
PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli - PowerPoint PPT Presentation



  1. PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1

  2. Passwords
     • Passwords are a user authentication mechanism that has been widely adopted for many years
     • Methods for user authentication:
       • Something you know (password)
       • Something you have (mobile phone)
       • Something you are (biometrics)

  3. 1st Paper: The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes – Bonneau J., Herley C., Van Oorschot P. C., Stajano F.

  4. 1st Paper Overview
     • Introduction
       • Problem
       • Proposal
     • Framework Analysis
       • Properties
       • Weights
     • Schemes Evaluation
     • Conclusion

  5. Introduction – Problem
     • Passwords are plagued with security problems
     • Passwords have not been replaced by any of the numerous proposals from the research community

  6. Introduction – Proposal
     • The authors propose a framework that provides an evaluation of already proposed password-replacement schemes
     • It can be used as a benchmark for future password-replacement proposals
     • 25 different properties were tested against 35 password-replacement schemes (9 of them are analyzed in the paper)

  7. Framework Analysis – Benefits
     • Each scheme is rated as either offering or not offering each benefit; a scheme that almost offers a benefit is rated “Quasi”
     • Example of “Quasi”:
       • Memorywise-Effortless: Users of the scheme do not have to remember any secrets at all.
       • Quasi-Memorywise-Effortless: Users have to remember one secret for everything.
     • Framework analysis has 3 categories: Usability, Deployability, Security

  8. Properties – Usability
     1. Memorywise-Effortless
     2. Scalable-for-Users
     3. Nothing-to-Carry
     4. Physically-Effortless
     5. Easy-to-Learn
     6. Efficient-to-Use
     7. Infrequent-Errors
     8. Easy-Recovery-from-Loss

  9. Properties – Deployability
     1. Accessible
     2. Negligible-Cost-per-User
     3. Server-Compatible
     4. Browser-Compatible
     5. Mature
     6. Non-Proprietary

  10. Properties – Security
     1. Resilient-to-Physical-Observation
     2. Resilient-to-Targeted-Impersonation
     3. Resilient-to-Throttled-Guessing
     4. Resilient-to-Unthrottled-Guessing
     5. Resilient-to-Internal-Observation

  11. Properties – Security
     6. Resilient-to-Leaks-from-Other-Verifiers
     7. Resilient-to-Phishing
     8. Resilient-to-Theft
     9. No-Trusted-Third-Party
     10. Requiring-Explicit-Consent
     11. Unlinkable

  12. Weights
     • Some benefits are more important than others, depending on the specific goal for which the schemes are being compared
     • Step 1: Examine and score each individual scheme on each benefit
     • Step 2: Compare competing schemes to identify precisely which benefits each offers over the other
     • Step 3: Determine a ranking with weights that take into account the relative importance of each benefit

  13. Weights

  14. Evaluation – Legacy Passwords
     ARE:
       1. Nothing-to-Carry
       2. Easy-to-Learn
       3. Efficient-to-Use
       4. Easy-Recovery-from-Loss
       5. Accessible
       6. Negligible-Cost-per-User
       7. Server-Compatible
       8. Browser-Compatible
       9. Mature
       10. Non-Proprietary
       11. Resilient-to-Theft
       12. No-Trusted-Third-Party
       13. Unlinkable
     ARE NOT:
       1. Memorywise-Effortless
       2. Scalable-for-Users
       3. Physically-Effortless
       4. Resilient-to-Physical-Observation
       5. Resilient-to-Throttled-Guessing
       6. Resilient-to-Unthrottled-Guessing
       7. Resilient-to-Internal-Observation
       8. Resilient-to-Leaks-from-Other-Verifiers
       9. Resilient-to-Phishing

  15. Evaluation – Encrypted password managers: Mozilla Firefox
     [diagram: the user supplies a master password to Mozilla Firefox, which holds a separate password for Website 1, Website 2 and Website 3]

  16. Evaluation – Encrypted password managers: Mozilla Firefox
     IS:
       1. Scalable-for-Users
       2. Easy-to-Learn
       3. Efficient-to-Use
       4. Infrequent-Errors
       5. Resilient-to-Phishing
       6. Resilient-to-Theft
       7. No-Trusted-Third-Party
       8. Requiring-Explicit-Consent
       9. Unlinkable
       10. Negligible-Cost-per-User
       11. Mature
       12. Accessible
       13. Server-Compatible
       14. Non-Proprietary
       15. Quasi-Memorywise-Effortless
       16. Quasi-Nothing-To-Carry
       17. Quasi-Physically-Effortless
       18. Quasi-Resilient-to-Physical-Observation
       19. Quasi-Resilient-to-Targeted-Impersonation
     IS NOT:
       1. Easy-Recovery-from-Loss
       2. Resilient-to-Throttled-Guessing
       3. Resilient-to-Unthrottled-Guessing
       4. Resilient-to-Internal-Observation
       5. Resilient-to-Leaks-from-Other-Verifiers
       6. Browser-Compatible
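As an added example that is not part of the paper or the slides, the three steps of the Weights slide applied to the ratings given on the Legacy Passwords and Mozilla Firefox slides: score each scheme on all 25 benefits (1 = offers it, 0.5 = Quasi, 0 = does not; a benefit a slide leaves unrated scores 0), list the benefits one scheme offers over the other, and rank under category weights. The weights themselves are constructed for illustration, since the paper leaves the weighting to whoever applies the framework.

```python
# Added example, not code from the paper or the slides: the three-step procedure on the
# "Weights" slide, run over the Legacy Passwords and Firefox password manager ratings.
# Scores: 1.0 = offers the benefit, 0.5 = "Quasi", 0.0 = does not. Weights are constructed.
CATEGORIES = {
    "usability": ["Memorywise-Effortless", "Scalable-for-Users", "Nothing-to-Carry",
                  "Physically-Effortless", "Easy-to-Learn", "Efficient-to-Use",
                  "Infrequent-Errors", "Easy-Recovery-from-Loss"],
    "deployability": ["Accessible", "Negligible-Cost-per-User", "Server-Compatible",
                      "Browser-Compatible", "Mature", "Non-Proprietary"],
    "security": ["Resilient-to-Physical-Observation", "Resilient-to-Targeted-Impersonation",
                 "Resilient-to-Throttled-Guessing", "Resilient-to-Unthrottled-Guessing",
                 "Resilient-to-Internal-Observation", "Resilient-to-Leaks-from-Other-Verifiers",
                 "Resilient-to-Phishing", "Resilient-to-Theft", "No-Trusted-Third-Party",
                 "Requiring-Explicit-Consent", "Unlinkable"],
}
BENEFITS = [b for names in CATEGORIES.values() for b in names]  # all 25 benefits

def rate(offers, quasi=()):
    """Step 1: score one scheme on every benefit; a misspelled benefit name raises."""
    assert set(offers) | set(quasi) <= set(BENEFITS), "unknown benefit name"
    scores = dict.fromkeys(BENEFITS, 0.0)          # unrated benefits score 0
    scores.update(dict.fromkeys(offers, 1.0))
    scores.update(dict.fromkeys(quasi, 0.5))
    return scores

def advantages(a, b):
    """Step 2: the benefits on which scheme a scores strictly higher than scheme b."""
    return {name for name in BENEFITS if a[name] > b[name]}

def weighted_score(scores, weights):
    """Step 3: total under per-category weights, the value the ranking is built on."""
    return sum(weights[cat] * sum(scores[b] for b in names) for cat, names in CATEGORIES.items())

def ranking(schemes, weights):
    """Scheme names, best first, under the given category weights."""
    return sorted(schemes, key=lambda n: weighted_score(schemes[n], weights), reverse=True)

# Ratings transcribed from the "Evaluation" slides for two of the schemes.
SCHEMES = {
    "Legacy passwords": rate(
        offers=["Nothing-to-Carry", "Easy-to-Learn", "Efficient-to-Use", "Easy-Recovery-from-Loss",
                "Accessible", "Negligible-Cost-per-User", "Server-Compatible", "Browser-Compatible",
                "Mature", "Non-Proprietary", "Resilient-to-Theft", "No-Trusted-Third-Party", "Unlinkable"]),
    "Firefox password manager": rate(
        offers=["Scalable-for-Users", "Easy-to-Learn", "Efficient-to-Use", "Infrequent-Errors",
                "Resilient-to-Phishing", "Resilient-to-Theft", "No-Trusted-Third-Party", "Unlinkable",
                "Requiring-Explicit-Consent", "Negligible-Cost-per-User", "Mature", "Accessible",
                "Server-Compatible", "Non-Proprietary"],
        quasi=["Memorywise-Effortless", "Nothing-to-Carry", "Physically-Effortless",
               "Resilient-to-Physical-Observation", "Resilient-to-Targeted-Impersonation"]),
}
```

With equal weights the password manager ranks first, but weighting deployability heavily (the category on which the Conclusions slide notes every scheme loses to passwords) puts legacy passwords ahead, which is exactly the sensitivity Step 3 is meant to expose.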

  17. Evaluation – Federated Single Sign-On: OpenID
     [diagram: the user authenticates once to a Single Sign-On provider, which signs the user in to Website 1, Website 2 and Website 3]

  18. Evaluation – Federated Single Sign-On: OpenID
     IS:
       1. Scalable-for-Users
       2. Nothing-to-Carry
       3. Efficient-to-Use
       4. Infrequent-Errors
       5. Easy-Recovery-from-Loss
       6. Accessible
       7. Negligible-Cost-per-User
       8. Mature
       9. Non-Proprietary
       10. Browser-Compatible
       11. Quasi-Memorywise-Effortless
       12. Quasi-Physically-Effortless
       13. Quasi-Easy-to-Learn
       14. Resilient-to-Leaks-from-Other-Verifiers
       15. Quasi-Resilient-to-Throttled-Guessing
       16. Quasi-Resilient-to-Unthrottled-Guessing
       17. Quasi-Resilient-to-Targeted-Impersonation
       18. Quasi-Resilient-to-Physical-Observation
     IS NOT:
       1. Server-Compatible
       2. Resilient-to-Internal-Observation
       3. Resilient-to-Phishing
       4. Unlinkable
       5. No-Trusted-Third-Party

  19. Evaluation – Graphical Passwords: PCCP
     [diagram: User, Login]

  20. Evaluation – Graphical Passwords: PCCP
     IS:
       1. Easy-to-Learn
       2. Negligible-Cost-per-User
       3. Browser-Compatible
       4. Non-Proprietary
       5. Resilient-to-Targeted-Impersonation
       6. Resilient-to-Leaks-from-Other-Verifiers
       7. Resilient-to-Phishing
       8. Unlinkable
     IS NOT:
       1. Memorywise-Effortless
       2. Scalable-for-Users
       3. Accessible
       4. Server-Compatible
       5. Mature
       6. Resilient-to-Physical-Observation
       7. Resilient-to-Unthrottled-Guessing
       8. Resilient-to-Internal-Observation

  21. Evaluation – Cognitive authentication: GrIDsure
     [diagram: two grids of digits; the user chooses a pattern on one grid (“Choose a pattern”) and later writes the digits found at that pattern’s positions in a fresh grid (“Write the pattern”)]

  22. Evaluation – Cognitive authentication: GrIDsure
     IS:
       1. Nothing-to-Carry
       2. Easy-to-Learn
       3. Easy-Recovery-from-Loss
       4. Negligible-Cost-per-User
       5. Browser-Compatible
       6. Resilient-to-Targeted-Impersonation
       7. Resilient-to-Throttled-Guessing
       8. Resilient-to-Unthrottled-Guessing
       9. Quasi-Efficient-to-Use
     IS NOT:
       1. Memorywise-Effortless
       2. Scalable-for-Users
       3. Physically-Effortless
       4. Accessible
       5. Server-Compatible
       6. Mature
       7. Non-Proprietary
       8. Resilient-to-Physical-Observation
       9. Resilient-to-Internal-Observation

  23. Evaluation – Other schemes
     1. Proxy-based: URRSA
     2. Paper tokens: OTPW
     3. Hardware tokens: RSA SecurID
     4. Mobile-phone-based: Phoolproof
     5. Biometrics: Fingerprint recognition

  24. [figure]

  25. Conclusions
     • Most schemes do better than passwords on security
     • Every scheme does worse than passwords on deployability
     • This paper can help the research community evaluate their user authentication proposals using this framework, adjusting it to their needs:
       • Add weights
       • Add more benefits

  26. 2nd Paper: The Tangled Web of Password Reuse – Das, A., Bonneau, J., Caesar, M., Borisov, N., & Wang, X. (2014, February)

  27. 2nd Paper Overview
     • Introduction
     • Related Work
     • Measurement Study
     • Survey
     • Guessing Algorithm
     • Conclusions

  28. Introduction
     • In this paper the authors:
       • Estimate the rate of password reuse
       • Examine how reusing passwords can benefit attackers
       • Analyze the similarity of non-identical passwords
       • Develop a password-guessing algorithm

  29. Related Work
     • Zhang et al.
       • Drawback: their password analysis is based on a single source, so they examine only one password composition policy
     • Florencio et al.
       • Drawback: only considered identical passwords, not related ones (with modifications)
     • Weir et al.
       • Drawback: focus on cracking passwords in an offline scenario

  30.
     • A typical Internet user is estimated to have 25 distinct online accounts
     • Users often reuse passwords across accounts on different online services

  31. Measurement Study
     • Understand how often users reuse passwords across sites
     • Understand the specific approaches users take to vary their passwords at different sites
     • In the measurement study the authors take the sites’ password composition policies into consideration

  32. Password Composition Policies
     • To increase security, online services often enforce password composition policies or strength metrics, as these have been shown to help users choose stronger passwords.
     • Example:
       • Passwords must not contain the user’s entire name/user ID
       • At least n characters
       • Passwords must contain characters from two or more of the following categories:
         • Uppercase characters
         • Lowercase characters
         • Base 10 digits
         • Non-alphanumeric ASCII characters
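As an added example (not from the paper or the slides), a checker for the example composition policy above, written as a server-side validator would apply it. The slide does not fix n, so the default minimum length of 8, the case-insensitive matching of the name and user ID, and the reading of “non-alphanumeric ASCII” as printable ASCII that is neither a letter nor a digit are assumptions made here.

```python
import string

# Added example, not from the paper or the slides: a validator for the composition
# policy on the slide. min_length (the slide's n), case-insensitive name/ID matching
# and the symbol definition are assumptions; the sample passwords are constructed.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    # "Non-alphanumeric ASCII": printable ASCII that is not a letter or digit (space included)
    "symbol": {chr(c) for c in range(32, 127) if not chr(c).isalnum()},
}

def categories_used(password):
    """Names of the categories from which the password draws at least one character."""
    return {name for name, chars in CATEGORIES.items() if any(c in chars for c in password)}

def policy_violations(password, user_id="", full_name="", min_length=8, min_categories=2):
    """Rules the password breaks, in the slide's order; an empty list means it passes."""
    found = []
    lowered = password.lower()
    if user_id and user_id.lower() in lowered:
        found.append("contains the user ID")
    # The "entire name" is matched as written and with its spaces removed (assumption).
    name_forms = {full_name.lower(), full_name.lower().replace(" ", "")} - {""}
    if any(form in lowered for form in name_forms):
        found.append("contains the user's entire name")
    if len(password) < min_length:
        found.append(f"shorter than {min_length} characters")
    used = categories_used(password)
    if len(used) < min_categories:
        found.append(f"uses {len(used)} of the {len(CATEGORIES)} character categories, "
                     f"need at least {min_categories}")
    return found

def check_candidates(candidates, **policy):
    """Apply one policy to several passwords; returns {password: violations}."""
    return {pw: policy_violations(pw, **policy) for pw in candidates}

if __name__ == "__main__":
    # Constructed sample inputs for a hypothetical user "jsmith" named "John Smith".
    sample = ["password", "hunter2", "JohnSmith2020", "Tr0ub4dor&3", "correct horse battery"]
    for pw, problems in check_candidates(sample, user_id="jsmith", full_name="John Smith").items():
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```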
