Empire City Casino Online

Transcription

G UESSING HUMAN - CHOSEN SECRETS
Joseph Bonneau
[email protected]
Computer Laboratory
Microsoft Research
Cambridge, UK
April 5, 2012
Joseph Bonneau (University of Cambridge)
Guessing human-chosen secrets
April 5, 2012
1 / 62
Password research? In 2012??
Compatible Time-Sharing System, MIT 1961
April 5, 2012
2 / 62
What are passwords good for?
property
Memorywise-Effortless
Scalable-for-Users
Nothing-to-Carry
Physically-Effortless
Easy-to-Learn
Efficient-to-Use
Infrequent-Errors
Easy-Recovery-from-Loss
Accessible
Negligible-Cost-per-User
Server-Compatible
Browser-Compatible
Mature
Non-Proprietary
Resilient-to-Physical-Observation
Resilient-to-Targeted-Impersonation
Resilient-to-Throttled-Guessing
Resilient-to-Unthrottled-Guessing
Resilient-to-Internal-Observation
Resilient-to-Leaks-from-Other-Verifiers
Resilient-to-Phishing
Resilient-to-Theft
No-Trusted-Third-Party
Requiring-Explicit-Consent
Unlinkable
password
April 5, 2012
3 / 62
Automated password managers?
property
Scalable-for-Users
Nothing-to-Carry
Easy-to-Learn
Efficient-to-Use
Infrequent-Errors
Accessible
Server-Compatible
Browser-Compatible
Mature
Non-Proprietary
Resilient-to-Theft
Unlinkable
password
Firefox
April 5, 2012
4 / 62
Graphical passwords?
property
Scalable-for-Users
Nothing-to-Carry
Easy-to-Learn
Efficient-to-Use
Infrequent-Errors
Accessible
Server-Compatible
Browser-Compatible
Mature
Non-Proprietary
Resilient-to-Theft
Unlinkable
password
Firefox
PCCP
April 5, 2012
5 / 62
Smartphones as a hardware token?
property
Scalable-for-Users
Nothing-to-Carry
Easy-to-Learn
Efficient-to-Use
Infrequent-Errors
Accessible
Server-Compatible
Browser-Compatible
Mature
Non-Proprietary
Resilient-to-Theft
Unlinkable
password
Firefox
PCCP
SMS
April 5, 2012
6 / 62
Biometrics?
property
Scalable-for-Users
Nothing-to-Carry
Easy-to-Learn
Efficient-to-Use
Infrequent-Errors
Accessible
Server-Compatible
Browser-Compatible
Mature
Non-Proprietary
Resilient-to-Theft
Unlinkable
password
Firefox
PCCP
SMS
Iris
April 5, 2012
7 / 62
Federated authentication?
property
Scalable-for-Users
Nothing-to-Carry
Easy-to-Learn
Efficient-to-Use
Infrequent-Errors
Accessible
Server-Compatible
Browser-Compatible
Mature
Non-Proprietary
Resilient-to-Theft
Unlinkable
password
Firefox
PCCP
SMS
Iris
April 5, 2012
OpenID
8 / 62
There is no clear alternative to passwords...
Reference
Memory-wise-Effortless
Scalable-for-users
Nothing-to-Carry
Manually-Effortless
Easy-to-Learn
Efficient-to-Use
Infrequent-Errors
Accessible
Server-Compatible
Browser-Compatible
Mature
Non-Proprietary
Resilient-to-Theft
Unlinkable
Table I
C OMPARATIVE EVALUATION OF THE VARIOUS SCHEMES WE EXAMINED
Category
Scheme
(Incumbent)
Web passwords
III [13]
Firefox
IV-A1
Password managers
LastPass
IV-A2
URRSA
IV-B1 [5]
Proxy
Impostor
?? [21]
OpenID
IV-C1 [25]
MS Passport
IV-C2 [29]
FBConnect
IV-C3 [31]
Federated
BrowserID
IV-C4 [33]
OTP over email
IV-C5 [37]
PCCP
IV-D1 [7]
Graphical
PassGo
IV-D2 [93]
GridSure
IV-E1 [51]
Weinshall
?? [47]
Cognitive
Hopper
Blum
?? [48]
Word Association
?? [50]
OTPW
IV-F1 [54]
S/KEY
IV-F2 [53]
Paper tokens
PIN+TAN
IV-F3 [56]
Visual crypto
PassWindow
IV-G1 [61]
RSA SecurID
IV-H1 [63]
Yubikey
IV-H2 [65]
IV-H3 [67]
Hardware tokens Ironkey
CAP reader
IV-H4 [68]
Pico
IV-H5 [8]
Phoolproof
IV-I1 [70]
Cronto
IV-I2
MP-Auth
IV-I3 [6]
Phone-based
OTP over SMS
IV-I4
Google 2-Step
IV-I5 [73]
Fingerprint
IV-J1 [75]
Iris
IV-J2 [76]
Biometric
Voice
IV-J3 [77]
Personal knowledge IV-K1 [83]
Preference-based
IV-K2 [91]
Recovery
Social re-auth.
?? [94]
= offers the benefit; = almost offers the benefit; no symbol = no benefit.
= better than passwords; = worse than passwords; no background = no change.
We group related schemes into categories. For space reasons, our Oakland paper [1] describes at most one scheme per
category, but this tech report discusses them all.
9 / 62
April 5, 2012
Described in section
Joseph Bonneau, Cormac Herley, Paul van Oorschot, and Frank Stajano.
“The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web
Authentication Schemes”, IEEE Security & Privacy, 2012.
The “last mile” of authentication
April 5, 2012
10 / 62
What’s harder to guess?
1
A Cambridge student’s password or an Oxford student’s?
2
A human-chosen 4-digit PIN or a random 3-digit PIN?
3
A password or a stranger’s surname?
April 5, 2012
11 / 62
Semantic password evaluation
year
1989
1992
1999
1999
2004
2006
2010
2009
study
Riddle et al.
Spafford
Wu
Zviran and Haga
Campbell and Bryant
Cazier and Medlin
Devillers et al.
RockYou data
length
4.4
6.8
7.5
5.7
8.0
7.4
7.9
7.9
% digits
3.5
31.7
25.7
19.2
78.0
35.0
54.0
44.4
% special
—
14.8
4.1
0.7
3.0
1.3
3.4
2.6
April 5, 2012
12 / 62
Table A.1 – Estimated Password Guessing Entropy in bits vs. Password Length
Semantic password evaluation
User Chosen
94 Character Alphabet
Length
Char.
1
2
3
4
5
6
7
8
10
12
14
16
18
20
22
24
30
40
No Checks
4
6
8
10
12
14
16
18
21
24
27
30
33
36
38
40
46
56
Dictionary
Rule
14
17
20
22
24
26
28
30
32
34
36
38
40
46
56
Dict. &
Comp. Rule
16
20
23
27
30
32
34
36
38
40
42
44
46
52
62
Randomly Chosen
10 char. alphabet
94 char
alphabet
3
5
7
9
10
11
12
13
15
17
19
21
23
25
27
29
35
45
3.3
6.7
10.0
13.3
16.7
20.0
23.3
26.6
33.3
40.0
46.6
53.3
59.9
66.6
73.3
79.9
99.9
133.2
6.6
13.2
19.8
26.3
32.9
39.5
46.1
52.7
65.9
79.0
92.2
105.4
118.5
131.7
144.7
158.0
197.2
263.4
NIST “entropy” formula
April 5, 2012
13 / 62
Evaluating passwords via cracking tools
April 5, 2012
14 / 62
35
30
µ = lg(dictionary size)
25
20
Morris and Thompson [1979]
Klein [1990]
Spafford [1992]
15
Wu [1999]
Kuo [2006]
10
Schneier [2006]
Dell’Amico (it) [2010]
5
Dell’Amico (fi) [2010]
Dell’Amico (en) [2010]
0
0.0
0.1
0.2
0.3
0.4
0.5
0.6
α = proportion of passwords guessed
0.7
0.8
0.9
April 5, 2012
15 / 62
35
30
µ = lg(dictionary size/α)
25
20
Morris and Thompson [1979]
Klein [1990]
Spafford [1992]
15
Wu [1999]
Kuo [2006]
10
Schneier [2006]
5
0
0.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
April 5, 2012
16 / 62
45
40
µ = lg(dictionary size/α)
35
30
25
20
15
passwords (various)
mnemonic password
Draw-a-secret
PassPoints
Faces
10
5
0
0.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
April 5, 2012
17 / 62
Desiderata for evaluating human-chosen secrets
sound
repeatable
no operator bias
no demographic bias
practical
April 5, 2012
18 / 62
Massive password data sets available for the first time
290729
79076
76789
59462
49952
33291
21725
20901
20553
16648
123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
12345678
abc123
April 5, 2012
19 / 62
Dissertation: Guessing human-chosen secrets
1
Develop statistical guessing metrics
2
Collect large-scale data in a privacy-preserving manner
3
Approximate metrics using a random sample
4
Analyse data!
April 5, 2012
20 / 62
Goal #1
Develop statistical guessing metrics
April 5, 2012
20 / 62
Framework
Assume a completely-known distribution X
X has N events (passwords) x1 , x2 , . . .
Events have probability p1 ≥ p2 ≥ . . . ≥ pN ≥ 0
R
Each user chooses at random X ← X
Question: How hard is it to guess X ?
April 5, 2012
21 / 62
Shannon entropy
H1 (X ) = −
N
X
pi lg pi
i=1
Interpretation: Expected number of queries “Is X ∈ S?” for arbitrary
subsets S ⊆ X needed to guess X . (Source-Coding Theorem)
April 5, 2012
22 / 62
Guesswork (guessing entropy)
N
h
i X
R
G1 (X ) = E #guesses (X ← X ) =
pi · i
i=1
Intepretation: Expected number of queries “Is X = xi ?” for
i = 1, 2, . . . , N (optimal sequential guessing)
April 5, 2012
23 / 62
G1 fails badly for real password distributions
1,ed65e09b98bdc70576d6c5f5e2ee38a9
1,e54d409c55499851aeb25713c1358484
1,dee489981220f2646eb8b3f412c456d9
1,c4df8d8e225232227c84d0ed8439428a
1,bd9059497b4af2bb913a8522747af2de
1,b25d6118ffc44b12b014feb81ea68e49
1,aac71eb7307f4c54b12c92d9bd45575f
1,9475d62e1f8b13676deab3824492367a
1,92965710534a9ec4b30f27b1e7f6062a
1,80f5a0267920942a73693596fe181fb7
1,76882fb85a1a8c6a83486aba03c031c9
1,6a60e0e51a3eb2e9fed6a546705de1bf
1,6843b9efec36f428deabce22c0fc1805
1,5dfbcd6390b77d06df9027c8d7d4fe84
1,4374968e935a9a0f8d56785ea682eb5f
1,0753929001291091112580111091991a
1,0410412e7194adc1b419a87a47979c36
...
Random 128-bit passwords in the wild at RockYou (∼ 2−20 )
April 5, 2012
24 / 62
Lemma: For a mixture distribution
Z =p·X +q·Y
we have
G1 (Z) ≥ p · G1 (X ) + q · G1 (Y)
April 5, 2012
25 / 62
Lemma: For a mixture distribution
Z =p·X +q·Y
we have
G1 (Z) ≥ p · G1 (X ) + q · G1 (Y)
Therefore, for real passwords P, we have:
G1 (P) ≥ p · G1 (X ) + 2−20 · G1 (U2128 )
G1 (P) > 2107
April 5, 2012
25 / 62
Optimal attacks will give up on the hardest values
R
New goal: Correctly guess k of m values X1 , X2 . . . XM ← X
April 5, 2012
26 / 62
Name #1
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
Name #2
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
Name #3
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
...
...
...
...
...
...
...
Name #m
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
April 5, 2012
27 / 62
Name #1
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
Name #2
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
Name #3
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
...
...
...
...
...
...
...
Name #m
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
April 5, 2012
28 / 62
Name #1
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
Name #2
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
Name #3
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
...
...
...
...
...
...
...
Name #m
Smith
Jones
Johnson
...
Ytterock
Zdrzynski
(obvious optimal strategy)
April 5, 2012
29 / 62
Partial guessing—model attackers who give up
β-success-rate
Success rate after β guesses:
λβ (X ) =
β
X
pi
i=1
α-work-factor
Dictionary size needed for α success probability:
µ
(
)
X
µα (X ) = min µ ∈ [1, N]
pi ≥ α
i=1
April 5, 2012
30 / 62
Partial guessing—model attackers who give up
β-success-rate
Success rate after β guesses:
λβ (X ) =
β
X
pi
i=1
α-work-factor
Dictionary size needed for α success probability:
µ
(
)
X
µα (X ) = min µ ∈ [1, N]
pi ≥ α
i=1
April 5, 2012
30 / 62
α-guesswork—attackers get to quit early
µα (X )
Gα (X ) = (1 − dαe) · µα (X ) +
X
i=1
pi · i
Intepretation: Expected number of guesses to succeed with
probability α
April 5, 2012
31 / 62
Guessing curves visualise all possible attacks
10000
µα (U104 )
µα (U103 )
dictionary size/number of guesses
8000
µα (PIN)
Gα (PIN)
6000
4000
2000
0
0.0
0.2
0.4
0.6
0.8
1.0
success rate α
April 5, 2012
32 / 62
For more on PIN statistics
Joseph Bonneau, Sören Preibusch and Ross Anderson.
A birthday present every eleven wallets? The security of customer-chosen banking PINs.
Financial Crypto 2012.
April 5, 2012
33 / 62
All metrics convertible to bits
Find the size of a uniform distribution UN with equivalent security
Easy cases:
λ̃β (X ) = lg
β
λβ (X )
µ̃α (X ) = lg
µα (X )
dαe
More complicated:
G̃α (X ) = lg
h
2·Gα (X )
dαe
i
− 1 − lg(2 − dαe)
Sanity check:
λ̃β (UN ) = µ̃α (UN ) = G̃α (UN ) = lg N
April 5, 2012
33 / 62
Easy cases:
λ̃β (X ) = lg
β
λβ (X )
µ̃α (X ) = lg
µα (X )
dαe
More complicated:
G̃α (X ) = lg
h
2·Gα (X )
dαe
i
− 1 − lg(2 − dαe)
Sanity check:
April 5, 2012
32 / 62
Easy cases:
λ̃β (X ) = lg
β
λβ (X )
µ̃α (X ) = lg
µα (X )
dαe
More complicated:
G̃α (X ) = lg
h
2·Gα (X )
dαe
i
− 1 − lg(2 − dαe)
Sanity check:
April 5, 2012
31 / 62
Easy cases:
λ̃β (X ) = lg
β
λβ (X )
µ̃α (X ) = lg
µα (X )
dαe
More complicated:
G̃α (X ) = lg
h
2·Gα (X )
dαe
i
− 1 − lg(2 − dαe)
Sanity check:
April 5, 2012
30 / 62
10000
µα (U104 )
µα (U103 )
dictionary size/number of guesses
8000
µα (PIN)
Gα (PIN)
6000
4000
2000
0
0.0
0.2
0.4
0.6
0.8
1.0
success rate α
April 5, 2012
31 / 62
14
H0 &
12
4.0
G̃1 & 3.5
H1 →
10
3.0
bits
H2 →
2.0
dits
2.5
8
6
4
1.5
- H∞
µ̃α (U104 )/G̃α (U104 )
µ̃α (U103 )/G̃α (U103 )
2
µ̃α (PIN)
1.0
0.5
G̃α (PIN)
0
0.0
0.2
0.4
0.6
0.8
0.0
1.0
success rate α
April 5, 2012
31 / 62
No single metric can represent all attacks
Non-comparability with H1
Given any δ, α, β there exists a distribution X such that:
λ̃β (X ) < H1 (X ) − δ
µ̃α (X ) < H1 (X ) − δ
G̃α (X ) < H1 (X ) − δ
Non-comparability between different α
Given any δ, α1 , α2 there exists a distribution X such that:
µ̃α1 (X ) < µ̃α2 (X )
G̃α1 (X ) < G̃α2 (X )
April 5, 2012
32 / 62
Summary of guessing metrics
H1 doesn’t apply to guessing
G1 is unrealistic
G̃α for α < 1 is the best metric
But...
µ̃α when comparing to cracking results
λ̃β for online attacks
April 5, 2012
33 / 62
G1 is unrealistic
But...
April 5, 2012
33 / 62
G1 is unrealistic
But...
April 5, 2012
33 / 62
G1 is unrealistic
But...
April 5, 2012
33 / 62
Goal #2
Collect large-scale data in a privacy-preserving
manner
April 5, 2012
33 / 62
Whither the RockYou data?
No demographic info
“Just” a photo-sharing website
Ethical concerns:
Serge Egelman, Joseph Bonneau, Sonia Chiasson, David Dittrich and Stuart Schechter.
Its Not Stealing If You Need It: A Panel on The Ethics of Performing Research Using Public
Data of Illicit Origin. 2012 Workshop on Ethics in Computer Security Research.
April 5, 2012
33 / 62
Collecting large-scale data at Yahoo!
Internet
user: joe
pass: 12345
Collection
Proxy
12345
Login
Server
April 5, 2012
34 / 62
Internet
user: joe
pass: 12345
Collection
Proxy
H(12345)
Login
Server
April 5, 2012
34 / 62
Internet
user: joe
pass: 12345
Collection
Proxy
K
H(K||12345)
Login
Server
April 5, 2012
34 / 62
Internet
user: joe
pass: 12345
SELECT gender, lang, age
FROM users
WHERE user = joe
User
database
m, en, 21-34
Collection
Proxy
K
H(K||12345)
m, en, 21-34
Login
Server
April 5, 2012
34 / 62
Internet
user: joe
pass: 12345
SELECT gender, lang, age
FROM users
WHERE user = joe
User
database
m, en, 21-34
H(K||12345)
Collection
Proxy
K
gender=m
H(K||12345)
user: joe
pass: 123456
H(joe)?
H(K||12345)
Seen
users
lang=en
Login
Server
age=21-34
April 5, 2012
34 / 62
Internet
gender=m
Login
Server
lang=en
age=21-34
April 5, 2012
34 / 62
Experiment run May 23–25, 2011
69,301,337 unique users
42.5% unique
328 different predicate functions
April 5, 2012
34 / 62
Goal #3
Approximate metrics using a random sample
April 5, 2012
34 / 62
Reminder: guessing curves
14
H0 &
12
4.0
G̃1 & 3.5
H1 →
10
3.0
bits
H2 →
2.0
dits
2.5
8
6
4
1.5
- H∞
µ̃α (U104 )/G̃α (U104 )
µ̃α (U103 )/G̃α (U103 )
2
µ̃α (PIN)
1.0
0.5
G̃α (PIN)
0
0.0
0.2
0.4
0.6
0.8
0.0
1.0
success rate α
April 5, 2012
35 / 62
Sample size is a major problem for passwords...
25
marginal guesswork µ̃α (bits)
20
15
10
M = 69, 301, 337 (full)
5
M = 10, 000, 000 (sampled)
M = 1, 000, 000 (sampled)
M = 100, 000 (sampled)
0
0.0
0.2
0.4
0.6
0.8
1.0
success rate α
April 5, 2012
36 / 62
Low-frequency blindness theorem (Valiant)
Given a sample of size M
Want to approximate f
If there exist distributions X , Y such that f (X ) = f (Y) = δ and
X , Y are isomorphic for all events with p ≥ M1 , then we can’t
compute f to within any accuracy δ using M samples
Related: Canonical Testing Theorem
April 5, 2012
37 / 62
April 5, 2012
37 / 62
April 5, 2012
37 / 62
Theoretical results
25
Ĥ0
G̃ˆ1
metric value (bits)
20
Ĥ1
ˆ0.25
µ̃
ˆ
G̃
0.25
15
ˆ
λ̃
10
ˆ
λ̃
1
10
5
10
12
14
16
18
lg M
20
22
24
26
April 5, 2012
38 / 62
Known negatives
No non-parametric method of estimating N
Estimating H1 requires O( lnNN ) samples (Valiant & Valiant, 2011)
April 5, 2012
39 / 62
We can predict our confidence range by bootstrapping
25
Ĥ0
G̃ˆ1
metric value (bits)
20
Ĥ1
ˆ0.25
µ̃
ˆ
G̃
0.25
15
ˆ
λ̃
10
ˆ
λ̃
1
10
5
10
12
14
16
18
lg M
20
22
24
26
April 5, 2012
40 / 62
We can predict our confidence range by bootstrapping
25
α-work-factor µ̃α (bits)
20
15
10
M = 69, 301, 337 (full)
5
M = 10, 000, 000 (sampled)
M = 1, 000, 000 (sampled)
M = 500, 000 (sampled)
0
0.0
0.2
0.4
0.6
0.8
1.0
success rate α
April 5, 2012
41 / 62
We can parametrically extend our approximation
Simple power-law distribution: Pr[p(x) > y ] ∝ y 1−a
Unfortunately, a varies strongly with sample size:
M
â
69M
2.99
10M
3.23
1M
3.70
100k
4.21
April 5, 2012
42 / 62
Generalized inverse-Gaussian Poisson (Sichel) distributiona :
p
−b
2c
2g−1 pg−1 e c 4p
ψ(p|b, c, g) =
(bc)g · Kg (b)
Probability of k observations given pdf ψ:
R1
Pr[k obs.] =
0
1
(p·M)k ·e−p·M
ψ(p)dp
k!
R1
− 0 e−p·M ψ(p)dp
optimize b, c, g by maximizing:
Likelihood =
N̂
Y
Pr[fi obs.]
i=1
a
Kg is the modified Bessel function of the second kind.
April 5, 2012
43 / 62
25
20
15
10
M = 69, 301, 337 (full)
5
M = 10, 000, 000 (sampled)
M = 1, 000, 000 (sampled)
M = 500, 000 (sampled)
0
0.0
0.2
0.4
0.6
0.8
1.0
success rate α
April 5, 2012
44 / 62
35
30
25
20
15
10
M = 69, 301, 337 (full)
M = 10, 000, 000 (sampled)
5
M = 1, 000, 000 (sampled)
M = 500, 000 (sampled)
0
0.0
0.2
0.4
0.6
0.8
1.0
success rate α
April 5, 2012
45 / 62
Goal #4
Analyse data
April 5, 2012
45 / 62
How secure are Yahoo! passwords
30
α-guesswork G̃α (bits)
25
20
15
10
Yahoo [2011]
BHeroes [2011]
5
Gawker [2010]
RockYou [2009]
0
0.0
0.2
0.4
0.6
0.8
1.0
success rate α
April 5, 2012
46 / 62
30
Yahoo [2011]
25
BHeroes [2011]
Gawker [2010]
RockYou [2009]
20
Morris et al. [1979]
Klein [1990]
Spafford [1992]
15
Wu [1999]
Kuo [2006]
10
Schneier [2006]
5
0
0.0
0.1
0.2
0.3
success rate α
0.4
0.5
April 5, 2012
47 / 62
25
20
15
10
1-word phrase
2-word phrase
3-word phrase
4-word phrase
2 random words
Yahoo password
5
0
0.0
0.1
0.2
0.3
0.4
0.5
success rate α
April 5, 2012
48 / 62
Demographic trends
35
30
25
20
15
all users
United States
China
Brazil
India
Indonesia
10
5
0
0.0
0.2
0.4
0.6
0.8
1.0
success rate α
April 5, 2012
49 / 62
Demographic trends
30
25
20
15
10
age
age
age
age
age
5
0
0.0
0.2
0.4
0.6
0.8
13-24
25-34
35-44
45-54
55+
1.0
success rate α
April 5, 2012
50 / 62
Demographic trends
30
25
20
15
10
5
all users
retail users
0
0.0
0.2
0.4
0.6
0.8
1.0
success rate α
April 5, 2012
51 / 62
Demographic trends
30
25
20
15
10
all users
Registration v2
Registration v3
5
0
0.0
0.2
0.4
0.6
0.8
1.0
success rate α
April 5, 2012
52 / 62
Demographic summary
Differences small but detectable
Online attack λ̃10 = 6–9 bits
Offline attack G̃0.5 = 15–25 bits
There is no “good group” of users
April 5, 2012
53 / 62
Surprisingly little lanuage variation
target
de
en
es
fr
id
it
ko
pt
zh
vi
de
6.5%
4.6%
5.0%
4.0%
6.3%
6.0%
2.0%
3.9%
1.9%
5.7%
en
3.3%
8.0%
5.6%
4.2%
8.7%
6.3%
2.6%
4.3%
2.4%
7.7%
es
2.6%
4.2%
12.1%
3.4%
6.2%
6.8%
1.9%
5.8%
1.7%
5.5%
fr
2.9%
4.3%
4.6%
10.0%
6.3%
5.3%
1.8%
3.8%
1.7%
5.8%
id
2.2%
4.5%
4.1%
2.9%
14.9%
4.6%
2.3%
3.9%
2.0%
6.3%
it
2.8%
4.3%
6.1%
3.2%
6.2%
14.6%
2.0%
4.4%
2.0%
5.7%
ko
1.6%
3.4%
3.1%
2.2%
5.8%
3.3%
5.8%
3.5%
2.9%
6.0%
pt
2.1%
3.5%
6.3%
3.1%
6.0%
5.7%
2.4%
11.1%
1.8%
5.8%
zh
2.0%
4.4%
3.6%
2.7%
6.7%
4.0%
3.7%
3.9%
4.4%
7.0%
vi
1.6%
3.5%
2.9%
2.1%
5.9%
3.2%
2.2%
2.9%
2.0%
14.3%
global
dictionary
3.5%
7.9%
6.9%
5.0%
9.3%
7.2%
2.8%
5.1%
2.9%
7.8%
For β = 1000, greatest efficiency loss is only 4.8 (fr/vi)
April 5, 2012
54 / 62
For more on Yahoo! passwords
Joseph Bonneau.
The science of guessing: analyzing an anonymized corpus of 70 million passwords. IEEE
Security & Privacy, 2012.
April 5, 2012
55 / 62
Statistical analysis of passwords
property
semantic
cracking
statistical
sound
no operator bias
no demographic bias
repeatable
practical
works with small data
April 5, 2012
56 / 62
Putting it all together
30
25
password (Yahoo)
password (RockYou)
surname (Facebook)
20
forename (Facebook)
PIN (iPhone)
password [Morris]
15
password [Klein]
password [Spafford]
10
mnemonic [Kuo]
Faces [Davis]
PassPoints [Thorpe]
5
0
0.0
0.1
0.2
0.3
success rate α
0.4
0.5
April 5, 2012
57 / 62
The future of passwords
Retire passwords from most current roles
Avoid aggregating large databases of credentials
Figure out what humans can actually remember...
April 5, 2012
58 / 62
A long road ahead
Results from a study of password authentication in the wild:
29–40% of websites don’t hash passwords during storage
41% of websites don’t use any encryption for password
submission
22% do so incompletely
84% of websites don’t rate-limit against guessing attacks
97% of websites leak usernames to simple
Joseph Bonneau and Sören Preibusch.
The password thicket: technical and market failures in human authentication on the web.
Workshop on the Economics of Information Security, 2010.
April 5, 2012
59 / 62
Thank you
[email protected]
Other projects on authentication
April 5, 2012
59 / 62
Human choice of PINs
18
95
17
90
16
85
80
15
75
14
65
13
60
12
55
50
11
45
10
40
− log2 p(PIN)
Second two PIN digits
70
9
35
30
8
25
7
20
15
6
10
5
05
00
00
05
10
15
20
25
30
35
40
45
50
55
60
65
70
75
80
85
90
95
4
First two PIN digits
April 5, 2012
60 / 62
The economics of password collection
April 5, 2012
61 / 62
Passwords and character encoding
parol~
=
пароль
=
%26%231087%3B%26%231072%3B%26%231088%3B
%26%231086%3B%26%231083%3B%26%231100%3B
6 → 42 → 78
April 5, 2012
62 / 62
Passwords and character encoding
parol~
=
пароль
=
%26%231087%3B%26%231072%3B%26%231088%3B
%26%231086%3B%26%231083%3B%26%231100%3B
6 → 42 → 78
April 5, 2012
62 / 62

Empire City Casino Online

Transcription

Similar documents

pneumatic actuator eb-dw, double acting