security some fun with passwords
play

Security: Some Fun with Passwords How to handle Passwords: the - PDF document

Feb 05, 2023 •308 likes •369 views

CSCE Intro to Computer Systems Security - Passwords Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not too long ago Hi, I forgot my password! Let me help you. What is your name? My Name is John

  1. CSCE Intro to Computer Systems Security - Passwords Security: Some Fun with Passwords • How to handle Passwords: the Basics • Rainbow Attacks Not too long ago… Hi, I forgot my password! Let me help you. What is your name? My Name is John Doe. I found you in my system. Your password is XXXYYY. Q: What is wrong with this scenario? 1

  2. CSCE Intro to Computer Systems Security - Passwords Password Hashing Instead of storing the password on the server … Alice: XXXYYY Bob: YYYZZZ “ user name: Alice, password: XXXYYY ” Charlie: ZZZAAA Dorothy: AAABBB Alice … Is Alice ’ s password = “ XXXYYY ” ? … we store an encrypted ( hashed ) version of the password. Alice: sX&*Xzy Bob: 78BeBc# “ user name: Alice, password: XXXYYY ” Charlie: wqlkr03 Dorothy: 94pg9s Alice … Is Alice ’ s password hash = Hash( “ XXXYYY ” )? Replay Attacks and Challenge Response Simply encrypting a request does not protect from replays. Alice: sX&*Xzy Bob: 78BeBc# ( “ user:Alice, pw:XXXYYY ” ) kBpub Charlie: wqlkr03 Dorothy: 94pg9s Alice … ( “ user:Alice, pw:XXXYYY ” ) kBpub Solution: Challenge-response. knock knock! Alice: sX&*Xzy 9345 Bob: 78BeBc# ( “ user:alice, pw:XXXYYY, 9345) kBpub Charlie: wqlkr03 Dorothy: 94pg9s Alice knock knock! … 2134560 ?!?! 2

  3. CSCE Intro to Computer Systems Security - Passwords Is Password Hashing Overrated? (or, hacking password files using rainbow tables) Password Hashing: Passwords Hashes Two approaches to “ Decrypt ” passwords: 1. Exhaustively generate and hash passwords and check for match. 2. Generate table for all possible passwords and their hashes. Then just look up. Rainbow Tables: Reduction Functions MD5(483039) = dca12104d04e02176fc6bc9a7fdcaf50 Hash function: MD5() PW = “ 483039 ” hash Passwords Hashes “ reduce ” RED(dca 12104 d 0 4e02176fc6bc9a7fdcaf50) = 121040 Reduction function: RED(arg) := pick first numerical 6 digits of arg. 3

  4. CSCE Intro to Computer Systems Security - Passwords “ Chains ” of Hashes Passwords Hashes start end Simple Hash Chain Table: start end iaisudhiu 4259cc34599c530b1e4a8f225d665802 oxcvioix c744b1716cbf8d4dd0ff4ce31a177151 9da8dasf 3cd696a8571a843cda453a229d741843 […] sodifo8sf 7ad7d6fa6bb4fd28ab98b3dd33261e8f Problems with Hash Chains • Chains can collide : – When hash function or reduction values collide, hash chains merge . – Hash function values are unlikely to collide – Reduction function values are likely to collide • Reduction function should map back to likely subset of passwords. – If not, we are spending time scanning the entire space. 4

  5. CSCE Intro to Computer Systems Security - Passwords How to Counter such Attacks? Salting Instead of storing the hash hash(password) we store the salted hash hash(password + salt) where salt is a very large number. 5

Recommend

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

670 views • 28 slides
PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords Passwords is a user authentication mechanism that is widely adopted for many years Methods for user authentication: Something you know

901 views • 52 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random research, rants, etc. Nmap dev news Password database I post updates to Twitter https://twitter.com/iagox86 My job... Tenable Network Security

990 views • 88 slides
Security 1 - Passwords Computer security is a big and kind of dramatic area which lends itself to

Security 1 - Passwords Computer security is a big and kind of dramatic area which lends itself to

Security 1 - Passwords Computer security is a big and kind of dramatic area which lends itself to movie plots and fear. There are real threats our there, but staying safe is not that hard. Computer -- The Castle The computer is like a

416 views • 37 slides
Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of Information Technology Uppsala University, Sweden 20. January 2020 Caveat Auditor Background Passwords this talk contains opinions Diceware

447 views • 43 slides
Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th

Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th

Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th October 2008 Overview Securing Systems Passwords Storing Passwords Guessing Passwords What can I do about it?

518 views • 16 slides
Information Security Forum Fall 2018 Gary McCrillis & Jon Vazquez Information Security

Information Security Forum Fall 2018 Gary McCrillis & Jon Vazquez Information Security

Information Security Forum Fall 2018 Gary McCrillis & Jon Vazquez Information Security Analysts, Cal Poly Information Security Office 9/28/18 1 Better Passwords, with 9/28/18 2 Ninjio Video 9/28/18 3 Passwords Are (Still) Hard

387 views • 10 slides
CSE 484 / CSE M 584 Computer Security: Passwords and Lab 3 Prep TA: Thomas Crosley tcrosley@cs

CSE 484 / CSE M 584 Computer Security: Passwords and Lab 3 Prep TA: Thomas Crosley tcrosley@cs

CSE 484 / CSE M 584 Computer Security: Passwords and Lab 3 Prep TA: Thomas Crosley tcrosley@cs Thanks to Franzi for some previous slides LogisIcs / Reminders Lab #2 due 5/20,5pm (tomorrow!) Next office hour: Thomas and Kevin: 2-3pm

382 views • 25 slides
Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco IOS stores passwords in clear text in network device configuration files for several features such as passwords for local and remote CLI sessions,

354 views • 13 slides
STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A S S W O R D F R O M H O M E ! Students: Update your password this summer from home! Student passwords were reset on 7/3/2019. Please follow the

525 views • 14 slides
secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start

secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start

secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start motivation & start internet security evaluate password cracker to check security of passwords passwords problems problems default

703 views • 27 slides
Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics

Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics

CSE 484 / CSE M 584 Computer Security: Passwords TA: Adrian Sham adrsham@cs Thanks to Franzi for slides. Logistics / Reminders Class tomorrow at PCAR 290 Lab #2 due 5/20,5pm (next Wednesday) Next office hour: Michael and

574 views • 22 slides
Analyzing Pwned Passwords with Spark Kelley Robinson @kelleyrobinson Developer Evangelist +

Analyzing Pwned Passwords with Spark Kelley Robinson @kelleyrobinson Developer Evangelist +

Analyzing Pwned Passwords with Spark Kelley Robinson @kelleyrobinson Developer Evangelist + @KELLEYROBINSON BIG DATA & SECURITY Spark: then and now The state of passwords Spark in action Big Data Security BIG DATA & SECURITY

606 views • 33 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Financial Crypto and Data Security Mar. 3, 2011 Mercury: Recovering Forgotten Passwords Using

Financial Crypto and Data Security Mar. 3, 2011 Mercury: Recovering Forgotten Passwords Using

Financial Crypto and Data Security Mar. 3, 2011 Mercury: Recovering Forgotten Passwords Using Personal Devices M. Mannan NSERC PDF, University of Toronto m.mannan@utoronto.ca Collaborators: D. Barrera, C.D. Brown, D. Lie, P.C. van Oorschot

483 views • 24 slides
CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

780 views • 54 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

827 views • 54 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g.

506 views • 34 slides
Decrypting All Users' Secrets and PFX Passwords Paula Januszkiewicz CQURE: CEO, Penetration

Decrypting All Users' Secrets and PFX Passwords Paula Januszkiewicz CQURE: CEO, Penetration

DPAPI and DPAPI-NG: Decrypting All Users' Secrets and PFX Passwords Paula Januszkiewicz CQURE: CEO, Penetration Tester / Security Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT Microsoft: Regional Director www.cqureacademy.com

615 views • 27 slides
Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret Typical goal: client authenticating to server, without being tied to a device holding a cryptographic key. On authentication, a session key should be

344 views • 11 slides
Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords

520 views • 38 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

472 views • 21 slides
The Long and Short of Passwords Rich Shay November 5, 2009 1 / 34 The Long and Short of

The Long and Short of Passwords Rich Shay November 5, 2009 1 / 34 The Long and Short of

The Long and Short of Passwords The Long and Short of Passwords Rich Shay November 5, 2009 1 / 34 The Long and Short of Passwords Motivation for Studying Passwords Outline Motivation for Studying Passwords 1 2 Overview of Password Failure

373 views • 36 slides

More recommend