MakingPasswordCheckingSystemsBetter

TomRistenpart

Coveringjointworkwith:AnishAthayle,Devdatta Akawhe,JosephBonneau,RahulChatterjee,Anusha Chowdhury,Yevgeniy Dodis,AdamEverspaugh,AriJuels,YuvalPnueli,SamScott,JoanneWoodage

Passwordcheckingsystemstom,password1 tom password1

alice 123456

bob p@ssword!Loginserver

Allowloginif:

Attackdetectionmechanismsdon’tflagrequest

Sometimes:secondfactorsucceeds

(plushundredsofmillionsmore)

Passwordmatches

Problemsw/passwordcheckingsystemstom,password1 tom password1

alice 123456

bob p@ssword!Loginserver

Peopleoftenenterwrongpassword:- Typos- Memoryerrors

Passwordsdatabasesmustbeprotected:- Servercompromise- Exfiltrationattacks(e.g.,SQLinjection)Widespreadpractice:- Applyhashingw/salts- Hopeslowsdownattacksenough

Today’stalk

Pythia:movingbeyond“hash&hope”Hardenhasheswithoff-systemsecretkeyusingpartiallyobliviouspseudorandomfunctionprotocol

[Everspaugh,Chatterjee,Scott,Juels,R.– USENIXSecurity2015]

Typo-tolerantpasswordcheckingIn-depthstudyoftyposinuser-chosenpasswordsShowhowtoallowtyposwithoutharmingsecurity

[Chatterjee,Athayle,Akawhe,Juels,R.– Oakland2016][Woodage,Chatterjee,Dodis,Juels,R.– Crypto2017]

[Chatterjee,Woodage, Pnueli,Chowdhury,R.– CCS2017]

Passwordcheckingsystemstom,password1 tom password1

alice 123456

bob p@ssword!Loginserver

Websitesshouldnever storepasswordsdirectly,theyshouldbe(atleast)hashedwithasalt(alsostored)

H …pw||salt H H

ctimes CryptographichashfunctionH(H=SHA-256,SHA-512,etc.)

Commonchoiceisc=10,000

Better:scrypt,argon2

tom salt1 ,Hc(password1,salt1)

alice salt2 ,Hc(123456,salt2)

bob salt3 ,Hc(p@ssword!,salt3)

UNIXpasswordhashingscheme,PKCS#5Formalanalyses:[Wagner,Goldberg2000][Bellare,R.,Tessaro 2012]

AshleyMadison hack:36millionuserhashesSalts+Passwordshashedusingbcrypt withc=212=40964,007crackeddirectlywithtrivialapproach

Passwordcracker

29072912345679076123457678912345678959462password49952iloveyou33291princess

…

ListofpossiblepasswordsinorderoftheirlikelihoodRecompute hashandcheck

Examples:Hashcat,Johntheripper,academicprojects

AshleyMadison hack:36millionuserhashesSalts+Passwordshashedusingbcrypt withc=212=40964,007crackeddirectlywithtrivialapproach

CynoSure analysis:11millionhashescracked>630,000peopleusedusernamesaspasswordsMD5hashesleftlyingaroundaccidentally

http://cynosureprime.blogspot.com/2015/09/csp-our-take-on-cracked-am-passwords.html

Passworddatabasecompromises

……

32.6million

#stolen %recovered format

100% plaintext(!)2012

year

117million 90% UnsaltedSHA-12012

36million ?? ECBencryption2013

36millionSaltedbcrypt+MD52015 33%

~500million ?? bcrypt +??2014

(1)Passwordprotectionsoftenimplementedincorrectlyinpractice

(2)Eveninbestcase,hashingslowsdownbutdoesnotpreventofflinebrute-forcecracking

$cur=‘password’$cur=md5($cur)$salt=randbytes(20)$cur=hmac_sha1($cur,$salt)$cur=remote_hmac_sha256($cur,$secret)$cur=scrypt($cur,$salt)$cur=hmac_sha256($cur,$salt)

Facebookpasswordonion

h=Hc(password1||salt)Back-endcryptoservice

h

f =HMAC(K,h)K

Storesalt,f

Back-endcryptoservice

f’=Hc(123456||salt)

f’=HMAC(K,h’) Kf =f’?

Hc(1234567||salt)

Hc(12345||salt)

…

Muststillperformonlinebrute-forceattack

Exfiltrationdoesn’thelp

HMACispseudorandomfunction(PRF).

Strengtheningpasswordhashstoragetom,password1

Strengtheningpasswordhashstorage

Criticallimitation:can’trotateKtoanewsecretK’

h=Hc(password1||salt)Back-endcryptoservice

h

f =HMAC(K,h)K

Storesalt,f

tom,password1

• Idea1:Versiondatabaseandupdateasuserslogin§ Butdoesn’tupdateoldhashes

• Idea2:Invalidateoldhashes§ Butrequirespasswordreset

• Idea3:Usesecret-keyencryptioninsteadofPRF§ Butrequiressendingkeystowebserver(orhighbandwidth)

ThePythia PRFService

h=Hc(password1||salt)Blindh,pickuserIDUnblind PRFoutputfStoreuserID,salt,f

Back-endcryptoservice

userid,blindedh

BlindedPRFoutputfK

tom,password1

Combinetokenandftogeneratef’=F(K’,h)

Back-endcryptoservice

Token(K->K’)K

K’ServerlearnsnothingaboutKorK’

Cryptographicallyerasesf:Uselesstoattackerinthefuture

Blindingmeansservicelearnsnothing aboutpasswords

UserIDrevealsfine-grainedquerypatternstoservice.Compromisedetection&ratelimiting

Newcrypto:partially-obliviousPRF

h=Hc(password1||salt)Chooserandomrf=y1/rStoreuserID,salt,f

userid,hr

y

Ktom,password1

GroupsG1 ,G2 ,GT w/bilinearpairinge:G1 xG2 ->GT e(ax,by)=cxy

t =H(userid)y=e(tK,hr)

f=e(tK,hr)1/r =e(t,h)Kr*1/r=e(t,h)K

• Pairingcryptographicallybindsuseridwithpasswordhash• Canaddverifiability(proofthatPRFproperlyapplied)• Keyrotationstraightforward:Token(K->K’)=K’/ K• Interestingformalsecurityanalysis(seepaper)

ThePythia PRFService

Queriesarefastdespitepairings• PRFquery:11.8ms (LAN)96ms (WAN)

Parallelizablepasswordonions• Hc andPRFquerymadeinparallel(hideslatency)

Multi-tenant(theoretically:scalesto100millionloginservers)

Easytodeploy• Open-sourcereferenceimplementationat

http://pages.cs.wisc.edu/~ace/pythia.html• Atleastonestartupdeployingitcommercially

https://virgilsecurity.com/pythia/

Today’stalk

Pythia:movingbeyond“hash&hope”Hardenhasheswithoff-systemsecretkeyusingpartiallyobliviouspseudorandomfunctionprotocol

[Everspaugh,Chatterjee,Scott,Juels,R.– USENIXSecurity2015]

Typo-tolerantpasswordcheckingIn-depthstudyoftyposinuser-chosenpasswordsShowhowtoallowtyposwithoutharmingsecurity

[Chatterjee,Athayle,Akawhe,Juels,R.– Oakland2016][Woodage,Chatterjee,Dodis,Juels,R.– Crypto2017]

[Chatterjee,Woodage, Pnueli,Chowdhury,R.– CCS2017]

Backtoourbigpicturetom,password1 tom password1

alice 123456

bob p@ssword!Loginserver

Peopleoftenenterwrongpassword:- Typos- Memoryerrors

Passwordsdatabasesmustbeprotected:- Servercompromise- Exfiltrationattacks(e.g.,SQLinjection)Widespreadpractice:- Applyhashingw/salts- Hopeslowsdownattacksenough

tom salt1 ,GK(salt1 ,password1)

alice salt2 ,GK(salt2 ,123456)

bob salt3 ,GK(salt3 ,p@ssword!)

Backtoourbigpicturetom,password1

Loginserver

Peopleoftenenterwrongpassword:- Typos- Memoryerrors

Usershavehardtimeremembering(complex)passwords[Uretal.2012][Shayetal.2012][Mazurek etal.2013][Shayetal.2014][Bonneau,Schechter2014]

Passwordscanbedifficulttoenterwithouterror(typo)[Keithetal.2007,2009] [Shayetal.2012]

Suggestionsforerror-correctingpassphrases[Bard2007][Jakobsson,Akavipat 2012][Shayetal.2012]

tom salt1 ,GK(salt1 ,password1)

alice salt2 ,GK(salt2 ,123456)

bob salt3 ,GK(salt3 ,p@ssword!)

Backtoourbigpicturetom,password1

Loginserver

Peopleoftenenterwrongpassword:- Typos- Memoryerrors

tom salt1 ,GK(salt1 ,password1)

alice salt2 ,GK(salt2 ,123456)

bob salt3 ,GK(salt3 ,p@ssword!)

password1 Password1 PASSWORD1

Typo-tolerantpasswordchecking:Allowregisteredpasswordorsometyposofit

(1)Firststudyoftypo-tolerance&simpleconstructionstocorrectpopularerrors [Oakland2016]

(2)Newconstructionstocorrectmoreerrorssecurely,showthatsimpleapproachesaresofarthebest[Crypto2017]

(3)Personalizedtypo-tolerance:havecheckingsystemlearnovertimetyposspecificusermakes[CCS2017]

Capslock11%

Flipfirstlettercase4.5% Add

characteratend4.6%

Other78.8%

%OFTYPOS

100,000+passwordstypedby4,300workers

MechanicalTurktranscriptionstudy

Top3accountfor20%oftypos

Typo-tolerantpasswordchecking

Password1

password1

pASSWORD1

Flipfirstletter

Flipallletters

Canviewasanerror-correctionproblem

Ball issetofallpointswechecknearasubmittedstring(includingit)

Successoccursiftruepasswordisintheballofsubmittedpasssword

Password

Password12

Password13

Balanceutilityimprovementversusperformance&security

DroplastcharEasytodefineballsbygenericcorrectorfunctions

Ballsize(b) %corrected

3 20%

64 50%

Relaxedcheckingviabrute-forcesearchtom,Password1

Computeballforeachpassword,checkeachhash

GK(salt1,Password1)GK(salt1,pASSWORD1)GK(salt1,password1)

WorkswithexistingpasswordhardeningschemesNochangeinwhatisstoredBallsizeb=4gives20%oftyposacrossallusers

Cansetballtoberesultofapplyingcorrectorfunctionsforpopulartypos

TofinishchecksintimeT,mustsetTime(GK)=T/bApplycapslockcorrectorApplyfirstcaseflipcorrector

tom salt1 ,GK(salt1 ,password1)

alice salt2 ,GK(salt2 ,123456)

bob salt3 ,GK(salt3 ,p@ssword!)

InstrumentedproductionloginofDropboxtoquantifytyposNOTE:Wedidnotadmitloginusingtypo’d passwords

24hourperiod:

• 3%ofallusers failedtologinduetooneoftop3typos

• 20% ofuserswhomadeatypowouldhavesavedatleast1minuteinloggingintoDropboxiftop3typosarecorrected.

Allowingtyposinpasswordwilladdseveralperson-monthsoflogintimeeveryday.

ImpactofTop3typosinrealworld

Typo-tolerancewouldsignificantlyimproveusabilityofpassword-basedlogin

Canitbesecure?

Threat#1:Servercompromise

Ifbissmall,thencanuseexistingGKNochangeinsecurityaftercompromise

NochangetopasswordDB

tom salt1 ,GK(salt1 ,password1)

alice salt2 ,GK(salt2 ,123456)

bob salt3 ,GK(salt3 ,p@ssword!)

Threat#2:Remoteguessingattackstom,password

GK(salt1,password)GK(salt1,PASSWORD)GK(salt1,Password)GK(salt1,passwor)

ApplycapslockcorrectorApplyfirstcaseflipcorrectorApplyextracharcorrector

tom salt1 ,GK(salt1 ,password1)

alice salt2 ,GK(salt2 ,123456)

bob salt3 ,GK(salt3 ,p@ssword!)

Threat#2:Remoteguessingattackstom,password

GK(salt1,iloveyou)GK(salt1,ILOVEYOU)GK(salt1,Iloveyou)GK(salt1,iloveyo)

ApplycapslockcorrectorApplyfirstcaseflipcorrectorApplyextracharcorrector

tom,iloveyou

Serverlocksaccountafterqfailedattempts(e.g.,q=10)

…

Upto4passwordscheckedatcostof1query=>

Attacksuccessincreasesby4x

tom salt1 ,GK(salt1 ,password1)

alice salt2 ,GK(salt2 ,123456)

bob salt3 ,GK(salt3 ,p@ssword!)

Threat#2:Remoteguessingattackstom,password

tom,iloveyou

Serverlocksaccountafterqfailedattempts(e.g.,q=10)

…

Adversarycangetimprovementsonlyifmanypopularpasswordstypotothesamestring

Eachguessincreasessuccessprobabilitybysumofmassesofpasswordsinball:

password

Password

PASSWORD

passwor

P(password)+P(Password)+P(passwor)+P(PASSWORD)

Won’tbe4xincreasesinceP(passwor)<<P(password)

tom salt1 ,GK(salt1 ,password1)

alice salt2 ,GK(salt2 ,123456)

bob salt3 ,GK(salt3 ,p@ssword!)

Attacksimulationusingpasswordleaks

30

Adversaryknows:Distributionofpasswords,andthesetofcorrectors

2.75

0.79

2.94

0.96

0

1

2

3

4

phpbb myspace

Successp

robability(%

) ExactcheckingTypo-tolerantchecking

ExactcheckingQuerymostprobableqpasswords

Typo-tolerantcheckingQueryqpasswordsthatmaximizessuccessNP-completeproblem.Computeusinggreedyapproximation

Top3correctors,q=10

PASSWORDPassword

Don’t check a correction if the resulting password is too popular.

pASSWORD pASSWOR

pASSWORD

Security-sensitivetypotolerance

Checkersw/heuristicfiltering

32

Usepasswordleakrockyou toestimatepassworddistributionFilterouttypostoensureaggregateballweightnottoolarge

2.75

0.79

2.94

0.96

2.77

0.81

0

0.5

1

1.5

2

2.5

3

3.5

phpbb myspace

Successp

robability(%

)

Exactchecking

Typo-tolerantchecking

Typo-tolerantcheckingw/filtering

Top3correctors,q=10

Typo-tolerancecanenhanceuserexperiencewithoutdegradingsecurity inpractice

Relaxedchecking(brute-forceballsearch):• Workswithexistingpasswordhardeningschemes• Nochangeinwhatisstored• Ballsizeb=4gives20%oftyposacrossallusers

Outstandingquestions:• Canweincrease%oftyposcorrectable?• Whataboutuserswithraretypos?

NewApproach1:Popularity-proportionalhashingWecanincreaseballsizeforrelaxedcheckingbutwillhavetodecreaseruntimeofGKDecreasingruntimeby10=>10xspeedupinofflineattacks

Password1

password1

pASSWORD1

Password

Password12

Password13

Popularityproportionalhashing:Hashtimeinverselyproportionaltostrengthofpassword

P(pw)high=>hashtimelongerP(pw)low=>hashtimefaster

Ballsize(b) %corrected

3 20%

64 50%

~200*|pw| 79%

Aggregatetimetocheckallpointsinaballislowerifsomelow-entropypasswordsinball

Anotherpossibleapproach:usesecuresketches [Dodis,Smith2005]Pairofalgorithms(SS,Rec):

s<- SS(pw)

pw’’<- Rec(pw’,s)

Pr[pw’’=pw]>1- 𝛿ifpw’inballofpw

Password1

password1

pASSWORD1

Password

Password12

Password13

Ballsize(b) %corrected

3 20%

64 50%

~200*|pw| 79%

StoreswithGK(pw)

NewApproach2:Secure-sketch-basedchecking

Tochecksubmissionpw’:IfGK(pw’)=GK(pw)thenallowloginpw’’<- Rec(pw’,s)IfGK(pw’’)=GK(pw)thenallowlogin

Allowederror(e.g.,𝛿 =5%)

Buildingsuitablesecuresketches

Distribution-sensitivesecuresketchescanprovidebettersecurity• Sketchalgorithmsdesignedforparticulardistribution• Securityonlymustholdforthatdistribution

[Fuller,Rezyin,Smith2016]giveconstructionusing“layering”

Weprovideimprovedversionoftheirconstruction,layer-hidinghash

Bestknownsecurity,efficiencytrade-off

Traditionalsecuresketches(e.g.,[Dodis,Smith2005])notsecureenough(leaktoomuchaboutpassword)

Fortypicalpassworddistributions,relaxedcheckingisbetterthanPPH

Comparingtheapproaches

Relaxedchecking

Popularity-proportionalhashing

Secure-sketchchecking

Fixerrorscorrected&runtimeofchecking.Whichoffersbestsecurity?

Lower-boundsecurityofsecure-sketchapproachbyPPH

PPHalwaysbettertrade-offthanbest-knownsecure-sketch(layer-hidinghash)

Relaxedcheckingremainsbestknownapproach

Outstandingquestions:• Canweincrease%oftyposcorrectable?• Whataboutuserswithraretypos?

Conjecture:Relaxedcheckingisbestpossibleapproachinthissetting

tom salt1 ,GK(salt1 ,password1)

Typocache:

Waitlist:

Personalizedtypo-tolerantcheckingAnotherapproach:learntyposindividualusermakesovertime

tom,Password1

CheckGK(salt1 ,Password1),seethatitiswrongAddtoawaitlistofrecentincorrectsubmissions

Whenusercorrectlylogsin:• Checkwaitlist,applytypopolicy(e.g.,editdistance1oftruepassword)• Addvalidtyposfromwaitlistintocacheandclearwaitlist

CheckGK(salt1 ,Password1)andGK(salt2 ,Password1),allowloginifeithermatch

tom,ihatetypos

tom,password1

tom,Password1 Password1 ihatetypos

salt2 ,GK(salt2 ,Password1)

Personalizedtypo-tolerantcheckingAnotherapproach:learntyposindividualusermakesovertime

tom,Password1

tom salt1 ,GK(salt1 ,password1)

Typocache

Waitlist:

Obviouslycan’tstorewaitlistinclear,securityproblemEncryptwaitlistusingpublickeyencryption• Encryptsecretkeyatregistrationtimeusingpassword1• Encryptsecretkeyundereachtypoaddedtotypocache

tom,ihatetypos

tom,password1

tom,Password1

pk ,Epassword1(sk),EPassword1(sk)

salt2 ,GK(salt2 ,Password1)

ihatetyposPassword1Epk(Password1) Epk(ihatetypos)

Lotsmoredetailsofdesign:Randomizingorderoftypocache,cacheevictionpolicies,etc.

Personalizedtypo-tolerantcheckingAnotherapproach:learntyposindividualusermakesovertime

tom,Password1

tom salt1 ,GK(salt1 ,password1)

Typocache

Waitlist:

Security: weprovethatforrealisticpassword/typodistributions,anattackerthatcompromisessystemcannotdobetterthanclassicbrute-forceattackagainstGK(salt1 ,password1)

tom,ihatetypos

tom,password1

tom,Password1

salt2 ,GK(salt2 ,Password1)

Epk(Password1) Epk(ihatetypos)

Nosecuritylossbyaddingtypocache

pk ,Epassword1(sk),EPassword1(sk)

• Mechanicalturk studiesshowedpersonalizationcanbebeneficial– 45%ofuserswouldbenefit

• WebuiltaprototypecalledTypTop.–MacOSXandLinuxpasswordchecking– Pilotdeploymentwith~25users– SomeusersgethugebenefitfromTypTop

• Availableathttps://typtop.info

TypTop:prototypeadaptivechecker

Today’stalk

Pythia:movingbeyond“hash&hope”Hardenhasheswithoff-systemsecretkeyusingpartiallyobliviouspseudorandomfunctionprotocol

[Everspaugh,Chatterjee,Scott,Juels,R.– USENIXSecurity2015]

Typo-tolerantpasswordcheckingIn-depthstudyoftyposinuser-chosenpasswordsShowhowtoallowtyposwithoutharmingsecurity

[Chatterjee,Athayle,Akawhe,Juels,R.– Oakland2016][Woodage,Chatterjee,Dodis,Juels,R.– Crypto2017]

[Chatterjee,Woodage, Pnueli,Chowdhury,R.– CCS2017]