
Password, Authentication, Password Managers (Week 4), Frank Chen. PowerPoint presentation, slide text transcribed below.



  1. LastPass, a Password Manager Application. CS 88S: Password, Authentication, Password Managers, Week 4. Frank Chen | Spring 2017

  2. Agenda
     ● Review last week's material
     ● Some Definitions
     ● Password in the Cloud
     ● How Password Cracking Works
     ● Password Managers

  3. Demonstration: The power of Google Analytics

  4. Agenda (section divider; next section: Review last week's material)

  5. Phishing. Def: the activity of defrauding an online account holder of financial information by posing as a legitimate company.

  6. Social Engineering. Def: psychological manipulation of people into performing actions or divulging confidential information.

  7. Malware
     ● Adware ● Spyware ● Bot ● Trojan Horse ● Ransomware ● Virus ● Rootkit ● Worm

  8. Spam Email Classification (diagram: a "magical" classifier model applied to a new, unlabeled email). Slide content credit to Prof. Ameet Talwalkar.

  9. Anti-Virus Software. Def: computer software used to prevent, detect and remove malicious software.

  10. Agenda (section divider; next section: Some Definitions)

  11. Password. Def: a word or string of characters used to prove identity or gain access to a resource.

  12. Examples. Source: http://bit.ly/2epzvkE

  13. Plaintext. Def: unencrypted text that is not computationally tagged, specially formatted, or written in code. We don't want passwords to be stored in plaintext!

  14. Hashing. Def: the process of turning your password into a long string of letters and numbers to keep it hidden. Hashing is a one-way street.

  15. 3 Properties of Hashing
     1. The same data will always produce the same hash.
     2. It's impossible to reverse it back to the original data given knowledge of only the hash.
     3. It's infeasible to create another string of data that will create the same hash.

  16. Hash Functions. Def: a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size. Examples: MD5 (http://bit.ly/2pbzecq), SHA-1 (http://bit.ly/2przKUs), SHA-2 (http://bit.ly/2q5dDzB). For a list of hash functions: http://bit.ly/2pbAADN

  17. Example: MD5 Hash
     MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
     MD5("The quick brown fox jumps over the lazy dog.") = e4d909c290d0fb1ca068ffaddf22cbd0
     Source: http://bit.ly/2pVq5pb
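
To make slides 15 to 17 concrete, here is an added Python example (not part of the slide deck) that uses the standard library `hashlib` to recompute the two MD5 values above and to check the properties the slides list: determinism, fixed output size, and the fact that a one-character change to the input changes roughly half of the output bits. The names `FOX`, `FOX_DOT`, `digest_hex`, `is_deterministic`, `differing_bits` and `fixed_output_size` are this example's own. MD5 and SHA-1 appear because the slides use them; they are no longer considered collision-resistant, which is why the example also runs SHA-256.

```python
import hashlib

# Constructed sample inputs: the two strings from slide 17, differing only by a trailing period.
FOX = "The quick brown fox jumps over the lazy dog"
FOX_DOT = "The quick brown fox jumps over the lazy dog."


def digest_hex(algorithm: str, text: str) -> str:
    """Return the hex digest of `text` (UTF-8 encoded) under the named hashlib algorithm."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def is_deterministic(algorithm: str, text: str, rounds: int = 5) -> bool:
    """Property 1: hashing the same data repeatedly always yields the same hash."""
    first = digest_hex(algorithm, text)
    return all(digest_hex(algorithm, text) == first for _ in range(rounds))


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bit positions in which two equal-length hex digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must have the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def fixed_output_size(algorithm: str, texts) -> bool:
    """Slide 16: inputs of any size map to an output of one fixed size (in bits)."""
    sizes = {len(digest_hex(algorithm, t)) * 4 for t in texts}
    return len(sizes) == 1


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        a, b = digest_hex(name, FOX), digest_hex(name, FOX_DOT)
        print(f"{name}: {a}")
        print(f"{name}: {b}")
        print(f"  -> {differing_bits(a, b)} of {len(a) * 4} bits differ")
```

Running the script prints the two MD5 digests from the slide followed by the SHA-1 and SHA-256 pairs; the bit-difference count is what "hashing is a one-way street" looks like in practice, since nothing about the second digest hints that the input differed by a single period.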

  18. Agenda (section divider; next section: Password in the Cloud)

  19. Authentication. Def: the act of confirming the truth of an entered piece of data.

  20. A typical Authentication Session (flow diagram)
     ● Login screen: Username: fc1995, Password: earl123
     ● Hash the input password (SHA-1).
     ● Stored online (SHA-1 hash): fc1995: 4cf39465730e75ebbec21c67facaba7a08d82f0f
     ● Do the two match?
     ● If YES: AUTHENTICATED! Proceed to your personal information/profile.
     ● If NO: DENIED! Try again.

  21. Additional Precautions
     ● Timeout
     ● 2 Factor Authentication
     ● Different Device Notifications
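
The session on slide 20 and two of the precautions on slide 21 (timeout after repeated failures, and a notification when a known user logs in from a device not seen before) as an added Python example; this is not code from the slides. It keeps the slide's unsalted SHA-1 store so the flow matches the diagram, computing the hash for fc1995/earl123 at start-up rather than copying the digest shown on the slide. The class `Authenticator`, the constants `MAX_ATTEMPTS` and `LOCKOUT_SECONDS`, and the device-id parameter are this example's assumptions; 2-factor authentication is not shown.

```python
import hashlib
import hmac
import time

MAX_ATTEMPTS = 5          # failed logins allowed before the account is locked
LOCKOUT_SECONDS = 300     # how long the lock (the "timeout" precaution) lasts


def sha1_hex(password: str) -> str:
    """SHA-1 of the password, as in the slide's stored-hash file (unsalted, for illustration only)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the "stored online" hash file: user fc1995 with password earl123,
# the pair shown on slide 20. The hash is computed here, not copied from the slide.
STORED_HASHES = {"fc1995": sha1_hex("earl123")}

# Digest compared against when the username is unknown, so unknown and known users take the
# same comparison path and response time does not reveal which usernames exist.
UNKNOWN_USER_HASH = sha1_hex("")


class Authenticator:
    def __init__(self, stored, now=time.monotonic):
        self.stored = stored
        self.now = now                 # injectable clock so the lockout can be tested
        self.failures = {}             # username -> (failed count, time of first failure)
        self.known_devices = {}        # username -> set of device ids seen on success
        self.notifications = []        # (username, device) pairs that would trigger an alert

    def is_locked(self, username: str) -> bool:
        count, since = self.failures.get(username, (0, 0.0))
        if count < MAX_ATTEMPTS:
            return False
        if self.now() - since >= LOCKOUT_SECONDS:
            del self.failures[username]  # lock has expired; the attempt count starts over
            return False
        return True

    def login(self, username: str, password: str, device: str = "unknown-device") -> str:
        """Run one authentication session; returns 'AUTHENTICATED', 'DENIED' or 'LOCKED'."""
        if self.is_locked(username):
            return "LOCKED"
        candidate = sha1_hex(password)                         # hash the input password
        expected = self.stored.get(username, UNKNOWN_USER_HASH)
        matches = hmac.compare_digest(candidate, expected)     # constant-time "do the two match?"
        if matches and username in self.stored:
            self.failures.pop(username, None)
            seen = self.known_devices.setdefault(username, set())
            if device not in seen:                             # "different device" notification
                seen.add(device)
                self.notifications.append((username, device))
            return "AUTHENTICATED"
        count, since = self.failures.get(username, (0, self.now()))
        self.failures[username] = (count + 1, since)
        return "DENIED"


if __name__ == "__main__":
    auth = Authenticator(STORED_HASHES)
    print(auth.login("fc1995", "earl123", device="laptop-1"))   # AUTHENTICATED
    print(auth.login("fc1995", "earl124", device="laptop-1"))   # DENIED
    print(auth.notifications)                                   # [('fc1995', 'laptop-1')]
```

Two details matter for a real deployment: the comparison uses `hmac.compare_digest` rather than `==` so the time taken does not depend on how many leading characters match, and the failure counter is keyed by username so the lockout applies whoever is guessing. A production system would also replace the bare SHA-1 store with a salted, deliberately slow password hash, which is the subject of the cracking section that follows.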

  22. A lot of headlines... Sources: http://bit.ly/1O1Md2G, http://bit.ly/2hylQcc, http://tcrn.ch/2lLC3Pv

  23. Agenda (section divider; next section: How Password Cracking Works)

  24. Password Cracking. Def: the process of recovering passwords from data that have been stored in or transmitted by a computer system.

  25. Examples (Revisited). Source: http://bit.ly/2epzvkE

  26. What makes a Password Strong? A STRONG password resists guessing. The less your password resembles regular English word patterns, the longer it will take for a repetition tool to guess it. Source: http://bit.ly/2epzvkE

  27. Dictionary Attack. Def: an attempted illegal entry to a computer system that uses a dictionary list to generate possible passwords.

  28. A typical Dictionary Attack (flow diagram)
     ● Retrieved password file (SHA-1 hash): fc1995: 4cf39465730e75ebbec21c67facaba7a08d82f0f
     ● Password dictionary: ...Dog, Dogs, Dogcatcher, Dogcatchers, Dogberry, Dogberries, Dogma, Dogmatic, Dogmatized, Dog1, Dog2, Dog3, Dog4...
     ● Hash each candidate password from the dictionary.
     ● Do the two hashes match?
     ● If YES: PASSWORD RETRIEVED! Proceed to use the password to log in to the account.
     ● If NO: CONTINUE with the next dictionary entry.
     Dictionary attacks can submit up to 1000 attempts per minute.

  29. John the Ripper Password Cracker

  30. Rainbow Tables. Def: a table of precomputed hashes, so an attacker does not need to perform hashing on every dictionary attack attempt.

  31. Solution: Add Salt. Def: salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. Salt is added to the front of the password.

  32. Source: http://bit.ly/2p24ytZ
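
Slides 28, 30 and 31 together explain why salting works: a precomputed table of dictionary hashes can be reused against every unsalted hash in a leaked file, while a random per-user salt means each user's hash has to be attacked from scratch. The added Python example below (not from the slides) builds a small precomputed table from a constructed word list modelled on slide 28, shows that it matches unsalted SHA-1 hashes but not salted ones, and goes one step beyond the slides by adding a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from `hashlib`) so that each remaining guess is also expensive. The names `DICTIONARY`, `build_precomputed_table`, `lookup_unsalted`, `make_salted_record` and `make_kdf_record`, and the `salt$hash` record layout, are this example's assumptions.

```python
import hashlib
import hmac
import os

# Constructed dictionary modelled on the word list drawn on slide 28, plus the slide's example password.
DICTIONARY = ["Dog", "Dogs", "Dogcatcher", "Dogcatchers", "Dogberry", "Dogberries",
              "Dogma", "Dogmatic", "Dogmatized", "Dog1", "Dog2", "Dog3", "Dog4", "earl123"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_precomputed_table(words):
    """Stand-in for a rainbow table (slide 30): every dictionary word hashed once, keyed by hash.
    Built once, the table is reused against any number of unsalted hashes."""
    return {sha1_hex(w.encode("utf-8")): w for w in words}


def lookup_unsalted(table, leaked_hashes):
    """For a leaked {username: hash} file, return the users whose hash appears in the table."""
    return {user: table[h] for user, h in leaked_hashes.items() if h in table}


def hash_salted(password: str, salt: bytes) -> str:
    """Salt prepended to the password before hashing, as slide 31 describes."""
    return sha1_hex(salt + password.encode("utf-8"))


def make_salted_record(password: str) -> str:
    """Per-user random salt stored next to the hash as 'salt$hash' (layout assumed here)."""
    salt = os.urandom(16)
    return salt.hex() + "$" + hash_salted(password, salt)


def verify_salted(record: str, password: str) -> bool:
    salt_hex, digest = record.split("$", 1)
    return hmac.compare_digest(hash_salted(password, bytes.fromhex(salt_hex)), digest)


def make_kdf_record(password: str, iterations: int = 200_000) -> str:
    """Salt plus a deliberately slow key derivation (PBKDF2-HMAC-SHA256): each guess now costs
    `iterations` hash computations, and the work cannot be shared across users."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_kdf_record(record: str, password: str) -> bool:
    iters, salt_hex, digest = record.split("$", 2)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest)


if __name__ == "__main__":
    table = build_precomputed_table(DICTIONARY)
    # Constructed leaked file, unsalted: one precomputed table recovers every dictionary password.
    leaked = {"fc1995": sha1_hex(b"earl123"), "u2": sha1_hex(b"Dog3"), "u3": sha1_hex(b"zebra-99")}
    print("unsalted:", lookup_unsalted(table, leaked))          # fc1995 and u2 recovered, u3 not
    # Same passwords, salted: the table finds nothing and would have to be rebuilt per user.
    salted = {u: make_salted_record(p) for u, p in [("fc1995", "earl123"), ("u2", "Dog3")]}
    print("salted:  ", lookup_unsalted(table, {u: r.split("$")[1] for u, r in salted.items()}))
```

The unsalted lookup is the eHarmony situation on slides 34 to 37: an MD5 file with no salt lets one dictionary pass cover the whole leak. With a salt, the precomputed table is useless and the attacker's cost scales with the number of users, which is what the "over 30 years" figure on slide 37 reflects. Salt alone does not make an individual guess slower, so modern systems pair it with a slow function such as PBKDF2, bcrypt, scrypt or Argon2; the `iterations` parameter is the knob that sets that cost.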

  33. Case Study: eHarmony

  34. What does the leak mean?
     ● Most leaked files are hashed
     ● Some are in plaintext!?
     ● Others are hashed and salted
     eHarmony password hash (MD5, unsalted): http://bit.ly/2nsJOZl

  35. Dictionary Attack on CrackStation: 1,493,677,782 medium dictionary entries; 15,171,326,912 huge dictionary entries.

  36. Result of eHarmony Brute Force Attack: 275,860 (18.2%) of the passwords retrieved in 23.47 hours. Source: http://bit.ly/2nsJOZl

  37. How long would it take if the hashes were salted? Over 30 years. Source: http://bit.ly/2nsJOZl

  38. Let's look at some Math! Source: http://bit.ly/2oFNxTn

  39. (Image slide) Source: http://bit.ly/1M88D3U

  40. Tools: hashcat (https://hashcat.net/hashcat/), John the Ripper (http://www.openwall.com/john/), Aircrack-ng (https://www.aircrack-ng.org/)

  41. Agenda (section divider; next section: Password Managers)

  42. Password Manager. Def: a software application or hardware device that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password.

  43. LastPass. Password managers can be hacked! http://bit.ly/2q38isq

  44. 1Password. Source: https://1password.com/

  45. Should you use a Password Manager?
     PROS
     ● Balance of convenience and security
     ● Portability
     ● Secure storage
     ● Not just for passwords
     CONS
     ● Single point of failure
     ● Trusting in the Cloud
     ● Not necessary for some people
     Source: http://bit.ly/2pZCcPc

  46. Safety in the Cloud Tip: Manage your password well! https://haveibeenpwned.com/

  47. Next Week... The Keybase app helps you perform secure operations with people you know on the Internet via asymmetric key cryptography.
