Transcript of passwords and passphrases
Passwords & Passphrases
● Member of Belgrade hackerspace (HKLBGD), Sunday crypto workshop.
● Writing for Libre online magazine (FLOSS)
● Name: Simović Petar
● I study computer science at the Faculty of Mathematics, University of Belgrade
Agenda
● Introduction to passwords and pass phrases
● Measuring password/pass phrase strength
● Service – consumer handling of secrets: why passwords might be dead
● Password hacking: phishing, brute force, social engineering
● Alternative methods of authentication
What's wrong with my P4$$w0rd?
● Very weak & easy to remember. Replacing 's' and 'o' with '$' and '0' won't help you much.
● Or hard to remember & secure
● So users reuse them
● And if not random -> social engineering guessing
People are not very good at creating truly random passwords; worse, they are creatures of habit and fall into patterns. And it is hard to remember dozens of different nonsense passwords with numbers and special characters.
So, what is a pass phrase?
● Short answer: it is just a phrase.
● Long: it contains a few words, not necessarily from a dictionary; the words should be picked at random, not from a book or website.
● What are good and secure pass phrases?
● How to generate them?
Secure pass phrase?
● “pass-phrase1 pass-phrase2 pass-phrase3”
● “My pass phrase is hard to guess”
● “Correct horse battery staple”
● “red cross healty pharmacy medicine”
● “yeti permutes kilobyte visas skin”
● “red green blue cyan magenta yellow”
● “police gun cuffs undercover sherif”
Pass phrase advantages
● Easier to create – maybe not for humans
● Easier to remember
● So no need for writing it down or using password managers
● Harder for automated attacks – [verb adjective noun?] – needs brute force if done right
● More secure?
● ...
Diceware
● Method for manually generating pass phrases
● Why? PRNG compromised, or just paranoid?
● How? Diceware wordlist, dice, paper and pen http://goo.gl/swgFz
Entropy – Shannon entropy
● log2(character set size ^ password length)
● For example: an 8 character password with all 94 possible characters: a-z (26), A-Z (26), 0-9 (10), and
~`!@#$%^&*()_-+={[}]|\"':;?/><,. (32) is
● log2(94^8) = log2(6 095 689 385 410 816) = 52 bits
● For pass phrases the character set is the number of words in the dictionary, and the password length is the number of words.
● So any 4 word pass phrase from a set of 20 000 words
(average dictionary) has log2(20000^4) = 57 bits
Entropy
● 8 character password from a 94 character set:
● 4!V"N$Fg = 51 bit entropy
● 4 word pass phrase from 20 000 words:
● yeti permutes kilobyte visas = 57+ bits of entropy
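The entropy arithmetic from this slide and the Diceware generation from the slide above, as an added Python example that is not part of the original slides. The wordlist is a constructed stand-in for the 7776-word Diceware list (only its size matters for the entropy figures), and the `secrets` module stands in for physical dice.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware list: a real list has 6^5 = 7776 words,
# one per five-dice roll. Only the list size matters for the entropy figures.
SAMPLE_WORDLIST = ["yeti", "permutes", "kilobyte", "visas", "skin",
                   "horse", "battery", "staple"]
# 26 + 26 + 10 + 32 = 94 symbols, the character set used on the slide
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(set_size: int, length: int) -> float:
    """Shannon entropy of a secret drawn uniformly at random:
    log2(set_size ** length) == length * log2(set_size)."""
    return length * math.log2(set_size)


def items_needed(set_size: int, target_bits: float) -> int:
    """Smallest number of characters (or words) drawn from a set of
    set_size that reaches target_bits of entropy, e.g. the 80+ bits
    recommended for password-manager generated passwords."""
    return math.ceil(target_bits / math.log2(set_size))


def random_password(length: int, charset: str = FULL_CHARSET) -> str:
    """Password of `length` symbols from `charset`, using the OS CSPRNG."""
    return "".join(secrets.choice(charset) for _ in range(length))


def random_passphrase(words: int, wordlist: list = SAMPLE_WORDLIST) -> str:
    """Diceware-style passphrase: every word is an independent uniform pick,
    so the entropy is words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(f"8 chars from {len(FULL_CHARSET)}: {entropy_bits(len(FULL_CHARSET), 8):.1f} bits")
    print(f"4 words from 20 000: {entropy_bits(20000, 4):.1f} bits")
    print(f"Diceware words (7776 list) for 80 bits: {items_needed(7776, 80)}")
    print(random_password(12))
    print(random_passphrase(5))
```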
Passwords & Passphrases
XKCD: Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
P4$$w0rDs done right
● Use a password manager (always open-source software, e.g. KeePass, KeePassX, …)
● Let the password manager generate long, secure (80+ bits) passwords. No need to remember any, and no reusing.
● Change them all often (at least twice a year)
● Public wi-fi needs a layer of encryption
How do servers handle users' passwords?
● They use a hashing function (MD5, SHA1, SHA256, bcrypt)
● Hashing + salting
Use slow and good hash functions like bcrypt, never MD4, MD5 or SHA1.
Generate a new random salt for each user; do not reuse salts.
Facial recognition & fingerprints
Kirk Skaugen, Senior VP and general manager of Intel's Client Computing Group, said at the Citi Global Technology Conference: "I can confidently say today, you can eliminate all your passwords today, if you buy a 6th Generation Core system." http://goo.gl/dE4j1q
● Sixth generation Intel Core CPU + Windows 10 (Windows Hello program) + Intel's RealSense 3D Camera.
● Or use fingerprint verification/authentication like Touch ID on the iPhone 6.
New methods
● Hashing is dead: long live the passwords.
● https://goo.gl/0rwfkJ
● RSA auth.