Password Storage forms(3)
- Plaintext(bad)
- Encrypted(fair)
- Hashed(good)
Password related techniques(4)
- Password storage forms
- Password policies
- Salting passwords
- Alternative password forms
Types of passwords(4)
- Passphrases: user enters long phrases/sentences that are hashed to become passwords
- One Time Passwords
- Visual Passwords
- Picture Passwords
One way functions properties and example
- ensures password security
- easy to compute and hard to reverse
eg. hash functions: input of arbitrary length produces output of fixed length
Hash functions properties(2 general)
- Preimage resistance: given hash value y, computationally infeasible to calculate x where H(x)=y
- Collision resistance: computationally infeasible to find pair(x,y) where x!=y and H(x) = h(Y)
Hash functions examples for crypto and password hashing(2 each)
crypto: SHA256, KECCAK
password hashing: ARGON2, bcrypt
Plaintext password and 1 -ve
claimant password checked against password DB
-ve: No protection against attacker, dispute over real user
Hashed passwords
- only hashed password stored
- claimant password gets hashed and checked against hashed password DB
- protection against hacker
Attack on passwords(2)
- Offline Guessing Attacks
- Exhaustive attacks
- Dictionary attacks - Phishing and Spoofing
Offline Guessing attack overview + why it is a threat + 3 incidents
- attacker gets hashed password and attempts to guess passwords
- threat if user uses same passwords for different accounts and due to server hacks or traffic sniffing
- password incidents: SingHealth breach,Adobe breach, Linkedin password leaked
- Brute force attack + Solution
- guess password by going through passwords and hashes to check for match
Sol: Increase space of possible passwords, measured with password entropy 2^k
Password entropy for dummies
2^k = (number of character types)^length of password
- Dictionary Attack
- can attack hashed passwords
- exploit weakness in human picked passwords based on words in natural languages
- same password has same hash value
1. Guess commonly used passwords
2. Compute hash values
3. Look for same hash value in password file - sped up with precomputed hash table
- cheap to crack passwords due to high speed hardware and cloud services
- Strong password: modern hashing algo + hashing best practices
Pre computed hash table
- contains password and their hashes
- with n bits and k password possibilities, table is size k x n
- NOT practical if k is large(ideal)
Password salting
- prevents precomputed hashes being effective
- salt(random string) added to password before applying hash function
- diff salt => diff hashes
- salt of n bit: needs 2^n hashes for same password
Password Storage summary
- store passwords to prevent them from being obtained by attacker even if DB compromised
- slow down offline attacks by choosing hash algorithms that are resource intensive/slow, work factor was changed
Hashing VS Encryption
- passwords hashed NOT encrypted
- Hashing: one way function to check passwords
- Encryption: two way function to recover original plaintext password using key
Password policies(6)
- Set a password for attacker to guess
- Change default password
- Avoid guessable passwords: min length, variety
- Password ageing: expiry dates + prevent reuse of passwords
- Limit login attempts
- Inform user of last login time and number of failed logins since then
One Time Password Overview + 1+ve
+ve: tackles issue where stolen passwords reused
- generates list of passwords where each password only used once
- Lamport’s OTP: one way function to generate password possibilities
Protecting password file + methods(3)
OS has file with usernames and passwords
1. Cryptographic protection
2. Access Control
3. Combination of above
Failure Rates
- measure of similarity between reference features and current features
- user accepted if match above a threshold
i) False positive: accept wrong user
ii) False Negative: reject legit user, embarrassment and reduced work efficiency
Should you write passwords down?
You can then store in locked drawer BUT still vulnerable to keyloggers
How to protect website’s security
- Ask own security team to test BUT depends on skillsets and possible internal conflicts
- Get experts in penetration testing BUT depends on skillsets, work commitment, work dedication and cost
- Open competition, talent from worldwide to fix bugs asap
