November 19, 2008 CSC 682
Do Strong Web Passwords Accomplish Anything?
Florencio, Herley and Coskun
Presented by: Ryan Lehan
Outline
- Introduction (duh!, but rather be safe than sorry)
- Strong Passwords
- Attack Scenarios
- Why Use Strong Passwords?
- Strength of User ID-Password Combination
- Strength alone is not enough
- Conclusion
Introduction
- Authentication traditionally depends upon
  - Something you have: badge
  - Something you are: fingerprint, voice
  - Something you know: password
- Most used authentication method: something you know
  - User ID (account) in conjunction with a password
Introduction (continued)
- User IDs
  - Creation
    - Created for you (network administrator)
    - Created by you
  - Could be public knowledge
    - The person who created the account for you knows it
    - Email address (e.g. <username>@yahoo.com)
    - Part of a standardization process (first initial + last name)
Introduction (continued)
- Passwords
  - Should not be public knowledge
  - To prevent “credential theft”, users are advised to:
    - Create strong passwords
    - Change passwords frequently
    - Never write passwords down
Introduction (continued)
- Threats to a user’s credentials
  - Phishing
  - Key logging
  - Brute force: attack on a known user ID
  - Bulk guessing: attack on all accounts
  - Special knowledge or access
    - Shoulder surfing
    - Knowledge about the user
    - Access to a password manager (list, application, database)
Strong Passwords
- Not based upon personal information that can be guessed (names, dates, etc.)
- Not based upon a word found in the dictionary (subject to dictionary attacks)
- Should have a minimum length
- Should contain the following:
  - Combination of upper and lower casing
  - Special characters and numbers
- Problems
  - Hard to remember
  - More likely to be written down
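The criteria on this slide translate directly into a policy check. The following checker is an added example written for this page, not code from the paper or the presenter; the word list and the personal-information items it is fed are constructed stand-ins for a real dictionary and a real user profile.

```python
import re
import string

# Constructed stand-in for a real dictionary / breached-password list; a
# deployment would load a full word list instead of this handful of entries.
SAMPLE_DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty"}


def check_password_strength(password, personal_info=(), min_length=12,
                            dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy violations; an empty list means the password passes.

    Rules follow the slide: minimum length, upper and lower case, a number and a
    special character, no dictionary word, and nothing derived from personal
    information (names, dates, user ID) that an attacker could guess.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    # Dictionary check on the letters only, so "Password123!" is still caught.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    for word in sorted(dictionary):
        if len(word) >= 4 and word in letters_only:
            problems.append(f"contains dictionary word '{word}'")
            break

    # Personal-information check: user ID, names, birth years and similar.
    lowered = password.lower()
    for item in personal_info:
        token = str(item).lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains personal information '{item}'")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a dictionary word, a user-ID-derived password,
    # and one that satisfies every rule.
    for pw in ["password", "JSmith1985!!xyz", "Tr0ub4dor&3-Xk9!"]:
        result = check_password_strength(pw, personal_info=["jsmith", "1985"])
        print(pw, "->", result or "passes")
```

The personal-information check is the one most policies skip and the one the slide's "names, dates" point needs: a password that meets the length and character-class rules but embeds the user ID or a birth year is still cheap to guess for anyone with the "special knowledge" the deck lists later.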
Attack Scenarios
- What strong passwords will not prevent
  - Phishing
  - Key logging
  - Special knowledge or access
- Why? The password is supplied by the user
  - Overt method: phishing, password list/manager
  - Covert method: key logging
Attack Scenarios
- Brute force: attack on an individual account
  - Why? The account/user ID is known; only the password needs to be guessed
  - Problems
    - Strength of the password (length, casing, special characters and numeric values)
    - Many institutions use some type of “lock out” strategy, which can significantly increase the time to crack an account
Attack Scenarios
- Bulk guessing: attack on multiple accounts using the same guessed password
  - Why?
    - Can attack all known and unknown account IDs
    - Better chance that more than one account uses the same password
  - Problems
    - Easily detected, if not a distributed attack
    - Can inadvertently cause a denial of service (DoS) across all accounts
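The two attack shapes on the last two slides leave different footprints in an authentication log: brute force is many failures against one user ID, bulk guessing is a few failures each against many user IDs. The detector below is an added example for this page (not the paper's or presenter's code); the failed-login lines are constructed, the field layout is assumed, and the thresholds and window are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events, one per line: "timestamp source_ip user_id".
SAMPLE_FAILURES = """\
2008-11-19T10:00:01 203.0.113.5 alice
2008-11-19T10:00:02 203.0.113.5 bob
2008-11-19T10:00:03 203.0.113.5 carol
2008-11-19T10:00:04 203.0.113.5 dave
2008-11-19T10:00:05 203.0.113.5 erin
2008-11-19T10:00:06 203.0.113.5 frank
2008-11-19T10:01:00 198.51.100.7 alice
2008-11-19T10:01:05 198.51.100.7 alice
2008-11-19T10:01:10 198.51.100.7 alice
2008-11-19T10:01:15 198.51.100.7 alice
2008-11-19T10:01:20 198.51.100.7 alice
2008-11-19T10:05:00 192.0.2.9 bob
"""


def parse_failures(text):
    """Parse the assumed 'timestamp ip user' layout into (datetime, ip, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), ip, user))
    return events


def classify_sources(events, window=timedelta(minutes=5),
                     spray_users=5, brute_attempts=5):
    """Per-source verdicts: 'bulk_guessing' when one source fails against at least
    spray_users distinct IDs inside the window, 'brute_force' when it fails
    brute_attempts times against a single ID. Sources below both thresholds are omitted."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding time window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            distinct = {u for _, u in in_window}
            if len(distinct) >= spray_users:
                verdicts[ip] = "bulk_guessing"
                break
            if len(in_window) >= brute_attempts and len(distinct) == 1:
                verdicts[ip] = "brute_force"
                break
    return verdicts


def peak_distinct_failing_users(events, window=timedelta(minutes=5)):
    """Site-wide view for the distributed case the slide warns about: the largest
    number of distinct user IDs with a failed login inside any window, ignoring
    which source produced them. A jump above the normal baseline is the signal
    when the guesses are spread over many addresses."""
    events = sorted(events)
    counts = defaultdict(int)
    best = start = 0
    for end, (ts, _ip, user) in enumerate(events):
        counts[user] += 1
        while ts - events[start][0] > window:
            old_user = events[start][2]
            counts[old_user] -= 1
            if counts[old_user] == 0:
                del counts[old_user]
            start += 1
        best = max(best, len(counts))
    return best


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_FAILURES)
    print(classify_sources(evs))
    print("peak distinct failing users:", peak_distinct_failing_users(evs))
```

The per-source rule is what the slide means by "easily detected"; the site-wide count is the fallback that still works when the attacker distributes the same guessed password across many sources, since what cannot be hidden is the number of different accounts that suddenly start failing.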
Why Use Strong Passwords?
- Takes far greater time to guess a strong password (brute force and bulk guessing attacks)
- Reduces the chance that more than one account has the same password (bulk guessing attack)
Strength of User ID-Password Combination
- Successful brute force and bulk guessing attacks require both the user ID and the password
- A stronger user ID with a weaker password
  - Used in combination, could have the same effect as a strong password alone
  - Requires attack schemes to focus more on user IDs, which are less likely than passwords to be dictionary words
  - Easier for users to remember their passwords, but now the user ID might be harder to remember
  - Places a larger burden on the institution for creating or enforcing stronger user IDs
  - User IDs must not be or become public knowledge, EVER!
Strength alone is not enough
- At some point in time, the account will be cracked
- Lock out strategies
  - 3 strikes rule: 3 sequential unsuccessful attempts and the account is locked
  - Geometrically increasing lock-out time: 2^<number of sequential unsuccessful attempts> seconds
- The length of time the lock remains is vital
  - Increases the time it takes to crack the account
  - Must not be so long as to inconvenience the user (may increase customer support usage)
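The two lock-out rules on this slide combine naturally: no lock until the third sequential failure, then a lock of 2^n seconds after the n-th failure. The guard below is an added example for this page, not the paper's or presenter's code; the clock and verifier are injected so the behaviour can be simulated, and the optional cap on lock length is an assumed design choice that addresses the "must not inconvenience the user" point.

```python
LOCKOUT_THRESHOLD = 3   # the slide's "3 strikes" rule


def lockout_seconds(failures, threshold=LOCKOUT_THRESHOLD, cap=None):
    """Lock length after `failures` sequential failed attempts on one account.

    Below the threshold there is no lock; from the threshold on it is
    2 ** failures seconds (the slide's geometric rule), optionally capped.
    """
    if failures < threshold:
        return 0
    delay = 2 ** failures
    return delay if cap is None else min(delay, cap)


class LoginGuard:
    """Per-account lock-out state. `now_fn` returns the current time in seconds,
    `verify_fn(user_id, password)` is the real credential check (assumed)."""

    def __init__(self, now_fn, verify_fn, cap=None):
        self.now = now_fn
        self.verify = verify_fn
        self.cap = cap
        self.failures = {}      # user_id -> sequential failure count
        self.locked_until = {}  # user_id -> time (seconds) the lock expires

    def attempt(self, user_id, password):
        now = self.now()
        # A locked account rejects every attempt, even one with the right
        # password, so a guesser learns nothing while the lock holds.
        if now < self.locked_until.get(user_id, 0):
            return "locked"
        if self.verify(user_id, password):
            self.failures.pop(user_id, None)
            self.locked_until.pop(user_id, None)
            return "ok"
        n = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = n
        delay = lockout_seconds(n, cap=self.cap)
        if delay:
            self.locked_until[user_id] = now + delay
            return f"locked for {delay}s"
        return "rejected"


def time_to_exhaust(guesses, threshold=LOCKOUT_THRESHOLD, cap=None):
    """Total lock time (seconds) imposed on an online guesser who submits
    `guesses` sequential wrong guesses against one account, ignoring network
    latency. This is the 'increase the time it takes to crack' effect."""
    return sum(lockout_seconds(i, threshold, cap) for i in range(1, guesses + 1))


if __name__ == "__main__":
    # Simulated clock and a constructed verifier for the demonstration.
    clock = [1000.0]
    guard = LoginGuard(lambda: clock[0], lambda u, p: p == "correct horse")
    for pw in ["x", "y", "z", "correct horse"]:
        print(pw, "->", guard.attempt("alice", pw))
    clock[0] += 8
    print("after 8s, wrong again ->", guard.attempt("alice", "w"))
    for n in (10, 20):
        print(f"{n} wrong guesses cost {time_to_exhaust(n)} s of lock time")
```

Twenty sequential wrong guesses already cost over 24 days of lock time under the uncapped rule, which is why the slide says the lock length is what matters; the cap keeps a legitimate user who mistypes a few times from being shut out for days, at the price of bounding the delay an attacker faces per guess.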
Conclusions
- Makes attacking more difficult
- The user ID, or the process of user ID creation, is more likely to be public knowledge than your password
- Most effective when some type of lock out strategy is being used
- Not just for web, but for everything where a password is used