Security PS
Evaluating Password Alternatives
Bruce K. Marshall, CISSP, IAM
Senior Security Consultant
bmarshall@securityps.com
Key Presentation Points
• Authentication Model
• Authenticator Characteristics
• Knowledge Based Authenticators
• Possession Based Authenticators
• Biometric Based Authenticators
Identification & Authentication
Identification
• A process for presenting an identity for use.
Authentication
• A process for validating proof of an identity.
Authentication System Model
• Authenticator
• Input
• Transport
• Verification
Authenticator Types
What you know
• Passwords
• Passphrases
• Secret Answers
• Graphical Passwords
What you have
• ID Cards
• Password List
• One-Time Password Tokens
• Certificates & Private Keys
What you are
• Physical Features
• Psychological Traits
Authenticator Characteristics
• Usability: how effectively people can operate the authenticator
• Uniqueness: how distinct the proof is
• Integrity: how difficult the proof is to guess, forge, or steal
• Affordability: how much it costs to buy or maintain
• Accuracy: how often mistakes occur
PINs and Secret Answers
Personal Identification Number (PIN)
• Very simple authenticator
• Difficult to enforce hard-to-guess PINs
• May include non-numeric characters
Secret Answers
• One or more correct answers authenticates an asserted identity
• Users may be allowed to define questions
• Typically a secondary authenticator
Passwords
• Based on a string of characters
• Usually too predictable (i.e. poor uniqueness)
  - Length rarely greater than 8 characters
  - Often consist of words or names
  - Typically composed of lowercase letters
  - Users often think alike when choosing passwords
  - Same password used across systems
  - Not changed frequently enough
• Controlled through requirements for character use, length, and pattern matching
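The three controls named on this slide (length, character use, pattern matching) in working form, as an added example that is not from the presentation. The composition categories mirror the case-study pie chart; the wordlist and the heuristics for "Phrase" are constructed assumptions, not the case-study method.

```python
import re

# Constructed, tiny stand-in for a dictionary wordlist (assumption, not the
# case-study data); a real check would load a full wordlist.
COMMON_WORDS = {"seattle", "password", "summer", "dragon", "monkey", "emmy"}
PREDICTABLE = {"Word", "Word + Number", "Word + Char", "Number",
               "Username", "Username Variation"}


def classify(password: str, username: str) -> str:
    """Bucket a password into the composition categories from the
    case-study pie chart; matching is case-insensitive by design, since
    the point here is structure, not character classes."""
    p, u = password.lower(), username.lower()
    if u and p == u:
        return "Username"
    if u and u in p:                     # e.g. username plus a year
        return "Username Variation"
    if p.isdigit():
        return "Number"
    if p in COMMON_WORDS:
        return "Word"
    m = re.fullmatch(r"([a-z]+)(\d+)", p)
    if m and m.group(1) in COMMON_WORDS:
        return "Word + Number"
    m = re.fullmatch(r"([a-z]+)([^a-z0-9]+)", p)
    if m and m.group(1) in COMMON_WORDS:
        return "Word + Char"
    # Constructed heuristic: spaces or two dictionary words suggest a phrase
    if " " in p or sum(w in p for w in COMMON_WORDS) >= 2:
        return "Phrase"
    return "Other"


def check_policy(password: str, username: str, min_len: int = 8) -> list:
    """Return the list of policy violations (empty means accepted),
    covering length, character use and predictable-pattern matching."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(r, password))
                  for r in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    category = classify(password, username)
    if category in PREDICTABLE:
        problems.append(f"predictable pattern: {category}")
    return problems
```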
Case Study 15 Password Analysis
[Pie chart: CS15 password composition]
• Word 2%
• Word + Number 38%
• Word + Char 7%
• Number 1%
• Username 10%
• Username Variation 27%
• Other 8%
• Phrase 7%
[Chart: CS15 Password Lengths; x-axis: Length (1 to 14); y-axis: Number of Occurrences]
[Pie chart: Cracked 99.6%, Uncracked 0.4%]
[Chart: Cracking Success of L0phtCrack Brute Force Strings; series: CS01, CS15, Random; x-axis: BFS1, BFS2, BFS3, BFS4; y-axis: 0% to 100%]
Password Characteristics
[Rating chart: Usability, Uniqueness, Integrity, Affordability and Accuracy each rated on a Poor / Fair / OK / Good / Excellent scale; the ratings are shown graphically in the original slide]
Passphrases
• Multiple words, typically mixed case with numbers and symbols
• Improvement upon passwords with little user learning curve
• Not much study yet on predictability
“The light of the M00N struck me in June”
“SeattleSeahawksSingSadSongS4ME”
“emmyis7”
Graphical Passwords
• Rely on memory of images to authenticate
• Users select, draw, or manipulate pictures
• Relatively young technology that needs more attention
“What You Have” Authenticators
• Magnetic-stripe cards
• RF & Wiegand cards
• Stored-value cards
• Password lists
One-Time Password (OTP) Tokens
• Generates a new password for each use
• Can be challenge/response-based
• Based on a unique, secret token seed value (and usually synchronized time)
• Implemented with hardware or software
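How a seed-plus-synchronized-time token and its verifier fit together, as an added example that is not from the presentation: the counter-based HOTP construction (RFC 4226), the time-based TOTP variant (RFC 6238), and a verifier that tolerates clock drift while refusing replay of an already-accepted code. The seed is the RFC test-vector secret, used here only as constructed demo data.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 test-vector secret, not a real token's.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): token and verifier share
    only 'seed'; each password is derived from a moving counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of
    'step'-second intervals since the epoch, so both sides need
    synchronized clocks rather than a shared use count."""
    return hotp(seed, int(at_time) // step, digits)


def verify_totp(seed: bytes, candidate: str, at_time: float, used: set,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Verifier side: accept the current step or 'skew' steps either side
    to tolerate clock drift, and record accepted steps in 'used' so a
    captured code is rejected if replayed inside its window."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    now_step = int(at_time) // step
    for delta in range(-skew, skew + 1):
        step_no = now_step + delta
        if step_no in used:
            continue
        if hmac.compare_digest(hotp(seed, step_no, digits), candidate):
            used.add(step_no)
            return True
    return False


def replay_demo(seed: bytes, at_time: float = 59) -> tuple:
    """Accept a fresh code once, then reject the same code presented again."""
    used, code = set(), totp(seed, at_time)
    return (verify_totp(seed, code, at_time, used),
            verify_totp(seed, code, at_time, used))
```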
OTP Token Characteristics
[Rating chart: Usability, Uniqueness, Integrity, Affordability and Accuracy each rated on a Poor / Fair / OK / Good / Excellent scale; the ratings are shown graphically in the original slide]
Digital Certificates
• Rely on the use of private and public keys
• Typically require a Public Key Infrastructure (PKI) for certificate creation, publication, renewal, & revocation
Digital Certificate Characteristics
[Rating chart: Usability, Uniqueness, Integrity, Affordability and Accuracy each rated on a Poor / Fair / OK / Good / Excellent scale; the ratings are shown graphically in the original slide]
Smart Cards
• Microprocessor with memory that can generate and store keys and certificates
• Different form factors and interfaces
• Cryptographic functions using the private key are processed on the card itself
Smart Card Characteristics
[Rating chart: Usability, Uniqueness, Integrity, Affordability and Accuracy each rated on a Poor / Fair / OK / Good / Excellent scale; the ratings are shown graphically in the original slide]
Biometric Authenticators
• “The automated use of physiological or behavioral characteristics to determine or verify identity.” - International Biometrics Group
• Rely on interpretation or ‘minutiae’ of a biometric trait
• Maturing technology and standards
• Increasingly used for physical security
Biometric Authenticators
• Fingerprint = 48%
• Face = 12%
• Hand = 11%
• Eye (Iris) = 9%
• Voice = 6%
• Keyboarding = <1%
* Data source: International Biometrics Group 2004 Market Share
Biometric Characteristics
[Rating chart: Usability, Uniqueness, Integrity, Affordability and Accuracy each rated on a Poor / Fair / OK / Good / Excellent scale; the ratings are shown graphically in the original slide]
Multi-Factor Authenticators
• Stronger authentication?
• Can combine best features
• Might combine worst features
• Do not want an “Ident-I-Eeze”*
* Coined by Douglas Adams in his book Mostly Harmless.
Summary & Call to Action
• Focus on entire authentication system
• Evaluate suitability of authentication solutions for your specific environment
• Do consider the Integrity of authenticators, but don’t forget about other characteristics
• Assess & fortify password dependent systems
• Visit www.passwordresearch.com
Questions?