
Passwords & Passphrases

Name: Simović Petar


I study computer science at the Faculty of Mathematics, University of Belgrade.
Member of the Belgrade hackerspace (HKLBGD) Sunday crypto workshop.
Writing for Libre online magazine (FLOSS).

Agenda

Introduction to passwords and passphrases

Measuring password/passphrase strength

Service consumers handling secrets: why passwords might be dead

Password hacking: phishing, brute force, social engineering

Alternative methods of authentication

What's wrong with my P4$$w0rd?

Very weak & easy to remember. Replacing 's' and 'o' with '$' and '0' won't help you much.

Or hard to remember & secure.

So users reuse them.

And if not random -> social engineering guessing.

People are not very good at creating truly random passwords; worse, they are a species of patterns. And it is hard to remember dozens of different nonsense passwords with numbers and special characters.

Password security blanket (1k), by Lorrie Faith Cranor

Most used Pa$$w0rds

So, what is a passphrase?

Short answer: it is just a phrase.

Long answer: it contains a few words, not necessarily from a dictionary; the words should be picked at random, not from a book or website.

What are good and secure pass phrases?

How to generate them?

Secure passphrase?

pass-phrase1 pass-phrase2 pass-phrase3

My pass phrase is hard to guess

Correct horse battery staple

red cross healthy pharmacy medicine

yeti permutes kilobyte visas skin

red green blue cyan magenta yellow

police gun cuffs undercover sheriff

Secure passphrase? (same list, with three phrases marked on the slide: "My pass phrase is hard to guess", "Correct horse battery staple" and "yeti permutes kilobyte visas skin")

Passphrase advantages

Easier to create (maybe not for humans)

Easier to remember

So no need for writing it down or using password managers

Hard for automated attacks [verb adjective noun?] -- needs brute force if done right

More secure?

...

Diceware

Method for manually generating passphrases

Why? PRNG compromised, or paranoid?

How? Diceware wordlist, dice, paper and pen

http://goo.gl/swgFz

Entropy (Shannon entropy)

log2(character_set ^ password_length)

For example: an 8-character password using all 94 possible characters: a-z (26), A-Z (26), 0-9 (10), and ~!@#$%^&*()_-+={[}]|\":;?/><,. (32)

is

log2(94^8) = log2(6 095 689 385 410 816) = 52 bits

For passphrases the character set is the number of words in the dictionary, and the password length is the number of words. So any 4-word passphrase from a set of 20 000 words (an average dictionary) has log2(20000^4) = 57 bits.

Entropy

8-character password from a 94-character set:

4!VN$Fg = 51 bits of entropy

4-word passphrase from 20 000 words:

yeti permutes kilobyte visas = 57+ bits of entropy
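The slide's entropy formula, the Diceware lookup from the previous slide, and the "80+ bits" password-manager target from a later slide, worked through in Python. This is an added example, not code from the talk or from the Diceware project: the 7776-entry wordlist is a constructed stand-in (the real list, linked from the slide, maps keys "11111".."66666" to English words), `roll_dice` is a software stand-in for a physical die, and all function names are my own.

```python
import math
import secrets
import string

# --- Entropy of uniformly random secrets: log2(N ** L) ---

def password_entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy when each of `length` characters is drawn uniformly
    from `charset_size` symbols. Only valid for truly random choices."""
    return length * math.log2(charset_size)

def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Same formula for passphrases: the 'alphabet' is the wordlist."""
    return words * math.log2(wordlist_size)

def required_length(charset_size: int, min_bits: float) -> int:
    """Smallest number of symbols that reaches `min_bits` of entropy."""
    return math.ceil(min_bits / math.log2(charset_size))

# The slide's 94-character set: printable ASCII without the space.
PRINTABLE_94 = string.ascii_letters + string.digits + string.punctuation

def generate_password(min_bits: float = 80) -> str:
    """What a password manager does: draw characters from the OS CSPRNG."""
    n = required_length(len(PRINTABLE_94), min_bits)
    return "".join(secrets.choice(PRINTABLE_94) for _ in range(n))

# --- Diceware: five rolls of a six-sided die select one of 6**5 words ---

DICE_PER_WORD = 5
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776

# Constructed stand-in for the real wordlist (index 0 is key "11111").
STAND_IN_WORDLIST = [f"word{i:04d}" for i in range(DICEWARE_LIST_SIZE)]

def diceware_index(rolls) -> int:
    """Map five rolls, e.g. (1, 1, 1, 1, 2) for key '11112', to a 0-based index.
    Each roll is a base-6 digit, with a roll of 1 meaning digit 0."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index

def diceware_index_from_key(key: str) -> int:
    """Same mapping from the printed key column, e.g. '66666' -> 7775."""
    return diceware_index(tuple(int(ch) for ch in key))

def roll_dice() -> tuple:
    """Software stand-in for a physical die. The point of Diceware is that you
    may roll a real die instead and feed the results to diceware_passphrase."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(DICE_PER_WORD))

def diceware_passphrase(wordlist, n_words: int, roll=roll_dice) -> str:
    """Build an n-word passphrase; `roll` returns one word's worth of rolls."""
    if len(wordlist) != DICEWARE_LIST_SIZE:
        raise ValueError("a Diceware list has exactly 6**5 entries")
    return " ".join(wordlist[diceware_index(roll())] for _ in range(n_words))

if __name__ == "__main__":
    print(f"8 chars from 94:     {password_entropy_bits(94, 8):.1f} bits")
    print(f"4 words from 20000:  {passphrase_entropy_bits(20000, 4):.1f} bits")
    print(f"5 Diceware words:    {passphrase_entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
    print("80-bit password needs", required_length(94, 80), "chars:", generate_password(80))
    print("Diceware passphrase:", diceware_passphrase(STAND_IN_WORDLIST, 5))
```

Note that the formula only holds for secrets chosen uniformly at random; a human-picked phrase such as "My pass phrase is hard to guess" gets no credit from it.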

Strength comparison

Passwords & Passphrases

XKCD:
Through 20 years of effort,
we've successfully trained everyone to use
passwords that are hard for humans to remember,
but easy for computers to guess

https://xkcd.com/936/

P4$$w0rDs done right

Use a password manager (always open-source software, e.g. KeePass, KeePassX, ...)

Let the password manager generate long, secure (80+ bits) passwords. No need to remember any, and no reusing.

Change them all often (at least twice a year)

Public Wi-Fi needs a layer of encryption

Hashing + salting

How do servers handle users' passwords?

They use a hashing function (MD5, SHA-1, SHA-256, bcrypt)

Hashing + salting
Use slow and good hash functions like bcrypt, never MD4, MD5 or SHA-1.
Generate a new random salt for each user; do not reuse salts.
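The weak and the hardened storage scheme side by side, as an added example that is not code from the talk. bcrypt is not in the Python standard library, so the slow, salted function here is PBKDF2-HMAC-SHA256 from `hashlib`; the iteration count is an assumption chosen in line with current OWASP guidance and should be tuned to your hardware. The record format and function names are my own.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # work factor (assumption for this example; tune it)
SALT_BYTES = 16        # 128-bit random salt per user

def unsalted_md5(password: str) -> str:
    """The weak scheme: fast and unsalted, so two users with the same
    password share a digest and one precomputed table cracks them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str) -> str:
    """Hardened scheme: fresh random salt per user plus a slow, iterated KDF.
    Stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex' so the parameters
    travel with the record and can be raised for new logins later."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)

def salts_differ(stored_a: str, stored_b: str) -> bool:
    """Check the 'never reuse salt' rule on two stored records."""
    return stored_a.split("$")[2] != stored_b.split("$")[2]

if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print("md5 alice:", unsalted_md5("hunter2"))
    print("md5 bob:  ", unsalted_md5("hunter2"))   # identical, that is the problem
    alice, bob = hash_password("hunter2"), hash_password("hunter2")
    print("salted alice:", alice)
    print("salted bob:  ", bob)                    # different salt, different hash
    print("login ok:", verify_password("hunter2", alice), "wrong:", verify_password("Hunter2", alice))
```

The record carries its own iteration count so a deployment can raise the work factor over time and rehash each user on their next successful login.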

So how did this happen?

Password cracking/hacking

Phishing

Social engineering

2FA

Use two-factor authentication whenever possible:

Google Authenticator, YubiKeys, ...

Facial recognition & fingerprints

Kirk Skaugen, Senior VP and general manager of Intel's Client Computing Group, said at the Citi Global Technology Conference: "I can confidently say today, you can eliminate all your passwords today, if you buy a 6th Generation Core system." http://goo.gl/dE4j1q

Sixth-generation Intel Core CPU + Windows 10 (Windows Hello) + Intel RealSense 3D camera.

Or use fingerprint verification/authentication like iPhone 6 Touch ID.

Are you now 100% secure?

New methods

Hashing is Dead: long live the passwords.

https://goo.gl/0rwfkJ

RSA auth.

Questions?
