Isys20261 lecture 13

Computer Security Management (ISYS20261) Lecture 13 – Passwords Module Leader: Dr Xiaoqi Ma School of Science and Technology

Transcript of Isys20261 lecture 13

Page 1: Isys20261 lecture 13

Page 2: Isys20261 lecture 13

Computer Security Management, Page 2

Last week …

• Access control permits or denies the use of a particular resource by a particular entity

• Two dimensions: authentication and authorisation

• Authentication

– User to system

– System to user

• Authorisation

– Discretionary access control

– Mandatory access control

– Role-based access control

Page 3: Isys20261 lecture 13

Today

• Passwords

• PINs

• Challenge response

Page 4: Isys20261 lecture 13

Password authentication (1)

• Ways of authenticating a person

– Knowledge based: password, PIN, etc.

– Token based: smartcard, etc.

– Biometrics: fingerprints, face recognition, etc.

• Password authentication has two stages:

– Identification

– Verification

Page 5: Isys20261 lecture 13

Password authentication (2)

• Assumption: password exists in two places only:

– System

– User’s memory

• In reality also:

– Under the keyboard

– On a post-it sticking to the monitor

– Shared amongst a group of colleagues/friends

– Etc.

Page 6: Isys20261 lecture 13

Passwords

• Unaided recall

• Passwords should be meaningless

• Recall has to be 100% correct

• No feedback on failure

• Problems:

– Unaided recall is harder than cued recall

– Non-meaningful items are hard to recall

– Limited capacity of working memory

– Items stored in memory decay over time

– Similar items compete

– Old passwords cannot be deleted on demand

– Etc.

Page 7: Isys20261 lecture 13

Password attacks

• General criminal economics: attacker will only invest up to 10% of the achieved profits!

• Password attacks: cheap!

• Types of password attacks:

– Brute-force attack

– Guessing attacks

– Shoulder surfing attacks

– Spyware

– Packet sniffing

– Social engineering

Page 8: Isys20261 lecture 13

Password policies

• Aim to enforce strong passwords in an organisation

• Define the rules for:

– Password length

– Content

– Frequency of change

– Number of login attempts

– How to recover/reset a password

• Ideally:

– Variable length

– Meaningless

– Do not change passwords more often than necessary

– Limit login attempts

– Credential recovery: see later slide

Page 9: Isys20261 lecture 13

Problems, problems …

• Nowadays, Joe Average has to remember a large number of passwords/PINs!

• Many of these need to be changed frequently

• Many similar items compete (including old, invalid passwords!)

• Infrequently used passwords are easily forgotten

• Recently changed passwords are forgotten or confused

• Etc.

Page 10: Isys20261 lecture 13

Password failure

• 52% Memory failure

– Confused with old password: 37%

– Confused with other system’s password: 15%

• 20% Wrong user ID

• 12% Typo

– Missing or additional characters

– Pressing ENTER

Page 11: Isys20261 lecture 13

User strategies

• If not given a strategy, users will make up their own!

– Use the same password for multiple systems

– Only change passwords if forced to

– Externalise passwords

• On-the-spot decisions

Page 12: Isys20261 lecture 13

Password quality (Sasse et al., 2001)

• Content

– 28% of users’ passwords are identical

– 68% use one way to construct their passwords

– 51% of the passwords are words with a number on the end

• Change

– 90% only change when forced to do so

– 45% increment the number by one when changing

• Writing down

– 30% write down all passwords

– 32% write down infrequently used passwords

Page 13: Isys20261 lecture 13

PINs

• Numerical passwords, e.g. 4587

• Similar problems

– Same PIN across many applications

– Many people give card and PIN to others to fetch cash

– Using mobile phones in public

– Etc.

• Where to find PINs:

– On the card

– In the wallet

– Post-it

– Around cash machine

– Etc.

Page 14: Isys20261 lecture 13

Countermeasures

• Help with passwords

– Reactive, e.g. reminder

– Proactive, e.g. hints, writing down, …

• Not really effective

• Better:

– Single sign-on

– Changes to password policy

– Alternative methods: Graphical or biometrics

Page 15: Isys20261 lecture 13

Reminders

• Advantages:

– No password change

– Automated, i.e. reduced workload on helpdesk or system admin

• Disadvantages:

– Over the internet: security risk

– Attacker might guess or know the answer to additional security questions

• Example: “what is your mother’s maiden name?”

Page 16: Isys20261 lecture 13

Hints

• User selects reminder of password that is stored on the system together with the password

• System provides the hint if:

– user forgets his/her password and requests it

– login fails

• Advantages

– No password change

– Automated

• Disadvantages:

– Untrained users often choose bad hints in terms of memorability

– Attacker might find out the password through social networks

Page 17: Isys20261 lecture 13

How to improve

• Provide instructions for better memorability

– Must be available when users need them

– e.g. “make up a sentence to memorise” or “funny content helps to memorise”

• Provide feedback

– At registration time

– Needs to be positive and constructive

– Might help an attacker!

• Pro-active password checking

– Prevent weak passwords

– Checks at registration for compliance with password policy

• Helpdesks

– Many people prefer to interact with other human beings

– Humans are more flexible
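As an added example (not part of the lecture), a pro-active password checker in Python that enforces a policy of the kind set out on the password policies slide and rejects the two user habits reported by Sasse et al. (2001): a dictionary word with a number on the end, and the old password with its number incremented by one. The minimum length, the word list and the history salt are constructed placeholders; the lecture gives no such values.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Constructed policy values, not figures from the lecture.
MIN_LENGTH = 8
# Tiny stand-in for the dictionary a real checker would load.
DICTIONARY = {"password", "welcome", "summer", "monkey", "letmein"}
HISTORY_SALT = b"per-user-salt-placeholder"  # a real system stores a random salt per user


def history_hash(password: str) -> bytes:
    """Hash used to keep old passwords in the history without storing them in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), HISTORY_SALT, 100_000)


def is_word_plus_number(pw: str) -> bool:
    """Dictionary word with digits appended: the construction 51% of users chose (Sasse et al., 2001)."""
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", pw)
    return m is not None and m.group(1).lower() in DICTIONARY


def is_increment_of(old: str, new: str) -> bool:
    """New password is the old one with its trailing number bumped by one (the 45% change strategy)."""
    mo, mn = re.fullmatch(r"(.*?)(\d+)", old), re.fullmatch(r"(.*?)(\d+)", new)
    if mo is None or mn is None:
        return False
    return mo.group(1) == mn.group(1) and int(mn.group(2)) == int(mo.group(2)) + 1


def check_password(new: str, current: Optional[str] = None,
                   history: Tuple[bytes, ...] = ()) -> List[str]:
    """Return policy violations as constructive feedback; an empty list means the password is accepted.

    `current` is the password the user typed to authorise the change (available in clear at that
    moment); `history` holds hashes of earlier passwords.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if new.lower() in DICTIONARY:
        problems.append("must not be a dictionary word")
    if is_word_plus_number(new):
        problems.append("must not be a dictionary word with a number on the end")
    if new == current or history_hash(new) in history:
        problems.append("must differ from previously used passwords")
    if current is not None and is_increment_of(current, new):
        problems.append("must not be the old password with its number incremented")
    return problems
```

The returned messages are the kind of positive, constructive feedback the slide asks for at registration time; they name the rule broken, not the password stored.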

Page 18: Isys20261 lecture 13

Single sign-on (SSO)

• Enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again

• Advantages:

– Reduces user’s workload to a minimum

– Reduces time spent on logins

– Reduces help desk calls

– Single point of recovery

• Disadvantages:

– Valuable to attacker (single point of attack!)

Page 19: Isys20261 lecture 13

Challenge-response (1)

• Authentication technique

• An individual is prompted (the challenge) to provide some private information (the response)

• Enrolment:

– Challenge-response (CR) pairs generated randomly from database

– User accepts a set of memorable CRs when enrolling

• Operation:

– Individual is given one challenge from set

– If individual gives the matching response: authenticated

Page 20: Isys20261 lecture 13

Challenge-response (2)

• When enrolling, the challenge can be

– Selected entirely by the system, or

– Partly chosen by user, or

– Partly selected from list by user

• Response can be

– Selected by the system, or

– Chosen by user, or

– Selected from list by user

• Examples

– C: Name of your pet? R: [open answer chosen by user]

– C: Your mother’s maiden name? R: [input chosen by the user]

– C: What do you think of the [input chosen by the user]? R: I think the [from C][chosen by the user]
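An added example, not the lecture's own code, of the enrolment and operation steps of challenge-response authentication described on the previous two slides: the system draws a random set of challenges from a pool (a constructed stand-in for the database), the user enrols a memorable response to each, and at login one challenge from the user's set is issued and the response is checked against a salted hash. The challenge texts and the class name are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed challenge pool standing in for the system's challenge database.
CHALLENGE_POOL = [
    "Name of your first pet?",
    "Name of the street you grew up on?",
    "Title of the first film you saw at a cinema?",
    "Make of your first bicycle?",
]

def normalise(response: str) -> str:
    """Recall has to be exact, so remove case and spacing slips before comparing."""
    return " ".join(response.lower().split())

def hash_response(salt: bytes, response: str) -> bytes:
    """Responses are stored salted and hashed, like passwords, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalise(response).encode(), salt, 100_000)

class ChallengeResponseAuth:
    def __init__(self) -> None:
        self._users = {}  # user -> {challenge: (salt, hashed response)}

    def offer_challenges(self, count: int) -> list:
        """Enrolment, step 1: the system draws a random set of challenges from the pool."""
        return secrets.SystemRandom().sample(CHALLENGE_POOL, count)

    def enrol(self, user: str, pairs: dict) -> None:
        """Enrolment, step 2: the user accepts the challenges and gives a memorable response to each."""
        self._users[user] = {}
        for challenge, response in pairs.items():
            salt = os.urandom(16)
            self._users[user][challenge] = (salt, hash_response(salt, response))

    def issue_challenge(self, user: str) -> str:
        """Operation: present one challenge chosen at random from the user's enrolled set."""
        return secrets.choice(list(self._users[user]))

    def verify(self, user: str, challenge: str, response: str) -> bool:
        """Authenticated only if the response matches the one enrolled for that exact challenge."""
        record = self._users.get(user, {}).get(challenge)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(expected, hash_response(salt, response))
```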

Page 21: Isys20261 lecture 13

Challenge-response (3)

• Challenge-response pairs (CRs) have two dimensions:

– Usability

– Security

• Criteria for assessing security:

– Guessing difficulty

• Criteria for assessing usability:

– User physical and mental workload

– Administrator physical workload