Date: Saturday, February 8, 2025
PASSWORDS
An instructional lecture on password basics
Presented By:
KHAN FARHAN RAFAT
International Islamic University, Islamabad
Copy right © 2008
Your Password is Your Identity & Your Privacy
Contents
Intended Audience & Objectives
Definition & Usage
Importance
Difficulties
Password ATTACKS
Strong Password Requirements
PW Construction Techniques
How to test Password Strength
Recommendation
Beyond Passwords
Summary
Audience and Objectives
Intended Audience:
• All persons concerned about ways to protect their identity and privacy in the information age through a better understanding of passwords and their protection
Objectives:
• Recognize the relationship between authentication and both identity and privacy
• Recognize the role of passwords in authentication
• Agree that strong passwords and password practices contribute to the protection of identity and privacy
• Distinguish weak passwords from strong ones
• Identify a tool helpful to those who have many passwords to maintain
Definition
A password is information associated with an entity that confirms the entity’s identity.
• It may be a string of letters, numbers, or a mix of both (alphanumeric).
Importance
• It is the virtual key to our systems, our accounts and our e-mail.
Difficulties
• Because of the huge number of user IDs and passwords that an individual must remember, one often reuses the same user ID and password wherever possible. Thus, when a password used for access to multiple systems is compromised, all of those systems become vulnerable.
• If different levels of authorization are tied to different user IDs and passwords, then the number of passwords that one must remember grows even more.
• Individuals other than the user can alter a user’s password. This situation has several associated problems:
– Does a request for a password change really come from the assigned user?
– It usually requires a temporary password that the user may not reset.
– Someone with administrative privileges may inappropriately misuse a person’s account.
Passwords in the Context of Your Identity and Privacy
• Passwords / Identity / Privacy
• Attackers who obtain your password can authenticate themselves on various systems and in turn:
– access your personal information (invade your privacy);
– impersonate you by acting on your behalf (steal your identity).
Factoid: Password mechanisms and their users form a socio-technical system, whose effectiveness relies strongly on the users’ willingness to make the extra effort that security-conscious behavior requires.
Facts Worth Remembering
You now know passwords in the context of your identity and privacy. Now let’s explore a few password facts worth remembering…
Password Facts Worth Remembering
• Protection of your identity and privacy in the information age hinges on sound password knowledge and practice.
• Those who do not use strong passwords and password practices are often their own worst enemy.
• If you feel you have too many passwords to remember, consider using a password vault (e.g., Password Safe).
• The risks are real, they affect you either directly or indirectly, and they can be diminished by using strong passwords and password practices.
Factoid: [Studies] have shown that current password mechanisms have largely failed to consider usability, and that, given the increasing number of systems and passwords, most users cannot cope with the demands imposed on them.
Password Safe
• Many computer users today have to keep track of dozens of passwords: for network accounts, online services, premium web sites.
• With Password Safe, a free Windows 9x/2000 utility from Counterpane Labs, users can keep their passwords securely encrypted on their computers. A single Safe Combination, just one thing to remember, unlocks them all.
• Password Safe features a simple, intuitive interface that lets users set up their password database in minutes.
• Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.
• You can learn more about this product by visiting http://www.counterpane.com/passsafe.html
Types of ATTACKS
Social engineering
• Impersonation, phishing, bribery, login spoofing.
Protocol weakness
• Keystroke logging, dumpster diving, Google hacking.
• Wiretapping, side-channel attacks (timing, acoustic, etc.).
Guessing
• Brute force, dictionary, smart dictionary.
• Victim-specific databases.
• Rainbow tables, hybrids.
(The slide arranges these attacks on a scale from low tech to high tech.)
HASH Function - UNIX
Loading a new password
(Figure: the 56-bit password and a 12-bit salt are fed into crypt(3); the 11-character output Epwd[salt, 0] is stored together with the salt under the user ID.)
Each user selects a password of up to eight printable characters in length. This is converted into a 56-bit value (using 7-bit ASCII) that serves as the key input to an encryption routine. The encryption routine, known as crypt(3), is based on DES. The DES algorithm is modified using a 12-bit “salt” value. Typically, this value is related to the time at which the password is assigned to the user. The modified DES algorithm is exercised with a data input consisting of a 64-bit block of zeros. The output of the algorithm then serves as input for a second encryption. This process is repeated for a total of 25 encryptions. The resulting 64-bit output is then translated into an 11-character sequence.
HASH Function - continued
Verifying a Password
(Figure: the user ID selects the stored salt and encrypted password; the supplied password and the stored salt are run through crypt(3) and the result is compared with the stored value Epwd[salt, 0].)
HASH Function - continued
The ciphertext password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID.
The salt serves three purposes:
• It prevents duplicate passwords from being visible in the password file. Even if two users choose the same password, those passwords will be assigned at different times. Hence, the “extended” passwords of the two users will differ.
• It effectively increases the length of the password without requiring the user to remember two additional characters. Hence, the number of possible passwords is increased by a factor of 4096, increasing the difficulty of guessing a password.
• It prevents the use of a hardware implementation of DES, which would make a brute-force guessing attack easier.
When a user attempts to log on to a UNIX system, the user provides an ID and a password. The operating system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted password, which are used as input to the encryption routine. If the result matches the stored value, the password is accepted.
The encryption routine is designed to discourage guessing attacks. Software implementations of DES are slow compared to hardware versions, and the use of 25 iterations multiplies the time required by 25. However, since the original design of this algorithm, two changes have occurred. First, newer implementations of the algorithm itself have resulted in speedups. For example, the Internet worm was able to do on-line password guessing of a few hundred passwords in a reasonably short time by using a more efficient encryption algorithm than the standard one stored on the UNIX system. Second, hardware performance keeps increasing, so that any software algorithm executes more quickly.
HASH Function - continued
THREATS TO THE UNIX PASSWORD SCHEME
A user can gain access to a machine using a guest account or by some other means and then run a password guessing program, called a password cracker, on that machine. The attacker should be able to check hundreds and perhaps thousands of possible passwords with little resource consumption. In addition, if an opponent is able to obtain a copy of the password file, the cracker can be run on another machine at leisure. This enables the opponent to run through many thousands of possible passwords in a reasonable period.
Google Hacking
• A Google search for the hash of a common password finds matches, because no salting was done.
• Private data is available on the web!
• Password “security” of this kind is a joke.
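The two UNIX slides and the Google-hacking slide above make one point between them: a per-user salt stored in the clear beside the digest stops identical passwords from being visible in the file and stops a precomputed table (or a web search) from answering a lookup. The following Python example is added here and is not the lecture’s code. It models the crypt(3) flow (salt stored beside the digest, verification by recomputing with the stored salt and comparing) but substitutes PBKDF2-HMAC-SHA256 for the 25 DES rounds and a 12-byte random salt for the 12-bit one; the table of unsalted MD5 digests stands in for the web search, and the user names and passwords are constructed.

```python
"""Salted versus unsalted password storage, modelled on the UNIX crypt(3) flow."""
import hashlib
import hmac
import os

# Constructed stand-in for the web search on the slide: unsalted MD5 digests of
# common passwords, as an attacker would precompute or find already published.
COMMON_PASSWORDS = ["password", "123456", "security", "letmein", "qwerty"]
UNSALTED_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_digest(password: str) -> str:
    """The weak scheme: the same password always produces the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(digest: str):
    """Recover a password from an unsalted digest by table lookup; no cracking needed."""
    return UNSALTED_TABLE.get(digest)


# Salted scheme with the same shape as crypt(3): a per-user salt is stored in the
# clear beside the digest, and verification recomputes with the stored salt.
# PBKDF2-HMAC-SHA256 replaces the 25 DES rounds (assumption, not the slide's
# algorithm); the salt is 12 random bytes rather than crypt(3)'s 12 bits.
ITERATIONS = 100_000
SALT_BYTES = 12


def make_record(password: str, salt: bytes = b"") -> str:
    """Return 'salt$digest' as it would be stored in the password file."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Take the stored salt, recompute the digest, and compare in constant time."""
    salt_hex, stored_digest = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), stored_digest)


def same_password_same_record(password: str) -> bool:
    """Do two users who pick the same password get identical records? Salted: no."""
    return make_record(password) == make_record(password)


def demo() -> dict:
    """Run both schemes over constructed users and return the observations."""
    users = {"alice": "security", "bob": "security", "carol": "Ju1ce&Escape"}
    unsalted = {u: unsalted_digest(p) for u, p in users.items()}
    salted = {u: make_record(p) for u, p in users.items()}
    return {
        # alice and bob are visibly the same password in the unsalted file ...
        "unsalted_duplicates_visible": unsalted["alice"] == unsalted["bob"],
        # ... and the password falls to a single table lookup
        "unsalted_recovered": lookup_unsalted(unsalted["alice"]),
        # salted records differ even though the passwords are identical
        "salted_duplicates_visible": salted["alice"] == salted["bob"],
        "salted_recovered": lookup_unsalted(salted["alice"].split("$")[1]),
        "verify_correct": verify("security", salted["bob"]),
        "verify_wrong": verify("Security", salted["bob"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the one the slide makes about crypt(3): the salt is not secret, it only forces the attacker to recompute every guess per user instead of once for the whole file, and a slow, iterated function multiplies the cost of each of those recomputations.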
Strong Password Requirements
Minimum Security Requirements
A minimum of eight (8) characters
With at least one (1) alpha character and at least one
(1) numeric character
Recommended options
Use of special characters – only ones found on the
keyboard – like: ! @ # $ % ^ & * ( )
Requirement’s importance
The following statistics show the estimated time to crack a password:
Assuming a 1 GHz Pentium processor that performs 1 billion instructions per second
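The crack-time table that belongs with the slide above is not reproduced on this page, but the figure it rests on is: one billion guesses per second. The following Python example is added here (it is not the lecture’s code) and computes what that rate implies for a worst-case exhaustive search, alongside a check of the slide’s minimum requirement. The character-class sizes (26 lower, 26 upper, 10 digits, 32 printable punctuation marks) and the assumption of one guess per instruction are this example’s, not the slide’s. It shows the caveat a practitioner would want: “abc12345” satisfies the minimum yet falls in under an hour, while the longer mixed-class “Ju1ce&Escape” takes millions of years by this exhaustive-search measure (dictionary and hybrid attacks, which the slides list separately, are a different calculation).

```python
"""Minimum-requirement check and worst-case brute-force time at 1e9 guesses/second."""
import string

# The slide's 1 GHz Pentium at one guess per instruction (assumption of this example).
GUESSES_PER_SECOND = 1_000_000_000


def meets_minimum(password: str) -> bool:
    """The slide's minimum: at least 8 characters, one letter and one digit."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, from the classes actually used."""
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    return sum(size for test, size in classes if any(test(c) for c in password))


def worst_case_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Exhaustive search of charset^length at the given guess rate."""
    return charset_size(password) ** len(password) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit (365.25-day years)."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def assess(password: str) -> dict:
    """Combine the requirement check with the worst-case crack-time estimate."""
    return {
        "meets_minimum": meets_minimum(password),
        "charset": charset_size(password),
        "worst_case": human_time(worst_case_seconds(password)),
    }


if __name__ == "__main__":
    for pw in ("abc12345", "juice&escape", "Ju1ce&Escape"):
        print(pw, assess(pw))
```

The estimate is an upper bound: it assumes the attacker knows nothing about the password except its length and character classes. Any structure (a dictionary word, a keyboard pattern, a common substitution) lets a smarter search finish far sooner.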
Password Management
If I told you how many people write down their passwords, you would laugh (or cry).
The key to good password management is to treat the password like your ATM PIN:
• Keep it to yourself
• Do not write it down
• Do not share it with anyone
PW Construction Techniques
Try to use phrases rather than one word
Join phrases together with special characters – such as & + @
Substitute letters with numbers where you can (examples follow)
Use upper and lower case characters
Use phrases you are comfortable with – things you know and can remember
Substitute Method (Letter)
part → p4rt
part → p@rt
last → la5t
last → la$t
moon → m00n
good → 9o0d
• You can create your own table.
Remember: at least eight (8) characters
Password Strength
Examples checked with http://www.securitystats.com/tools/password.php:
juice&escape: approximately 4 out of 10 (weak password)
Ju1ce&Escape: approximately 8 out of 10 (strong password)
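The attack list earlier in the deck names “smart dictionary” and “hybrids”, and the Substitute Method slide gives exactly the table such an attacker enumerates. The following Python example is added here and is not the lecture’s code: it runs a small hybrid attack that tries every substitution and capitalisation of each dictionary word, then every two-word phrase joined with the special characters the construction slide suggests, so “Ju1ce&Escape” falls to a seven-word list in well under a hundred thousand guesses. The word list, SHA-256 as the stored (unsalted) hash, the joiner set and the i→1 rule (taken from the Ju1ce example rather than the table) are assumptions of this example.

```python
"""Smart-dictionary (hybrid) attack that enumerates the slide's substitution table."""
import hashlib
import itertools

# The Substitute Method table, plus i->1 as used in the "Ju1ce&Escape" example.
SUBSTITUTIONS = {
    "a": ("a", "4", "@"),
    "s": ("s", "5", "$"),
    "o": ("o", "0"),
    "g": ("g", "9"),
    "i": ("i", "1"),
}
# Plain concatenation plus the joiners the construction slide suggests.
JOINERS = ("", "&", "+", "@")


def variants(word: str):
    """Yield every substitution variant of a word, lower case and capitalised."""
    seen = set()
    choices = [SUBSTITUTIONS.get(c, (c,)) for c in word.lower()]
    for combo in itertools.product(*choices):
        base = "".join(combo)
        for candidate in (base, base.capitalize()):
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def sha256_hex(text: str) -> str:
    """Stand-in for the stored unsalted hash (assumption of this example)."""
    return hashlib.sha256(text.encode()).hexdigest()


def smart_dictionary_attack(target_digest: str, wordlist):
    """Try single words, then two-word phrases; return (password, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in variants(word):
            guesses += 1
            if sha256_hex(candidate) == target_digest:
                return candidate, guesses
    for first, second in itertools.permutations(wordlist, 2):
        for joiner in JOINERS:
            for left in variants(first):
                for right in variants(second):
                    guesses += 1
                    candidate = left + joiner + right
                    if sha256_hex(candidate) == target_digest:
                        return candidate, guesses
    return None, guesses


# Constructed mini word list; a real attack uses hundreds of thousands of words.
WORDLIST = ["part", "last", "moon", "good", "juice", "escape", "password"]

if __name__ == "__main__":
    for secret in ("p@rt", "9o0d", "Ju1ce&Escape"):
        found, guesses = smart_dictionary_attack(sha256_hex(secret), WORDLIST)
        print(f"{secret!r}: recovered {found!r} after {guesses} guesses")
```

The multiplier the substitution table buys is the product of the per-letter choices, a few dozen to a few hundred variants per word. At the one-billion-guesses-per-second rate used earlier in the deck, the single-word variants of a 100,000-word list are exhausted in a fraction of a second; the strength rating of 8 out of 10 above measures character classes, not resistance to this search.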
Recommendations
You have a responsibility to protect information assets
Stronger passwords protect your integrity & safeguard your
information and reputation
Use a combination of letters, numbers, characters and punctuation
Have fun creating your lists of passwords – use the tools available
to help you
Use words that are familiar to you and easily remembered
Beyond Passwords
What about biometrics?
• Biometric identification is good.
• Biometric authentication is worthless: a biometric is not a secret and cannot be changed once it has been copied.
PAKE (Password-based Authenticated Key Exchange)
• “Bootstraps” a password into a strong cryptographic key.
• Applicable only in a limited set of scenarios.
Smart Cards
• Reduce information security to physical security.
• Tangible, easy to understand.
• Legal, economic and law-enforcement infrastructure exists to deal with theft.
• Single sign-on without trusting a third party.
• Reduces typing, minimal hassle.
References
1. Matt Bishop (2003). Computer Security. Pearson Education, Inc. ISBN 0-201-44099-7.
2. Michael Whitman & Herbert Mattord (2003). Principles of Information Security. Course Technology, a division of Thomson Learning, Inc. ISBN 0-619-06318-1.
3. Benny Pinkas & Tomas Sander (2002). Securing passwords against dictionary attacks. Proceedings of the 9th ACM Conference on Computer and Communications Security.
4. Dirk Weirich & Martina Angela Sasse (2001). Pretty good persuasion: a first step towards effective password security in the real world. Proceedings of the 2001 Workshop on New Security Paradigms.
5. Peter G. Neumann (1994). Risks of passwords. Communications of the ACM, Volume 37, Issue 4.
6. Anne Adams & Martina Angela Sasse (1999). Users are not the enemy. Communications of the ACM, Volume 42, Issue 12.
7. Elinor Abreu (2000). Kevin Mitnick bares all. NetworkWorldFusion News Online (28 September 2000) [cited July 26, 2003]. http://www.nwfusion.com/news/2000/0928mitnick.html
8. Counterpane Internet Security (2003). Password Safe software [cited July 26, 2003]. http://www.counterpane.com/passsafe.html
9. United States Department of Defense Computer Security Center (1985). Department of Defense Password Management Guideline. CSC-STD-002-85, Library No. S-226,994 [cited July 26, 2003]. http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-002-85.html
Thank You