatible
4. Browser-Compatible
5. Mature
6. Non-Proprietary

3/9/2020 Passwords 9

SLIDE 10

Properties – Security

1. Resilient-to-Physical-Observation
2. Resilient-to-Targeted-Impersonation
3. Resilient-to-Throttled-Guessing
4. Resilient-to-Unthrottled-Guessing
5. Resilient-to-Internal-Observation

3/9/2020 Passwords 10

SLIDE 11

Properties – Security

6. Resilient-to-Leaks-from-Other-Verifiers
7. Resilient-to-Phishing
8. Resilient-to-Theft
9. No-Trusted-Third-Party
10. Requiring-Explicit-Consent
11. Unlinkable

3/9/2020 Passwords 11

SLIDE 12

Weights

Some benefits are more important than others depending on the

specific goal for which the scheme is being compared

3/9/2020 Passwords 12

STEP1 • Examine and score each individual scheme on each benefit STEP2

Compare competing schemes to identify precisely which

benefits each offers over the other

STEP3

Determinate a ranking with weights that take into account the

relative importance of the benefit

SLIDE 13

Weights

3/9/2020 Passwords 13

SLIDE 14

Evaluation – Legacy Passwords

ARE ARE NOT

1. Nothing-to-Carry
2. Easy-to-Learn
3. Efficient-to-Use
4. Easy-Recovery-from-Lost
5. Accessible
6. Negligible-Cost-per-User
7. Server-Compatible
8. Browser-Compatible
9. Mature

10.Non-Proprietary 11.Resilient-to-Theft 12.No-Trusted-Third-Party 13.Unlinkable

1. Memory-Effortless
2. Scalable-for-Users
3. Physically-Effortless
4. Resilient-to-Physical-Observation
5. Resilient-to-Throttled-Guessing
6. Resilient-to-Unthrottled-Guessing
7. Resilient-to-Internal-Observation
8. Resilient-to-Leaks-from-Other-Verifiers
9. Resilient-to-Phishing

3/9/2020 Passwords 14

SLIDE 15

Evaluation – Encrypted password managers: Mozilla Firefox

3/9/2020 Passwords 15

User Website 1 password Website 2 password Website 3 password

Mozilla Firefox

master password

SLIDE 16

Evaluation – Encrypted password managers: Mozilla Firefox

3/9/2020 Passwords 16

IS IS NOT

1. Scalable-for-Users 2. Easy-to-Learn 3. Efficient-to-Use 4. Infrequent-Errors 5. Resilient-to-Phishing 6. Resilient-to-Theft 7. No-Trusted-Third-Party 8. Requiring-Explicit-Consent 9. Unlinkable

10. Negligible-Cost-per-User
11. Mature
12. Accessible
13. Server-Compatible
14. Non-Proprietary
15. Quasi-Memorywise-Effortless
16. Quasi-Nothing-To-Carry
17. Quasi-Physically-Effortless
18. Quasi-Resilient-to-Physical-Observation
19. Quasi-Resilient-to-Targeted-Impersonation
1. Easy-Recovery-from-Loss
2. Resilient-to-Throttled-Guessing
3. Resilient-to-Unthrottled-Guessing
4. Resilient-to-Internal-Observation
5. Resilient-to-Leaks-from-Other-Verifiers
6. Browser-Compatible

SLIDE 17

Evaluation – Federated Single Sign-On: OpenID

3/9/2020 Passwords 17

User Single Sign-On Website 1 Website 2 Website 3

SLIDE 18

Evaluation – Federated Single Sign-On: OpenID

3/9/2020 Passwords 18

IS IS NOT

1. Scalable-for-Users 2. Nothing-to-Carry 3. Efficient-to-Use 4. Infrequent-Errors 5. Easy-Recovery-from-Loss 6. Accessible 7. Negligible-Cost-per-User 8. Mature 9. Non-Proprietary

10. Browser-Compatible
11. Quasi-Memorywise-Effortless
12. Quasi-Physically-Effortless
13. Quasi-Easy-to-Learn
14. Resilient-to-Leaks-from-Other-Verifiers
15. Quasi-Resilient-to-Throttled-Guessing
16. Quasi-Resilient-to-Unthrottled-Guessing
17. Quasi-Resilient-to-Targeted-Impersonation
18. Quasi-Resilient-to-Physical-Observation

1. Server-Compatible 2. Resilient-to-Internal-Observation 3. Resilient-to-Phishing 4. Unlinkable 5. No-Trusted-Third-Party

SLIDE 19

Evaluation – Graphical Passwords: PCCP

3/9/2020 Passwords 19

User Login

SLIDE 20

Evaluation – Graphical Passwords: PCCP

IS IS NOT

1. Easy-to-Learn
2. Negligible-Cost-per-User
3. Browser-Compatible
4. Non-Proprietary
5. Resilient-to-Targeted-Impersonation
6. Resilient-to-Leaks-from-Other-Verifiers
7. Resilient-to-Phishing
8. Unlinkable
1. Memorywise-Effortless
2. Scalable-for-Users
3. Accessible
4. Server-Compatible
5. Mature
6. Resilient-to-Physical-Observation
7. Resilient-to-Unthrottled-Guessing
8. Resilient-to-Internal-Observation

3/9/2020 Passwords 20

SLIDE 21

Evaluation – Cognitive authentication: GrIDsure

3/9/2020 Passwords 21

User

Choose a pattern

User

2 4 5 6 4 6 8 5 4 9 6 4 6 7 8 5 4 7 9 5 7 8 5 Write the pattern

SLIDE 22

Evaluation – Cognitive authentication: GrIDsure

IS IS NOT

1. Nothing-to-Carry
2. Easy-to-Learn
3. Easy-Recovery-from-Lost
4. Negligible-Cost-per-User
5. Browser-Compatible
6. Resilient-to-Targeted-Impersonation
7. Resilient-to-Throttled-Guessing
8. Resilient-to-Unthrottled-Guessing
9. Quasi- Efficient-to-Use
1. Memory-Effortless
2. Scalable-for-Users
3. Physically-Effortless
4. Accessible
5. Server-Compatible
6. Mature
7. Non-Proprietary
8. Resilient-to-Physical-Observation
9. Resilient-to-Internal-Observation

3/9/2020 Passwords 22

SLIDE 23

Evaluation – Other schemes

1. Proxy – Based: URRSA
2. Paper tokens: OTPW
3. Hardware tokens: RSA SecureID
4. Mobile-Phone-based: Phoolproof
5. Biometrics: Fingerprint recognition

3/9/2020 Passwords 23

SLIDE 24

3/9/2020 Passwords 24

SLIDE 25

Conclusions

Most schemes do better than passwords on security
Every scheme does worse than passwords on deployability
This paper can help research community to evaluate their user

authentication proposal using this framework and adjusting it to their needs:

Add weights
Add more benefits

3/9/2020 Passwords 25

SLIDE 26

2nd Paper:

3/9/2020 Passwords 26

The Tangled Web of Password Reuse

Das, A., Bonneau, J., Caesar, M., Borisov, N., & Wang, X. (2014, February)

SLIDE 27

2nd Paper Overview

Introduction
Relative Work
Measurement Study
Survey
Guessing Algorithm
Conclusions

3/9/2020 Passwords 27

SLIDE 28

Introduction

In this paper the authors:
Estimate the rate of password reuse
Examine how reusing passwords can

benefit the attackers

Analyze the similarity of non-identical

passwords

Developed a password-guessing algorithm

3/9/2020 Passwords 28

SLIDE 29

Relative Work

Zhang et al.
Drawback: Their password analysis is based on a single source so they

examine one password composition policy

Florencio et al.
Drawback: Only considered identical passwords and not related ones (with

modifications)

Weir et al.
Drawback: Focus on cracking passwords in an offline scenario

3/9/2020 Passwords 29

SLIDE 30

3/9/2020 Passwords 30

A typical Internet user estimated to have 25 distinct online account
Users often reuse passwords across accounts on different online service

SLIDE 31

Measurement Study

Understand how often users reuse passwords across sites
Understand the specific approaches the users use to vary their

password at different sites

In the measurement study the authors take into consideration the

password composition policies

3/9/2020 Passwords 31

SLIDE 32

Password Composition policies

In order to increase the security over the websites, online services
ften use composition policies or metrics, as it is proven that they do

help users to choose stronger passwords.

Example:
Passwords must not contain the user’s entire name/user ID
At least n characters
Passwords must contain characters from two or more of the following

categories:

Uppercase characters
Lowercase characters
Base 10 digits
Non-alphanumeric ASCII characters

3/9/2020 Passwords 32

SLIDE 33

Data Set

Collected publicly available leaked

passwords

Data analysed to find users with at

least two passwords leaked:

6077 unique users
Used “John the Ripper toolkit” to

crack hashed passwords

3/9/2020 Passwords 33

SLIDE 34

Password Similarity – String similarity metrics

Distance-like functions Manhattan Cosine Edit-distance like functions Levenshtein Damerau-Levenshtein Token-based distance functions Dice Overlap Alignment-like functions Smith-Waterman Neddleman Wunsch Largest Common Subsequence (LCS)

3/9/2020 Passwords 34

SLIDE 35

Password Similarity

3/9/2020 Passwords 35

Different users – Same Websites Different users – Different websites

Within the same website or different website different users use significantly different passwords

SLIDE 36

Password Similarity

3/9/2020 Passwords 36

Same users – Different Websites:

40% of the passwords have similarity score [0.9, 1.0]

Same users – Different websites Non-identical passwords:

30% of the non-identical passwords have similarity score [0.8, 1.0]

We find that same users tend to reuse/modify their passwords.

SLIDE 37

Survey

To

understand why users modify their passwords and what modifications they do

The survey was answered by students and professional staff across

several departments at universities

224 responses

3/9/2020 Passwords 37

SLIDE 38

Survey findings

77% of participants either modify or

reuse existing passwords when choosing a password for a new account.

98% tend to insert at front or end of

password digits or symbols.

33% of participants modify their

passwords to fulfill password constraints enforced by the different websites.

61% of participants memorize their

passwords.

3/9/2020 Passwords 38

SLIDE 39

Guessing Algorithm – The idea

3/9/2020 Passwords 39

Leaked Password Candidate Password 1 Candidate Password 2 Candidate Password 3 Candidate Password 4

target

Guessing Algorithm

SLIDE 40

Guessing Algorithm

Character sequence
Deletions
Insertions
Capitalizations
Reversals
Leet-speak
Substring movement
Subword modification

3/9/2020 Passwords 40

SLIDE 41

Guessing Algorithm – Character Sequence

Splits the password into tokens
Tries different permutations of tokens as candidate passwords
If the candidate password is not the target password, then the token is

modified:

extending it to including the next character of the sequence

“qwer” -> “qwert”

replacing the token with a similar size token belonging to the same category

“qwer” -> “1234”

3/9/2020 Passwords 41

SLIDE 42

Guessing Algorithm – Deletions

Guess the deletion transformation
Deletes characters that belong in one of the following set:
{Digit, Symbol, Uppercase letter, Lowercase letter}
If the target is not found, the algorithm reverts the password back to

the original one

Try sequentially deleting characters from the front of the string, then

the back and then the combination of both.

3/9/2020 Passwords 42

SLIDE 43

Guessing Algorithm – Insertions

Guess the insertion transformation
Inserts numbers and symbols at the front and end (from survey)
Inserts individual characters from missing groups
{Digit, Symbol, Uppercase letter, Lowercase letter}
Example:
“helloWord!” -> “1helloWord!”
“superstr0ngp@ssword” -> “Superstr0ngp@ssword”

3/9/2020 Passwords 43

SLIDE 44

Guessing Algorithm – Capitalization

Capitalizes all letters in the string at once
If it’s not the target password then it capitalizes the letters from the

front, then back and the combination of both.

Example:
“helloworld”
Candidate passwords:
“HELLOWORLD”
“Helloworld”
“HElloworld”

3/9/2020 Passwords 44

SLIDE 45

Guessing Algorithm – Reversals

Revers the input password
Example:
“helloworld” would be transform into “dlrowolleh”

3/9/2020 Passwords 45

SLIDE 46

Guessing Algorithm – Leet-speak

Tries the popular leet transformations:
o -> 0
a -> @
s -> $
i -> 1
e -> 3
t -> 7
Example:
“helloworld” would transform into “h3ll0w0rld”

3/9/2020 Passwords 46

SLIDE 47

Guessing Algorithm – Substring movement

Splits the input password into substrings where the characters belong

to the same group of {Digit, Symbol, Uppercase letter, Lowercase letter}

Example:
“xyz@123” would split into “xyz”, “@”, “123”
Candidate passwords:
“123@xyz”
“@123xyz”
“xyz123@”

3/9/2020 Passwords 47

SLIDE 48

Guessing Algorithm – Subword modification

Splits the input password based on common English words
Capitalizes the first one
Rearranges the words in different orders
Example:
“darkknight” would split into “dark” and “knight”
Candidate passwords:
“DarkKnight”
“KnightDark”

3/9/2020 Passwords 48

SLIDE 49

Guessing Algorithm – Evaluation

Authors approach:
Can guess 30% in 10 attempts
Can guess 80% in 100 attempts
ED approach:
Can guess 65% in million attempts
Proposed Guesser Algorithm is more

suitable for online attacks

3/9/2020 Passwords 49

SLIDE 50

Guessing Algorithm - Evaluation

The authors’ guessing

algorithm was successful in predicting similar passwords.

To verify this they computed

the similarity score of all the password pairs that they successfully cracked.

3/9/2020 Passwords 50

SLIDE 51

Conclusions

43% of users directly re-use passwords between sites
Users use small mortifications to their passwords across sites
Proposed a guessing algorithm than can crack:
10% of non-identical passwords in 10 attempts
80% of substrings passwords in 100 attempts
Password reuse is a significant security vulnerability

3/9/2020 Passwords 51

SLIDE 52

3/9/2020 Passwords 52