Password Attacks - PowerPoint PPT Presentation

Loading...

PPT – Password Attacks PowerPoint presentation | free to view - id: dfa7c-ZTE5Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Password Attacks

Description:

1988 Internet worm. Dictionaries: User permutations 6. List of jargon 432 ... 4hY0U:129:129:Walter Belgers:/home/gigawalt:/bin/csh. Windows Passwords ... – PowerPoint PPT presentation

Number of Views:52
Avg rating:3.0/5.0
Slides: 21
Provided by: knig9
Category:
Tags: attacks | password

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Password Attacks


1
Password Attacks
  • Password Strength
  • Password Schemes
  • Password Cracking

2
References
  • Richard E. Smith, The Strong Password Dilemma,
    Computer Security Journal, 2002,
    http//www.smat.us/sanity/pwdilemma.html
  • Skoudis, Ed., Counter Hack Reloaded A
    Step-by-Step Guide to Computer Attacks and
    Effective Defenses (2nd Edition), Prentice Hall,
    2005
  • DoD, Password Management Guideline
    CSC-STD-002-85, 1985

3
Teaching Points
  • Password Strength
  • Unix Passwords
  • Windows Passwords

4
Password Strength
2
5
6
5
Password Strength
2
6
0
8
6
How important are passwords?
  • Obviously root is important
  • But, I only use this account for laserprinting
    class handouts, so it has a simple password

7
So we need good passwords
8
Why do we think we need all these rules?
  • E.g
  • Unix DES encripts passwords 25 times
  • DES has 56 bit keys
  • 256 ? 7.21 x 1016
  • At 1000 tries per second? 2.3 million years
  • PRETTY GOOD, EH!

9
But, what is the password space?
  • 4 lower case letters
  • 264 ? 4.57 x 105 (approx. 7 min)
  • 5 lower case letters
  • 265 ? 1.19 x 107 (approx. 3.3 hr)
  • 6 lower case letters
  • 266 ? 3.09 x 108 (approx. 86 hr)
  • 8 lower case letters
  • 268 ? 2.09 x 1011 (approx. 6.6 years)
  • 6 lower/upper/digit characters
  • 626 ? 5.68 x 1010 (approx. 1.8 years)
  • 8 lower/upper/digit characters
  • 628 ? 2.18 x 1014 (approx. 69 years)

10
But, are all passwords just as likely to be used?
  • If we try guessing the most likely ones we can
    work with a smaller search space
  • Dictionary Attack
  • English dictionary
  • Common jargon lists
  • Foreign dictionaries
  • Words from the password file (names, etc.)
  • Permutations of these (0 for o, 3 for e, appended
    numbers, backwards, laughs for laugh, etc.)
  • This space is MUCH smaller!

11
Cracking Example
  • 1988 Internet worm
  • Dictionaries
  • User permutations 6
  • List of jargon 432
  • Unix online dictionary 24,474
  • Null
  • Cracked 50 of the passwords

12
Average Attack Space
  • The average number of tries needed against the
    users in the password database
  • Dictionary size 24,914
  • On average need to try ½ the entries
  • 50 chance any given password is in the
    dictionary
  • So, 24,914/(2 x 0.5) 24,914 (? 25 sec)

13
More General Results
  • Klein, 1990
  • Dictionary size (base) 60,000
  • Dictionary size (permutations) 3.3 milion
  • On average need to try ½ the entries
  • 24.2 chance any given password is in the
    dictionary
  • 3,300,000/(2 x 0.242) 223 (? 140 sec)
  • Not so Good!

14
Need to use strong passwords
  • Each password you choose must be new and
    different
  • Passwords must be memorized. If a password is
    written down, it must be locked up
  • Passwords must be at least six characters long,
    and probably longer, depending on the size of the
    password's character set
  • Passwords must be replaced periodically
  • Passwords must contain a mixture of letters (both
    upper- and lowercase), digits, and punctuation
    characters

15
So we need good passwords
16
The Password Dilemma
  • With these strong rules usability fails
  • People cant remember easily
  • Note when do we have to change passwords
  • Do we have a new one ready?
  • We are usually at another task
  • We cant see it as we enter it
  • To move from short to long term memory requires
    work
  • We have to sacrifice the attention to the job at
    hand to devote focus to conversion to long term
    memory

17
Alternatives
  • Balanced rules
  • Password tokens/one-time passwords
  • Biometrics
  • ?

18
Unix Passwords
accountcoded password datauidgidGCOS-fieldhom
edirshell gigawaltfURfuu4.4hY0U129129Walter
Belgers/home/gigawalt/bin/csh
  • 8 characters plain text
  • 2 bytes salt (4096 possibilites used)
  • DES x 25
  • 11 bytes encrypted 2 salt 13 bytes

19
Windows Passwords
  • SAM database
  • Old LM passwords
  • 14 characters (SLIT IN TWO !)
  • DES encrypted
  • NT passwords
  • Hashed
  • Not-split

20
Teaching Points
  • Password Strength
  • Unix Passwords
  • Windows Passwords
About PowerShow.com