ISYS20261 Lecture 13



  1. Computer Security Management (ISYS20261)
     Lecture 13 – Passwords
     Module Leader: Dr Xiaoqi Ma
     School of Science and Technology

  2. Last week …
     • Access control permits or denies the use of a particular resource by a particular entity
     • Two dimensions: authentication and authorisation
     • Authentication
       – User to system
       – System to user
     • Authorisation
       – Discretionary access control
       – Mandatory access control
       – Role-based access control
     Computer Security Management, Page 2

  3. Today
     • Passwords
     • PINs
     • Challenge response

  4. Password authentication (1)
     • Ways of authenticating a person
       – Knowledge based: password, PIN, etc.
       – Token based: smartcard, etc.
       – Biometrics: fingerprints, face recognition, etc.
     • Password: two-factor authentication:
       – Identification
       – Verification

  5. Password authentication (2)
     • Assumption: the password exists in two places only:
       – System
       – User’s memory
     • In reality also:
       – Under the keyboard
       – On a post-it stuck to the monitor
       – Shared amongst a group of colleagues/friends
       – Etc.
  6. Passwords
     • Unaided recall
     • Passwords should be meaningless
     • Recall has to be 100% correct
     • No feedback on failure
     • Problems:
       – Unaided recall is harder than cued recall
       – Non-meaningful items are hard to recall
       – Limited capacity of working memory
       – Items stored in memory decay over time
       – Similar items compete
       – Old passwords cannot be deleted on demand
       – Etc.

  7. Password attacks
     • General criminal economics: an attacker will only invest up to 10% of the achieved profits!
     • Password attacks: cheap!
     • Types of password attacks:
       – Brute-force attack
       – Guessing attacks
       – Shoulder surfing attacks
       – Spyware
       – Packet sniffing
       – Social engineering

  8. Password policies
     • Aim to enforce strong passwords in an organisation
     • Define the rules for:
       – Password length
       – Content
       – Frequency of change
       – Number of login attempts
       – How to recover/reset a password
     • Ideally:
       – Variable length
       – Meaningless
       – Do not change passwords more often than necessary
       – Limit login attempts
       – Credential recovery: see later slide

  9. Problems, problems …
     • Nowadays, Joe Average has to remember a large number of passwords/PINs!
     • Many of these need to be changed frequently
     • Many similar items compete (including old, invalid passwords!)
     • Infrequently used passwords are easily forgotten
     • Recently changed passwords are forgotten or confused
     • Etc.

  10. Password failure
     • 52% Memory failure
       – Confused with old password: 37%
       – Confused with another system’s password: 15%
     • 20% Wrong user ID
     • 12% Typo
       – Missing or additional characters
       – Pressing ENTER
  11. User strategies
     • If not given a strategy, users will make up their own!
       – Use the same password for multiple systems
       – Only change passwords if forced to
       – Externalise passwords
     • On-the-spot decisions

  12. Password quality (Sasse et al, 2001)
     • Content
       – 28% of users’ passwords are identical
       – 68% use one way to construct their passwords
       – 51% of the passwords are words with a number on the end
     • Change
       – 90% only change when forced to do so
       – 45% increment the number by one when changing
     • Writing down
       – 30% write down all passwords
       – 32% write down infrequently used passwords

  13. PINs
     • Numerical passwords, e.g. 4587
     • Similar problems
       – Same PIN across many applications
       – Many people give card and PIN to others to fetch cash
       – Using mobile phones in public
       – Etc.
     • Where to find PINs:
       – On the card
       – In the wallet
       – Post-it
       – Around the cash machine
       – Etc.

  14. Countermeasures
     • Help with passwords
       – Reactive, e.g. reminder
       – Proactive, e.g. hints, writing down, …
     • Not really effective
     • Better:
       – User support and training
       – Single sign-on
       – Changes to password policy
       – Alternative methods: graphical or biometrics

  15. Reminders
     • Advantages:
       – No password change
       – Automated, i.e. reduced workload on helpdesk or system admin
     • Disadvantages:
       – Over the internet: security risk
       – Attacker might guess or know the answer to additional security questions
     • Example: “What is your mother’s maiden name?”

  16. Hints
     • User selects a reminder of the password that is stored on the system together with the password
     • System provides the hint if:
       – user forgets his/her password and requests it
       – login fails
     • Advantages
       – No password change
       – Automated
     • Disadvantages:
       – Untrained users often choose bad hints in terms of memorability
       – Attacker might find out the password through social networks

  17. How to improve
     • Provide instructions for better memorability
       – Must be available when users need them
       – e.g. “make up a sentence to memorise” or “funny content helps to memorise”
     • Provide feedback
       – At registration time
       – Needs to be positive and constructive
       – Might help an attacker!
     • Pro-active password checking
       – Prevent weak passwords
       – Checks at registration for compliance with the password policy
     • Helpdesks
       – Many people prefer to interact with other human beings
       – Humans are more flexible
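A pro-active checker of the kind slide 17 describes, applied at registration to the policy points of slide 8 and the user habits measured on slide 12 (a word with a number on the end; incrementing that number when forced to change). This is an added example, not code from the lecture; the word list, minimum length and feedback wording are assumptions, and it generalises the “increment by one” finding to any change that only alters the trailing number.

```python
import re
from typing import List, Optional

# Constructed stand-in for a real dictionary file (assumption: a deployment
# would load a full word list; the check must never echo which words it holds).
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "nottingham", "dragon"}
MIN_LENGTH = 12  # assumed policy value


def split_trailing_number(pw: str):
    """'summer23' -> ('summer', '23'); suffix is '' when no trailing digits."""
    m = re.fullmatch(r"(.*?)(\d*)", pw)
    return m.group(1), m.group(2)


def check_password(new_pw: str, old_pw: Optional[str] = None) -> List[str]:
    """Return the list of policy problems; an empty list means accepted.

    Messages are written as the positive, constructive feedback slide 17 asks for:
    they explain the risk and suggest a memorable alternative, without revealing
    internal rules an attacker could use to narrow a guessing attack.
    """
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append(
            f"Use at least {MIN_LENGTH} characters; a made-up sentence is easier to "
            "remember than a short random string.")
    base, suffix = split_trailing_number(new_pw)
    if base.lower() in COMMON_WORDS:
        problems.append(
            "A dictionary word with a number on the end is among the first patterns "
            "a guessing attack tries; try a phrase instead.")
    if old_pw is not None:
        old_base, old_suffix = split_trailing_number(old_pw)
        if new_pw == old_pw:
            problems.append("The new password must differ from the old one.")
        elif base == old_base and suffix.isdigit() and old_suffix.isdigit():
            problems.append(
                "Changing only the number at the end is predictable to anyone who "
                "learned the old password; change the memorable part as well.")
    return problems
```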
  18. Single sign-on (SSO)
     • Enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again
     • Advantages:
       – Reduces the user’s workload to a minimum
       – Reduces time spent on logins
       – Reduces help desk calls
       – Single point of recovery
     • Disadvantages:
       – Valuable to an attacker (single point of attack!)

  19. Challenge-response (1)
     • Authentication technique
     • An individual is prompted (the challenge) to provide some private information (the response)
     • Enrolment:
       – Challenge-response (CR) pairs generated randomly from a database
       – User accepts a set of memorable CRs when enrolling
     • Operation:
       – Individual is given one challenge from the set
       – If the individual gives the matching response: authenticated

  20. Challenge-response (2)
     • When enrolling, the challenge can be
       – Selected entirely by the system, or
       – Partly chosen by the user, or
       – Partly selected from a list by the user
     • The response can be
       – Selected by the system, or
       – Chosen by the user, or
       – Selected from a list by the user
     • Examples
       – C: Name of your pet? R: [open answer chosen by user]
       – C: Your mother’s maiden name? R: [input chosen by the user]
       – C: What do you think of the [input chosen by the user]? R: I think the [from C] [chosen by the user]
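The enrolment and operation steps of slides 19 and 20 as a small store, written as an added example rather than code from the lecture. The challenge bank, the normalisation of recalled answers and the use of salted PBKDF2 digests (so a stolen store does not reveal the private responses) are assumptions of the example; the store keeps only the CRs the user accepted and issues one of those at login.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed challenge bank; a real system draws from a much larger database.
# The last entry is "partly chosen by the user": the topic is filled in at enrolment.
CHALLENGE_BANK = [
    "Name of your pet?",
    "Your mother's maiden name?",
    "Street you grew up on?",
    "What do you think of the {topic}?",
]


def normalise(answer: str) -> str:
    """Responses are recalled, not read off a token, so tolerate case and spacing."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _digest(salt: bytes, answer: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)


class ChallengeResponseStore:
    def __init__(self):
        self._users = {}  # user -> {challenge text: (salt, digest)}

    def offer_challenges(self, k: int = 3):
        """Enrolment, step 1: a random subset of the bank for the user to accept."""
        return secrets.SystemRandom().sample(CHALLENGE_BANK, k)

    def enrol(self, user: str, pairs):
        """Enrolment, step 2: keep the accepted CR pairs, storing only salted digests."""
        record = {}
        for challenge, response in pairs:
            salt = secrets.token_bytes(16)
            record[challenge] = (salt, _digest(salt, response))
        self._users[user] = record

    def issue_challenge(self, user: str) -> str:
        """Operation, step 1: one challenge drawn from the user's own accepted set."""
        return secrets.choice(list(self._users[user]))

    def verify(self, user: str, challenge: str, response: str) -> bool:
        """Operation, step 2: authenticated only if the response matches that challenge."""
        entry = self._users.get(user, {}).get(challenge)
        if entry is None:  # unknown user or a challenge this user never enrolled
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _digest(salt, response))
```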
  21. Challenge-response (3)
     • Challenge-response pairs (CRs) have two dimensions:
       – Usability
       – Security
     • Criteria for assessing security:
       – Guessing difficulty
     • Criteria for assessing usability:
       – User physical and mental workload
       – Administrator physical workload