Passwords

Tom RistenpartCS 6431

The game plan

• Historical analysis• Brief overview of research landscape• Current practices in industry• Bonneau paper• Weir et al. paper• Misc and wrap-up

Password use cases

• OS login• Website / service login• PINs• Encryption

Authentication

Confidentiality

PW-based authentication: the basic architecture

Register:tom, pw

Store tom, pw in someform.

login:tom, pw’

Authenticationservice

Check that pw’ = pw

What are security threats?

The history of password research

“Human beings being what they are, there is a strong tendency for people to choose relatively short and simple passwords that they can remember. “

[Morris, Thompson 1979]

Analysis of UNIX passwords & password-hashing system

“The results were disappointing, except to the bad guy. In a collection of 3,289 passwords gathered from many users over a long period of time,

15 were a single ASCII character;72 were strings of two ASCII characters;464 were strings of three ASCII characters;477 were strings of four alphamerics;706 were five letters, all upper-case or all lower-case;605 were six letters, all lower-case.”

[Morris, Thompson 1979]

The history of password research

86% crackable

Morris, Thompson suggest:– Slow hashing (they called it encryption)– Less predictable passwords– Salt before hashing– Use custom version of DES to avoid hardware– Don’t have separate error for bad login

The history of password research

The research landscape since 1979…• Understanding user selection

– Measuring password strength [see citations in Bonneau paper], [Li, Han `14], [CMU papers]• Guiding password selection

– Strength meters, requirements, etc.– Password expiration [Zhang et al. ‘12]

• Password transmission, login logic– Single sign-on (SSO) technologies

• Password hashing – New algorithms [PKCS standards], [Percival ’09], [Biryukov, Khovratovich ‘15]– Proofs [Wagner, Goldberg ‘00] [Bellare, Ristenpart, Tessaro ‘12]

• Improving offline brute-force attacks– Time-space trade-offs (rainbow tables) [Hellman ’80], [Oeschlin ‘03], [Narayanan, Shmatikov

‘05]– Better dictionaries [JohntheRipper], [Weir et al. ‘09], [Ma et al. ‘14]

• Password managers – Decoy-based [Bojinov et al. ’10], [Chatterjee et al. ‘15]– Breaking password managers [Li et al. ‘14] [Silver et al. ’15]– Stateless password managers [Ross et al. ’05]

What do you think is the quality of password management today?

• https://github.com/hackappcom/ibrute• https://github.com/Pr0x13/iDict/blob/

master/main.php

Courtesy of Belenko, Troshichev (viaForensics)

Linked in circa 2012 stored passwords as which of:• pw• MD5(pw)• H(salt,pw)• Hc(salt,pw) 6.5 million hashes leaked

90% cracked in 2 weeks

Offline brute-force attacks

Dictionary:List of probable passwords

h1 = H(pw1) h2 = H(pw2) … hm = H(pwm)

H(guess1) , H(guess2) , …

Check if any guesses equal any of h1, … , hm

Password hashing• Recall Morris, Thompson goal: slow down

brute-force attacks• PKCS#5 approach:

H H H…pw || salt h = Hc(pw || salt)

H : {0,1}* -> {0,1}n is cryptographic hashfunction (e.g., SHA-256)

salt should be random bit string large enough to be unpredictable

c times

Password hashing• Recall Morris, Thompson goal: slow down

brute-force attacks• The role of salts:– Prevents use of time-memory trade-offs (rainbow

tables)– Cracking m accounts requires m times the work

h1 = Hc(pw1,salt1) h2 = Hc(pw2,salt2) … hm = Hc(pwm,saltm)

Proofs: See [Bellare, Ristenpart, Tessaro ‘12]

$cur = ‘password’$cur = md5($cur)$salt = randbytes(20)$cur = hmac_sha1($cur, $salt)$cur = remote_hmac_sha256($cur, $secret)$cur = scrypt($cur, $salt)$cur = hmac_sha256($cur, $salt)

Facebook password “onion”

Brute-force attacks

• Offline attacks of hashed database slowed down by a constant factor -- guessing still works if passwords are bad– Nowadays, use memory-hard functions (e.g., scrypt,

Argon2)

• Online brute-force attacks– Public login pages– Compromised web server in distributed security

architecture

Rockyou data breach: 32 million social gaming accounts

290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess 21725 1234567 20901 rockyou 20553 12345678 16648 abc123 16227 nicole 15308 daniel 15163 babygirl 14726 monkey 14331 lovely 14103 jessica 13984 654321 13981 michael 13488 ashley 13456 qwerty 13272 111111 13134 iloveu 13028 000000 12714 michelle 11761 tigger 11489 sunshine 11289 chocolate 11112 password1 10836 soccer 10755 anthony 10731 friends 10560 butterfly 10547 purple 10508 angel 10167 jordan 9764 liverpool 9708 justin 9704 loveme 9610 fuckyou ... ... 9 tonee 9 tonebone 9 tonatzin 9 tonatihu 9 tonaor 9 tonantzin 9 tomybill 9 tomtomgo 9 tomtom8 9 tomrules 9 tomoe 9 tommyr 9 tommylee1 9 tommyjr 9 tommydog

... 5 dansbaby 5 dansar 5 danrules 5 danrox 5 danrick 5 danou 5 danota 5 danonino1 5 danone1

[Bonneau 2012]69 million Yahoo! Passwords1.1% of users pick same password

Most common password used by almost 1%

Rockyou empirical probability mass function

(Only first 5,000 points shown)

Bonneau Yahoo password study

• Instrument login infrastructure• Hash passwords with key H(K,pw) and store

result in histogram• Throw away K– Can’t do brute-force attacks later on– Only learn empirical distribution of passwords

• Also stored some demographic information

Password strength metrics

Shannon entropy:

Let X be password distribution. Passwords are drawn iid from XN is size of support of Xp1 , p2 , …, pN are probabilities of passwords in decreasing order

An example distribution

N = 1,000,000p1 = 1 / 100p2 = (1 – 1/100)/999,999 ≈ 1 / 220 …pN = (1 – 1/100)/999,999 ≈ 1 / 220

.01

2-20

What is probability of success if attacker makes one guess?

H1(X) ≈ 19

19 bits of “unpredictability”. Probability of success about 1/219

Shannon entropy is almost never useful measure for security

H∞(X) = - log p1 ≈ 6.6 The min-entropy of X

Password strength metrics

Beta-success rate:

alpha-work-factor:

From [Bonneau ‘12]

From [Bonneau ‘12]

Bonneau takeaways

• People pick lousy passwords• New strength measures for password

distributions

• What questions are left open by his paper?

Building good password guessers

Brute-force guessers- try all strings of a certain lengthDictionary guessers- Try only common words

A better guesser would:Output list of passwords in order of likelihood

JohnTheRipper:Dictionaries of common words + mangling rules

Also has brute-force mode

Eg: add digit to end: pw -> pw1

Train models from leaked passwordsTraining alg. for language

model

290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess …

Trivial model is just the empirical CDF of the histogram itself

Model

Model

290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess …

Model defines a probability distributionover passwords. Can use to:- sample passwords according to distribution- enumerate passwords in order of likelihood

Supports all the aboveGeneralizability is quite poorML people would say this model isoverfit

Train models from leaked passwordsTraining alg. for language

model

290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess …

Model

CFG with probability distribution associated to each rule

Probabilistic context-free grammar

We can encode a string by its parse tree, thetree represented by probabilities in PCFG CDF

[Weir et al. 2009]

Fix a CFG, then learn probabilities by training on passwords

S -> L3D1S1 -> L34S1 -> L34! Pr[ L34! ] = 0.25 * 0.60 * 0.65 = 0.0975

With good training data: Works better than JtR

Train models from leaked passwordsTraining alg. for language

model

290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess …

Model

What open questions do Weir et al. leave?

Train models from leaked passwordsTraining alg. for language

model

290729 123456 79076 12345 76789 123456789 59462 password 49952 iloveyou 33291 princess …

Model

Probabilistic context-free grammar only one NLP modeling approach

n-gram Markov models another popular choice.:

[Ma et al. ’14] show carefully chosen Markov model beats Weir et al. PCFG

Password selection policies

• [Komanduri et al. ‘11], [Vu et al. ‘07], [Proctor et al. ‘02] and others studied with Amazon Mturk– General consensus that it increases resistance (but

by exactly how much is not clear to me), but decreases usability

• Password expiration policies [Zhang et al. ’10]– High-level bit: they don’t work– Attacker with old password can crack new one

very often

The research landscape since 1979…• Understanding user selection

– Measuring password strength [see citations in Bonneau paper], [Ma et al. `14], [Li, Han `14], [CMU papers]

• Guiding password selection – Strength meters, requirements, etc.– Periodic forced changes [Zhang et al. ‘12]

• Password transmission, login logic– Single sign-on (SSO) technologies

• Password hashing – New algorithms [PKCS standards], [Percival ’09], [Biryukov, Khovratovich ‘15]– Proofs [Wagner, Goldberg ‘00] [Bellare, Ristenpart, Tessaro ‘12]

• Improving offline brute-force attacks– Time-space trade-offs (rainbow tables) [Hellman ’80], [Oeschlin ‘03], [Narayanan, Shmatikov

‘05]– Better dictionaries [JohntheRipper], [Weir et al. ‘09],

• Password managers– Decoy-based [Bojinov et al. ’10], [Chatterjee et al. ‘15]– Breaking password managers [Li et al. ‘14] [Silver et al. ’15]– Stateless password managers [Ross et al. ’05]