stuart schechter cormac herley michael mitzenmacher why
play

Stuart Schechter Cormac Herley Michael Mitzenmacher Why are we - PowerPoint PPT Presentation

Apr 03, 2023 •219 likes •761 views

Your email address: Choose a password: Stuart Schechter Cormac Herley Michael Mitzenmacher Why are we doing this to our users? Threat 1: Password file compromised stus, 0xCF832A834 0xC86A00386 cormac, michaelm, 0x0DB015528 helenw,

  1. Your email address: Choose a password: Stuart Schechter Cormac Herley Michael Mitzenmacher

  5. Why are we doing this to our users?

  6. Threat 1: Password file compromised stus, 0xCF832A834 0xC86A00386 cormac, michaelm, 0x0DB015528 helenw, 0x5723B9291 wdcui, 0x24BF98902 0x23482AA83 dmolnar, alexmos, 0x1B200D481 bparno, 0x88B330

  7. Threat 1: Password file compromised stus, 0xCF832A834 cormac, 0xC86A00386  michaelm, 0x0DB015528 0xD1F7255CA “ stus,abc123 ” h 0x5723B9291 helenw, wdcui, 0x24BF98902 dmolnar, 0x23482AA83 alexmos, 0x1B200D481 0x88B330 bparno,

  8. Threat 1: Password file compromised = 0xCF832A834 “ stus,asdf ” h cost of one guess = cost to compute h stus, 0xCF832A834 cormac, 0xC86A00386 0x0DB015528 michaelm, helenw, 0x5723B9291 wdcui, 0x24BF98902 dmolnar, 0x23482AA83 0x1B200D481 alexmos, bparno, 0x88B330

  9. Threat 1: Password file compromised

  10. Threat 1: Password file compromised stus, asdf 123456 cormac, michaelm, password1 helenw, rockyou wdcui, princess abc123 dmolnar, alexmos, qwerty bparno, monkey

  11. Threat 2: Online dicTonary aUack stus, 0xCF832A834 0xC86A00386 cormac, michaelm, 0x0DB015528 helenw, 0x5723B9291 wdcui, 0x24BF98902 0x23482AA83 dmolnar, alexmos, 0x1B200D481 bparno, 0x88B330 “ stus,abc123 ” Sorry!

  12. Threat 2a: Online staTsTcal guessing Common passwords (sorted by popularity) password1 password abc123 asdf 1234568 p@ssword iloveyou “ stus,password1 ” “ cormac,password1 ” “ michaelm,password1 ” Welcome! Sorry! Sorry!

  13. Threat 2a: Online staTsTcal guessing • User‐based lockout ineffecTve – 300m users * 10 guesses per user = 3 billion guesses • IP lockout slightly less ineffecTve – 10m node botnet * 10 guesses per IP = 100M guesses • Some accounts will be compromised – Frequency of most popular password * guesses – 100k accounts if 0.1% use most popular password

  14. * Here comes the big idea of the talk… *yet low carbon

  15. Replace composiTon rules with one new rule Your may not choose a popular password (one already in use by n% of other users.)

  16. Don’t password rules already accomplish this? hUp://failblog.org/2008/01/03/fail‐camera/

  17. Expected password choices… without rules Example based on real data… but not real data! 2.0% I’m so clever! Percent of users with password 1.5% 1.0% 0.5% 0.0% password <> asdf 1234 qwert iloveyou fuckyou asdFkl; Password

  18. Rule 1: At least 8 characters SomeTmes rules have unintended consequences 2.0% Percent of users with password 1.5% 1.0% 0.5% 0.0% password asdFkl; 12345678 iloveyou fuckyou! baseball football nothanks Password

  19. Rule 2: At least 1 number 2.0% Percent of users with password 1.5% 1.0% 0.5% 0.0% password1 12345678 blink182 trustno1 no1knows hard2forget answeris42 ih8rules Password

  20. Rule 3: At least 1 “special” character 2.0% Percent of users with password 1.5% 1.0% I sure know how to obfuscate! I’m so original! 0.5% 0.0% p@ssword1 p@$$word1 p@ssword0 1p@assword givememy$ p@ssword0? password1! mk1#ofit Password

  21. Large sites favor strength meters over rules P@ssword

  22. P@ssword password1

  23. P@$$word1

  24. ComposiTon rules stronger passwords   ‘password’  ‘P@$$word1’

  25. Back to our desired policy Your may not choose a popular password (one already in use by n% of other users.)

  26. If we enforced “no popular passwords”… 2.0% 2.0% Percent of users with password Percent of users with password 1.5% 1.5% 1.0% 1.0% 0.5% 0.5% 0.0% 0.0% p@ssword1 p@$$word1 p@ssword0 1p@assword givememy$ p@ssword0? password1! p1 p2 p3 p4 p5 p6 p7 mk1#ofit p8 Password Password

  27. Enforcing the “no popular passwords” rule P@$$word1 Sorry! At least 100 other users are already using this password. You’ll need to choose another one.

  28. We must track popularity to prevent it Common passwords (sorted by popularity) password1, 2805 password, 2280 abc123, 1568 asdf, 1375 1234568, 583 p@ssword, 390 Iloveyou, 334

  29. Dangers of tracking popular passwords • AUackers will use this data for staTsTcal guessing – Against you – Against other sites

  30. Tracking popular passwords Common passwords (sorted by popularity) 100 password1, 2805 100 password, 2280 100 abc123, 1568 100 asdf, 1375 100 1234568, 583 100 p@ssword, 390 100 Iloveyou, 334

  31. Dangers of tracking popular passwords • AUackers will use for staTsTcal guessing aUacks – Against you – Against other sites • AUackers will use for offline staTsTcal guessing – Crack using only passwords in the popularity list

  32. Tracking popular passwords Common passwords (sorted by popularity) 100 password1, 2805 password, 2280 100 100 abc123, 1568 100 asdf, 1375 100 1234568, 583 100 p@ssword, 390 Iloveyou, 334 100

  33. Tracking populra passwords Common passwords (sorted by popularity) 100 0xCF832A834 0xC86A00386 100 100 0x0DB015528 100 0x5723B9291 100 0x24BF98902 100 0x23482AA83 0x1B200D481 100 … … 1 0xA82C010D48

  34. Dangers of tracking popular passwords • AUackers will use for staTsTcal guessing aUacks – Against you – Against other sites • AUackers will use for offline staTsTcal guessing – Crack using only passwords in the popularity list

  35. How can we track popular passwords? Common passwords (sorted by popularity) 100 0xCF832A834 0xC86A00386 100 100 0x0DB015528 100 0x5723B9291 Salt free 100 0x24BF98902 100 0x23482AA83 0x1B200D481 100 … … 1 0xA82C010D48 Crack popular password file (once for all accounts) to idenWfy passwords to use against salted password file entries

  36. Dangers of tracking popular passwords • AUackers will use for staTsTcal guessing aUacks – Against you – Against other sites • AUackers will use for offline staTsTcal guessing – Crack using only passwords in the popularity list – Crack popularity list entries (which are unsalted) to idenTfy passwords in password file (which is salted) – Filter candidate password list (with access to oracle) These seem unavoidable

  37. Requirements for popularity‐tracking data structure add( p ) Adds the occurrence (use) of a password p count(p) Returns # of Tmes p has been added Need not be exact count( p )  number of Wmes p added a few false posi2ves are OK

  38. We’ll implement a probabilis*c oracle • False posiTves (falsely popular), no false negaTves • Count‐min sketch – RelaTve of bloom filter (and counTng bloom filter)

  39. Base case (single table) of a count‐min sketch password h 1 0x0000 0xFFFF h 2 0x0000 0xFFFF h 3 0x0000 0xFFFF h 4 0x0000 0xFFFF

  40. Count‐min sketch: add(“password”) password 0xA5F6 h 1 0x0000 0xFFFF 0 1 0x8D94 h 2 0x0000 0xFFFF 0 1 0x25CC h 3 0x0000 0xFFFF 0 1 0xF303 h 4 0x0000 0xFFFF 0 1

  41. Count‐min sketch: count(“password”) password count(“password”) = min(1,1,1,1) = 1 0xA5F6 h 1 0x0000 0xFFFF 1 0x8D94 h 2 0x0000 0xFFFF 1 0x25CC h 3 0x0000 0xFFFF 1 0xF303 h 4 0x0000 0xFFFF 1

  42. add(“ih8rules”) ih8rules 0x0B44 h 1 0x0000 0xFFFF 0 1 0x8D94 h 2 0x0000 0xFFFF Hash collision with “password” 1 2 0x922A h 3 0x0000 0xFFFF 0 1 0x9359 h 4 0x0000 0xFFFF 0 1

  43. Count‐min sketch: add(“password”) password count(“password”) = min(2,2,2,2) = 2 count(“password”) = min(1,2,1,1) = 1 0xA5F6 h 1 0x0000 0xFFFF 1 2 0x8D94 h 2 0x0000 0xFFFF Need not be incremented 2 (conservaWve add) 0x25CC h 3 0x0000 0xFFFF 1 2 0xF303 h 4 0x0000 0xFFFF 2 1

  44. Count‐min sketch: add(“password”) password count(“password”) = 100 = MAX_ALLOWED count(“password”) = min(1,2,1,1) = 1 0xA5F6 h 1 0x0000 0xFFFF 100 100 0x8D94 h 2 0x0000 0xFFFF 100 100 0x25CC h 3 0x0000 0xFFFF 100 100 0xF303 h 4 0x0000 0xFFFF 100 100

  45. Dangers of tracking popular passwords • AUackers will use for staTsTcal guessing aUacks – Against you – Against other sites • AUackers will use for offline staTsTcal guessing – Crack using only passwords in the popularity list – Crack popularity list entries (which are unsalted) to idenTfy passwords in password file (which is salted) – Filter candidate password list (with access to oracle)

  46. False posiTves to the rescue! • Randomly generated password x likely to have count(x) > 0 0x????? h 1 3

  47. Dangers of tracking user passwords • AUackers will use for staTsTcal guessing aUacks – Against you – Against other sites • AUackers will use for offline staTsTcal guessing – Crack using only passwords in the popularity list – Crack popularity list entries (which are unsalted) to idenTfy passwords in password file (which is salted) – Filter candidate password list (with access to oracle)

  48. False posiTves to the rescue, again! • AssumpTons – 2% false posiTve rate for count‐min sketch – 20% of user password choices are too popular • ImplicaTons – 9% of the passwords rejected as too popular were actually false posiTves – DicTonary of 2 60 10 char passwords, filtered to 2 54 (2% of 2 60 ) If dicTonary cracked, force all passwords to be changed.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Telepathwords Preventing Weak Passwords by Reading Users Minds Authors: Saranga Komanduri,

Telepathwords Preventing Weak Passwords by Reading Users Minds Authors: Saranga Komanduri,

Catalina Cumpanasoiu Erin Gibbons Telepathwords Preventing Weak Passwords by Reading Users Minds Authors: Saranga Komanduri, Richard Shay, and Lorrie Faith Cranor (Carnegie Mellon University) Cormac Herley and Stuart Schechter (Microsoft

504 views • 21 slides
You Neednt Build That Reusable Ethics Compliance Infrastructure for Human Subjects Research

You Neednt Build That Reusable Ethics Compliance Infrastructure for Human Subjects Research

You Neednt Build That Reusable Ethics Compliance Infrastructure for Human Subjects Research Cristian Bravo-Lillo (CMU) Serge Egelman (UC Berkeley) Cormac Herley (Microsoft Research) Stuart Schechter (Microsoft Research) Janice Tsai

329 views • 29 slides
Development and Functional Performance of the Herley Model HFTR60-2 RCC 319-07 Compliant Flight

Development and Functional Performance of the Herley Model HFTR60-2 RCC 319-07 Compliant Flight

Herley Industries Inc. Phone 717-397-2777 3061 Industry Drive Fax 717-394-4475 Lancaster, PA 17603-4092 Development and Functional Performance of the Herley Model HFTR60-2 RCC 319-07 Compliant Flight T ermination Receiver (FTR)

196 views • 15 slides
Parallel Peeling Algorithms Justin Thaler, Yahoo Labs Joint Work with: Michael Mitzenmacher,

Parallel Peeling Algorithms Justin Thaler, Yahoo Labs Joint Work with: Michael Mitzenmacher,

Parallel Peeling Algorithms Justin Thaler, Yahoo Labs Joint Work with: Michael Mitzenmacher, Harvard University Jiayang Jiang The Peeling Paradigm Many important algorithms for a wide variety of problems can be modeled in the same way.

939 views • 49 slides
Privacy concerns of implicit secondary factors for web authentication Joseph Bonneau Stuart

Privacy concerns of implicit secondary factors for web authentication Joseph Bonneau Stuart

Privacy concerns of implicit secondary factors for web authentication Joseph Bonneau Stuart Schechter Edward Felten Microsoft Research Prateek Mittal Arvind Narayanan Princeton University WAY Workshop 2014 Passwords +... Behavioral/soft

524 views • 14 slides
INTERNATIONAL PROJECT MANAGEMENT DAY SEMINAR 2019 Paradigm Shift in Servant Leadership HERLEY

INTERNATIONAL PROJECT MANAGEMENT DAY SEMINAR 2019 Paradigm Shift in Servant Leadership HERLEY

INTERNATIONAL PROJECT MANAGEMENT DAY SEMINAR 2019 Paradigm Shift in Servant Leadership HERLEY ABDUL HAMID, PMP, CSM, CSPO, NS-NLP, DA 3 December 2019 1 About Me: Herley Abdul Hamid I aspire to inspire meaningful life with agility,

427 views • 6 slides
Please Continue to Hold: An Empirical Study on User Tolerance of Security Delays Serge Egelman

Please Continue to Hold: An Empirical Study on User Tolerance of Security Delays Serge Egelman

Please Continue to Hold: An Empirical Study on User Tolerance of Security Delays Serge Egelman David Molnar Nicolas Christin Brown Microsoft Research Carnegie Mellon Alessandro Acquisti Cormac Herley Shriram Krishnamurthi Carnegie Mellon

653 views • 19 slides
Analyst &amp; Investor Day Cormac Barry CEO Introduction 24 October 2014 Agenda Time

Analyst &amp; Investor Day Cormac Barry CEO Introduction 24 October 2014 Agenda Time

Analyst &amp; Investor Day Cormac Barry CEO Introduction 24 October 2014 Agenda Time Topic Presenter 2.00-2.40 Welcome / Office Tour 2.40-3.00 Introduction Cormac Barry CEO Ben Sleep CFO &amp; 3.00-3.20 Regulatory

763 views • 62 slides
Bloom Filters References A. Broder and M. Mitzenmacher, Network applications of Bloom A.

Bloom Filters References A. Broder and M. Mitzenmacher, Network applications of Bloom A.

2/16/2017 Bloom Filters References A. Broder and M. Mitzenmacher, Network applications of Bloom A. Broder and M. Mitzenmacher, Network applications of Bloom filters: A survey, Internet Mathematics , vol. 1 no. 4, pp. 485-509, 2004. Li

532 views • 22 slides
Municipal Building Project Cynthia Stuart | Stuart Consulting Introductions Cynthia Stuart,

Municipal Building Project Cynthia Stuart | Stuart Consulting Introductions Cynthia Stuart,

www.barnetmunicipalvt.org Municipal Building Project Cynthia Stuart | Stuart Consulting Introductions Cynthia Stuart, Stuart Consulting Andrea Brohcu, NCIC Format Presentation Regarding Two Options Cynthia Stuart (questions as we go

690 views • 35 slides
Akiba-Schechter Jewish Day School Content 3 Institutional History 19 Finances 4 Who are we?

Akiba-Schechter Jewish Day School Content 3 Institutional History 19 Finances 4 Who are we?

Akiba-Schechter Jewish Day School Content 3 Institutional History 19 Finances 4 Who are we? 20 Marketing &amp; Recruitment 8 Student Demographics 22 Long-Range Planning 10 Student Test Scores 12 Technology Integration 14

280 views • 24 slides
Terry Lam (with M. Mitzenmacher and G. Varghese) Denial of Service Worm outbreak Millions

Terry Lam (with M. Mitzenmacher and G. Varghese) Denial of Service Worm outbreak Millions

Terry Lam (with M. Mitzenmacher and G. Varghese) Denial of Service Worm outbreak Millions of potentially interesting events How to get a coherent view despite bandwidth and memory limits? Standard solutions: sampling and summarizing

480 views • 22 slides
A Digital Fountain Approach to Reliable Distribution of Bulk Data John Byers, ICSI Michael Luby,

A Digital Fountain Approach to Reliable Distribution of Bulk Data John Byers, ICSI Michael Luby,

A Digital Fountain Approach to Reliable Distribution of Bulk Data John Byers, ICSI Michael Luby, ICSI Michael Mitzenmacher, Compaq SRC Ashu Rege, ICSI Application: Software Distribution New release of widely used software. Hundreds of

229 views • 20 slides
Help Me Grow: An Innovative Approach to Funding Care Coordination Carlota Schechter Consultant,

Help Me Grow: An Innovative Approach to Funding Care Coordination Carlota Schechter Consultant,

Help Me Grow: An Innovative Approach to Funding Care Coordination Carlota Schechter Consultant, Help Me Grow National Center Connecticut Childrens Medical Center Hartford, Connecticut New England Alliance for Childrens Health November 9,

775 views • 22 slides
Streaming Graph Computations with a Helpful Advisor Justin Thaler Graham Cormode and Michael

Streaming Graph Computations with a Helpful Advisor Justin Thaler Graham Cormode and Michael

Streaming Graph Computations with a Helpful Advisor Justin Thaler Graham Cormode and Michael Mitzenmacher Thanks to Andrew McGregor A few slides borrowed from IITK Workshop on Algorithms for Processing Massive Data Sets. Data Streaming

1.31k views • 81 slides
FYP Presentation 28th August 2017 Presented by: Cormac Reidy, Interactive Media, University of

FYP Presentation 28th August 2017 Presented by: Cormac Reidy, Interactive Media, University of

I - M E D I A / C O R M A C R E I D Y FYP Presentation 28th August 2017 Presented by: Cormac Reidy, Interactive Media, University of Limerick CS6042 Thesis Title To establish the feasibility of the development of a lift/ride sharing

712 views • 37 slides
Detector Support System Cost estimate at Conceptual Design Jim Stewart DUNE CDR: DSS Review

Detector Support System Cost estimate at Conceptual Design Jim Stewart DUNE CDR: DSS Review

Detector Support System Cost estimate at Conceptual Design Jim Stewart DUNE CDR: DSS Review August 20 2018 INDICO Agenda h.ps://indico.fnal.gov/event/17719/other-view?view=standard Content Methodology for the Cost Estimate

461 views • 22 slides
Week 9 Page 1 Lab Session Activities Homework assignment #9 Team Homework Assignment #9

Week 9 Page 1 Lab Session Activities Homework assignment #9 Team Homework Assignment #9

Week 9 Page 1 Lab Session Activities Homework assignment #9 Team Homework Assignment #9 http://www.csun.edu/~twang/380/HW/HW9.pdf Page 2 1. Requirements of the ATM Simulator The software to be designed will control a simulated automated

567 views • 28 slides
7 sins of ATM protection against logical attacks Timur Yunusov Senior expert ptsecurity.com

7 sins of ATM protection against logical attacks Timur Yunusov Senior expert ptsecurity.com

7 sins of ATM protection against logical attacks Timur Yunusov Senior expert ptsecurity.com whoami Positive Technologies (from 2009) Application security researcher (from 2009) Banking systems

647 views • 45 slides
WHY YOU WILL SOON SEE 100S OF NEW NFC APPLICATIONS HOW IOS11 AND NXP CAN BOOST YOUR BUSINESS

WHY YOU WILL SOON SEE 100S OF NEW NFC APPLICATIONS HOW IOS11 AND NXP CAN BOOST YOUR BUSINESS

WHY YOU WILL SOON SEE 100S OF NEW NFC APPLICATIONS HOW IOS11 AND NXP CAN BOOST YOUR BUSINESS JORDI JOFRE 24/10/2017 PUBLIC Agenda The NFC journey including iOS 11 release Key NFC use cases with smartphones NXP NFC portfolio

338 views • 32 slides
Chapter 6: System Data Files and Information CMPS 105: Systems Programming Prof. Scott Brandt T

Chapter 6: System Data Files and Information CMPS 105: Systems Programming Prof. Scott Brandt T

Chapter 6: System Data Files and Information CMPS 105: Systems Programming Prof. Scott Brandt T Th 2-3:45 Soc Sci 2, Rm. 167 Introduction Lots of system parameters, configuration information, and status information is stored in files

150 views • 14 slides
Samba Server Installation, Configuration, and Security Stephen Hilt shilt@cs.siu.edu History

Samba Server Installation, Configuration, and Security Stephen Hilt shilt@cs.siu.edu History

Samba Server Installation, Configuration, and Security Stephen Hilt shilt@cs.siu.edu History SMB Server Message Block IBM First definition of NetBIOS - Sep, 1984 CIFS Common Internet File System CIFS is an enhanced

235 views • 20 slides
Using itsunix.albany.edu for Windows: 1) Download PuTTY at

Using itsunix.albany.edu for Windows: 1) Download PuTTY at

Using itsunix.albany.edu for Mac: 1) Open the Terminal. Searching terminal on Spotlight can open the terminal. This will allow you to use the command line on the Mac. 2) To connect to itsunix.albany.edu type the following command: ssh X

162 views • 4 slides
Downloading and preparing survey data using the Qualtrics API in the Stata ecosystem Danial

Downloading and preparing survey data using the Qualtrics API in the Stata ecosystem Danial

Downloading and preparing survey data using the Qualtrics API in the Stata ecosystem Danial Hoepfner Gibson Consulting Group dhoepfner@gibsonconsult.com danial.hoepfner@gmail.com July 31, 2020 Outline Motivation qualtrics.ado

479 views • 16 slides

More recommend