Securing Passwords Against Dictionary Attacks
Slides: 26
Provided by: ChadF150
Securing Passwords Against Dictionary Attacks
  • Presented By
  • Chad Frommeyer

  • Abstract/Introduction
  • Reverse Turing Test (RTT)
  • User Authentication Protocols
  • Security Analysis
  • Authentication Method Requirements
  • Other Authentication Approaches
  • Conclusion

  • Passwords are the most widely used authentication
  • More secure methods are cumbersome to use
  • User chosen passwords are often weak and easy to
    guess with a dictionary
  • User requires the authentication to be easy to
  • Goal is to build authentication that is still
    easy to use but hard for the computer to guess

  • Dictionary Attack: attempting to authenticate by
    guessing all possible passwords
  • Offline Attack: attacking passwords when they
    are in transit
  • Offline attacks are prevented by securing
    communications and protecting password files

  • For this discussion we assume that communications
    are properly secured and password files are
  • Online Attack: an attack that requires interacting
    with the login server

Introduction: Common Countermeasures
  • Delayed Response: delaying the authentication
  • Account Locking: locking the account after too
    many negative responses

Introduction: Countermeasure Weaknesses
  • Global Password Attacks: simultaneous attempts
    against multiple accounts
  • Risks (from account locking):
  • Denial of Service
  • Customer Service Costs

Introduction: Pricing via Processing
  • Adding minimal processing time to each request
    has a large impact on dictionary attacks but a
    negligible impact on the individual user
  • A drawback to this approach is that it can
    require a special user client or mobile code
  • The suggested approach:
  • Add processing without changing the interaction
  • Make the processing hard for machines to automate

Reverse Turing Test (RTT)
  • Requirements of RTT
  • Automated Generation
  • Easy for Humans
  • Hard for Machines
  • Small probability of guessing the answer
  • RTTs can be solved by either utilizing a human
    during the attack, or some type of OCR or Audio

Reverse Turing Test (RTT)
  • Most well-known RTT: distorted text image
  • Production usage is typically during a
    registration process
  • Accessibility Issues
  • Utilize both Image and Audio based

User Authentication Protocols
  • Combining an existing system with an RTT
  • Requires passing an RTT for every authentication
  • Usability: this is different from what most users
    are accustomed to, and would likely cause issues
  • Scalability: RTT generation on a large scale
    is not a proven concept

User Authentication Protocols
  • Answers to the usability and scalability issues:
  • Require an RTT only a fraction of the time
  • Problem: attackers would skip the attempts where an
    RTT was required
  • Require an RTT only after the first failure
  • Problem: when global password attacks are used,
    this doesn't help

User Authentication Protocols
  • Paper's Observations
  • Users typically use a limited number of computers
  • Requiring RTTs for only a fraction of the time
    can be helpful for an appropriate implementation
  • The protocol suggested by this paper assumes the
    ability to identify client computers. The
    following implementation uses web browser cookies.

User Authentication Protocols
  • The usability problems are solved because the
    RTTs are only required in a very small number of
  • Scalability problems are solved because of this
    same reason and because the RTTs are generated by
    a deterministic function based on the username
    and password and a probability 1/p
  • All expected RTTs could be cached
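The login protocol sketched on these slides, written out as an added Python example; it is not code from the presentation or from the paper it summarizes. It assumes a constructed two-user database, a constructed server secret, and an integer P such that an RTT is demanded for 1 out of P incorrect username/password pairs (the slides' probability 1/p). The deterministic decision is an HMAC over the pair, so retrying the same guess always yields the same answer, and every denial has the same response shape whether or not the password was right. The last function counts the RTTs an attacker would face working through a dictionary, which is the cost the Security Analysis slides ask you to raise by tuning p.

```python
import hashlib
import hmac
import secrets

# Constructed sample user database (plaintext only to keep the demo self-contained;
# a real server stores salted password hashes).
USERS = {"alice": "correct horse battery", "bob": "hunter2"}

# Constructed server-side secret keying the deterministic RTT decision.
SERVER_KEY = b"demo-server-secret-do-not-reuse"

# Demand an RTT on 1 out of P incorrect username/password pairs (the slides' 1/p).
P = 10

# Cookies issued after a successful RTT-backed login: cookie value -> username.
valid_cookies = {}


def needs_rtt(username, password, p=P):
    """Deterministic function of the username/password pair: the same wrong guess
    always gets the same answer, so an attacker learns nothing by retrying it."""
    msg = f"{username}\x00{password}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") % p == 0


def password_ok(username, password):
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def login(username, password, cookie=None, solve_rtt=None):
    """One login attempt. solve_rtt is a callable standing in for the human (or an
    attacker's OCR); it returns True when the RTT was solved. Every denial has the
    same shape, so the only observable signal is whether an RTT was asked."""
    correct = password_ok(username, password)

    # A valid cookie for this user plus the right password: no RTT needed.
    if cookie is not None and valid_cookies.get(cookie) == username and correct:
        return {"result": "granted", "rtt_asked": False, "cookie": cookie}

    # Otherwise ask an RTT for every correct password and for a deterministic
    # 1/P fraction of incorrect pairs; the remaining wrong guesses are denied at once.
    if not (correct or needs_rtt(username, password)):
        return {"result": "denied", "rtt_asked": False, "cookie": None}

    solved = bool(solve_rtt is not None and solve_rtt())
    if correct and solved:
        new_cookie = secrets.token_hex(16)
        valid_cookies[new_cookie] = username
        return {"result": "granted", "rtt_asked": True, "cookie": new_cookie}

    # Wrong password, or RTT not solved: identical denial either way.
    return {"result": "denied", "rtt_asked": True, "cookie": None}


def rtt_challenges_over(username, dictionary, p=P):
    """Attacker's cost model from the Security Analysis slides: the number of RTTs
    that must be solved to work through a dictionary against one account (all
    correct guesses plus a 1/p fraction of the wrong ones)."""
    return sum(1 for guess in dictionary
               if password_ok(username, guess) or needs_rtt(username, guess, p))


if __name__ == "__main__":
    words = [f"guess{i}" for i in range(1000)] + ["hunter2"]  # constructed dictionary
    print("RTTs faced over", len(words), "guesses:", rtt_challenges_over("bob", words))
    first = login("bob", "hunter2", solve_rtt=lambda: True)
    print(first)
    print(login("bob", "hunter2", cookie=first["cookie"]))
```

Note what the attacker sees: a correct guess and a wrong guess that happens to hash to the 1/P bucket produce the identical "RTT asked" prompt, and only solving the RTT reveals which it was. Lowering P makes more wrong guesses fall into that bucket and so raises the human (or OCR) effort per dictionary word.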

Security Analysis
  • Implementation Requirements
  • One of the following responses is returned when
    a username/password pair doesn't match:
  • The username/password is invalid
  • Please answer the following RTT
  • The response must be a deterministic function
    of the username/password
  • Response delays should be the same for successful
    and failed attempts

Security Analysis
  • The nature of the response, as well as the
    response time, will often give an attacker more
    information about the system/passwords being
  • If the requirements are met, the proposed system
    will respond with RTTs on correct guesses as well
    as on a subset of incorrect guesses

Security Analysis
  • Goal: make the cost of attacking the system higher
    than the benefit of a successful attack
  • Some systems are so beneficial to attack that
    attackers will utilize humans to solve the RTTs
    encountered during an attack
  • The probability p must be adjusted to raise the
    cost of the attack

Security Analysis
  • What if an RTT can be broken?
  • The assumption should be that they can
  • In this case the system should dynamically adjust
    the probabilities
  • This means that the system must be able to
    identify a successful attack
  • When unsuccessful attempts with solved RTTs go
    up, this is a clear indication of an attack
  • Alternative RTT solutions should be available
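An added Python example of the detection signal this slide names (failed attempts whose RTT was nevertheless solved) together with the dynamic adjustment it calls for; this is not code from the presentation or the paper. The window size, baseline rate, the two P values and the "image"/"audio" scheme names are all constructed assumptions, as is the simulated traffic: ordinary users occasionally mistype a password and then solve an RTT, while an attack run by humans or by a broken RTT solver produces such events in bulk.

```python
from collections import deque


class AttackMonitor:
    """Sliding-window monitor over login attempts. When the share of failed
    attempts with a solved RTT exceeds the normal baseline, the monitor reports an
    attack, lowers the RTT interval P (so more wrong guesses trigger an RTT) and
    switches to the alternative RTT scheme in case the primary one has been broken."""

    def __init__(self, window=1000, min_samples=50, baseline_rate=0.02,
                 normal_p=10, attack_p=2):
        self.events = deque(maxlen=window)   # constructed defaults throughout
        self.min_samples = min_samples
        self.baseline_rate = baseline_rate
        self.normal_p = normal_p
        self.attack_p = attack_p

    def record(self, username, success, rtt_asked, rtt_solved):
        self.events.append((username, success, rtt_asked, rtt_solved))

    def failed_with_solved_rtt(self):
        """The slide's attack indicator: wrong password, yet the RTT was solved."""
        return sum(1 for _, ok, asked, solved in self.events
                   if not ok and asked and solved)

    def rate(self):
        return self.failed_with_solved_rtt() / len(self.events) if self.events else 0.0

    def under_attack(self):
        # Require a minimum sample size so a handful of typos cannot trip the alarm.
        return len(self.events) >= self.min_samples and self.rate() > self.baseline_rate

    def current_p(self):
        """RTT interval to use right now: 1 in P incorrect guesses triggers an RTT."""
        return self.attack_p if self.under_attack() else self.normal_p

    def rtt_scheme(self):
        """Fall back to the alternative RTT while the primary one appears broken."""
        return "audio" if self.under_attack() else "image"


def simulate():
    """Constructed traffic: 200 ordinary logins containing two typo-then-solved-RTT
    failures, then a burst of 100 failed attempts with solved RTTs. Returns the
    monitor's (attack flag, P, scheme) before and after the burst."""
    m = AttackMonitor()
    for i in range(200):
        if i in (37, 141):
            m.record("alice", False, True, True)    # genuine typo, RTT solved
        else:
            m.record("alice" if i % 2 else "bob", True, False, False)
    before = (m.under_attack(), m.current_p(), m.rtt_scheme())
    for _ in range(100):
        m.record("bob", False, True, True)          # attacker's wrong guesses, RTT solved
    after = (m.under_attack(), m.current_p(), m.rtt_scheme())
    return before, after


if __name__ == "__main__":
    print(simulate())
```

The monitor only needs the per-attempt facts the login server already has (outcome, whether an RTT was asked, whether it was solved), so it adds no new interaction for users; lowering P during an attack is what the slide means by adjusting the probabilities dynamically.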

Security Analysis
  • Cookie Theft
  • Cookies can be stolen off of one machine, and set
    on another
  • Keep a count on the server per cookie of the
    number of failed attempts
  • With a high number of failures (say 100) the
    server will ignore the cookie, and act as if no
    cookie was sent
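The per-cookie failure counter from this slide, as an added Python example that is not part of the presentation or the paper. The cookie format (a random id plus an HMAC signature under a constructed key), the binding of each cookie to the user it was issued to, and the reset of the counter on a successful login are assumptions added here; the limit of 100 is the slide's own suggestion.

```python
import hashlib
import hmac
import secrets

# Constructed signing key; a real deployment keeps this in a secret store.
COOKIE_KEY = b"demo-cookie-signing-key"

# The slide's suggested limit: after this many failures the cookie is ignored.
FAILURE_LIMIT = 100


class CookieStore:
    """Issues cookies that identify a client computer and tracks, per cookie, how
    many failed logins it has been presented with. A stolen cookie used to skip
    RTTs is neutralised once its failure count reaches the limit: the server then
    handles requests carrying it exactly as if no cookie had been sent."""

    def __init__(self, limit=FAILURE_LIMIT):
        self.limit = limit
        self.owner = {}      # cookie id -> username it was issued to
        self.failures = {}   # cookie id -> failed attempts seen with this cookie

    def _sign(self, cookie_id):
        return hmac.new(COOKIE_KEY, cookie_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, username):
        """Create a fresh cookie after a successful, RTT-backed login."""
        cookie_id = secrets.token_hex(8)
        self.owner[cookie_id] = username
        self.failures[cookie_id] = 0
        return f"{cookie_id}.{self._sign(cookie_id)}"

    def _parse(self, cookie):
        """Return the cookie id if the cookie is genuine (known id, intact signature)."""
        if not cookie or "." not in cookie:
            return None
        cookie_id, sig = cookie.split(".", 1)
        if cookie_id not in self.owner or not hmac.compare_digest(sig, self._sign(cookie_id)):
            return None
        return cookie_id

    def is_usable(self, cookie, username):
        """True only if the cookie is genuine, was issued to this user and has not
        reached the failure limit; otherwise the login must take the cookie-less
        branch of the protocol, where an RTT is required."""
        cookie_id = self._parse(cookie)
        return (cookie_id is not None
                and self.owner[cookie_id] == username
                and self.failures[cookie_id] < self.limit)

    def record_failure(self, cookie):
        cookie_id = self._parse(cookie)
        if cookie_id is not None:
            self.failures[cookie_id] += 1

    def record_success(self, cookie):
        # Reset so a legitimate user's occasional typos never exhaust the limit.
        cookie_id = self._parse(cookie)
        if cookie_id is not None:
            self.failures[cookie_id] = 0


def stolen_cookie_demo(limit=FAILURE_LIMIT):
    """Constructed scenario: Alice's cookie is copied to another machine and used
    for `limit` wrong-password attempts. Returns usability before and after."""
    store = CookieStore(limit)
    cookie = store.issue("alice")
    before = store.is_usable(cookie, "alice")
    for _ in range(limit):
        store.record_failure(cookie)
    after = store.is_usable(cookie, "alice")
    return before, after


if __name__ == "__main__":
    print(stolen_cookie_demo())
```

Keeping the counter on the server rather than in the cookie matters: a counter stored client-side could simply be rewound by whoever stole the cookie.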

Security Analysis
  • Account Locking Measures
  • Since we can determine when an attack is
    happening, we can use account locking measures as
    long as the failed-attempts threshold is
    higher than typical
  • The account's failed-attempt threshold should
    dynamically lower when an attack is happening, at
    least until a new RTT is implemented

Authentication Method Requirements
  • Requirement: Availability
  • Users shouldn't be expected to have special
    software installed
  • Requirement: Robust and Reliable
  • Requests should always receive a response
  • Requirement: Friendliness
  • The interface should be friendly and usable

Authentication Method Requirements
  • Requirement: Low cost to implement and operate
  • Give strong consideration to the effect of a
    successful attack and the impact it has on
    business and customers
  • Risk is an important factor in choosing an
    authentication method

Other Authentication Approaches
  • Most other, and potentially more secure,
    authentication approaches do not satisfy the
    previously stated requirements:
  • One-time passwords (tokens)
  • Client certificates/keys
  • Biometrics
  • Graphical Passwords

  • With a scalable, low-cost and usable solution
    similar to standard user/password authentication
    methods, the authors believe that their proposed
    solution is the answer to secure authentication
  • Why aren't solutions that are implemented today
    using similar ideologies?
  • Questions?