UT CS 361s - Authentication: Passwords and Security Questions


Vitaly Shmatikov, CS 361S
Authentication: Passwords and Security Questions

Slide 2: Reading Assignment
Read Kaufman 9.1-2, 10.1-10, 11.1-2, 12.2
• Don’t have to read about public-key authentication (yet)

Slide 3: Basic Problem
How do you prove to someone that you are who you claim to be?
Any system with access control must solve this problem.

Slide 4: Many Ways to Prove Who You Are
What you know
• Passwords
• Answers to questions that only you know
Where you are
• IP address, geolocation
What you are
• Biometrics
What you have
• Secure tokens, mobile devices

Slide 5: Multi-Factor Authentication

Slide 6: Password-Based Authentication
User has a secret password. System checks it to authenticate the user.
How is the password communicated?
• Eavesdropping risk
How is the password stored?
• In the clear? Encrypted? Hashed?
How does the system check the password?
How easy is it to guess the password?
• Easy-to-remember passwords tend to be easy to guess

Slide 7: Other Aspects
Usability
• Hard-to-remember passwords?
• Carry a physical object all the time?
Denial of service
• Stolen wallet
• Attacker tries to authenticate as you, account locked after three failures
• “Suspicious” credit card usage
Social engineering

Slide 8: Passwords and Computer Security
In 2012, 76% of network intrusions exploited weak or stolen credentials (username/password)
• Source: Verizon Data Breach Investigations Report
First step after any successful intrusion: install sniffer or keylogger to steal more passwords
Second step: run cracking tools on password files
• Cracking needed because modern systems usually do not store passwords in the clear (how are they stored?)
In Mitnick’s “Art of Intrusion”, 8 out of 9 exploits involve password stealing and/or cracking

Slide 9: Password Security Risks
Keystroke loggers
• Hardware – KeyGhost, KeyShark, others
• Software (spyware)
Shoulder surfing
Same password at multiple sites
Broken implementations
• TENEX timing attack
Social engineering

Slide 10: Default Passwords
Pennsylvania ice cream shop phone scam
• Voicemail PIN defaults to last 4 digits of phone number; criminals change message to “I accept collect call”, make $8600 on a 35-hour call to Saudi Arabia
Examples from Mitnick’s “Art of Intrusion”
• U.S. District Courthouse server: “public” / “public”
• NY Times employee database: pwd = last 4 SSN digits
• “Dixie bank”: break into router (pwd=“administrator”), then into IBM AS/400 server (pwd=“administrator”), install keylogger to snarf other passwords
  – “99% of people there used ‘password123’ as their password”

Slide 11: Gary McKinnon
Scottish “bumbling computer nerd”
In 2001 and 2002, hacked into 97 US military and NASA computers searching for evidence of free energy suppression and UFO coverups
• “… shut down the entire US Army’s Military District of Washington network of over 2000 computers for 24 hrs”
• “… rendered [US Naval Weapons Station Earle]’s entire network of over 300 computers inoperable at a critical time immediately following 11 September 2001”
Method: Perl script randomly looking for blank and default passwords to administrator accounts

Slide 12: Old Password Surveys
Klein (1990) and Spafford (1992)
• 2.7% guessed in 15 minutes, 21% in a week
• Much more computing power is available now!
U. of Michigan: 5% of passwords were “goblue”
• How many passwords on this campus involve “orange”, “horns”, “bevo”, etc.?
Zviran and Haga (1999)
• Password usage at a DoD facility in California
• 80% of passwords were 4-7 characters in length, 80% used alphabetic characters only, 80% of the users had never changed their password

Slide 13: Hack (2009)
“Social gaming” company
Database with 32 million user passwords from partner social networks
Passwords stored in the clear
December 2009: entire database hacked using an SQL injection attack and posted on the Internet
• More about SQL injection attacks later

Slide 14: Passwords in RockYou Database [Imperva]

Slide 15: Password Length Distribution [Imperva]

Slide 16: Gawker Passwords (2010) [WSJ]
• trustno1

Slide 17: Stratfor Passwords (2011)
Austin forecasting and intelligence firm
Hacked on December 24, 2011
• Client names, credit card numbers (in the clear, with CVV!), 860,000 MD5-hashed passwords
86% of password hashes recovered by Gerrit Padgham using GPU technology
• Many very weak passwords
  – Top ten: stratfor, 123456, 0000, password, stratfor1, changeme, strat4, 1qaz2wsx, 1234, wright
• 630,000 algorithmically generated by Stratfor
  – 8 characters, mixed uppercase & lowercase, digits

Slide 18: More Password Datasets
• More than 30 million passwords
• “#1 Most Trusted Online Dating Site”
• SQL injection attack
• For sale for $3000

Slide 19: Adobe Passwords (2013)
153 million account passwords
• 56 million of them unique
Encrypted using 3DES in ECB mode rather than hashed (why is this important?)
Password hints

Slide 20: How About PINs?
In 2012, Nick Berry analyzed all four-digit passwords from previous leaks

Slide 21: Password Usability

Slide 22: Memorability vs. Security
One bank’s idea for making PINs “memorable”
• If PIN is 2256, write your favorite word in the grid
• Fill the rest with random letters [Ross Anderson]
Normally 9,999 choices for PIN: hard to guess
Now only a few dozen possible English words: easy to guess!

Slide 23: Password Guessing Techniques
Dictionary with words spelled backwards
First and last names, streets, cities
Same with upper-case initials
All valid license plate numbers in your state
Room numbers, telephone numbers, etc.
Letter substitutions and other tricks
• If you can think of it, attacker will, too

Slide 24: Social Engineering
Univ. of Sydney study (1996)
• 336 CS students emailed asking for their passwords
  – Pretext: “validate” password database after suspected break-in
• 138 returned their passwords; 30 returned invalid passwords; 200 reset passwords (not disjoint)
Treasury Dept. report (2005)
• Auditors pose as IT personnel attempting to correct a “network problem”
• 35 of 100 IRS managers and employees provide their usernames and change passwords to a known value
Other examples: Mitnick’s “Art of