
Text passwords

Hazim Almuhimedi
Agenda
- How good are the passwords people are choosing?
- Human issues
- The Memorability and Security of Passwords
- Human Selection of Mnemonic Phrase-based Passwords
Authentication Mechanisms
- Something you have: cards
- Something you know: passwords (the cheapest way, and the most popular)
- Something you are: biometrics (fingerprint)
Passwords are a continuous problem
Passwords are a serious real-world problem.
SANS Top-20 2007 Security Risks: every year, password problems are in the list:
- Weak or non-existent passwords
- Users who don't protect their passwords
- OS or applications that create accounts with weak/no passwords
- Poor hashing algorithms
- Access to hash files
Source: Jeffery Eppinger, Web Application Development.
How good are the passwords people are choosing?
- It is a hard question to answer.
- Data is scarce.
- MySpace phishing attack
Poor, Weak Password
Poor, weak passwords have the following characteristics:
- The password contains fewer than 15 characters.
- The password is a word found in a dictionary (English or foreign).
- The password is a common usage word.
Source: Password Policy. SANS 2006


Strong Password
Strong passwords have the following characteristics:
- Contain both upper and lower case characters
- Have digits and punctuation characters
- Are at least 15 alphanumeric characters long and are a passphrase
- Are not a word in any language, slang, dialect, or jargon
- Are not based on personal information
- Passwords should never be written down or stored on-line
Source: Password Policy. SANS 2006
Strong Password?
Strong Password
- At least 8 characters
- Contain both upper and lower case characters
- Have digits and punctuation characters
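As an added worked example (not part of the original slides), the two policies above expressed as a checker: it reports which of the SANS 2006 criteria and which of the relaxed 8-character criteria a candidate fails. The small word list, the normalisation that strips leading and trailing digits and punctuation before the dictionary lookup, and reading the 15-character rule as total length are my assumptions; the "not based on personal information" and "never written down" criteria cannot be checked mechanically and are left out.

```python
import string

# Constructed stand-in for a real English/foreign word list (assumption: a
# deployment would load a full dictionary file instead of this small set).
DICTIONARY = {
    "password", "monkey", "baseball", "football", "princess",
    "soccer", "liverpool", "superman", "welcome", "dragon",
}


def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def dictionary_core(pw):
    """Lower-case pw with leading/trailing digits and punctuation removed, so
    that 'password1' or 'Monkey!' is still recognised as a dictionary word
    (assumed normalisation, not part of the SANS text)."""
    return pw.lower().strip(string.digits + string.punctuation)


def check_sans_2006(pw):
    """List the SANS 2006 'strong password' characteristics that pw fails.
    The 15-character rule is applied to the total length."""
    classes = character_classes(pw)
    failures = []
    if not {"lower", "upper"} <= classes:
        failures.append("needs both upper and lower case")
    if not {"digit", "punct"} <= classes:
        failures.append("needs digits and punctuation")
    if len(pw) < 15:
        failures.append("shorter than 15 characters")
    if dictionary_core(pw) in DICTIONARY:
        failures.append("based on a dictionary word")
    return failures


def check_relaxed(pw):
    """List the criteria of the relaxed 8-character policy that pw fails."""
    classes = character_classes(pw)
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not {"lower", "upper"} <= classes:
        failures.append("needs both upper and lower case")
    if not {"digit", "punct"} <= classes:
        failures.append("needs digits and punctuation")
    return failures


if __name__ == "__main__":
    for candidate in ["password1", "Monkey1!", "Tr0ub4dor&3!xyzQ"]:
        print(f"{candidate!r}: SANS 2006 -> {check_sans_2006(candidate) or 'ok'}; "
              f"relaxed -> {check_relaxed(candidate) or 'ok'}")
```

Note how "Monkey1!" passes the relaxed policy but fails the SANS one twice: it is short, and once the trailing digit and punctuation are stripped it is still the dictionary word "monkey". That is exactly the gap between the two policies that the MySpace data in the following slides illustrates.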
MySpace Phishing Attack
- A fake MySpace login page.
- It sent the data to various web servers, to be collected later.
- 100,000 fell for the attack before it was shut down.
- This analysis covers 34,000 users.
Password length
- Average: 8 characters.
Password length
- There is a 32-character password: "1ancheste23nite41ancheste23nite4"
- Other long passwords: "fool2thinkfool2thinkol2think", "dokitty17darling7g7darling7"
Character Mix
Common Passwords
Top 20 passwords in order:
password1 abc123 myspace1 password
Blink182 qwerty1 fuckyou 123abc
baseball1 football1 123456 soccer
monkey1 liverpool1 princess1 jordan23
slipknot1 superman1 iloveyou1 monkey
Common Password
- Blink 182 is a band.
- A lot of people use the band's name: it is easy to remember, and it has numbers in its name, so it seems like a good password.
Common Password
- "qwerty1" refers to QWERTY, the most common keyboard layout on English-language computers.
Common Password
- The band Slipknot doesn't have any numbers in its name, which explains the 1.
Common Password
- The password "jordan23" refers to basketball player Michael Jordan and his number 23.
Common Password
- I don't know what the deal is with monkey.
Common Password
Passwords getting better
- Who said the users haven't learned anything about security?
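Added example, not from the original analysis: the kind of corpus summary the MySpace slides report (average and maximum length, character mix, most frequent values), computed over a constructed sample shaped like the top-20 list and the long passwords above, plus the share of passwords that are a word with digits appended (the "monkey1" / "jordan23" pattern the slides point out). The sample values and the mix labels are constructed here; they are not the phished data.

```python
import re
import string
from collections import Counter

# Constructed sample shaped like the top-20 list and the long passwords on
# the slides; it is NOT the phished MySpace data, just values to run on.
SAMPLE = [
    "password1", "abc123", "myspace1", "password", "Blink182",
    "qwerty1", "123abc", "baseball1", "football1", "123456",
    "soccer", "monkey1", "jordan23", "iloveyou1", "monkey",
    "password1", "monkey1", "1ancheste23nite41ancheste23nite4",
    "P@ssw0rd!", "fool2thinkfool2thinkol2think",
]

# Letters followed by digits, e.g. "monkey1" or "jordan23".
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d+$")


def character_mix(pw):
    """Label pw by the classes it mixes: 'alpha', 'digit', 'punct' joined by '+'."""
    classes = []
    if any(c.isalpha() for c in pw):
        classes.append("alpha")
    if any(c.isdigit() for c in pw):
        classes.append("digit")
    if any(c in string.punctuation for c in pw):
        classes.append("punct")
    return "+".join(classes) or "other"


def summarize(passwords, top_n=5):
    """Summary statistics of the kind reported for the phished set."""
    lengths = [len(p) for p in passwords]
    counts = Counter(passwords)
    matches = sum(1 for p in passwords if WORD_PLUS_DIGITS.match(p))
    return {
        "count": len(passwords),
        "avg_length": sum(lengths) / len(lengths),
        "max_length": max(lengths),
        "mix": Counter(character_mix(p) for p in passwords),
        "top": counts.most_common(top_n),
        "word_plus_digits_share": matches / len(passwords),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"{report['count']} passwords, average length {report['avg_length']:.2f}, "
          f"longest {report['max_length']}")
    for label, n in report["mix"].most_common():
        print(f"  mix {label:<18} {n:>3} ({100 * n / report['count']:.0f}%)")
    print("  most common:", report["top"])
    print(f"  word followed by digits: {100 * report['word_plus_digits_share']:.0f}%")
```

On this constructed sample, 60% of the values are a plain word with digits tacked on: they satisfy a "letters and digits" rule while remaining dictionary words, which is why a policy such as the relaxed 8-character one does so little against a dictionary attack with permutation.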
Human Issues
- Social engineering.
- Difficulties with reliable password entry.
- Difficulties with remembering the password.

Humans are often the weakest link in the security chain.
Human Issues
Social Engineering.
- The attacker will extract the password directly from the user.
- Attacks of this kind are very likely to work unless an organization has well-thought-out policies.
- In his 2002 book, The Art of Deception, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering.
- Motorola case: http://www.youtube.com/watch?v=J4yH2GPiE7o (3:09)

Kevin Mitnick:
"It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in."
http://www.youtube.com/watch?v=8_VYWefmy34 (2:00)
Source: Wikipedia. Social engineering
Human Issues
Social Engineering.
- 336 CS students at the University of Sydney
- Some were suspicious:
  - 30 returned a plausible-looking but invalid password
  - over 200 changed their passwords without official prompting
- Very few of them reported the email to the authorities.
Human Issues
Social Engineering.
- How to solve this problem?
- A strong and well-known policy.
Human Issues
Difficulties with reliable password entry.
- If a password is too long or complex, the user might have difficulty entering it correctly.
- South Africa case: a 20-digit number for the pre-paid electricity meters.
- Any suggested solution?
- If the operation they are trying to perform is urgent, this might have safety or other implications.
Human Issues
Difficulties with remembering the password.
- The greatest source of complaints about passwords is that most people find them hard to remember.
- When users are expected to memorize passwords, they either choose values that are easy for attackers to guess, write them down, or both.
The Memorability and Security of Passwords
- Many of the problems of password authentication systems arise from the limitations of human memory.
The Memorability and Security of Passwords
- Some passwords are very easy to remember, but very easy to guess (dictionary attack).
- Some passwords are very secure against guessing, but difficult to remember, and might be compromised as a result of human limitations: the user may keep an insecure written record.
The Memorability and Security of Passwords
- An experiment involving 400 first-year students at the University of Cambridge.
- Testing how strong mnemonic-based passwords are.
- Testing how easy they are to remember.
- Compared with control and random passwords.
The Memorability and Security of Passwords
Methods:
- 4 types of attacks:
  - Simple dictionary attack
  - Dictionary attack with permutation
  - User information attack
  - Brute force attack
- Survey
The Memorability and Security of Passwords
Conclusion:
- Users have difficulty remembering random passwords.
- Passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords are.
The Memorability and Security of Passwords
Conclusion:
- It isn't true that random passwords are better than those based on mnemonic phrases: each type appeared to be as strong as the other.
- It is not true that passwords based on mnemonic phrases are harder to remember than naively selected passwords are: each appeared to be reasonably easy to remember, with only about 2%-3% of users forgetting passwords.
Human Selection of Mnemonic Phrase-based Passwords
Hypothesis
- Users will select mnemonic phrases that are commonly available on the Internet.
- It is possible to build a dictionary to crack mnemonic phrase-based passwords.
Human Selection of Mnemonic Phrase-based Passwords
Survey
- A survey to gather user-generated passwords
  - Mnemonic passwords (144)
  - Control passwords (146)
Human Selection of Mnemonic Phrase-based Passwords
Attacks:
- Dictionary attack
  - Generate a mnemonic password dictionary: 400,000 entries
  - John the Ripper for control passwords: 1.2 million entries
- Dictionary attack with permutation: word mangling, e.g. replacing a with @
- Brute force attack
Human Selection of Mnemonic Phrase-based Passwords
Results:
Password Strength:

                                Control   Mnemonic
Strength score                     15.7       17.2
Number of character classes         2.9        2.7
Length                              9.9        9.5
Human Selection of Mnemonic Phrase-based Passwords
Results:
Password Cracking Results:

Passwords compromised by:               Control   Mnemonic
Basic dictionary                             6%         3%
Basic dictionary with permutation            5%         1%
Brute force attack                           8%         4%

- The user-generated mnemonic passwords were more resistant to brute force attacks than control passwords.
Human Selection of Mnemonic Phrase-based Passwords
Results:
Passwords based on external sources:
- The majority of mnemonic passwords are based on external sources.
- 13% of control passwords are based on external sources.
Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
- The majority of users select phrases from music lyrics, movies, literature, or television shows.
- This opens the possibility that a dictionary could be built for mnemonic passwords.
- If a comprehensive dictionary is built, it could be extremely effective against mnemonic passwords.
- Mnemonic phrase-based passwords offer a user-friendly alternative for encouraging users to create good passwords.
Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
- Mnemonic phrase-based passwords are not as strong as people may believe.
- The space of possible phrases is large: building a comprehensive dictionary is not a trivial task.
- System designers and administrators should specifically recommend to users that they avoid generating mnemonic passwords from common phrases.
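Added example, not from the paper or the slides: the administrators' recommendation in the conclusion turned into a registration-time check. It derives the first-letter mnemonic of each phrase in a tiny constructed list of well-known phrases and rejects a candidate password whose un-mangled letter form matches one, tolerating the substitutions the attack slide mentions (a replaced by @) and similar decorations such as a trailing digit. The phrase list, the substitution table and the cap on expanded variants are assumptions; a real deployment would load a large phrase corpus.

```python
import itertools
import re

# Constructed phrase list standing in for the lyrics, movie lines and
# literature the study found users drawing on (assumption: a deployment
# would load a large phrase corpus, not these four lines).
COMMON_PHRASES = [
    "To be or not to be, that is the question",
    "May the force be with you",
    "Four score and seven years ago",
    "All you need is love",
]

# Assumed substitution table: each non-letter a user might have mangled a
# letter into, with the letters it could stand for. Any non-letter may also
# be plain decoration (a trailing "1", a comma kept from the phrase).
UNMANGLE = {
    "@": "a", "4": "a", "&": "a", "$": "s", "5": "s", "0": "o",
    "1": "li", "!": "i", "3": "e", "7": "t", "2": "t",
}
MAX_VARIANTS = 4096  # bound the expansion for long, heavily mangled input


def mnemonic_of(phrase):
    """First letter of each word, lower-cased: the usual mnemonic construction."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    return "".join(w[0].lower() for w in words)


def build_mnemonic_set(phrases):
    """The blocklist: mnemonics of every listed phrase."""
    return {mnemonic_of(p) for p in phrases}


def letter_variants(pw):
    """Every plain-letter string pw could have been mangled from."""
    choices = []
    for ch in pw.lower():
        if ch.isalpha():
            choices.append((ch,))
        else:
            # possible substituted letters, or the character was decoration
            choices.append(tuple(UNMANGLE.get(ch, "")) + ("",))
    variants = ("".join(c) for c in itertools.product(*choices))
    return set(itertools.islice(variants, MAX_VARIANTS))


def derived_from_common_phrase(pw, mnemonics):
    """True if some un-mangled form of pw is the mnemonic of a listed phrase."""
    return any(v in mnemonics for v in letter_variants(pw))


if __name__ == "__main__":
    known = build_mnemonic_set(COMMON_PHRASES)
    for candidate in ["Tbontb,titq", "mtfbwy!", "fs&sy@", "4ynil1", "Xk9#qzp"]:
        verdict = "reject" if derived_from_common_phrase(candidate, known) else "accept"
        print(f"{candidate!r}: {verdict}")
```

The check is deliberately generous about what counts as a match: as the results table shows, permutation only lowered the mnemonic crack rate from 3% to 1%, so a blocklist that ignored mangling would let the @-for-a variants through while rejecting the plain form.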
Thank You
