
Text passwords, Hazim Almuhimedi

Upload: ami-nicholson

Post on 24-Dec-2015


TRANSCRIPT

Page 1: Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human

Text passwords

Hazim Almuhimedi

Page 2

Agenda
◦ How good are the passwords people are choosing?
◦ Human issues
◦ The Memorability and Security of Passwords
◦ Human Selection of Mnemonic Phrase-based Passwords

Page 3

Authentication Mechanisms

Something you have
◦ cards

Something you know
◦ Passwords: the cheapest way, and the most popular.

Something you are
◦ Biometrics: fingerprint

Page 4

Password is a continuous problem

Passwords are a serious real-world problem.
◦ SANS Top-20 2007 Security Risks
◦ Every year, password problems appear in the list:
  Weak or non-existent passwords
  Users who don't protect their passwords
  OS or applications that create accounts with weak/no passwords
  Poor hashing algorithms
  Access to hash files

Source: Jeffery Eppinger, Web Application Development.

Page 5

How good are the passwords people are choosing?

It is a hard question to answer.
◦ Data is scarce.

MySpace phishing attack

Page 6

Poor, Weak Password

Poor, weak passwords have the following characteristics:
◦ The password contains fewer than 15 characters.
◦ The password is a word found in a dictionary (English or foreign).
◦ The password is a common-usage word.

Source: Password Policy. SANS 2006

Page 7

Strong Password

Strong passwords have the following characteristics:
◦ Contain both upper- and lower-case characters.
◦ Have digits and punctuation characters.
◦ Are at least 15 alphanumeric characters long and are a passphrase.
◦ Are not a word in any language, slang, dialect or jargon.
◦ Are not based on personal information.
◦ Passwords should never be written down or stored on-line.

Source: Password Policy. SANS 2006

Page 8

Strong Password?

Page 9

Strong Password

At least 8 characters.
Contain both upper- and lower-case characters.
Have digits and punctuation characters.

Page 10

MySpace Phishing Attack
◦ A fake MySpace login page.
◦ It sent the captured data to various web servers, to be collected later.
◦ 100,000 fell for the attack before it was shut down.
◦ This analysis covers 34,000 users.

Page 11

Password length

Average: 8 characters.

Page 12

Password length

There is a 32-character password: "1ancheste23nite41ancheste23nite4"

Other long passwords: "fool2thinkfool2thinkol2think", "dokitty17darling7g7darling7"

Page 13

Character Mix

Page 14

Common Passwords

Top 20 passwords in order:
password1 abc123 myspace1 password
Blink182 qwerty1 fuckyou 123abc
baseball1 football1 123456 soccer
monkey1 liverpool1 princess1 jordan23
slipknot1 superman1 iloveyou1 monkey
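The following is an added example, not code from the slides: a defender-side check that encodes the strong-password criteria from pages 6, 7 and 9 (at least 8 characters, both letter cases, digits and punctuation, not a dictionary word), rejects anything on the MySpace top-20 list above, and undoes the kind of "word mangling" substitution mentioned later on page 37 ("a" to "@") before the dictionary lookup. It also computes the mean length and mean number of character classes of a group of passwords, the two metrics reported in the results table on page 38 (computing them this way is an assumption, not the study's own code). The mini dictionary, the substitution table and the sample passwords are constructed for the example; a real deployment would use a full wordlist and a breach-derived blocklist.

```python
# Added example (not from the slides): password policy check built from the
# slide's criteria plus the top-20 blocklist reproduced on page 14.
import string

# The top-20 list from the slide, lowercased for comparison.
COMMON_PASSWORDS = {
    "password1", "abc123", "myspace1", "password",
    "blink182", "qwerty1", "fuckyou", "123abc",
    "baseball1", "football1", "123456", "soccer",
    "monkey1", "liverpool1", "princess1", "jordan23",
    "slipknot1", "superman1", "iloveyou1", "monkey",
}

# Constructed mini dictionary (assumption: a stand-in for a full wordlist).
DICTIONARY_WORDS = {
    "password", "monkey", "princess", "baseball", "football", "soccer",
    "superman", "liverpool", "qwerty", "welcome", "dragon", "letmein",
}

# Substitutions that "word mangling" applies (the slides mention "a" -> "@");
# undoing them lets the check catch a mangled dictionary word as well.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

REQUIRED_CLASSES = ("lower", "upper", "digit", "punctuation")


def character_classes(password: str) -> set:
    """Return the set of character classes present: lower/upper/digit/punctuation."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punctuation")
    return classes


def base_word(password: str) -> str:
    """Lowercase, strip leading/trailing digits and punctuation, undo substitutions.

    "P@ssw0rd1" -> "password", "m0nkey1" -> "monkey".
    """
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def check_password(password: str, min_length: int = 8) -> dict:
    """Apply the slide's strong-password rules plus blocklist and dictionary checks."""
    classes = character_classes(password)
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for needed in REQUIRED_CLASSES:
        if needed not in classes:
            problems.append(f"no {needed} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password blocklist")
    if base_word(password) in DICTIONARY_WORDS:
        problems.append("dictionary word once digits, punctuation and substitutions are removed")
    return {
        "length": len(password),
        "classes": len(classes),
        "problems": problems,
        "ok": not problems,
    }


def mean_length_and_classes(passwords) -> tuple:
    """Mean length and mean number of character classes of a group, rounded to 0.1."""
    n = len(passwords)
    mean_len = round(sum(len(p) for p in passwords) / n, 1)
    mean_cls = round(sum(len(character_classes(p)) for p in passwords) / n, 1)
    return mean_len, mean_cls


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["jordan23", "P@ssw0rd1", "Blink182", "Correct-Horse7Battery"]:
        result = check_password(pw)
        print(f"{pw:22} ok={result['ok']!s:5} classes={result['classes']} {result['problems']}")
    print(mean_length_and_classes(["jordan23", "P@ssw0rd1"]))
```

Note that "P@ssw0rd1" satisfies every character-class rule and the length rule, yet still fails: the only thing that catches it is undoing the substitutions before the dictionary lookup, which is the point the slides make about composition rules alone being a weak measure of strength.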


Page 16

Common Password

"Blink 182" is a band.
◦ A lot of people use the band's name: it is easy to remember and has numbers in its name, and therefore it seems like a good password.

Page 17

Common Password

"qwerty1" refers to
◦ QWERTY, the most common keyboard layout on English-language computers.

Page 18

Common Password

The band "Slipknot" doesn't have any numbers in its name
◦ which explains the "1".

Page 19

Common Password

The password "jordan23" refers to
◦ basketball player Michael Jordan
◦ and his number 23.

Page 20

Common Password

I don't know what the deal is with "monkey".

Page 21

Common Password

Page 22

Passwords getting better
• Who said the users haven't learned anything about security?

Page 23

Human Issues

Social engineering.
Difficulties with reliable password entry.
Difficulties with remembering the password.

Humans are often the weakest link in the security chain.

Page 24

Human Issues

Social engineering.
◦ The attacker extracts the password directly from the user.
◦ Attacks of this kind are very likely to work unless an organization has well-thought-out policies.
◦ In his 2002 book, The Art of Deception, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering. Motorola case: http://www.youtube.com/watch?v=J4yH2GPiE7o (3:09)

Kevin Mitnick: "It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in." http://www.youtube.com/watch?v=8_VYWefmy34 (2:00)

Source: Wikipedia. Social engineering

Page 25

Human Issues

Social engineering.
336 CS students at the University of Sydney:
◦ Some were suspicious: 30 returned a plausible-looking but invalid password.
◦ Over 200 changed their passwords without official prompting.
◦ Very few of them reported the email to the authorities.

Page 26

Human Issues

Social engineering.
◦ How to solve this problem? A strong and well-known policy.

Page 27

Human Issues

Difficulties with reliable password entry.
◦ If a password is too long or complex, the user might have difficulty entering it correctly.
◦ South Africa case: a 20-digit number for the pre-paid electricity meters. Any suggested solution?
◦ If the operation they are trying to perform is urgent, this might have safety or other implications.

Page 28

Human Issues

Difficulties with remembering the password.
◦ The greatest source of complaints about passwords is that most people find them hard to remember.
◦ When users are expected to memorize passwords, they either choose values that are easy for attackers to guess, write them down, or both.

Page 29

The Memorability and Security of Passwords

Many of the problems of password authentication systems arise from the limitations of human memory.

Page 30

The Memorability and Security of Passwords

Some passwords are very easy to remember
◦ but very easy to guess (dictionary attack).

Some passwords are very secure against guessing
◦ but difficult to remember.
◦ They might be compromised as a result of human limitations: the user may keep an insecure written record.

Page 31

The Memorability and Security of Passwords

An experiment involving 400 first-year students at the University of Cambridge.
Testing how strong mnemonic-based passwords are.
Testing how easy they are to remember.
◦ In contrast with control and random passwords.

Page 32

The Memorability and Security of Passwords

Methods:
◦ 4 types of attacks: simple dictionary attack; dictionary attack with permutation; user-information attack; brute-force attack.
◦ Survey.

Page 33

The Memorability and Security of Passwords

Conclusion:
◦ Users have difficulty remembering random passwords.
◦ Passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords are.

Page 34

The Memorability and Security of Passwords

Conclusion:
◦ It isn't true that random passwords are better than those based on mnemonic phrases: each type appeared to be as strong as the other.
◦ It is not true that passwords based on mnemonic phrases are harder to remember than naively selected passwords are: each appeared to be reasonably easy to remember, with only about 2%-3% of users forgetting passwords.

Page 35

Human Selection of Mnemonic Phrase-based Passwords

Hypothesis
◦ Users will select mnemonic phrases that are commonly available on the Internet.
◦ It is possible to build a dictionary to crack mnemonic phrase-based passwords.

Page 36

Human Selection of Mnemonic Phrase-based Passwords

Survey
◦ A survey to gather user-generated passwords: mnemonic passwords (144), control passwords (146).

Page 37

Human Selection of Mnemonic Phrase-based Passwords

Attacks:
◦ Dictionary attack: generate a mnemonic password dictionary (400,000 entries); John the Ripper for control passwords (1.2 million entries).
◦ Dictionary attack with permutation: word mangling, e.g. replacing "a" with "@".
◦ Brute-force attack.

Page 38

Human Selection of Mnemonic Phrase-based Passwords

Results:
◦ Password strength:

                               Control   Mnemonic
Strength score                    15.7       17.2
Number of character classes        2.9        2.7
Length                             9.9        9.5

Page 39

Human Selection of Mnemonic Phrase-based Passwords

Results:
◦ Password cracking results:
◦ The user-generated mnemonic passwords were more resistant to brute-force attacks than control passwords.

Passwords compromised by               Control   Mnemonic
Basic dictionary                            6%         3%
Basic dictionary with permutation           5%         1%
Brute-force attack                          8%         4%

Page 40

Human Selection of Mnemonic Phrase-based Passwords

Results:
◦ Passwords based on external sources: the majority of mnemonic passwords are based on external sources; 13% of control passwords are based on external sources.

Page 41

Human Selection of Mnemonic Phrase-based Passwords

Results:
◦ Passwords based on external sources:

Page 42

Human Selection of Mnemonic Phrase-based Passwords

Conclusion:
◦ The majority of users select phrases from music lyrics, movies, literature, or television shows.
◦ This opens the possibility that a dictionary could be built for mnemonic passwords. If a comprehensive dictionary is built, it could be extremely effective against mnemonic passwords.
◦ Mnemonic phrase-based passwords offer a user-friendly alternative for encouraging users to create good passwords.

Page 43

Human Selection of Mnemonic Phrase-based Passwords

Conclusion:
◦ Mnemonic phrase-based passwords are not as strong as people may believe.
◦ The space of possible phrases is large, so building a comprehensive dictionary is not a trivial task.
◦ System designers and administrators should specifically recommend to users that they avoid generating mnemonic passwords from common phrases.

Page 44

Thank You