PASSWORDS
CS682: Advanced Security Topics
Vasiliki Panteli
3/9/2020 Passwords 1
Passwords
• Passwords are a user authentication mechanism that has been widely adopted for many years
• Methods for user authentication:
  • Something you know (password)
  • Something you have (mobile phone)
  • Something you are (biometrics)
1st Paper:
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
Bonneau J., Herley C., Van Oorschot P. C., Stajano F.
1st Paper Overview
• Introduction
  • Problem
  • Proposal
• Framework Analysis
  • Properties
  • Weights
• Schemes Evaluation
• Conclusion
Introduction – Problem
• Passwords are plagued with security problems
• None of the numerous proposals from the research community has replaced passwords
Introduction – Proposal
• The authors propose a framework which provides an evaluation of already proposed password-replacement schemes
• It can be used as a benchmark for future password replacement proposals
• 25 different properties were tested against 35 password-replacement schemes (9 of them are analyzed in the paper)
Framework Analysis – Benefits
• Each scheme is rated as offering, quasi-offering (offering only partially) or not offering each benefit
• Example of “Quasi”:
  • Memorywise-Effortless: users of the scheme do not have to remember any secrets at all.
  • Quasi-Memorywise-Effortless: users have to remember one secret for everything.
• The framework groups the benefits into 3 categories: Usability, Deployability, Security
Properties – Usability
1. Memorywise-Effortless
2. Scalable-for-Users
3. Nothing-to-Carry
4. Physically-Effortless
5. Easy-to-Learn
6. Efficient-to-Use
7. Infrequent-Errors
8. Easy-Recovery-from-Loss
Properties – Deployability
1. Accessible
2. Negligible-Cost-per-User
3. Server-Compatible
4. Browser-Compatible
5. Mature
6. Non-Proprietary
Properties – Security
1. Resilient-to-Physical-Observation
2. Resilient-to-Targeted-Impersonation
3. Resilient-to-Throttled-Guessing
4. Resilient-to-Unthrottled-Guessing
5. Resilient-to-Internal-Observation
6. Resilient-to-Leaks-from-Other-Verifiers
7. Resilient-to-Phishing
8. Resilient-to-Theft
9. No-Trusted-Third-Party
10. Requiring-Explicit-Consent
11. Unlinkable
Weights
• Some benefits are more important than others depending on the specific goal for which the scheme is being compared
• STEP 1: Examine and score each individual scheme on each benefit
• STEP 2: Compare competing schemes to identify precisely which benefits each offers over the other
• STEP 3: Determine a ranking with weights that take into account the relative importance of the benefits
Evaluation – Legacy Passwords
ARE:
1. Nothing-to-Carry
2. Easy-to-Learn
3. Efficient-to-Use
4. Easy-Recovery-from-Loss
5. Accessible
6. Negligible-Cost-per-User
7. Server-Compatible
8. Browser-Compatible
9. Mature
10. Non-Proprietary
11. Resilient-to-Theft
12. No-Trusted-Third-Party
13. Unlinkable
ARE NOT:
1. Memorywise-Effortless
2. Scalable-for-Users
3. Physically-Effortless
4. Resilient-to-Physical-Observation
5. Resilient-to-Throttled-Guessing
6. Resilient-to-Unthrottled-Guessing
7. Resilient-to-Internal-Observation
8. Resilient-to-Leaks-from-Other-Verifiers
9. Resilient-to-Phishing
Evaluation – Encrypted password managers: Mozilla Firefox
[Figure: the user remembers a single Firefox master password; Firefox stores the separate passwords for Website 1, Website 2 and Website 3]
IS:
1. Scalable-for-Users
2. Easy-to-Learn
3. Efficient-to-Use
4. Infrequent-Errors
5. Resilient-to-Phishing
6. Resilient-to-Theft
7. No-Trusted-Third-Party
8. Requiring-Explicit-Consent
9. Unlinkable
10. Negligible-Cost-per-User
11. Mature
12. Accessible
13. Server-Compatible
14. Non-Proprietary
15. Quasi-Memorywise-Effortless
16. Quasi-Nothing-to-Carry
17. Quasi-Physically-Effortless
18. Quasi-Resilient-to-Physical-Observation
19. Quasi-Resilient-to-Targeted-Impersonation
IS NOT:
1. Easy-Recovery-from-Loss
2. Resilient-to-Throttled-Guessing
3. Resilient-to-Unthrottled-Guessing
4. Resilient-to-Internal-Observation
5. Resilient-to-Leaks-from-Other-Verifiers
6. Browser-Compatible
Evaluation – Federated Single Sign-On: OpenID
[Figure: the user authenticates once to a Single Sign-On provider, which then logs them in to Website 1, Website 2 and Website 3]
IS:
1. Scalable-for-Users
2. Nothing-to-Carry
3. Efficient-to-Use
4. Infrequent-Errors
5. Easy-Recovery-from-Loss
6. Accessible
7. Negligible-Cost-per-User
8. Mature
9. Non-Proprietary
10. Browser-Compatible
11. Quasi-Memorywise-Effortless
12. Quasi-Physically-Effortless
13. Quasi-Easy-to-Learn
14. Resilient-to-Leaks-from-Other-Verifiers
15. Quasi-Resilient-to-Throttled-Guessing
16. Quasi-Resilient-to-Unthrottled-Guessing
17. Quasi-Resilient-to-Targeted-Impersonation
18. Quasi-Resilient-to-Physical-Observation
IS NOT:
1. Server-Compatible
2. Resilient-to-Internal-Observation
3. Resilient-to-Phishing
4. Unlinkable
5. No-Trusted-Third-Party
Evaluation – Graphical Passwords: PCCP
[Figure: the PCCP user login screen]
IS:
1. Easy-to-Learn
2. Negligible-Cost-per-User
3. Browser-Compatible
4. Non-Proprietary
5. Resilient-to-Targeted-Impersonation
6. Resilient-to-Leaks-from-Other-Verifiers
7. Resilient-to-Phishing
8. Unlinkable
IS NOT:
1. Memorywise-Effortless
2. Scalable-for-Users
3. Accessible
4. Server-Compatible
5. Mature
6. Resilient-to-Physical-Observation
7. Resilient-to-Unthrottled-Guessing
8. Resilient-to-Internal-Observation
Evaluation – Cognitive authentication: GrIDsure
[Figure: the user first chooses a pattern of cells on the grid; at login the user is shown a 5×5 grid of digits and writes the pattern, i.e. the digits in the chosen cells]
2 4 5 6 4
6 8 0 5 4
9 6 4 6 7
8 5 4 7 9
5 7 8 0 5
IS:
1. Nothing-to-Carry
2. Easy-to-Learn
3. Easy-Recovery-from-Loss
4. Negligible-Cost-per-User
5. Browser-Compatible
6. Resilient-to-Targeted-Impersonation
7. Resilient-to-Throttled-Guessing
8. Resilient-to-Unthrottled-Guessing
9. Quasi-Efficient-to-Use
IS NOT:
1. Memorywise-Effortless
2. Scalable-for-Users
3. Physically-Effortless
4. Accessible
5. Server-Compatible
6. Mature
7. Non-Proprietary
8. Resilient-to-Physical-Observation
9. Resilient-to-Internal-Observation
Evaluation – Other schemes
1. Proxy-based: URRSA
2. Paper tokens: OTPW
3. Hardware tokens: RSA SecurID
4. Mobile-Phone-based: Phoolproof
5. Biometrics: Fingerprint recognition
Conclusions
• Most schemes do better than passwords on security
• Every scheme does worse than passwords on deployability
• This paper can help the research community evaluate their user-authentication proposals using this framework and adjusting it to their needs:
  • Add weights
  • Add more benefits
2nd Paper:
The Tangled Web of Password Reuse
Das, A., Bonneau, J., Caesar, M., Borisov, N., & Wang, X. (2014, February)
2nd Paper Overview
• Introduction
• Related Work
• Measurement Study
• Survey
• Guessing Algorithm
• Conclusions
Introduction
• In this paper the authors:
  • Estimate the rate of password reuse
  • Examine how reusing passwords can benefit attackers
  • Analyze the similarity of non-identical passwords
  • Develop a password-guessing algorithm
Related Work
• Zhang et al.
  • Drawback: their password analysis is based on a single source, so they examine only one password composition policy
• Florencio et al.
  • Drawback: only considered identical passwords and not related ones (with modifications)
• Weir et al.
  • Drawback: focus on cracking passwords in an offline scenario
• A typical Internet user is estimated to have 25 distinct online accounts
• Users often reuse passwords across accounts on different online services
Measurement Study
• Understand how often users reuse passwords across sites
• Understand the specific approaches the users use to vary their password at different sites
• In the measurement study the authors take into consideration the password composition policies
Password Composition Policies
• To increase security, online services often use password composition policies or strength metrics, since these have been shown to help users choose stronger passwords.
• Example:
  • Passwords must not contain the user’s entire name or user ID
  • At least n characters
  • Passwords must contain characters from two or more of the following categories:
    • Uppercase characters
    • Lowercase characters
    • Base 10 digits
    • Non-alphanumeric ASCII characters
Data Set
• Collected publicly available leaked passwords
• Data analysed to find users with at least two leaked passwords: 6077 unique users
• Used the “John the Ripper” toolkit to crack hashed passwords
Password Similarity – String similarity metrics
• Distance-like functions: Manhattan, Cosine
• Edit-distance-like functions: Levenshtein, Damerau-Levenshtein
• Token-based distance functions: Dice, Overlap
• Alignment-like functions: Smith-Waterman, Needleman-Wunsch, Longest Common Subsequence (LCS)
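As an added example (not code from the paper), the functions below implement one representative of the edit-distance-like, alignment-like and token-based families listed above and use the normalised Levenshtein score for a password-change check. The [0, 1] normalisation and the 0.8 threshold are this example's own choices, borrowed from the score bands the study reports rather than from its exact scoring formula.

```python
# Added example, not code from the paper: three of the string-similarity
# families listed above (edit-distance-like, alignment-like, token-based),
# applied to password pairs, and a change-time check built on them.
# The [0, 1] normalisation of Levenshtein distance is this example's own
# choice; the paper's exact scoring formula is not reproduced here.

def levenshtein(a: str, b: str) -> int:
    """Edit-distance-like: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def lcs_length(a: str, b: str) -> int:
    """Alignment-like: length of the longest common subsequence (LCS)."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def dice(a: str, b: str) -> float:
    """Token-based: Dice coefficient over the sets of character bigrams."""
    ba = {a[i:i + 2] for i in range(len(a) - 1)}
    bb = {b[i:i + 2] for i in range(len(b) - 1)}
    if not ba and not bb:       # both strings too short to have bigrams
        return 1.0
    return 2 * len(ba & bb) / (len(ba) + len(bb))

def similarity(a: str, b: str) -> float:
    """Normalised Levenshtein similarity in [0, 1]; 1.0 means identical."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1 - levenshtein(a, b) / longest

def too_similar(old: str, new: str, threshold: float = 0.8) -> bool:
    """Password-change check: reject a new password that is a near-copy of the old one.
    The 0.8 threshold mirrors the [0.8, 1.0] band the study reports for non-identical pairs."""
    return similarity(old, new) >= threshold

if __name__ == "__main__":   # constructed sample pairs, not from the leaked data set
    for old, new in [("password1", "password2"), ("helloworld", "h3ll0w0rld")]:
        print(old, new, round(similarity(old, new), 3), too_similar(old, new))
```

Note that the leet rewrite “helloworld” -> “h3ll0w0rld” scores only 0.7 under pure edit distance, so a check based on this metric alone misses exactly the transformations the guessing algorithm later exploits.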
Password Similarity
[Figure: similarity-score distributions for different users on the same website and for different users on different websites]
• Within the same website or across different websites, different users use significantly different passwords
Password Similarity
• Same users – different websites: 40% of the password pairs have a similarity score in [0.9, 1.0]
• Same users – different websites, non-identical passwords: 30% of the non-identical password pairs have a similarity score in [0.8, 1.0]
• We find that the same users tend to reuse or modify their passwords.
Survey
• To understand why users modify their passwords and what modifications they make
• The survey was answered by students and professional staff across several departments at universities
• 224 responses
Survey findings
• 77% of participants either modify or reuse existing passwords when choosing a password for a new account.
• 98% tend to insert digits or symbols at the front or end of the password.
• 33% of participants modify their passwords to fulfill password constraints enforced by the different websites.
• 61% of participants memorize their passwords.
Guessing Algorithm – The idea
[Figure: the guessing algorithm takes a leaked password and generates Candidate Password 1, 2, 3, 4, ... until one matches the target]
Guessing Algorithm
• Character sequence
• Deletions
• Insertions
• Capitalizations
• Reversals
• Leet-speak
• Substring movement
• Subword modification
Guessing Algorithm – Character Sequence
• Splits the password into tokens
• Tries different permutations of tokens as candidate passwords
• If the candidate password is not the target password, the token is modified by:
  • extending it to include the next character of the sequence, e.g. “qwer” -> “qwert”
  • replacing it with a token of similar size from the same category, e.g. “qwer” -> “1234”
Guessing Algorithm – Deletions
• Guess the deletion transformation
• Deletes characters that belong to one of the following sets: {Digit, Symbol, Uppercase letter, Lowercase letter}
• If the target is not found, the algorithm reverts the password to the original one
• Tries deleting characters sequentially from the front of the string, then from the back, then from both ends
Guessing Algorithm – Insertions
• Guess the insertion transformation
• Inserts numbers and symbols at the front and end (from survey)
• Inserts individual characters from the missing groups of {Digit, Symbol, Uppercase letter, Lowercase letter}
• Examples:
  • “helloWord!” -> “1helloWord!”
  • “superstr0ngp@ssword” -> “Superstr0ngp@ssword”
Guessing Algorithm – Capitalization
• Capitalizes all letters in the string at once
• If that is not the target password, it capitalizes letters from the front, then from the back, then both
• Example: “helloworld”
  • Candidate passwords: “HELLOWORLD”, “Helloworld”, “HElloworld”
Guessing Algorithm – Reversals
• Reverses the input password
• Example: “helloworld” would be transformed into “dlrowolleh”
Guessing Algorithm – Leet-speak
• Tries the popular leet transformations:
  • o -> 0
  • a -> @
  • s -> $
  • i -> 1
  • e -> 3
  • t -> 7
• Example: “helloworld” would be transformed into “h3ll0w0rld”
Guessing Algorithm – Substring movement
• Splits the input password into substrings where the characters belong to the same group of {Digit, Symbol, Uppercase letter, Lowercase letter}
• Example: “xyz@123” would split into “xyz”, “@”, “123”
  • Candidate passwords: “123@xyz”, “@123xyz”, “xyz123@”
Guessing Algorithm – Subword modification
• Splits the input password based on common English words
• Capitalizes the first one
• Rearranges the words in different orders
• Example: “darkknight” would split into “dark” and “knight”
  • Candidate passwords: “DarkKnight”, “KnightDark”
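Added example, not the authors' code: a defender-side use of the same transformations, a password-change check that canonicalizes the old and new password (undoing capitalization, the leet table above, front/back digit or symbol insertions, reversal and substring movement) and rejects the change when both collapse to the same form. The regular expressions and the handling of all-digit passwords are this example's own; subword reordering is left out because it needs a dictionary split.

```python
import re

# Added example, not code from the paper: the defender-side mirror of the
# transformations described above. Instead of generating guesses, a
# password-change check canonicalizes the old and new password so that
# capitalization, leet-speak, front/back digit or symbol insertions (and
# the matching deletions), reversal and substring movement collapse to the
# same form, and rejects the change when the forms coincide.
# The leet table is the one listed on the slides; the category split is
# the {Digit, Symbol, Uppercase, Lowercase} grouping the paper uses.
# Subword reordering ("darkknight" -> "KnightDark") needs a dictionary
# split and is deliberately not covered here.

LEET_UNDO = str.maketrans({"0": "o", "@": "a", "$": "s", "1": "i", "3": "e", "7": "t"})

def category_tokens(pw: str) -> list[str]:
    """Split into runs of one character class: digits, uppercase, lowercase, symbols."""
    return re.findall(r"[0-9]+|[A-Z]+|[a-z]+|[^0-9A-Za-z]+", pw)

def canonicalize(pw: str) -> str:
    """Strip front/back digits and symbols, then undo leet-speak and capitalization.

    Affixes are stripped before the leet table is applied; otherwise an inserted
    "1" would first turn into an "i" and survive as part of the word.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    if not core:            # all digits/symbols: nothing sensible to strip
        core = pw
    return core.translate(LEET_UNDO).lower()

def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is only a cosmetic rewrite of `old` and should be rejected."""
    c_old, c_new = canonicalize(old), canonicalize(new)
    if c_new in (c_old, c_old[::-1]):            # capitalization, leet, affixes, reversal
        return True
    # substring movement: same category runs, possibly in a different order
    return sorted(category_tokens(old.lower())) == sorted(category_tokens(new.lower()))

if __name__ == "__main__":   # constructed pairs taken from the examples on the slides
    for old, new in [("helloworld", "H3LL0W0RLD"), ("xyz@123", "@123xyz"),
                     ("helloworld", "dlrowolleh"), ("darkknight", "KnightDark")]:
        print(f"{old!r} -> {new!r}: trivial variant = {is_trivial_variant(old, new)}")
```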
Guessing Algorithm – Evaluation
• Authors’ approach:
  • Can guess 30% in 10 attempts
  • Can guess 80% in 100 attempts
• ED approach:
  • Can guess 65% in a million attempts
• The proposed guessing algorithm is more suitable for online attacks
Guessing Algorithm – Evaluation
• The authors’ guessing algorithm was successful in predicting similar passwords.
• To verify this they computed the similarity score of all the password pairs that they successfully cracked.
Conclusions
• 43% of users directly reuse passwords between sites
• Users make small modifications to their passwords across sites
• Proposed a guessing algorithm that can crack:
  • 10% of non-identical passwords in 10 attempts
  • 80% of substring passwords in 100 attempts
• Password reuse is a significant security vulnerability