Passwords (PowerPoint presentation, provided by iacr: https://www.iacr.org)

Transcript and Presenter's Notes
1
Passwords No Longer Viable
Arvind Narayanan, Vitaly Shmatikov, Univ. of Texas at Austin (stuck in cowboy country?)
2
Greek mythology: Kerberos is tamed by the Lyre of Orpheus
3
Today: Candy breaks computer security
70% of people will give up their password for a candy bar!
4
Secure, Easy to Remember: Pick any one
Organizations implement cumbersome password rules: they require mixed case, numerals, special characters, etc. The goal is for passwords to be secure as well as easy to remember. We show that there is an inherent conflict between these goals!
5
Password: Modeling Human Password Generation
6
Memorability vs. Security
  • Assume we had a fast algorithm that perfectly
    reproduces the Morph procedure.
  • Memorability is inversely related to randomness.
  • Cryptanalysis time is directly related to
    randomness.
  • So memorability and cryptanalysis time are
    inversely related if we can precisely model
    human password generation!

7
One of our techniques - Markov Modeling
Random character strings (left column):
  • wovmgrbl
  • vfxalnre
  • gnhkzdhl
  • ejvzhrfb
  • sxnsmvql

Generated with MM1 (right column):
  • sasetcki
  • eshembec
  • ertemenu
  • sleeteat
  • methesen

The words on the right were generated using MM1. They are more pronounceable than the random character strings on the left.
8
Keyspace reduction factor vs. coverage
[Plot: keyspace reduction factor plotted against coverage]
With 80% coverage we can get 25-fold compression!
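As an added example (not the authors' code), the Python below builds a first-order Markov model over characters, which is what the slides' "MM1" is assumed here to denote, on a constructed word list, samples pronounceable strings from it as on slide 7, and then does what slide 8 measures: it fixes a log-probability threshold that keeps a chosen fraction (the coverage) of a held-out word list and counts how much of the length-4 lowercase keyspace survives that filter (the keyspace reduction factor). The training corpus, the held-out words and the string length are assumptions chosen to keep the enumeration small; the 25-fold figure on the slide comes from the authors' far larger dictionary and is not reproduced by this toy corpus.

```python
"""First-order Markov model ("MM1") of human-chosen strings: train on a word
list, score candidate strings, sample pronounceable ones, and measure the
keyspace reduction obtained for a given coverage. Added example, not the
authors' code; the corpus is a constructed stand-in for a real dictionary."""
import itertools
import math
import random
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
START = "^"  # pseudo-symbol for "beginning of string"

# Constructed training corpus (a real run would use an English word list or
# a leaked-password list with millions of entries).
TRAINING_WORDS = """
password secret letter seven eleven sister master remember system enter
there their these other another water sleet meat tree street never ever
over under enemy money honey stone alone tone phone sense tense dense
mention tension nation station ration reason season treason lesson person
""".split()

# Constructed held-out words, all of length 4: one table per length, as in
# the rainbow-table setting, keeps the scores comparable.
TEST_WORDS = """tree meat tone rate seat mate lone note mine tale sale sent
rest test nest lane mane rain main tear""".split()


def train_mm1(words, alphabet=ALPHABET):
    """model[prev][ch] = P(ch | prev) with add-one smoothing, so no transition
    is impossible; prev may be START."""
    counts = {c: Counter() for c in alphabet + START}
    for w in words:
        prev = START
        for ch in w:
            if ch not in counts:
                continue
            counts[prev][ch] += 1
            prev = ch
    model = {}
    for prev, row in counts.items():
        total = sum(row.values()) + len(alphabet)
        model[prev] = {c: (row[c] + 1) / total for c in alphabet}
    return model


def log_prob(model, s):
    """log P(s); a character outside the alphabet makes the string impossible."""
    lp, prev = 0.0, START
    for ch in s:
        if ch not in model[prev]:
            return -math.inf
        lp += math.log(model[prev][ch])
        prev = ch
    return lp


def sample(model, length, rng):
    """Draw one string from the model (cf. 'sasetcki', 'sleeteat' on slide 7)."""
    out, prev = [], START
    for _ in range(length):
        row = model[prev]
        prev = rng.choices(list(row), list(row.values()))[0]
        out.append(prev)
    return "".join(out)


def threshold_for_coverage(model, words, coverage):
    """Lowest log-probability that still accepts `coverage` (e.g. 0.8) of the
    words; the implicit dictionary is every string scoring at or above it."""
    scores = sorted((log_prob(model, w) for w in words), reverse=True)
    return scores[math.ceil(coverage * len(scores)) - 1]


def coverage(model, words, threshold):
    """Fraction of `words` that fall inside the implicit dictionary."""
    return sum(log_prob(model, w) >= threshold for w in words) / len(words)


def keyspace_reduction(model, length, threshold, alphabet=ALPHABET):
    """Enumerate every string of `length` over `alphabet` and count the ones
    the model accepts. Returns (accepted, total, reduction_factor)."""
    total = len(alphabet) ** length
    accepted = sum(log_prob(model, "".join(t)) >= threshold
                   for t in itertools.product(alphabet, repeat=length))
    return accepted, total, total / max(accepted, 1)


def hit_rates(model, threshold, length, n=300, seed=11):
    """(model-drawn, uniformly random) fraction of strings that land inside
    the implicit dictionary: a sanity check that the filter does real work."""
    rng = random.Random(seed)
    model_hits = sum(log_prob(model, sample(model, length, rng)) >= threshold
                     for _ in range(n))
    uniform_hits = sum(log_prob(model, "".join(rng.choices(ALPHABET, k=length)))
                       >= threshold for _ in range(n))
    return model_hits / n, uniform_hits / n


if __name__ == "__main__":
    model = train_mm1(TRAINING_WORDS)
    print("MM1 samples:", [sample(model, 8, random.Random(7)) for _ in range(5)])
    thr = threshold_for_coverage(model, TEST_WORDS, 0.8)
    acc, tot, factor = keyspace_reduction(model, 4, thr)
    print(f"coverage {coverage(model, TEST_WORDS, thr):.2f}: {acc} of {tot} "
          f"length-4 strings kept, {factor:.1f}-fold keyspace reduction")
    print("hit rates (model-drawn, uniform):", hit_rates(model, thr, 4))
```

The threshold is the knob: lowering it raises coverage and shrinks the reduction factor, which is the curve on the slide. Note that only strings of one fixed length are compared against one threshold, because a longer string always scores lower under a product-of-probabilities model.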
9
Current state of the art: Rainbow attack
  • Word list size is 3 × 10^12
  • All alphanumeric passwords of length 8
  • Compressed database size is 48 GB
  • Cryptanalysis time is 40 minutes
  • Amortized time is only 10 minutes

What we did
  • Extend the time-space tradeoff to implicit dictionaries.
  • Same efficiency as the rainbow attack, increased coverage.
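The time-space tradeoff extension, as an added illustration that is not the authors' code: a small rainbow table whose reduction functions map each hash to a dictionary entry rather than to an arbitrary alphanumeric string, so the precomputation only ever spends work on the dictionary. It uses an explicit, constructed syllable dictionary in place of the talk's implicit Markov-filtered dictionary (the paper's contribution is indexing into that dictionary without materializing it; here the list is simply enumerated), MD5 as a stand-in unsalted hash, and toy table sizes.

```python
"""Rainbow-table time-space tradeoff whose reduction functions map a hash
back into a dictionary instead of into the full keyspace. Added example, not
the authors' code: the dictionary is a constructed explicit list standing in
for an implicit (Markov-filtered) one, MD5 is used only because it is fast
and unsalted, and the table sizes are toy-sized."""
import hashlib

# Constructed dictionary of 3375 pronounceable strings (any candidate list
# works, e.g. every string an MM1 filter accepts).
SYLLABLES = ["ma", "me", "mo", "na", "ne", "no", "ra", "re", "ro",
             "sa", "se", "so", "ta", "te", "to"]
DICTIONARY = [x + y + z for x in SYLLABLES for y in SYLLABLES for z in SYLLABLES]


def H(password):
    """The unsalted hash under attack (MD5 here purely for speed)."""
    return hashlib.md5(password.encode()).digest()


def reduce_to_dict(digest, column):
    """Column-dependent reduction: hash -> dictionary entry. Mixing in the
    column index is what makes these rainbow chains: two chains that collide
    in different columns do not merge."""
    n = int.from_bytes(digest[:8], "big")
    return DICTIONARY[(n + column) % len(DICTIONARY)]


def build_table(chain_len, num_chains):
    """Precomputation: store only (end -> start) per chain. Chains that end
    in the same word have merged; the first one is kept."""
    table = {}
    for i in range(num_chains):
        start = DICTIONARY[(i * 7919) % len(DICTIONARY)]  # spread-out starts
        pw = start
        for col in range(chain_len):
            pw = reduce_to_dict(H(pw), col)
        table.setdefault(pw, start)
    return table


def lookup(table, target, chain_len):
    """Online phase: assume the preimage sits at each column in turn, walk to
    the chain end, and replay the stored chain to recover it. Returns the
    password, or None if no chain in the table covers it."""
    for col in range(chain_len - 1, -1, -1):
        pw = reduce_to_dict(target, col)
        for c in range(col + 1, chain_len):
            pw = reduce_to_dict(H(pw), c)
        start = table.get(pw)
        if start is None:
            continue
        cand = start
        for c in range(col):
            cand = reduce_to_dict(H(cand), c)
        if H(cand) == target:  # reject false alarms caused by merged chains
            return cand
    return None


def success_rate(table, chain_len, step=17):
    """Fraction of a sample of dictionary words the table recovers: the
    coverage a given table size buys."""
    words = DICTIONARY[::step]
    found = sum(lookup(table, H(w), chain_len) == w for w in words)
    return found / len(words)


if __name__ == "__main__":
    T = 20
    table = build_table(T, 400)
    print(f"{len(table)} distinct chains stored for {len(DICTIONARY)} words")
    print(f"recovers {success_rate(table, T):.0%} of sampled dictionary words")
    pw = DICTIONARY[0]
    for c in range(3):
        pw = reduce_to_dict(H(pw), c)  # a word sitting in column 3 of chain 0
    print("hash of", pw, "->", lookup(table, H(pw), T))
```

Storage is one (start, end) pair per chain while each lookup costs about chain_len²/2 hashes, which is the tradeoff the slide's 48 GB / 40 minutes figures reflect; the only change from a keyspace rainbow table is that reduce_to_dict lands in the dictionary, so coverage is measured against human-like strings rather than against all 36^8 alphanumerics.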

10
Coverage comparison
[Plot: coverage comparison]
Word list size for the above results was about 2 × 10^9. With a larger word list size of 3 × 10^12, we believe we can get a 90% success rate.
11
If not passwords, then what?
  • What about biometrics?
  • Biometric identification is good.
  • Biometric authentication is brain-damaged.
  • PAKE (Password-based Authenticated Key Exchange)
  • Good for some, but not all, scenarios.
  • Serge will talk about it tomorrow (and Zully later today).

12
BOFH syndrome
Don't blame users, blame poor system usability! If users stick their passwords on their monitors, it doesn't mean they're stupid. It means the security engineering needs rethinking.
13
Smart cards
  • Reduce electronic security to physical security.
  • Protection mechanisms such as RFID-based tracking exist.
  • Economic, legal and law enforcement infrastructure to deal with compromise.

14
Find out more at CCS 2005.
Alexandria, VA
15
Thank you. Enjoy your beer ?