PASSWORDS - UCY · 2020-03-20

PASSWORDS
CS682: Advanced Security Topics
Vasiliki Panteli
3/9/2020


Passwords

• Passwords are a user authentication mechanism that has been widely adopted for many years
• Methods for user authentication:
  • Something you know (password)
  • Something you have (mobile phone)
  • Something you are (biometrics)


1st Paper: The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
Bonneau J., Herley C., Van Oorschot P. C., Stajano F.


1st Paper Overview

• Introduction
  • Problem
  • Proposal
• Framework Analysis
  • Properties
  • Weights
• Schemes Evaluation
• Conclusion


Introduction – Problem

• Passwords are plagued with security problems

• None of the numerous proposals from the research community has replaced passwords


Introduction – Proposal

• The authors propose a framework for evaluating already proposed password-replacement schemes
• It can be used as a benchmark for future password-replacement proposals
• 25 different properties were tested against 35 password-replacement schemes (9 of them are analyzed in the paper)


Framework Analysis - Benefits

• Each scheme is rated as either offering or not offering each benefit; a scheme that almost offers a benefit is rated "Quasi"
• Example of "Quasi":
  • Memorywise-Effortless: users of the scheme do not have to remember any secrets at all.
  • Quasi-Memorywise-Effortless: users have to remember one secret for everything.
• The framework analysis has 3 categories: Usability, Deployability, Security


Properties – Usability

1. Memorywise-Effortless

2. Scalable-for-Users

3. Nothing-to-Carry

4. Physically-Effortless

5. Easy-to-Learn

6. Efficient-to-Use

7. Infrequent-Errors

8. Easy-Recovery-from-Loss


Properties – Deployability

1. Accessible

2. Negligible-Cost-per-User

3. Server-Compatible

4. Browser-Compatible

5. Mature

6. Non-Proprietary


Properties – Security

1. Resilient-to-Physical-Observation

2. Resilient-to-Targeted-Impersonation

3. Resilient-to-Throttled-Guessing

4. Resilient-to-Unthrottled-Guessing

5. Resilient-to-Internal-Observation


Properties – Security (continued)

6. Resilient-to-Leaks-from-Other-Verifiers

7. Resilient-to-Phishing

8. Resilient-to-Theft

9. No-Trusted-Third-Party

10. Requiring-Explicit-Consent

11. Unlinkable


Weights

• Some benefits are more important than others, depending on the specific goal for which the schemes are being compared
• Step 1: examine and score each individual scheme on each benefit
• Step 2: compare competing schemes to identify precisely which benefits each offers over the other
• Step 3: determine a ranking with weights that take into account the relative importance of each benefit


Evaluation – Legacy Passwords

ARE:
1. Nothing-to-Carry
2. Easy-to-Learn
3. Efficient-to-Use
4. Easy-Recovery-from-Loss
5. Accessible
6. Negligible-Cost-per-User
7. Server-Compatible
8. Browser-Compatible
9. Mature
10. Non-Proprietary
11. Resilient-to-Theft
12. No-Trusted-Third-Party
13. Unlinkable

ARE NOT:
1. Memorywise-Effortless
2. Scalable-for-Users
3. Physically-Effortless
4. Resilient-to-Physical-Observation
5. Resilient-to-Throttled-Guessing
6. Resilient-to-Unthrottled-Guessing
7. Resilient-to-Internal-Observation
8. Resilient-to-Leaks-from-Other-Verifiers
9. Resilient-to-Phishing


Evaluation – Encrypted password managers: Mozilla Firefox

[Figure: the user remembers one Mozilla Firefox master password, which unlocks the stored passwords for Website 1, Website 2 and Website 3]

IS:
1. Scalable-for-Users
2. Easy-to-Learn
3. Efficient-to-Use
4. Infrequent-Errors
5. Resilient-to-Phishing
6. Resilient-to-Theft
7. No-Trusted-Third-Party
8. Requiring-Explicit-Consent
9. Unlinkable
10. Negligible-Cost-per-User
11. Mature
12. Accessible
13. Server-Compatible
14. Non-Proprietary
15. Quasi-Memorywise-Effortless
16. Quasi-Nothing-to-Carry
17. Quasi-Physically-Effortless
18. Quasi-Resilient-to-Physical-Observation
19. Quasi-Resilient-to-Targeted-Impersonation

IS NOT:
1. Easy-Recovery-from-Loss
2. Resilient-to-Throttled-Guessing
3. Resilient-to-Unthrottled-Guessing
4. Resilient-to-Internal-Observation
5. Resilient-to-Leaks-from-Other-Verifiers
6. Browser-Compatible


Evaluation – Federated Single Sign-On: OpenID

[Figure: the user authenticates once to the Single Sign-On provider, which then signs the user in to Website 1, Website 2 and Website 3]

IS:
1. Scalable-for-Users
2. Nothing-to-Carry
3. Efficient-to-Use
4. Infrequent-Errors
5. Easy-Recovery-from-Loss
6. Accessible
7. Negligible-Cost-per-User
8. Mature
9. Non-Proprietary
10. Browser-Compatible
11. Quasi-Memorywise-Effortless
12. Quasi-Physically-Effortless
13. Quasi-Easy-to-Learn
14. Resilient-to-Leaks-from-Other-Verifiers
15. Quasi-Resilient-to-Throttled-Guessing
16. Quasi-Resilient-to-Unthrottled-Guessing
17. Quasi-Resilient-to-Targeted-Impersonation
18. Quasi-Resilient-to-Physical-Observation

IS NOT:
1. Server-Compatible
2. Resilient-to-Internal-Observation
3. Resilient-to-Phishing
4. Unlinkable
5. No-Trusted-Third-Party


Evaluation – Graphical Passwords: PCCP

[Figure: PCCP user login screen]

IS:
1. Easy-to-Learn
2. Negligible-Cost-per-User
3. Browser-Compatible
4. Non-Proprietary
5. Resilient-to-Targeted-Impersonation
6. Resilient-to-Leaks-from-Other-Verifiers
7. Resilient-to-Phishing
8. Unlinkable

IS NOT:
1. Memorywise-Effortless
2. Scalable-for-Users
3. Accessible
4. Server-Compatible
5. Mature
6. Resilient-to-Physical-Observation
7. Resilient-to-Unthrottled-Guessing
8. Resilient-to-Internal-Observation


Evaluation – Cognitive authentication: GrIDsure

[Figure: GrIDsure enrolment and login. Enrolment: the user chooses a pattern of cells on a 5x5 grid. Login: the grid is filled with digits and the user writes the digits found in the pattern cells]

2 4 5 6 4
6 8 0 5 4
9 6 4 6 7
8 5 4 7 9
5 7 8 0 5

IS:
1. Nothing-to-Carry
2. Easy-to-Learn
3. Easy-Recovery-from-Loss
4. Negligible-Cost-per-User
5. Browser-Compatible
6. Resilient-to-Targeted-Impersonation
7. Resilient-to-Throttled-Guessing
8. Resilient-to-Unthrottled-Guessing
9. Quasi-Efficient-to-Use

IS NOT:
1. Memorywise-Effortless
2. Scalable-for-Users
3. Physically-Effortless
4. Accessible
5. Server-Compatible
6. Mature
7. Non-Proprietary
8. Resilient-to-Physical-Observation
9. Resilient-to-Internal-Observation


Evaluation – Other schemes

1. Proxy-based: URRSA
2. Paper tokens: OTPW
3. Hardware tokens: RSA SecurID
4. Mobile-phone-based: Phoolproof
5. Biometrics: Fingerprint recognition


Conclusions

• Most schemes do better than passwords on security

• Every scheme does worse than passwords on deployability

• This paper can help the research community evaluate their user-authentication proposals using this framework, adjusting it to their needs:
  • Add weights
  • Add more benefits


2nd Paper: The Tangled Web of Password Reuse
Das, A., Bonneau, J., Caesar, M., Borisov, N., & Wang, X. (2014, February)


2nd Paper Overview

• Introduction

• Related Work

• Measurement Study

• Survey

• Guessing Algorithm

• Conclusions


Introduction

• In this paper the authors:
  • Estimate the rate of password reuse
  • Examine how reusing passwords can benefit attackers
  • Analyze the similarity of non-identical passwords
  • Develop a password-guessing algorithm


Related Work

• Zhang et al.
  • Drawback: their password analysis is based on a single source, so they examine only one password composition policy
• Florencio et al.
  • Drawback: only considered identical passwords, not related ones (with modifications)
• Weir et al.
  • Drawback: focus on cracking passwords in an offline scenario


• A typical Internet user is estimated to have 25 distinct online accounts
• Users often reuse passwords across accounts on different online services


Measurement Study

• Understand how often users reuse passwords across sites
• Understand the specific approaches users take to vary their passwords at different sites
• In the measurement study the authors take the password composition policies into consideration


Password Composition Policies

• To increase security, online services often enforce password composition policies or strength metrics, which have been shown to help users choose stronger passwords.
• Example:
  • Passwords must not contain the user's entire name or user ID
  • At least n characters
  • Passwords must contain characters from two or more of the following categories:
    • Uppercase characters
    • Lowercase characters
    • Base 10 digits
    • Non-alphanumeric ASCII characters


Data Set

• Collected publicly available leaked passwords
• Analysed the data to find users with at least two leaked passwords: 6077 unique users
• Used the "John the Ripper" toolkit to crack hashed passwords


Password Similarity – String similarity metrics

• Distance-like functions: Manhattan, Cosine
• Edit-distance-like functions: Levenshtein, Damerau-Levenshtein
• Token-based distance functions: Dice, Overlap
• Alignment-like functions: Smith-Waterman, Needleman-Wunsch, Longest Common Subsequence (LCS)


Password Similarity

[Figure panels: Different users – Same websites; Different users – Different websites]

• Whether on the same website or on different websites, different users use significantly different passwords.


Password Similarity

• Same users – Different websites: 40% of the passwords have a similarity score in [0.9, 1.0]
• Same users – Different websites, non-identical passwords: 30% of the non-identical passwords have a similarity score in [0.8, 1.0]
• We find that the same users tend to reuse or modify their passwords.


Survey

• To understand why users modify their passwords and what modifications they make

• The survey was answered by students and professional staff across several departments at universities

• 224 responses


Survey findings

• 77% of participants either modify or reuse existing passwords when choosing a password for a new account.

• 98% insert digits or symbols at the front or end of the password.

• 33% of participants modify their passwords to fulfill password constraints enforced by the different websites.

• 61% of participants memorize their passwords.


Guessing Algorithm – The idea

[Figure: the guessing algorithm takes a leaked password and derives Candidate Password 1 to Candidate Password 4, each of which is tried against the target]


Guessing Algorithm

• Character sequence

• Deletions

• Insertions

• Capitalizations

• Reversals

• Leet-speak

• Substring movement

• Subword modification


Guessing Algorithm – Character Sequence

• Splits the password into tokens
• Tries different permutations of the tokens as candidate passwords
• If the candidate password is not the target password, the token is modified by:
  • extending it to include the next character of the sequence: "qwer" -> "qwert"
  • replacing the token with a token of similar size belonging to the same category: "qwer" -> "1234"


Guessing Algorithm – Deletions

• Guesses the deletion transformation
• Deletes characters that belong to one of the following sets: {Digit, Symbol, Uppercase letter, Lowercase letter}
• If the target is not found, the algorithm reverts the password back to the original one
• Tries deleting characters sequentially from the front of the string, then from the back, and then from both.


Guessing Algorithm – Insertions

• Guesses the insertion transformation
• Inserts numbers and symbols at the front and end (from the survey)
• Inserts individual characters from the missing groups: {Digit, Symbol, Uppercase letter, Lowercase letter}
• Example:
  • "helloWord!" -> "1helloWord!"
  • "superstr0ngp@ssword" -> "Superstr0ngp@ssword"


Guessing Algorithm – Capitalization

• Capitalizes all letters in the string at once
• If that is not the target password, it capitalizes letters from the front, then from the back, and then from both.
• Example: "helloworld"
  • Candidate passwords: "HELLOWORLD", "Helloworld", "HElloworld"


Guessing Algorithm – Reversals

• Reverses the input password
• Example: "helloworld" is transformed into "dlrowolleh"


Guessing Algorithm – Leet-speak

• Tries the popular leet transformations:
  • o -> 0
  • a -> @
  • s -> $
  • i -> 1
  • e -> 3
  • t -> 7
• Example: "helloworld" is transformed into "h3ll0w0rld"


Guessing Algorithm – Substring movement

• Splits the input password into substrings where the characters belong to the same group of {Digit, Symbol, Uppercase letter, Lowercase letter}

• Example: "xyz@123" is split into "xyz", "@", "123"
  • Candidate passwords: "123@xyz", "@123xyz", "xyz123@"


Guessing Algorithm – Subword modification

• Splits the input password based on common English words

• Capitalizes the first one

• Rearranges the words in different orders

• Example: "darkknight" is split into "dark" and "knight"
  • Candidate passwords: "DarkKnight", "KnightDark"
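The check below is an added example for a password-change flow, written for this transcript and not code from the slides or from either paper. It combines the Levenshtein metric from the string-similarity slide, normalised to [0, 1] like the similarity scores reported above, with a canonical form that undoes the transformation classes the guessing algorithm tries (insertions at the ends, leet-speak, capitalisation, substring movement, subword reordering, reversal), so that a new password that is only a cheap variant of the old one is refused. The 0.8 threshold, the order of the canonicalisation steps and the sample passwords are this example's assumptions.

```python
import re
from typing import Iterable, Optional

# Leet substitutions from the Leet-speak slide, inverted
LEET = str.maketrans({"0": "o", "@": "a", "$": "s", "1": "i", "3": "e", "7": "t"})
# Assumption for this example: the slides' [0.8, 1.0] bucket for related passwords
SIMILARITY_THRESHOLD = 0.8
# Runs of one character class; a capitalised word ("Dark", "Knight") is its own run
RUN = re.compile(r"[A-Z]?[a-z]+|[A-Z]+|[0-9]+|[^A-Za-z0-9]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest single-character insertions, deletions and
    substitutions that turn a into b (row-by-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """Levenshtein distance normalised to [0, 1]; 1.0 means identical."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def canonical(pw: str) -> str:
    """Map a password and its cheap variants onto one string, undoing the
    transformations in this (assumed) order: digit/symbol padding at the
    front or end, leet-speak, capitalisation, substring movement and
    subword reordering (runs are sorted), and reversal (keep the smaller
    of the string and its mirror image)."""
    s = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw) or pw  # all-digit/symbol: keep as is
    s = s.translate(LEET)
    s = "".join(sorted(run.lower() for run in RUN.findall(s)))
    return min(s, s[::-1])


def reject_reason(new_pw: str, previous: Iterable[str]) -> Optional[str]:
    """Why new_pw should be refused at password-change time, or None.
    `previous` holds the user's earlier passwords in clear, which a change
    flow has because the user has just typed the old one."""
    new_canon = canonical(new_pw)
    for old_pw in previous:
        if canonical(old_pw) == new_canon:
            return "trivial variant of a previous password"
        score = similarity(old_pw, new_pw)
        if score >= SIMILARITY_THRESHOLD:
            return f"too similar to a previous password (score {score:.2f})"
    return None


if __name__ == "__main__":
    # Constructed samples, one per transformation class on the slides
    history = ["helloworld"]
    for candidate in ["h3ll0w0rld", "Helloworld2020", "dlrowolleh",
                      "hellaworld", "correct horse battery"]:
        print(f"{candidate!r:>24}: {reject_reason(candidate, history)}")
```

The canonical form is a heuristic: a leet digit that is also the last character (as in "hell0") is stripped as padding before it is de-leeted, and the similarity threshold is what catches that case.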


Guessing Algorithm – Evaluation

• Authors' approach:
  • Can guess 30% in 10 attempts
  • Can guess 80% in 100 attempts
• ED (edit-distance) approach:
  • Can guess 65% in a million attempts
• The proposed guessing algorithm is more suitable for online attacks


Guessing Algorithm - Evaluation

• The authors’ guessing algorithm was successful in predicting similar passwords.

• To verify this they computed the similarity score of all the password pairs that they successfully cracked.


Conclusions

• 43% of users directly re-use passwords between sites

• Users make small modifications to their passwords across sites
• Proposed a guessing algorithm that can crack:
  • 10% of non-identical passwords in 10 attempts
  • 80% of substring passwords in 100 attempts

• Password reuse is a significant security vulnerability
