Choosing strong passwords
Download as PPTX, PDF0 likes306 views
This document discusses the illusion of protection from encrypting files and transmitting passwords. It argues that large organizations are high-profile targets, and personal and business information is at risk from well-funded enemies and skilled hackers. Password generation is challenging, and rules intended to strengthen passwords may actually reduce security by limiting possibilities. The document advocates random passwords or password generation services as more secure options. It also outlines how passphrase-based encryption of documents works at a high level.
![ Generating a random password is harder than it looks
Randomness does not occur naturally in language
(English language entropy [sensible language] – 1.5 bits/character)
Password generation algorithms are patterns
Pick a word/phrase and mix it up
n0tY0urP@ssw0rd - Letme!n123 - P@tri0tsRule!!
Mash the keyboard in a pattern
1234!@#$qwerQWER - 12qw!@QW
Password Complexity Rules just limits the usable algorithms
E.g. cat*town_horse_buddy;itself”computer-
drapes%query_limits^yuletide@notices
Strong passwords don’t always meet complexity rules (no caps, no numbers!)
Rules and patterns severely limit search space
Hackers don’t have to test millions of passwords that don’t meet the
complexity criteria
True randomness doesn’t have rules
Rules give hackers too much information about the password](https://image.slidesharecdn.com/choosingstrongpasswordsdemil-130225070235-phpapp01/85/Choosing-strong-passwords-4-320.jpg)
![How encryption is implemented with passphrase-based software
SECRET INFO
Passphrase
Random
Number PBKDF2 AES-128
Generator
Salt AES Key Encrypted
INFO
Compress
& Package
(ZIP)
Encrypted Doc
[and that’s a simplified version of the flow-chart]](https://image.slidesharecdn.com/choosingstrongpasswordsdemil-130225070235-phpapp01/85/Choosing-strong-passwords-7-320.jpg)
Choosing strong passwords
- 1. The Illusion of protection (commentary on passing encrypted data via files)
- 2. Anywhere in US = high profile target Large Organizations have a large target profile Example: With 50,000 users, SOMEONE is going to have the password: *1Passw0rD* Access to home machines gives access to work most of the time Personal AND business information at risk
- 3. Well-funded enemies of the state International Criminal Organizations State-sponsored enemies Hackers with almost unlimited free time Anonymous / Lulz Sec Logistics for all Corporate Resourcing for Hire Cloud Services – AWS, Google Cloud, etc. Each generation has a knowledgebase upon which to build Our children have access to more knowledge than ever before in history Distribution channels for new attacks Internet – fastest distribution methodology history has known
- 4. Generating a random password is harder than it looks Randomness does not occur naturally in language (English language entropy [sensible language] – 1.5 bits/character) Password generation algorithms are patterns Pick a word/phrase and mix it up n0tY0urP@ssw0rd - Letme!n123 - P@tri0tsRule!! Mash the keyboard in a pattern 1234!@#$qwerQWER - 12qw!@QW Password Complexity Rules just limits the usable algorithms E.g. cat*town_horse_buddy;itself”computer- drapes%query_limits^yuletide@notices Strong passwords don’t always meet complexity rules (no caps, no numbers!) Rules and patterns severely limit search space Hackers don’t have to test millions of passwords that don’t meet the complexity criteria True randomness doesn’t have rules Rules give hackers too much information about the password
- 5. Secure password transmission Recommendation #1 – Users should transmit passwords over alternate medium Assumption is that if someone can get the document, they can also get the email. The level of risk already inherent in the transmission Passwords should not be written down, even in emails Key changes should be done with all personnel changes (minimum) Encoding passwords to be easy to remember Train users to get random! Five RANDOM common words (tomboy, skateboard, caterpillar, the, mouse) Estimated 55 bits of entropy based on a working vocabulary of 2048 words Add entropy with personal rules of insertion/capitalization and numbers/symbols Compare to ideal AES-128 key = 128 bits of entropy (2^73 x LESS entropy!) Compare to AES-256 key = 256 bits of entropy (2^201 x LESS entropy!) Technical Controls Ensuring adequate salt (randomness) for AES key Change salt length to match length of encryption key (32 bytes/256 bits) Forced password complexity (? – better than nothing – but good enough - ?) Enforcing simple rules can actually REDUCE available entropy Improving password complexity rules to force more entropy
- 6. Assigning passwords (give entropy to users) Because humans aren’t random – password generation should be ‘more’ random Password Generation as a Service Secure Data Exchange Gateways Encrypted IM Encrypted email
- 7. How encryption is implemented with passphrase-based software SECRET INFO Passphrase Random Number PBKDF2 AES-128 Generator Salt AES Key Encrypted INFO Compress & Package (ZIP) Encrypted Doc [and that’s a simplified version of the flow-chart]
- 8. Almost everyone in IT knows AES! Encryption algorithm Current standard (Rijndael) Advancement from DES/Triple-DES Securing document is not just encryption Encryption needs keys Keys require handling / (Key Management) Key management requires a chains of trust Secure generating and trading of random keys is HARD Few have heard of PBKDF2 Used to ‘passphrase’-protected documents (pseudo-random keys from simple passphrases) Creates AES encryption keys from Passphrases One-way algorithm (like a blender) Having the output you can’t get the input Flexible control # of cycles directly related to time to compute results Added entropy salted in by user (take the pseudo- out of pseudo-random with entropy)
- 9. gr@pe_Pudd1ng SECRET INFO random AES combo one-way hash 101010101010101101011100 001010111011011010000111 101011010100110101001010 AES – pick-proof, complex Salt added to recipe ensures randomness for AES key Email 2 Email 1 Entropy comes from recipe complexity. A passphrase is created with a recipe that describes it. Salt and locked safe delivered to recipient
- 10. Control of this is possible only with Email 2 ONLINE system controls – not offline documents and files 29 million tries per hour ? If attacker has access to emails already, trying every OTHER Attacker has access to Salt so email in the random entropy of AES key does mailbox will be not interfere with trials quick and easy! Highly-automated Blender ($329) 29,064,960 recipes/hour (yes, 29 MILLION!) The complexity of the recipe and number of potential ingredients is the only thing preventing them from duplicating the secret formula to recreate the AES key. Note the attacker does not directly brute force AES keys! With online password systems, we can control speed of attacks with login controls such as timeouts and lockout.
- 11. 100000 Vocabulary 1 100000 100,000 phrases 1 Capital letter 1 1 32 typewriter symbol 1 32 10 number 1 10 4 number/cap/sym position 3 64 Attacker can choose capital speed/cost 32 GPUs @$250 ea $ 10,528.00 Attacker capital resources Total $ 15,328.00 2,048,000,000 2.20 hours 0.09 days Amazon GPU Cloud* $ 81.03 16 AWS GPU instances With cloud computing - attacker no longer worries about capital costs! *Amazon GPUs not this fast (yet) -erring on side of caution Worksheet simulation to examine how password rules/complexity affect attacker cost Based on attack against MS Word 2010 PBKDF2 algorithm of 100,000 cycles – Assumption based on using an ATI Radeon HD 5970 – Online price $329 --- (published attack speed of 20,184 passes/sec with COTS package)