What do you know about password?
By Guang Ling, Oct. 8th, 2012
What password are you using?
• Before going to the next slide, can you guess what the most used password is?
Some statistics on password
• 4.7% of users have the password password
• 8.5% have the passwords password or 123456
• 9.8% have the passwords password, 123456 or 12345678
• 14% have a password from the top 10 passwords
• 40% have a password from the top 100 passwords
• 79% have a password from the top 500 passwords
• 91% have a password from the top 1000 passwords
Some statistics on password
• thx1138 (turns out this is a movie from forty years back)
• gundam (actually an anime series)
• ncc1701 (codename for the USS Enterprise in Star Trek)
I am not concerned!
So what! I am not using these weak passwords!
What is strong password?
• Common misunderstanding
– The more complex the password, the more secure it is!
What is strong password?
• Measure strength of password using entropy
• So what is the key to the strength of a password?
– Length!
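The entropy argument behind "Length!" can be checked numerically. The following is an added example, not part of the slides: it computes the entropy of a uniformly random password as length × log2(alphabet size) and compares a short password drawn from the full printable-ASCII keyboard with a longer one drawn from lowercase letters only. The alphabet sizes (26, 62, 95) and the example lengths are constructed assumptions for the comparison.

```python
import math

# Alphabet sizes for the comparison (constructed assumptions, not from the slides).
LOWERCASE = 26         # a-z
ALPHANUMERIC = 62      # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95   # every printable ASCII character, i.e. a "complex" password


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from
    alphabet_size ** length possibilities, computed as length * log2(alphabet_size).

    Caveat: this only holds for randomly chosen passwords. A 16-letter dictionary
    phrase is not 75 bits strong, because an attacker guesses phrases, not letters.
    """
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches target_bits of entropy with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def bits_gained_by_complexity(length: int, from_alphabet: int, to_alphabet: int) -> float:
    """Extra bits from switching every position to a richer alphabet (same length)."""
    return length * (math.log2(to_alphabet) - math.log2(from_alphabet))


def bits_gained_by_length(alphabet_size: int, extra_chars: int) -> float:
    """Extra bits from appending extra_chars more characters of the same alphabet."""
    return extra_chars * math.log2(alphabet_size)


def compare_short_complex_vs_long_simple(short_len: int = 8, long_len: int = 16) -> dict:
    """The slide's point in numbers: a longer lowercase-only password beats a shorter
    one that uses the whole keyboard."""
    short_complex = entropy_bits(short_len, PRINTABLE_ASCII)
    long_simple = entropy_bits(long_len, LOWERCASE)
    return {
        "short_complex_bits": round(short_complex, 1),
        "long_simple_bits": round(long_simple, 1),
        "length_wins": long_simple > short_complex,
        # How many extra lowercase letters buy the same gain as "going complex" at 8 chars
        "lowercase_chars_equal_to_complexity": math.ceil(
            bits_gained_by_complexity(short_len, LOWERCASE, PRINTABLE_ASCII) / math.log2(LOWERCASE)
        ),
    }


if __name__ == "__main__":
    for key, value in compare_short_complex_vs_long_simple().items():
        print(f"{key}: {value}")
    for alphabet in (LOWERCASE, ALPHANUMERIC, PRINTABLE_ASCII):
        print(f"alphabet {alphabet}: {length_for_bits(80, alphabet)} chars for 80 bits")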
Wait, is your password secure?
I am not concerned!
HAHA!!! My password is impossible to crack!
You should be concerned!
• Recent password leakage incidents in China
– On December 22nd, 2011, the famous programmer forum CSDN had its server hacked and 6,000,000 user accounts leaked
– On December 25th, 2011, the user accounts of 天涯, one of the major discussion forums in China, were leaked and 40,000,000 accounts exposed
– In the following weeks, 人人网 (5m), 多玩网 (8m), 猫扑 (10m), 开心网, 世纪佳缘, 百合网 and 美空 all had at least part of their accounts leaked
You should be concerned!
• To make things worse, passwords leaked from CSDN and 天涯 are all in clear text!
WHAT!!!!!! I use this username/password combination for every website!!!
You should be concerned!
• Someone claimed that 人人网's database is also in clear text; it turns out that this might not be true
• However, only 0.84% (4001/4768600) of the passwords cannot be cracked
A peek at the leaked password files
Server-side password
• To better understand how to secure our online identity, let’s take a short detour to talk about password transmission and storage.
Password storage
• Form of password storage
– Clear text
– Hash
– Salted hash

Hash:
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366
hash("waltz") = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542

Clear text:
hello
Hbllo
waltz

Salted hash:
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1
hash("hello" + "bv5PehSMfV11Cd") = d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab
hash("hello" + "YYLmfY6IehjZMQ") = a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007
Password storage
• Clear text
– Simple and easy to implement
– May be viewed by website administrators and employees
– May be viewed by hackers
– Most insecure
– Never store passwords in clear text
hello
Hbllo
waltz
Password storage
• Hash
– Use a cryptographic hash function to hash the password and obtain a fixed-length digest
– MD5, SHA-1, SHA-512, WHIRLPOOL
– Store the digest (hash) instead of the password
– Better than clear text
– Vulnerable to attack when the password length is short
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366
hash("waltz") = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542
Password storage
• Offline attack on hashes
– Cryptographic hash functions are designed to be secure, i.e. it is hard to find a phrase such that Hash(phrase) = given digest
– But hash values are vulnerable to the following methods of attack
• Dictionary and brute force attack
• Lookup tables and rainbow tables
Hash attack
• Dictionary attack and brute force attack
• Lookup tables and rainbow tables
– Pre-compute the hash for all possible combinations up to a length limit
– Free hash cracker at here
– Hash crackers that can crack all combinations up to length 8 for MD5, NTLM, LM and SHA1 exist (5711GB of data)

Dictionary Attack
Trying apple : failed
Trying blueberry : failed
Trying justinbeiber : failed
...
Trying letmein : failed
Trying s3cr3t : success!

Brute Force Attack
Trying aaaa : failed
Trying aaab : failed
Trying aaac : failed
...
Trying acdb : failed
Trying acdc : success!
Password storage
• Salted hash
– Rainbow table attacks render most short passwords the same as clear text
– Hash the password together with a salt (a randomly generated string) to obtain a hash; store the hash and the salt value
– Cannot be pre-computed because of the salt
– Can be cracked by brute force if the password strength is weak
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1
hash("hello" + "bv5PehSMfV11Cd") = d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab
hash("hello" + "YYLmfY6IehjZMQ") = a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007
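The three storage forms and the two preceding slides on hash attacks can be tied together in one small program. This is an added example, not code from the slides: it stores a password as an unsalted SHA-256 digest and as a salted digest, builds the kind of pre-computed digest-to-plaintext table that a lookup or rainbow table generalises, and shows that the table recovers the unsalted record in one lookup while it is useless against the salted record, which has to be guessed one word at a time with that user's salt. SHA-256 is used only because the slide's digests are SHA-256 values; the wordlist, the 16-byte salt size and the sample password are constructed assumptions. A real deployment would put a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) in place of the bare SHA-256.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the demonstration. A real lookup table is the same idea
# with billions of entries; the principle does not change.
WORDLIST = ["apple", "blueberry", "letmein", "s3cr3t", "hello", "waltz"]


def plain_hash(password: str) -> str:
    """'Hash' storage form: one unsalted SHA-256 digest of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """'Salted hash' storage form: hash(salt || password); the salt is random per user."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """The one-time pre-computation behind lookup/rainbow tables: digest -> plaintext.
    It is built once and reused against every unsalted database ever leaked."""
    return {plain_hash(w): w for w in words}


def crack_with_table(table: dict, stored_digest: str):
    """Recovering an unsalted record costs a single dictionary lookup."""
    return table.get(stored_digest)


def store_salted(password: str) -> tuple:
    """Server-side enrolment: fresh 16-byte salt (assumed size), keep (salt, digest)."""
    salt = os.urandom(16)
    return salt.hex(), salted_hash(password, salt)


def verify_salted(password: str, salt_hex: str, stored_digest: str) -> bool:
    """Server-side login check; compare_digest keeps the comparison constant-time."""
    recomputed = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored_digest)


def guesses_needed_salted(words, salt_hex: str, stored_digest: str):
    """Against a salted record the pre-computed table is useless: each guess must be
    re-hashed with this user's salt. Returns how many guesses it took, or None when the
    password is not in the wordlist. A weak password still falls after a few guesses,
    which is the slide's last point: salting is no substitute for password strength."""
    salt = bytes.fromhex(salt_hex)
    for n, w in enumerate(words, start=1):
        if salted_hash(w, salt) == stored_digest:
            return n
    return None


def demo(password: str = "s3cr3t") -> dict:
    """Run the comparison for one constructed password and return the results."""
    table = build_lookup_table(WORDLIST)
    unsalted_record = plain_hash(password)
    salt_hex, salted_record = store_salted(password)
    return {
        "table_cracks_unsalted": crack_with_table(table, unsalted_record),
        "table_cracks_salted": crack_with_table(table, salted_record),
        "guesses_against_salted": guesses_needed_salted(WORDLIST, salt_hex, salted_record),
        "login_ok": verify_salted(password, salt_hex, salted_record),
        "login_wrong": verify_salted(password.upper(), salt_hex, salted_record),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two records with the same password get different salts and therefore different digests, so one stored digest never tells an attacker which other users chose the same password; that is a second benefit of salting beyond defeating pre-computation.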
Password transmission
• Password can be transmitted to the server in different forms and through different channels
– Forms: clear text vs. hash
– Channel: unencrypted vs. encrypted
Password transmission
Clear text
• May be eavesdropped during transmission
Hash
• An eavesdropper can get at most your password's hash
• Looks like transmitting the hash is a good idea!
– Not really
– If the hash instead of the clear text is transmitted, the intruder can fake the identity of the user by sending the hash
Password transmission
Unencrypted
• No overhead
• Insecure
Encrypted
• Some overhead, negligible with today's hardware speed
• Secure
• A website should use an encrypted connection channel for user login whenever possible
Best practice on a login server
• Store the password in salted hash form
• Encrypt the login page and every page if possible
• Transmit the password instead of the hash
How to manage our password?
• Never use the same password for different sites
• Use long and strong passwords
• Use rule-based methods to ease the management of passwords
[password] = 2 * ([username identifier (lowercase / uppercase)] + [username length] + [.] + [site identifier (uppercase / lowercase)])
Example: [email protected], password is: gk8.GM GK8.gm
[email protected], password is: ssh10.HTSSH10.ht
How to manage our password?
• Use a dedicated password manager
– 1Password
– LastPass
LastPass
• The last password you should remember
– It saves your passwords and automatically fills them in when you open a website
LastPass
• The last password you should remember
– It generates secure passwords
LastPass
• The last password you should remember
– It is safe
• All your stored information is encrypted using 256-bit AES
– Even if LastPass is hacked, your information will not leak
• An encrypted channel is used exclusively for all communications
• Only you know the decryption key
– LastPass has no access to your information
LastPass
• One thing that concerned me when I first started to use LastPass
– The login key and the decryption key are the same???!!!
– They are not
• A hash of your master key is used for login
• The combination of your username and master key (in the original form) is passed through PBKDF2-SHA256 (using a lot of iterations) to generate the decryption key
• However, you do need a long and strong master password so that recovering it from the hash is infeasible
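The separation the slide describes, one key for the vault and a different value for login, both derived from the master password, can be shown with the standard library's PBKDF2. This is an added illustration of that design and not LastPass's code; the iteration count, the use of the username as salt, and the choice to derive the login value from the encryption key with one more PBKDF2 round are assumptions made for the example, as are the sample username and master password.

```python
import hashlib
import hmac

# Assumed parameters for the illustration (not LastPass's actual values).
ITERATIONS = 100_000   # "a lot of iterations": each offline guess of the master password costs this much
KEY_LEN = 32           # 256-bit key, matching the 256-bit AES mentioned on the slide


def derive_encryption_key(username: str, master_password: str) -> bytes:
    """Vault decryption key: PBKDF2-SHA256 over the master password, salted with the
    username (assumed salt choice). It is computed on the client and never sent."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.lower().encode("utf-8"),
        ITERATIONS,
        dklen=KEY_LEN,
    )


def derive_login_hash(username: str, master_password: str) -> bytes:
    """Value sent to the server for login: one further one-way PBKDF2 round over the
    encryption key, keyed with the master password (assumed construction). The server
    can check it without ever holding the encryption key."""
    enc_key = derive_encryption_key(username, master_password)
    return hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def server_login_ok(stored_login_hash: bytes, presented_login_hash: bytes) -> bool:
    """Server side: constant-time comparison of the presented value with what it stored.
    The slide's caveat applies here: what the server stores can be attacked offline if
    it leaks, so the master password must be long enough to make guessing infeasible."""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)


def keys_are_separated(username: str, master_password: str) -> bool:
    """The property the slide is reassuring about: the login value and the vault key differ,
    and the login value is derived one-way from the key, so holding it yields no key."""
    return derive_login_hash(username, master_password) != derive_encryption_key(username, master_password)


if __name__ == "__main__":
    user, master = "alice", "correct horse battery staple"   # constructed sample values
    stored = derive_login_hash(user, master)                  # what the server keeps at signup
    print("keys separated:", keys_are_separated(user, master))
    print("login with right password:", server_login_ok(stored, derive_login_hash(user, master)))
    print("login with wrong password:", server_login_ok(stored, derive_login_hash(user, master + "!")))
```

Because the username is part of the salt, two users with the same master password still get different vault keys and different login values, and a leaked login value for one user cannot be reused to attack another.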
• References and picture sources:
– http://www.troyhunt.com/2011/07/science-of-password-selection.html
– http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
– http://www.guokr.com/article/61644/
– https://xato.net/passwords/more-top-worst-passwords/
– http://crackstation.net/hashing-security.htm