Security PS

Evaluating Password Alternatives

Bruce K. Marshall, CISSP, IAMSenior Security Consultantbmarshall@securityps.com

Key Points

Key Presentation Points• Authentication Model

• Authenticator Characteristics

• Knowledge Based Authenticators

• Possession Based Authenticators

• Biometric Based Authenticators

Identification & Authentication

Identification• A process for presenting

an identity for use.

Authentication• A process for validating

proof of an identity.

Authentication System Model

AuthenticatorAuthenticator

InputInput

TransportTransport

VerificationVerification

Authenticator Types

What you know

• Passwords

• Passphrases

• Secret Answers

• Graphical Passwords

What you have

• ID Cards

• Password List

• One-Time Password Tokens

• Certificates & Private Keys

What you are

• Physical Features

• Psychological Traits

Authenticator Characteristics

• Usability How effectively can people operate

• Uniqueness How distinct is the proof

• Integrity How difficult to guess, forge, or steal

• Affordability How much does it cost to buy or maintain

• Accuracy How often do mistakes occur

PINs and Secret Answers

Personal Identification Number (PIN)• Very simple authenticator• Difficult to enforce hard-to-guess PINs• May include non-numeric characters

Secret Answers• One or more correct answers authenticates

an asserted identity• Users may be allowed to define questions• Typically a secondary authenticator

Passwords

Passwords• Based on a string of characters• Usually too predictable (i.e. poor uniqueness)

Length rarely greater than 8 characters Often consist of words or names Typically composed of lowercase letters Often think alike when choosing passwords Use same password across systems Not changed frequently enough

• Controlled through requirements for character use, length, and pattern matching

Case Study 15 Password Analysis

Word2%Word + Number

38%

Word + Char7%

Number1%

Username10%

Username Variation

27%

Other8%

Phrase7%

CS15 Password Lengths

0 0 0 0 0

372

769

607

56 529 8 1 3

0

100

200

300

400

500

600

700

800

1 2 3 4 5 6 7 8 9 10 11 12 13 14

Length

Nu

mb

er o

f O

ccu

rren

ces

99.6%

0.4%

Cracked Uncracked

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

CS01 CS15 Random

Cracking Success of L0phtCrack Brute Force Strings

BFS1 BFS2 BFS3 BFS4

Password Characteristics

Poor Fair OK Good Excellent

Usability

Uniqueness

Integrity

Affordability

Accuracy

Passphrases

Passphrases• Multiple words, typically mixed case with

numbers and symbols• Improvement upon passwords with little

user learning curve• Not much study yet on predictability

“The light of the M00N struck me in June”“SeattleSeahawksSingSadSongS4ME”

“emmyis7”

Graphical Passwords• Rely on memory of

images to authenticate

• Users select, draw, or manipulate pictures

• Relatively young technology that needs more attention

Graphical Passwords

“What You Have” Authenticators

“What You Have” Authenticators• Magnetic-stripe cards

• RF & Wiegand cards

• Stored-value cards

• Password lists

OTP Tokens

One-Time Password (OTP) Tokens• Generates a new password for each use

• Can be challenge/response-based

• Based on a unique, secret token seed value (and usually synchronized time)

• Implemented with hardware or software

OTP Tokens Characteristics

Poor Fair OK Good Excellent

Usability

Uniqueness

Integrity

Affordability

Accuracy

Digital Certificates

Digital Certificates

• Rely on the use of private and public keys

• Typically require a Public Key Infrastructure (PKI) for certificate creation, publication, renewal, & revocation

Digital Certificate Characteristics

Poor Fair OK Good Excellent

Usability

Uniqueness

Integrity

Affordability

Accuracy

Smart Cards

Smart Cards• Microprocessor with memory that can

generate and store keys and certificates

• Different form factors and interfaces

• Cryptographic functions using private key are processed on the card itself

Smart Card Characteristics

Poor Fair OK Good Excellent

Usability

Uniqueness

Integrity

Affordability

Accuracy

Biometric Authenticators

Biometric Authenticators• “The automated use of physiological or

behavioral characteristics to determine or verify identity.” - International Biometrics Group

• Rely on interpretation or ‘minutiae’ of a biometric trait

• Maturing technology and standards

• Increasingly used for physical security

Biometric Authenticators

• Fingerprint = 48%

• Face = 12%

• Hand = 11%

• Eye (Iris) = 9%

• Voice = 6%

• Keyboarding = <1%

* - Data source: International Biometrics Group 2004 Market Share

Biometric Characteristics

Poor Fair OK Good Excellent

Usability

Uniqueness

Integrity

Affordability

Accuracy

Multi-Factor Authenticators

* Coined by Douglas Adams in his book Mostly Harmless.

Multi-Factor Authenticators• Stronger authentication?

• Can combine best features

• Might combine worst features

• Do not want an Ident-I-Eeze”*

Summary

Summary & Call to Action

• Focus on entire authentication system

• Evaluate suitability of authentication solutions for your specific environment

• Do consider the Integrity of authenticators, but don’t forget about other characteristics

• Assess & fortify password dependent systems

• Visit www.passwordresearch.com

Questions?