Computer Science 653 --Lecture 2 Passwords Professor Wayne Patterson Howard University Fall 2009 Access Control Access Control • Two parts to access control • Authentication: Who goes there? – Determine whether access is allowed – Authenticate human to machine – Authenticate machine to machine • Authorization: Are you allowed to do that? – Once you have access, what can you do? – Enforces limits on actions • Note: Access control often used as synonym for authorization Authentication Who Goes There? • How to authenticate a human to a machine? • Can be based on… – Something you know • For example, a password – Something you have • For example, a smartcard – Something you are • For example, your fingerprint Something You Know • The most familiar example is the password. The theory is that if you know the secret password for an account, you must be the owner of that account. • There is a problem with this theory: You might give your password away or have it stolen from you. If you write it down, someone might read it. If you tell someone, that person might tell someone else. If you have a simple, easyto-guess password, someone might guess it or systemically crack it. Something You Have • Examples are keys, tokens, badges, and smart cards you must have to “unlock” your terminal or your account. The theory is that if you have the key or equivalent, you must be the owner of it. • The problem with this theory is that you might lose the key, it might be stolen from you, or someone might borrow it and duplicate it. Electronic keys, badges, and smart cards are gaining acceptance as authentication devices and as access devices for buildings and computer rooms. Something You Are • Examples are physiological or behavioral traits such as your fingerprint, handprint, retina pattern, voice, signature, or keystroke pattern. • Biometric systems compare your particular trait against the one stored for you and determine your authenticity. • The problem with these systems is that, on the whole, people aren’t comfortable with them. Passwords: The First Line of Defense • Remember this: – 8x3;2jqab% System Access: Logging into Your System • The first way in which a system provides computer security is by controlling access to that system. Who’s allowed to log in? How does the system decide whether a user is legitimate? How does the system keep track of who’s doing what in the system? • What’s really going on when you try to log into a system? It’s a kind of challenge. You tell the system who you are, and the system proves that you are (or you aren’t) who you claim to be. In security terms, this two-step process is called identification and authentication. Something You Know • Passwords • Lots of things act as passwords! – – – – – PIN Social security number Mother’s maiden name Date of birth Name of your pet, etc. Passwords: The Method of Choice • Passwords are still, far and away, the authentication tool of choice. In most systems, you identify yourself to the system by entering some kind of unique login identifier, followed by a password. The identifier is typically a name, initials, a login number, or an account number assigned by the system administrator based on your own name and/or group. Trouble with Passwords • “Passwords are one of the biggest practical problems facing security engineers today.” • “Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed.)” Why Passwords? • Why is “something you know” more popular than “something you have” and “something you are”? • Cost: passwords are free • Convenience: easier for SA to reset pwd than to issue user a new thumb Keys vs Passwords • • • • • • Passwords Crypto keys • Spse passwords are 8 Spse key is 64 bits characters, and 256 different characters Then 264 keys 8 = 264 pwds • Then 256 Choose key at random • Users do not select Then attacker must try about passwords at random 63 2 keys • Attacker has far less than 263 pwds to try (dictionary attack) The UNIX Example • As you know, for example, UNIX systems display the prompt: • login: • and expect a “name” in response. Other systems may expect an identifier of a specific length --- for example, a 3-character ID or an account number. After you enter your login ID, the system prompts: • Password: • • and you type the password, and authenticates your identity by verifying that the entered password is currently valid for your account. Passwords are your main defense against intruders. To protect your system and your data, you must select good passwords, and you must protect them carefully. Hints for Protecting Passwords • Both system administrators and users share responsibility share responsibility for enforcing password security. Here are some hints: • A password should be like a toothbrush. Use it every day; change it regularly; and don’t share it with friends. Don’t allow any logins without passwords. If you’re the administrator, make sure every account has a password. Don’t keep passwords that may have come with your system. Change all test or guest passwords, for example root, system, test, demo, etc. Don’t ever let anyone use your password. Don’t write your password down --- particularly on your computer, or anywhere around your desk. If you ever do write it down, don’t identify it as a password, and don’t write the phone number of the computer on the same piece of paper. Don’t type a password while anyone else is watching. Don’t record your password online or send it anywhere by electronic mail. Don’t make a bad situation worse. If you do share your password, change it immediately. Don’t keep the same password indefinitely. • • • • • • • • After Authentication • Once you’ve been authenticated, the system uses your ID to determine what you’re allowed to do in the system. For example, if you try to modify a sensitive file, the system checks your authenticated user ID against the list of IDs representing users who are authorized to read and write the data in that file. Good and Bad Passwords • Bad passwords – – – – – – – frank Fido password 4444 Pikachu 102560 AustinStamp • Good Passwords? – – – – – – jfIej,43j-EmmL+y 09864376537263 P0kem0N FSa7Yago 0nceuP0nAt1m8 PokeGCTall150 Password Experiment • Three groups of users each group advised to select passwords as follows – Group A: At least 6 chars, 1 non-letter winner – Group B: Password based on passphrase – Group C: 8 random characters • Results – – Group A: About 30% of pwds easy to crack Group B: About 10% cracked • – Passwords easy to remember Group C: About 10% cracked • Passwords hard to remember Password Experiment • User compliance hard to achieve • In each case, 1/3rd did not comply (and about 1/3rd of those easy to crack!) • Assigned passwords sometimes best • If passwords not assigned, best advice is – Choose passwords based on passphrase – Use pwd cracking tool to test for weak pwds – Require periodic password changes? Brute Force Attacks • At one time, a system cracker would have to try to guess your password, one attempt at a time (a so-called brute force attack). Like many things, this process has been automated. In theory, the longer the password, the longer it takes to break by brute force. If a password has eight random characters, the number of possible combinations will be: • (Under the assumption that the allowable characters are the 26 letters, not case-sensitive, and the 10 numerals. Thus, 36 symbols altogether.) • 368 = 2,821,109,907,456 3 trillion. • At one search per microsecond, this is still 2,821,110 seconds, or slightly less than 1000 hours, or about six weeks. (By a standard argument of probability, you only have to expect to wait half that long, or three weeks, before you would hit the right password.) Case-sensitivity • If you make the passwords case-sensitive, you can improve this to • 628 = 218,340,105,584,896 218 trillion. • And now the same attacker, at a million tries per second, would have to take 70 times as long, or approximately 4 years. • The problem is, users don’t select random, or even decently secure passwords, and a cracker doesn’t need to figure out your password --- any password will do. Unfortunately, users typically pick passwords that are laughably easy to guess --- their initials, their children’s names, their license plates, etc. Brute Force Attacks in General • The “brute force” or “exhaustive search” password attack relies on trying every potential combination for a password • Thus, in general, if a password system requires entering exactly n symbols, and the allowable symbol set has c elements, the total number of potential passwords is: • c choices for the first symbol, then c choices for the second symbol, … • These are all mutually exclusive, so the total number of choices is c x c … c = cn Brute Force Attacks (more) • So with cn choices, if our symbol set was case sensitive letters, {A..Z,a..z} (cardinality 52) and we had to enter 7 symbols, the total number of choices would be 527 = 1,028,071,702,528 = 1.0 x 1012 • With in addition numerics and perhaps 4 special symbols {& % # $} and a requirement for 10 symbols, now we have 6610 = 1,568,336,880,910,795,776 = 1.6 x 1018 Brute Force Attacks (more) • The computation gets a little more complicated if the password rule insists on at least one of each type of character, for example; or if the password can have a variable length. • E.g., if we only allowed the 26 letters, and the password could be anywhere from 6 to 10 characters, the total number of choices would be • 266 + 267 + 268 + 269 + 2610 = 146,813,767,122,880 = 1.5 x 1014 How Long will the Attack Take? • It is not unreasonable to think that an automated brute force attack could test one password per microsecond • Thus, 106/sec; 3.6 x 109/hr; ~1011/day • So for the 7-symbol, case-sensitive system, we could try all passwords in 10 days • But: every one of the tries has an equal probability of succeeding; thus, the expectation is that we will succeed by the time we are halfway through. Therefore, 5 days to break this system. Attacks on Passwords • Attacker could… – – – – Target one particular account Target any account on system Target any account on any system Attempt denial of service (DoS) attack • Common attack path – Outsider normal user administrator – May only require one weak password! Password Retry • Suppose system locks after 3 bad passwords. How long should it lock? – 5 seconds – 5 minutes – Until SA restores service • What are +’s and -’s of each? Password File • Bad idea to store passwords in a file • But need a way to verify passwords • Cryptographic solution: hash the passwords – Store y = h(password) – Can verify entered password by hashing – If attacker obtains password file, he does not obtain passwords – But attacker with password file can guess x and check whether y = h(x) – If so, attacker has found password! Dictionary Attack • Attacker pre-computes h(x) for all x in a dictionary of common passwords • Suppose attacker gets access to password file containing hashed passwords – Attacker only needs to compare hashes to his precomputed dictionary – Same attack will work each time • Can we prevent this attack? Or at least make attacker’s job more difficult? More General Dictionary Attacks • We can devise dictionary attacks using standard dictionaries. It is not hard to obtain lists of dictionary words online. • Then, the attacker can process this list, trying each word. • This raises the question, “how many words are there in a dictionary?” • Perhaps more generally, “how many words are there in the English language?” Password File • Store hashed passwords • Better to hash with salt • Given password, choose random s, compute y = h(password, s) and store the pair (s,y) in the password file • Note: The salt s is not secret • Easy to verify password • Attacker must recompute dictionary hashes for each user lots more work! Password Cracking: Do the Math • Assumptions • Pwds are 8 chars, 128 choices per character – Then 1288 = 256 possible passwords • • • • There is a password file with 210 pwds Attacker has dictionary of 220 common pwds Probability of 1/4 that a pwd is in dictionary Work is measured by number of hashes Password Cracking • Attack 1 password without dictionary – Must try 256/2 = 255 on average – Just like exhaustive key search • Attack 1 password with dictionary – Expected work is about 1/4 (219) + 3/4 (255) = 254.6 – But in practice, try all in dictionary and quit if not found work is at most 220 and probability of success is 1/4 Password Cracking • Attack any of 1024 passwords in file • Without dictionary – Assume all 210 passwords are distinct – Need 255 comparisons before expect to find password – If no salt, each hash computation gives 210 comparisons the expected work (number of hashes) is 255/210 = 245 – If salt is used, expected work is 255 since each comparison requires a new hash computation Password Cracking • Attack any of 1024 passwords in file • With dictionary – Probability at least one password is in dictionary is 1 (3/4)1024 = 1 – We ignore case where no pwd is in dictionary – If no salt, work is about 219/210 = 29 – If salt, expected work is less than 222 – Note: If no salt, we can precompute all dictionary hashes and amortize the work Other Password Issues • Too many passwords to remember – Results in password reuse – Why is this a problem? • Who suffers from bad password? – Login password vs ATM PIN • • • • Failure to change default passwords Social engineering Error logs may contain “almost” passwords Bugs, keystroke logging, spyware, etc. Social Engineering Attacks • A third approach to breaking passwords is called “social engineering.” • If one is trying to find a password for a specific individual, this is likely to be the most fruitful. • See the film, “War Games” and remember Joshua. Passwords • The bottom line • Password cracking is too easy! – One weak password may break security – Users choose bad passwords – Social engineering attacks, etc. • The bad guy has all of the advantages • All of the math favors bad guys • Passwords are a big security problem Password Cracking Tools • Popular password cracking tools – – – – Password Crackers Password Portal L0phtCrack and LC4 (Windows) John the Ripper (Unix) • Admins should use these tools to test for weak passwords since attackers will! • Good article on password cracking – Passwords - Conerstone of Computer Security Picking Passwords (à la Patterson) • Now here’s the problem with passwords, and it’s serious. There are a limited number of things a human being can remember. What was that string I gave you at the beginning of the class? • Here’s my personal strategy. It is definitely NOT the recommended way. But no one has ever guessed one of mine, and I’ve never forgotten one. What We Remember • There are many things that we do remember easily. Unfortunately, for many of these things, anyone else can remember, discover, or guess them as well. Someone can guess your password by accident or by design. If they guess it by a totally random process, then the only protection you have is to choose longer passwords. • But, if they guess it by design, it’s because you had a weakness in your choice of password. Let’s examine the ways in which one can choose passwords, and the ways in which people can guess that information. The Bulls-Eye • Let’s design a chart, like a bulls-eye, of things that are lodged in your memory. Let rank these things from 1 to 10 by ease of recollection (with 10 meaning easiest to remember). Such a chart might look something like this: Memory Reference Where I left my car keys Next dentist appt Student ID 1 5 10 Bank account number Bill collector’s phone number Car licence Test dates Mom Girlfrien d Boyfrien d Dog Favorite CD Favorite place to visit Ease of Learning by Opponent • Now, by the same token, let’s design another chart, also in this bulls-eye format, representing the ease (10) or the difficulty (1) of someone else remembering or learning the same information. • In this case, what’s easy to determine? My mother’s name, girlfriend/boyfriend, dog’s name, favorite CD, are probably all easy for someone to determine, if they talk to anyone who knows me at all. So I would rank all of these a 10. Where I left my car keys, or my next dentist appointment might be more difficult to determine, so they would probably be down closer to a 1. Student ID, or bank account number? Not too difficult for someone to determine. Let’s say about a 7 or 8. Let’s look at a possible “Cracker Reference”: Cracker’s Reference Where I left my car keys Next dentist appoin tment 1 Studen t ID 5 10 Car licence Favorite place to visit Mom Girlfr iend Boyfr iend Dog Simple to Remember, Hard to Guess • So here’s the principle that’s involved. I want to be able to choose passwords that are as simple as possible to remember (in other words, maximizing the value in the bulls-eye in the memory reference chart); at the same time, making it as hard as possible for anyone else to determine, that is minimizing the value in the cracker’s reference. Simple to Remember, Hard to Guess • Furthermore, in this latter case, I have to minimize this value over all possible crackers --- i.e. anyone else who has some information about me. Thus, if 99% of the world does not know what my favorite place to visit is (therefore giving a cracker reference of 1), but I have discussed that wonderful vacation with 1 percent of the population (for whom that value might therefore be 7 or 8), I have to treat the overall value for that place name to be the 7 or 8. PFQ • So the principle, which I can state as a formula, is maximize the Memory Reference for a potential password, and minimize the greatest possible value for a Cracker Reference. Then, calculate the Privacy and Familiarity Quotient (PFQ) by dividing these two quantities: Memory Reference • PFQ = ------------------------------------------------Max(over all people) Cracker Reference • Obviously, the best possible value for PFQ is 10/1 = 10. Your passwords should come as close as possible to that value. B. O. Lounder • In practice, how can you maximize this “PFQ”? Here’s what I do. I think back through my life for an event, or series of events, that are very vivid to me. For example, the teacher who had me expelled from high school was named B. O. Lounder. I will never forget his name. • That might have been a very good choice of password, since it is clearly a 10 in Memory Reference. However, there are still a lot of my high school classmates around, and sooner or later, if someone talked to them about me, they would likely hear the story of Mr. Lounder. Penobscot • But no one knows about the time that I went off on my own, when I was in college, and had an interesting visit to Penobscot, Maine. • That’s a trip I won’t forget --- and really I’ve never discussed it with anyone --- until now --- and so penobscot would be a very good password choice for me. • Actually, an even better one would be something like penobscotm, or penobscotx, or qpenobscot, or penob%scot, just in case a cracker had an index of all of the place names in the United States. A Dozen Solid Memory References • In this way, I construct a list of about a dozen of those solid memory references, to which virtually no one else can connect me (by the way, I’m just kidding about Penobscot --- but not about B. O. Lounder). • And I construct a slightly modified version of those names for my collection of passwords. As I said, I keep about a dozen or so on hand. And none of them are ever written down --- they don’t have to be! Protecting Passwords • Most systems protect passwords in two important ways: they make passwords hard to guess and login controls hard to crack, and they protect the file in which passwords are stored. • But not UNIX --- e.g.: – cat /etc/passwd • !!! Sample Login/Password Controls • Last login message – When you log in, the system may display the date and time of your last login. Many systems also display the number of unsuccessful attempts since the last successful login. This may give you a chance to discover if your account has been used by someone else. • User-changeable passwords – In many systems, you’re allowed to change your own password at any time Sample Login/Password Controls • System-generated passwords – Some systems require you to use passwords generated randomly by the system. VAX/VMS 4.3 ensures that these passwords are pronounceable. Some systems let you view several random choices from which you can pick one. The danger, of course, is that these are eminently forgettable. • Password aging and expiration – When a specified time is reached, e.g. the end of the month, all passwords in the system may expire. New passwords usually may not be identical to the old passwords. The system should give reasonable notice before requiring you to change a password, if you have to pick quickly, you’re likely to pick poorly. • Minimum length – Some systems require that passwords be a minimum length, say 6 to 8 characters. Sample Login/Password Controls • Password locks – Locks allow the system administrator to restrict certain users from logging in or to lock login accounts that haven’t been used for an extended period of time. • System passwords – System passwords control access to particular devices that might be targets for unauthorized use. • Primary and secondary passwords – Some systems require that two users, each with a valid password, be present to log in successfully to extremely sensitive accounts. • Network password – Some systems require special passwords for network or communications access. Protecting Your Password in Storage • Typically, valid passwords are stored in a password file. Protection of passwords is extremely critical to system security. Systems commonly use both encryption and access controls to protect password data. • Most systems encrypt the data stored in the system’s password file. • Most systems perform “one-way encryption” of passwords. One-way encryption means that the password is never decrypted. Each time you log in and enter your password, the system encrypts your entered password and compares the encrypted version with the encrypted password stored in the password file.