Text Passwords
Hazim Almuhimedi
Agenda
How good are the passwords people are choosing?
Human issues
The Memorability and Security of Passwords
Human Selection of Mnemonic Phrase-based Passwords
Authentication Mechanisms
Something you have: cards
Something you know: passwords (the cheapest way, and the most popular)
Something you are: biometrics (e.g. fingerprint)
Passwords are a continuing problem
Passwords are a serious real-world problem.
SANS Top-20 2007 Security Risks
Every year, password problems make the list:
Weak or non-existent passwords
Users who don't protect their passwords
OS or applications that create accounts with weak or no passwords
Poor hashing algorithms
Access to hash files
Source: Jeffrey Eppinger, Web Application Development.
How good are the passwords people are choosing?
It is a hard question to answer: data is scarce.
One data set: passwords exposed in a MySpace phishing attack.
Poor, Weak Passwords
Poor, weak passwords have the following characteristics:
The password contains fewer than 15 characters.
The password is a word found in a dictionary (English or foreign).
The password is a common-usage word.
Password length
Average: 8 characters.
The longest is a 32-character password: "1ancheste23nite41ancheste23nite4"
Other long passwords: "fool2thinkfool2thinkol2think" and "dokitty17darling7g7darling7"
Note that all three are a short string repeated (with a few characters dropped), so their effective strength is far below what their length suggests.
Character Mix
Common Passwords
Top 20 passwords, in order:
1. password1  2. abc123  3. myspace1  4. password
5. Blink182  6. qwerty1  7. fuckyou  8. 123abc
9. baseball1  10. football1  11. 123456  12. soccer
13. monkey1  14. liverpool1  15. princess1  16. jordan23
17. slipknot1  18. superman1  19. iloveyou1  20. monkey
Common Password
Blink 182 is a band.
A lot of people use the band's name: it is easy to remember, and because it has numbers in it, it seems like a good password.
Common Password
"qwerty1" refers to QWERTY, the most common keyboard layout on English-language computers.
Common Password
The band Slipknot doesn't have any numbers in its name, which explains the 1.
Common Password
The password "jordan23" refers to basketball player Michael Jordan and his number 23.
Common Password
I don't know what the deal is with monkey.
Common Password
Passwords are getting better.
Who said the users haven't learned anything about security?
Human Issues
Social engineering.
Difficulties with reliable password entry.
Difficulties with remembering the password.
Kevin Mitnick:
"It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in."
http://www.youtube.com/watch?v=8_VYWefmy34 (2:00)
Source: Wikipedia, Social engineering.
Human Issues
Mnemonic vs. control passwords
Study of 336 CS students at the University of Sydney, split into a control-password group and a mnemonic-password group.
Share of passwords compromised by each attack:

Attack                              Control   Mnemonic
Basic dictionary                    6%        3%
Basic dictionary with permutation   5%        1%
Brute force                         8%        4%

The user-generated mnemonic passwords were more resistant to brute force attacks (and to both dictionary attacks) than the control passwords.
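The first two attacks in the table above, as an added illustration that is not from the deck or from the study it summarizes: a basic dictionary attack and a dictionary-with-permutation attack run against a constructed leak of unsalted MD5 hashes (the "poor hashing algorithms" and "access to hash files" risks from the SANS list), beside a salted, slow hash that the same rules cannot be run against cheaply. The usernames, plaintexts, word list and mangling rules are assumptions made for the example; the plaintexts are taken from the top-20 list shown earlier.

```python
import hashlib
import hmac
import itertools
import os

# Constructed sample of a leaked credential table that stored unsalted MD5.
# Plaintexts come from the deck's top-20 list plus one random-looking password.
STOLEN_MD5 = {
    user: hashlib.md5(pw.encode()).hexdigest()
    for user, pw in [
        ("alice", "password1"),
        ("bob", "Blink182"),
        ("carol", "monkey"),
        ("dave", "jordan23"),
        ("erin", "k9!Qv#2rLm7&ZpXw"),   # not derivable from the word list below
    ]
}

# Constructed word list standing in for a real cracking dictionary.
WORDLIST = ["password", "blink", "monkey", "jordan", "football", "qwerty", "letmein"]


def mangle(word):
    """Candidates a 'dictionary with permutation' attack derives from one word:
    the word as-is or capitalized, optionally followed by 1-3 digits
    (the 'password1', 'jordan23', 'Blink182' patterns in the top-20 list)."""
    for base in (word, word.capitalize()):
        yield base
        for n in (1, 2, 3):
            for digits in itertools.product("0123456789", repeat=n):
                yield base + "".join(digits)


def crack_md5(stolen, wordlist, permute):
    """Return {user: plaintext} for every hash matched by the candidate set.
    Unsalted MD5 means one digest per candidate is checked against every user at once."""
    targets = {}
    for user, digest in stolen.items():
        targets.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        for cand in (mangle(word) if permute else (word,)):
            digest = hashlib.md5(cand.encode()).hexdigest()
            for user in targets.get(digest, []):
                cracked[user] = cand
    return cracked


# Contrast: a per-user random salt and a slow KDF. The same permutation rules
# still apply, but every candidate must be hashed separately for each user, and
# each guess costs ITERATIONS hash computations instead of one.
ITERATIONS = 100_000


def store_password(password):
    """Return 'salt$digest' using PBKDF2-HMAC-SHA256 with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    """Recompute the digest under the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("basic dictionary:      ", crack_md5(STOLEN_MD5, WORDLIST, permute=False))
    print("dictionary+permutation:", crack_md5(STOLEN_MD5, WORDLIST, permute=True))
    record = store_password("password1")
    print("salted pbkdf2 verifies:", verify_password(record, "password1"))
```

The basic dictionary recovers only the bare word "monkey"; adding the capitalize-and-append-digits rule recovers four of the five accounts, which is the gap between the "basic dictionary" and "with permutation" rows. The fifth password resists both because it is not a word-plus-digits, not because of the hash.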
Human Selection of Mnemonic Phrase-based Passwords
Results: passwords based on external sources
The majority of mnemonic passwords are based on external sources.
Only 13% of control passwords are based on external sources.
Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
The majority of users select phrases from music lyrics, movies, literature, or television shows.
This opens the possibility that a dictionary could be built for mnemonic passwords.
If a comprehensive dictionary were built, it could be extremely effective against mnemonic passwords.
Mnemonic phrase-based passwords still offer a user-friendly alternative for encouraging users to create good passwords.
Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
Mnemonic phrase-based passwords are not as strong as people may believe.
The space of possible phrases is large, so building a comprehensive dictionary is not a trivial task.
System designers and administrators should specifically recommend that users avoid generating mnemonic passwords from common phrases.
Thank You