measuring password strength by
play

Measuring password strength by simulating password-cracking - PowerPoint PPT Presentation

Feb 07, 2024 •950 likes •1.88k views

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick Gage Kelley, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor,

  1. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick Gage Kelley, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio López C yLab U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1

  2. Recent Data Breaches Affected users Gawker 1,300,000 Sony 25,000,000 Battlefield Heroes 550,000 Sega 1,300,000 Booz Allen Hamilton 90,000 Bloggtoppen 90,000 Valve 700,000 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 2

  3. “The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked. This, I'm afraid, is a serious threat; it means that anyone who uses the same email/password on other systems is now vulnerable to a malicious attacker using that information to access their account.” Jeremy White, CEO of Codeweavers October 2011 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 3

  4. Threat Model Offline Attack  Attacker has password file  Needs to guess passwords to crack them CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 4

  5. Threat Model Offline Attack  Attacker has password file  Needs to guess passwords to crack them  Attacker can make many guesses  Smart guessing strategy CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 5

  6. Guessing Strategy Dumb attacker Smart attacker aaaaaaaa 123456789 aaaaaaab password aaaaaaac iloveyou aaaaaaad princess aaaaaaae 12345678 … … Smart attacker uses data to crack passwords more quickly CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 6

  7. Threat Model Offline Attack  Attacker has password file  Needs to guess passwords to crack them  Attacker can make many guesses  Smart guessing strategy CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 7

  8. Password-composition Policies  Intended to make passwords harder to guess CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 8

  9. Password-composition Policies CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 9

  11. Existing Guidance

  12. Existing Guidance  NIST guide not based on empirical evidence  No empirical data on user behavior CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 12

  13. Password-composition Policies  Users can struggle to create and remember complex passwords [Zviran & Haga 1999, Procter et al. 2002, Yan et al. 2004, Vu et al. 2007, and many others…]  Security can suffer if usability is poor [Sasse et al. 2001, and many others…] CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 13

  14. Contributions  Measured guessability across seven password- composition policies – Threat model: offline attack  Studied the impact of tuning and data selection on policy evaluation  Compare security metrics across policies – Correlate security with usability CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 14

  15. Policy Metrics  Guessability – Measure of how easy it is to guess passwords  Estimated entropy [Our previous work 2010] NIST “entropy” [NIST SP 800 -63] Usability [CHI 2011] – Login failures – Reported sentiment – Writing down CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 15

  16. Policy Metrics  Guessability – Measure of how easy it is to guess passwords  Estimated entropy [Our previous work 2010]  NIST entropy [NIST SP 800-63]  Usability [Our previous work 2011] – Login failures – Reported sentiment – Writing down CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 16

  17. Guessability  Measure of password strength Stronger = less guessable  Guess number: The number of attempts needed to guess a password CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 17

  18. Guessability Bob’s password Attacker’s guesses iloveyou 1 123456789 2 password 3 iloveyou 4 princess … CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 18

  19. Guessability Bob’s password Attacker’s guesses iloveyou 1 123456789 Guess number 2 password 3 3 iloveyou 4 princess … CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 19

  20. Measuring Guessability A long time password abcdefgh password17 aceofbase password- hashed guessing passwords tool Traditional approach: Run cracking tool CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 20

  21. Offline Attack Speed Single-core CPU 1,500 guesses/s sha512 130,000,000 guesses/day sha512 2,200,000,000 guesses/day md5 Mid-level GPU 34,000,000,000 guesses/day md5 Source: John the Ripper Test Mode and Wiki (openwall.info) CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 21

  22. Measuring Guessability password: 2 password abcdefgh: 19546 abcdefgh password17: 1.4  10 6 password17 aceofbase: 3  10 4 aceofbase jnfksl834df: never jnfksl834df password- plaintext guessing passwords calculator Our approach: Calculate guess numbers directly CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 22

  23. Threat Model  Offline attacker that can make a huge number of guesses – This paper: 50 trillion (5 x 10 13 ) guesses on each password • 25,000 CPU days with MD5 hashes CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 23

  24. Selecting an Attacker  John the Ripper  Markov model [Narayanan and Shmatikov 2005]  Weir’s probabilistic context -free grammar [Weir et al. 2009] CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 24

  25. Selecting an Attacker  John the Ripper  Markov model [Narayanan and Shmatikov 2005]  Weir’s probabilistic context -free grammar – Performed best – Previous work found similar result [Weir et al. 2010, Zhang et al. 2010] CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 25

  26. Training Data  Leaked datasets – RockYou (32M passwords) – MySpace (47K passwords) Dictionaries – Openwall – Unix dictionary – Inflection list Collected passwords CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 26

  27. Training Data  Leaked datasets – RockYou (32M passwords) – MySpace (47K passwords)  Dictionaries – Openwall (40M passwords) – Unix dictionary (235K words) – Inflection list (162K words)  Collected passwords (12K total passwords) CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 27

  28. Threat Model  Offline attacker that can make up to 50 trillion guesses  Order of guesses based on Weir’s algorithm – Attacker learns from training data • Leaked data plus collected passwords • Attacker has limited knowledge of the target policy CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 28

  29. Data Collection  Mechanical Turk used for anonymous recruitment and payment – Enabled study of many participants • 1,000+ per condition – Well-designed studies can produce high-quality data [Burhmester et al. 2011] – Workers prevented from participating multiple times – Payment: 55¢ + 70¢ CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 29

  30. Study Design  Hypothetical email scenario for password creation Steps: 1. Create a password under a randomly assigned condition 2. Take a survey 3. Recall password 4. Return in two days CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 30

  31. Condition: Basic8 password NIST estimate: 18 bits CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 31

  32. Condition: Dictionary8 sapsword NIST estimate: 24 bits CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 32

  33. Condition: Comprehensive8 Sapsword1! NIST estimate: 30 bits CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 33

  34. Condition: Basic16 passwordpassword NIST estimate: 30 bits CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 34

  35. Condition: Blacklist x 3  Blacklists: – Easy: 235K Unix dictionary – Medium: 40M entry cracking wordlist – Hard: 5B guesses from Weir  Only requirement is that candidate password is not on a blacklist NIST estimate: 24 bits CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 35

  36. Contributions  Measured guessability across seven password- composition policies – Threat model: offline attack  Studied the impact of tuning and test-set selection on policy evaluation  Compare security metrics across policies – Correlate security with usability CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 36

  37. Guessability Results – Basic8 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 37

Recommend

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory Masters Students The Center for Education and Research in Information Assurance and Security CURRENT STATUS Problem Statement Stringent

286 views • 15 slides
Use of Concrete Maturity For Use of Concrete Maturity For Measuring In-Place Strength of

Use of Concrete Maturity For Use of Concrete Maturity For Measuring In-Place Strength of

Use of Concrete Maturity For Use of Concrete Maturity For Measuring In-Place Strength of Measuring In-Place Strength of Concrete Concrete Prasad Rangaraju, Ph.D., P.E. Assistant Professor Department of Civil Engineering Clemson University

1.08k views • 63 slides
Measuring Tie-Strength in Implicit Social Networks Tina

Measuring Tie-Strength in Implicit Social Networks Tina

Measuring Tie-Strength in Implicit Social Networks Tina Eliassi-Rad !na@eliassi.org Joint with Mangesh Gupte (Rutgers Google) 1 Problem Defini@on

975 views • 49 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
From Very Weak to Very Strong : Analyzing Password-Strength Meters Xavier de Carn de Carnavalet

From Very Weak to Very Strong : Analyzing Password-Strength Meters Xavier de Carn de Carnavalet

NDSS 2014 Presentation, Feb 25, 2014 From Very Weak to Very Strong : Analyzing Password-Strength Meters Xavier de Carn de Carnavalet Mohammad Mannan Concordia University, Montreal, Canada X. de Carn de Carnavalet NDSS14: Analyzing

608 views • 27 slides
Studying the Impact of Managers on Password Strength and Reuse Authors: Sanam Ghorbani Lyastani

Studying the Impact of Managers on Password Strength and Reuse Authors: Sanam Ghorbani Lyastani

Studying the Impact of Managers on Password Strength and Reuse Authors: Sanam Ghorbani Lyastani , Michael Schilling, Sascha Fahl, Sven Bugiel , Michael Backes CISPA, Saarland University, Saarland University, Leibniz

535 views • 31 slides
Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK

Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK

S TATISTICAL METRICS FOR INDIVIDUAL PASSWORD STRENGTH Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Security Protocols Workshop Cambridge, UK April 12, 2012 Joseph Bonneau (University of Cambridge) Individual password strength

361 views • 21 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com What is Team Password Manager - Password manager for groups and projects - Uses projects to group passwords - Secure, fine grained password sharing -

712 views • 9 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
Accuracies and Biases in Modeling Password Guessability Blase Ur, Sean M. Segreti, Lujo Bauer,

Accuracies and Biases in Modeling Password Guessability Blase Ur, Sean M. Segreti, Lujo Bauer,

Measuring Real-World Accuracies and Biases in Modeling Password Guessability Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher, Richard Shay

1.35k views • 114 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 4 Password Strength & Cracking Roadmap Password Authentication How Passwords are

512 views • 32 slides
Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena, Maliheh Shirvanian (UA Birmingham)

750 views • 32 slides
Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides
LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your Master Key When you forget a password, they send a reset link to your email. Anyone with access to your email has the power to reset your other

549 views • 31 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap Password

750 views • 31 slides
Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked Can detect, reject bad passwords for an appropriate definition of bad Discriminate on per-user, per-site basis Needs to do

363 views • 21 slides
Day 3 If you are still using the default password that was assigned when your account was

Day 3 If you are still using the default password that was assigned when your account was

Day 3 If you are still using the default password that was assigned when your account was created, CHANGE IT NOW! (It can be the same as your email password.) Day 3 Steps in compiling: (Optional preprocessing) Lexical analysis

483 views • 17 slides
Measuring Student Success: Innovative Approaches to Understanding Diverse Learners Wifi Network:

Measuring Student Success: Innovative Approaches to Understanding Diverse Learners Wifi Network:

Measuring Student Success: Innovative Approaches to Understanding Diverse Learners Wifi Network: Omni Meeting Password: COE2020 WELCOME Celine Coggins Executive Director, Grantmakers for Education Board Chair, Rennie Center #COE2020

903 views • 31 slides
PGT: Measuring Mobility Relationship using Personal, Global and Temporal Factors Hongjian Wang,

PGT: Measuring Mobility Relationship using Personal, Global and Temporal Factors Hongjian Wang,

PGT: Measuring Mobility Relationship using Personal, Global and Temporal Factors Hongjian Wang, Zhenhui Li, Wang-Chien Lee Penn State University ICDM 2014 Shenzhen Measure the mobility relationship strength Given trajectories of two users,

527 views • 24 slides
Open source password manager for teams 80% of security incidents are due to poor password

Open source password manager for teams 80% of security incidents are due to poor password

Open source password manager for teams 80% of security incidents are due to poor password management policies. ~ Trustwave Each year, over 125 millions hours of productivity are lost due to passwords management problematics. ~

950 views • 25 slides
1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

11/17/09 1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm pretty sure it doesn't work. 3 3 11/17/09 - basic outline -problems with password usability and security -how various graphical

1.55k views • 86 slides
A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks

A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks

A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks Bauhaus-Universitt Weimar www.webis.de NDSS 2017, February 27 th 2017 Mnemonic Password Creation Password: Show password Random

684 views • 17 slides
Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is weak authentication mechanism. Use Brute Force to find the password. We are using Hashing and Salt to protect the password. Passwords: Two factors

559 views • 51 slides

More recommend