Fudan University School of Software (復大软件学院)

Slide 11: Basic password authentication
• Setup
  – User chooses password
  – Hash of password stored in password file
• Authentication
  – User logs into system, supplies password
  – System computes hash, compares to file
Slide 12: Passwords – weak authentication
• Usually fixed
• Stored either in the clear, or “encrypted” with a one-way function (OWF)
• Rules reduce the chance of easy passwords
• Salt increases the search space for a dictionary attack
• There are many examples using password-based authentication
  – how to manage passwords
Slide 13: Example: UNIX passwords
• /etc/passwd, /etc/shadow
• Record fields: Username : password : UID : GID : USERINFO : HOME : SHELL
• Figure: the user's password (mypasswd) is fed through the hash function; the password file stores only the resulting hashes (exrygbzyf, kgnosfix, ggjoklbsz, …)
Slide 14: Attacks on password schemes
• Replay of fixed passwords
• Exhaustive search
  – 8-character password has 40-50 bits
• More directed dictionary attacks
  – Crack: widely available tool for doing this
  – Online dictionary attack
    • Guess passwords and try to log in
  – Offline dictionary attack
    • Steal password file, try to find p with hash(p) in file
Slide 15: Dictionary attack – some numbers
• Typical password dictionary
  – 1,000,000 entries of common passwords
    • people's names, common pet names, and ordinary words
  – Suppose you generate and analyze 10 guesses per second
    • This may be reasonable for a web site; offline is much faster
  – Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average
• If passwords were random
  – Assume six-character password
    • Upper- and lowercase letters, digits, 32 punctuation characters
    • 689,869,781,056 password combinations
    • Exhaustive search requires 1,093 years on average