
November 19, 2008 CSC 682 Do Strong Web Passwords Accomplish Anything? Florencio, Herley and Coskun Presented by: Ryan Lehan


Page 2: Outline

- Introduction (Duh!, but rather be safe than sorry.)
- Strong Passwords
- Attack Scenarios
- Why Use Strong Passwords?
- Strength of User ID-Password Combination
- Strength alone is not enough
- Conclusion

Page 3: Introduction

- Authentication traditionally depends upon
  - Something you have: badge
  - Something you are: fingerprint, voice
  - Something you know: password
- Most used authentication method: something you know
  - User ID (account) in conjunction with a password

Page 4: Introduction (continued)

- User IDs
  - Creation
    - Created for you (network administrator)
    - Created by you
  - Could be public knowledge
    - Person who created the account for you
    - Email address (…@yahoo.com)
    - Part of a standardization process (first initial + last name)

Page 5: Introduction (continued)

- Passwords
  - Should not be public knowledge
  - To prevent "Credential Theft", users are advised to:
    - Create strong passwords
    - Change password frequently
    - Never write password down

Page 6: Introduction (continued)

- Threats to a user's credentials
  - Phishing
  - Key logging
  - Brute force: attack on a known user ID
  - Bulk guessing: attack on all accounts
  - Special knowledge or access
    - Shoulder surfing
    - Knowledgeable information about the user
    - Access to password manager (list, application, database)

Page 7: Strong Passwords

- Not based upon personal information that can be guessed (names, dates, etc.)
- Not based upon a word found in the dictionary (subject to dictionary attacks)
- Should have a minimum length
- Should contain the following
  - Combination of upper and lower casing
  - Special characters and numbers
- Problems
  - Hard to remember
  - More likely to be written down

Page 8: Attack Scenarios

- What strong passwords will not prevent
  - Phishing
  - Key logging
  - Special knowledge or access
- Why? The attacker obtains user-supplied information
  - Overt method: phishing, password list/manager
  - Covert method: key logging

Page 9: Attack Scenarios

- Brute force: attack on an individual account
  - Why? The account/user id is known; only the password needs to be guessed
  - Problems
    - Strength of the password (length, casing, special characters and numeric values)
    - Many institutions use some type of "lock out" strategy
      - Can significantly increase the time to crack an account

Page 10: Attack Scenarios

- Bulk guessing: attack on multiple accounts using the same guessed password
  - Why?
    - Can attack all known and unknown account ids
    - Better chance that more than one account uses the same password
  - Problems
    - Easily detected, if not a distributed attack
    - Can inadvertently cause a Denial of Service (DoS) with all accounts

Page 11: Why Use Strong Passwords?

- Takes far greater time to guess a strong password (brute force and bulk guessing attacks)
- Reduces the chance that more than one account has the same password (bulk guessing attack)

Page 12: Strength of User ID-Password Combination

- Successful attacks using brute force and bulk guessing require both user id and password
- Stronger user id and weaker password combination
  - When used in combination, could have the same effect as a strong password alone
  - Requires attacking schemes to focus more on user ids (i.e. less likely to be dictionary words, unlike passwords)
  - Easier for users to remember their passwords, but now the user id might be harder to remember
  - Places a larger burden on the institution for creating or enforcing stronger user ids
  - User ids must not be or become public knowledge, EVER!
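The guessing-cost argument of pages 11 and 12 can be made concrete with a small model. The following is an added example written for this summary; it is not code from the paper or the presentation, and its figures (character-set sizes, a 10-guesses-per-second online rate, uniformly random credentials) are constructed assumptions used only to compare the cases the slides describe.

```python
import math

# Added example: rough guessing-cost model for brute force and bulk guessing.
# Everything below assumes uniformly random credentials, which real users do
# not produce, so the numbers are an upper bound on attacker effort.

def space_bits(charset_size: int, length: int) -> float:
    """Search-space size of a uniformly random string, in bits (log2 of charset^length)."""
    return length * math.log2(charset_size)

def credential_bits(pw_charset: int, pw_len: int,
                    uid_charset: int = 0, uid_len: int = 0) -> float:
    """Bits an attacker must search for one user-id/password pair.

    Brute force on a known user id: leave uid_len at 0, only the password counts.
    Bulk guessing where ids are unknown and not public: the user id's own
    randomness is added, which is the slides' point about the combination.
    """
    bits = space_bits(pw_charset, pw_len)
    if uid_charset and uid_len:
        bits += space_bits(uid_charset, uid_len)
    return bits

def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected online-guessing time: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def shared_password_probability(accounts: int, bits: float) -> float:
    """Birthday-bound probability that at least two of `accounts` accounts hold
    the same password (uniform assumption). Bulk guessing profits from this:
    one guess can open more than one account."""
    space = 2.0 ** bits
    return 1.0 - math.exp(-accounts * (accounts - 1) / (2.0 * space))

if __name__ == "__main__":
    cases = [
        ("weak password, id known",      credential_bits(26, 6)),         # 6 lowercase letters
        ("strong password, id known",    credential_bits(94, 8)),         # 8 printable ASCII
        ("weak password, random 6-char alphanumeric id", credential_bits(26, 6, 36, 6)),
    ]
    for label, bits in cases:
        days = expected_seconds(bits, 10.0) / 86400
        print(f"{label}: {bits:.1f} bits, ~{days:.3g} days at 10 guesses/s")
    for label, bits in cases[:2]:
        p = shared_password_probability(10 ** 6, bits)
        print(f"P(two of 1e6 accounts share a password | {label}) = {p:.2g}")
```

Under these assumptions a weak 6-letter password behind a random 6-character user id costs the attacker more bits than an 8-character strong password behind a known id, which is exactly the trade the slide describes; the cost disappears the moment the id becomes public.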

Page 13: Strength alone is not enough

- At some point in time, the account will be cracked
- Lock out strategies
  - 3 strikes rule: 3 sequential unsuccessful attempts and the account is locked
  - Geometrically increasing lock-out time: 2^<number of sequential unsuccessful attempts> seconds
- Length of time for which the lock remains is vital
  - Increases the time it takes to crack the account
  - Must not be so long as to inconvenience the user
    - May increase customer support usage
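The two lock-out strategies on this slide, and the bulk-guessing side effect from page 10, can be simulated to see how much they slow a guesser down and what they cost legitimate users. This is an added example written for this summary, not code from the paper; the class name, the fixed 900-second lock for the 3-strikes rule, and the 1-guess-per-second attacker are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict

# Added example: model of the two lock-out strategies from the slide.
# Parameters (900 s fixed lock, guess interval) are constructed assumptions.

@dataclass
class AccountState:
    failures: int = 0          # consecutive unsuccessful attempts
    locked_until: float = 0.0  # time (seconds) at which the current lock expires

class LockoutPolicy:
    """mode='none':      never lock (baseline for comparison)
       mode='strikes':   lock for fixed_lock_seconds after `strikes` failures
       mode='geometric': lock for 2**failures seconds after every failure"""

    def __init__(self, mode: str = "geometric", strikes: int = 3,
                 fixed_lock_seconds: float = 900.0):
        if mode not in ("none", "strikes", "geometric"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.strikes = strikes
        self.fixed_lock_seconds = fixed_lock_seconds
        self.accounts: Dict[str, AccountState] = {}

    def lock_duration(self, failures: int) -> float:
        if self.mode == "none":
            return 0.0
        if self.mode == "strikes":
            return self.fixed_lock_seconds if failures >= self.strikes else 0.0
        return float(2 ** failures)   # geometric: 2^<sequential failures> seconds

    def attempt(self, user_id: str, now: float, password_ok: bool) -> str:
        """Process one login attempt; returns 'locked' (refused), 'ok' or 'failed'."""
        st = self.accounts.setdefault(user_id, AccountState())
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures = 0
            st.locked_until = 0.0
            return "ok"
        st.failures += 1
        st.locked_until = now + self.lock_duration(st.failures)
        return "failed"

    def locked_accounts(self, now: float) -> int:
        """Accounts currently locked. One wrong guess per account during bulk
        guessing drives this up: the self-inflicted DoS the slides mention."""
        return sum(1 for st in self.accounts.values() if now < st.locked_until)

def guesses_admitted(policy: LockoutPolicy, user_id: str,
                     horizon: float, interval: float = 1.0) -> int:
    """Single-account attacker submitting a wrong guess every `interval`
    seconds for `horizon` seconds; returns how many guesses were accepted."""
    admitted, t = 0, 0.0
    while t < horizon:
        if policy.attempt(user_id, t, False) == "failed":
            admitted += 1
        t += interval
    return admitted

def geometric_wait_for_guesses(n: int) -> int:
    """Minimum wall-clock seconds to get n sequential wrong guesses through the
    2**k rule: the waits are 2, 4, ..., 2**(n-1), which sum to 2**n - 2."""
    return 2 ** n - 2 if n > 0 else 0

if __name__ == "__main__":
    for mode in ("none", "strikes", "geometric"):
        n = guesses_admitted(LockoutPolicy(mode), "target", 3600)
        print(f"{mode:9s}: {n} guesses accepted in one hour")
    print(f"geometric: 20 guesses need at least {geometric_wait_for_guesses(20)} s")
    bulk = LockoutPolicy("geometric")
    for i in range(1000):
        bulk.attempt(f"user{i}", 0.0, False)   # one bulk guess across all accounts
    print(f"bulk guessing locked {bulk.locked_accounts(1.0)} accounts at t=1s")
```

Note the asymmetry the slide points at: the geometric rule keeps the attacker's wait growing (2^20 - 2 seconds is about 12 days for 20 guesses) while a legitimate user who mistypes once waits only 2 seconds, but any rule that locks on failures lets a bulk guesser lock every account with one request each, so lock-outs need to be paired with detection of that pattern rather than relied on alone.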

Page 14: Conclusions

- Makes attacking more difficult
- The user id, or the process of user id creation, is more likely to be public knowledge than your password
- Most effective when some type of lock out strategy is being used
- Not just for the web, but for everything where a password is used