
Uploaded by bambinodoux on 11-Dec-2015

DESCRIPTION

Presented at BALCCoN2K15

TRANSCRIPT

Passwords & Passphrases

● Member of Belgrade hackerspace (HKLBGD) – Sunday crypto workshop.

● Writing for Libre online magazine (FLOSS)

● Name: Simović Petar

● I study computer science at the Faculty of Mathematics, University of Belgrade

Agenda

● Introduction to passwords and pass phrases

● Measuring password/pass phrase strength

● Service – consumer handling of secrets: why passwords might be dead

● Password hacking: phishing, brute force, social engineering

● Alternative methods of authentication

What's wrong with my P4$$w0rd?

● Very weak & easy to remember. Replacing 's' and 'o' with '$' and '0' won't help you much.

● Or hard to remember & secure, so users reuse them.

● And if not random -> guessable by social engineering.

People are not very good at creating truly random passwords; more than that, we are a species of patterns. And it is hard to remember dozens of different nonsense passwords with numbers and special characters.

[Image: "Security Blanket" by Lorrie Faith Cranor – the 1,000 most used passwords]

Most used Pa$$w0rds

So, what is a pass phrase?

● Short answer: it is just a phrase.

● Long answer: it contains a few words, not necessarily from a dictionary; the words should be picked at random, not from a book or website.

● What are good and secure pass phrases?

● How to generate them?

Secure pass phrase?

● “pass-phrase1 pass-phrase2 pass-phrase3”

● “My pass phrase is hard to guess”

● “Correct horse battery staple”

● “red cross healthy pharmacy medicine”

● “yeti permutes kilobyte visas skin”

● “red green blue cyan magenta yellow”

● “police gun cuffs undercover sheriff”


Pass phrase advantages

● Easier to create – maybe not for humans

● Easier to remember

● So no need to write it down or use a password manager

● Automated attacks are hard – a [verb adjective noun?] pattern can be guessed, but a phrase done right (random words) needs brute force

● More secure?

● ...

Diceware

● Method for manually generating pass phrases

● Why? Is your PRNG compromised, or are you paranoid?

● How? Diceware wordlist, dice, paper and pen: http://goo.gl/swgFz

Entropy – Shannon entropy

● log2(character set size ^ password length)

● For example: an 8-character password drawn from all 94 printable characters: a-z (26), A-Z (26), 0-9 (10), and ~‘!@#$%^&*()_-+={[}]|\"’:;?/><,. (32) is

● log2(94^8) = log2(6 095 689 385 410 816) ≈ 52 bits

● For pass phrases the character set is the number of words in the dictionary, and the password length is the number of words.

● So any 4-word pass phrase picked at random from a set of 20 000 words (an average dictionary) has log2(20000^4) ≈ 57 bits

Entropy

● 8-character password from the 94-character set:

● 4!V”N$Fg ≈ 52 bits of entropy (if every character is chosen at random)

● 4-word pass phrase from 20 000 words:

● yeti permutes kilobyte visas ≈ 57 bits of entropy
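The entropy arithmetic on the two slides above and the Diceware procedure from the earlier slide, worked through in code. This is an added example written for this page, not code from the talk: the wordlist is a constructed 36-word stand-in (two dice per word) for the real 7776-word Diceware list, and secrets.randbelow stands in for the physical dice the slide recommends (use real dice if you do not trust the machine's PRNG, which is the author's point). length_for_bits goes one step beyond the slides and computes how many characters or words are needed to reach a target strength such as 80 bits.

```python
import math
import secrets

# Constructed stand-in for a Diceware wordlist: 36 = 6**2 words, addressed by two dice.
# The real Diceware list has 7776 = 6**5 words, one per five rolls; the code below
# works unchanged with it.
DEMO_WORDLIST = [
    "yeti", "permutes", "kilobyte", "visas", "skin", "red",
    "green", "blue", "cyan", "magenta", "yellow", "police",
    "gun", "cuffs", "undercover", "sheriff", "cross", "healthy",
    "pharmacy", "medicine", "correct", "horse", "battery", "staple",
    "paper", "pen", "dice", "phrase", "random", "entropy",
    "salt", "hash", "key", "token", "lock", "door",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose every element is drawn uniformly and independently
    from `alphabet_size` symbols: log2(alphabet_size ** length). This is the slide's
    formula; it only holds when the choice really is uniform (a phrase taken from a
    book, or a 'pattern' password, is far lower)."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length (characters or words) whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def roll_die() -> int:
    """One roll 1..6 from the OS CSPRNG, standing in for a physical die."""
    return secrets.randbelow(6) + 1


def dice_to_index(rolls) -> int:
    """Map a run of rolls (1-1-1-1-1 .. 6-6-6-6-6) to a 0-based wordlist index by
    reading the rolls as a base-6 number, exactly as the printed Diceware table does."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"not a die face: {r}")
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(wordlist, n_words: int, roll=roll_die) -> str:
    """Pick n_words words with dice. wordlist must hold exactly 6**k entries,
    k being the number of dice per word; `roll` is injectable for testing."""
    dice_per_word = round(math.log(len(wordlist), 6))
    if 6 ** dice_per_word != len(wordlist):
        raise ValueError("wordlist size must be a power of 6")
    words = []
    for _ in range(n_words):
        rolls = [roll() for _ in range(dice_per_word)]
        words.append(wordlist[dice_to_index(rolls)])
    return " ".join(words)


if __name__ == "__main__":
    print(f"8 chars from 94 symbols : {entropy_bits(94, 8):.1f} bits")
    print(f"4 words from 20 000     : {entropy_bits(20000, 4):.1f} bits")
    print(f"5 words from Diceware   : {entropy_bits(7776, 5):.1f} bits")
    for name, n in (("94 chars", 94), ("Diceware words", 7776), ("20 000 words", 20000)):
        print(f"80 bits needs {length_for_bits(n, 80):>2} from {name}")
    print("demo phrase:", diceware_passphrase(DEMO_WORDLIST, 4))
```

With the real list, five Diceware words give about 65 bits and seven words clear 80 bits; a 94-symbol password needs 13 random characters for the same 80 bits.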

Strength comparison

XKCD: "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."

https://xkcd.com/936/

P4$$w0rDs done right

● Use a password manager (always open-source software, e.g. KeePass, KeePassX, ...)

● Let the password manager generate long, secure (80+ bit) passwords. No need to remember any of them, and no reuse.

● Change them all often (at least twice a year)

● Public Wi-Fi needs an extra layer of encryption

How do servers handle users' passwords?

● They use a hashing function (MD5, SHA-1, SHA-256, bcrypt)

● Hashing + salting

Use slow and good hash functions like bcrypt, never MD4, MD5 or SHA-1. A fast, unsalted hash lets an attacker precompute one lookup table that covers every user in a leaked database.

Generate a new random salt for each user; do not reuse salts.
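The two storage schemes just described, side by side, as an added example written for this page (not code from the talk): the unsalted fast hash with the one-table attack it invites, and per-user random salt with a deliberately slow KDF plus constant-time verification. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the bcrypt the slide names, because it needs no third-party package; the record format, the user names and the passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 work factor. Tune so one hash costs tens of milliseconds on
# your server; it is stored in each record so it can be raised for new hashes later.
ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The wrong way: one fast, unsalted hash. Equal passwords give equal digests,
    so a single precomputed table (or one crack) covers every user at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: dict, guesses) -> dict:
    """Why that fails: hash each guess once and look it up against all users.
    Cost is O(guesses), independent of how many users are in the dump."""
    table = {weak_store(g): g for g in guesses}
    return {user: table[h] for user, h in stored.items() if h in table}


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """The right way: a fresh 16-byte random salt per user plus a slow KDF.
    Record format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count taken from the record and
    compare in constant time, so a wrong guess leaks nothing through timing."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:  # malformed record: wrong field count, bad hex or int
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: three users, two of them with the same password.
    users = {"alice": "password", "bob": "password", "carol": "yeti permutes kilobyte visas"}
    weak = {u: weak_store(p) for u, p in users.items()}
    print("unsalted SHA-1, alice == bob:", weak["alice"] == weak["bob"])
    print("cracked with a 3-word guess list:", crack_unsalted(weak, ["123456", "password", "qwerty"]))
    strong = {u: store_password(p) for u, p in users.items()}
    print("salted PBKDF2, alice == bob:", strong["alice"] == strong["bob"])
    print("alice logs in:", verify_password("password", strong["alice"]))
    print("alice typo   :", verify_password("Password", strong["alice"]))
```

Because the salt is random per record, alice and bob end up with different digests for the same password, and an attacker must run the full slow KDF once per guess per user instead of once per guess.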

So how did this happen?

Password cracking/hacking

Phishing

Social engineering

2FA

● Use two-factor authentication whenever possible:

Google Authenticator, YubiKeys, ...
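Google Authenticator, named on the slide, implements TOTP (RFC 6238) on top of HOTP (RFC 4226). The following is an added example written for this page, not code from the talk or from Google: the code generator the phone runs, the server-side check with a drift window, and the enrolment URI that the QR code carries. The issuer and account names are placeholders; the key and expected codes used in testing are the published RFC test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, 'dynamic
    truncation' to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods
    since the Unix epoch. This is what the authenticator app computes."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits)


def verify_totp(key: bytes, code: str, for_time=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side
    to tolerate clock drift. Every candidate is compared in constant time and the
    loop never returns early, so timing does not reveal which step matched."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:  # no step before the epoch
            continue
        ok |= hmac.compare_digest(hotp(key, counter + delta, digits), code)
    return ok


def new_shared_secret(nbytes: int = 20) -> bytes:
    """Fresh random secret per enrolment; 160 bits is what RFC 4226 recommends."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI encoded in the enrolment QR code. The secret travels
    base32-encoded without '=' padding, which is how authenticator apps expect it."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    secret = new_shared_secret()
    print(provisioning_uri(secret, "alice@example.org", "ExampleCorp"))
    code = totp(secret)  # what the phone shows right now
    print("code:", code, "accepted now:", verify_totp(secret, code))
    print("same code replayed 2 minutes later accepted:",
          verify_totp(secret, code, for_time=time.time() + 120))
```

A real server must also remember the last counter it accepted for each user and refuse anything at or below it; the drift window alone still lets a phished code be replayed for up to a minute.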

Facial recognition & fingerprints

Kirk Skaugen, Senior VP and General Manager of Intel's Client Computing Group, said at the Citi Global Technology Conference: "I can confidently say today, you can eliminate all your passwords today, if you buy a 6th Generation Core system." http://goo.gl/dE4j1q

● Sixth-generation Intel Core CPU + Windows 10 (Windows Hello) + Intel RealSense 3D camera.

● Or use fingerprint verification/authentication like Touch ID on the iPhone 6.

Are you now 100% secure?

New methods

● Hashing is Dead: long live the passwords.

● https://goo.gl/0rwfkJ

● RSA auth.

Questions?