Empire City Casino Online
Transcription
Empire City Casino Online
G UESSING HUMAN - CHOSEN SECRETS Joseph Bonneau [email protected] Computer Laboratory Microsoft Research Cambridge, UK April 5, 2012 Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 1 / 62 Password research? In 2012?? Compatible Time-Sharing System, MIT 1961 Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 2 / 62 What are passwords good for? property Memorywise-Effortless Scalable-for-Users Nothing-to-Carry Physically-Effortless Easy-to-Learn Efficient-to-Use Infrequent-Errors Easy-Recovery-from-Loss Accessible Negligible-Cost-per-User Server-Compatible Browser-Compatible Mature Non-Proprietary Resilient-to-Physical-Observation Resilient-to-Targeted-Impersonation Resilient-to-Throttled-Guessing Resilient-to-Unthrottled-Guessing Resilient-to-Internal-Observation Resilient-to-Leaks-from-Other-Verifiers Resilient-to-Phishing Resilient-to-Theft No-Trusted-Third-Party Requiring-Explicit-Consent Unlinkable Joseph Bonneau (University of Cambridge) password Guessing human-chosen secrets April 5, 2012 3 / 62 Automated password managers? property Memorywise-Effortless Scalable-for-Users Nothing-to-Carry Physically-Effortless Easy-to-Learn Efficient-to-Use Infrequent-Errors Easy-Recovery-from-Loss Accessible Negligible-Cost-per-User Server-Compatible Browser-Compatible Mature Non-Proprietary Resilient-to-Physical-Observation Resilient-to-Targeted-Impersonation Resilient-to-Throttled-Guessing Resilient-to-Unthrottled-Guessing Resilient-to-Internal-Observation Resilient-to-Leaks-from-Other-Verifiers Resilient-to-Phishing Resilient-to-Theft No-Trusted-Third-Party Requiring-Explicit-Consent Unlinkable Joseph Bonneau (University of Cambridge) password Firefox Guessing human-chosen secrets April 5, 2012 4 / 62 Graphical passwords? property Memorywise-Effortless Scalable-for-Users Nothing-to-Carry Physically-Effortless Easy-to-Learn Efficient-to-Use Infrequent-Errors Easy-Recovery-from-Loss Accessible Negligible-Cost-per-User Server-Compatible Browser-Compatible Mature Non-Proprietary Resilient-to-Physical-Observation Resilient-to-Targeted-Impersonation Resilient-to-Throttled-Guessing Resilient-to-Unthrottled-Guessing Resilient-to-Internal-Observation Resilient-to-Leaks-from-Other-Verifiers Resilient-to-Phishing Resilient-to-Theft No-Trusted-Third-Party Requiring-Explicit-Consent Unlinkable Joseph Bonneau (University of Cambridge) password Firefox Guessing human-chosen secrets PCCP April 5, 2012 5 / 62 Smartphones as a hardware token? property Memorywise-Effortless Scalable-for-Users Nothing-to-Carry Physically-Effortless Easy-to-Learn Efficient-to-Use Infrequent-Errors Easy-Recovery-from-Loss Accessible Negligible-Cost-per-User Server-Compatible Browser-Compatible Mature Non-Proprietary Resilient-to-Physical-Observation Resilient-to-Targeted-Impersonation Resilient-to-Throttled-Guessing Resilient-to-Unthrottled-Guessing Resilient-to-Internal-Observation Resilient-to-Leaks-from-Other-Verifiers Resilient-to-Phishing Resilient-to-Theft No-Trusted-Third-Party Requiring-Explicit-Consent Unlinkable Joseph Bonneau (University of Cambridge) password Firefox Guessing human-chosen secrets PCCP SMS April 5, 2012 6 / 62 Biometrics? property Memorywise-Effortless Scalable-for-Users Nothing-to-Carry Physically-Effortless Easy-to-Learn Efficient-to-Use Infrequent-Errors Easy-Recovery-from-Loss Accessible Negligible-Cost-per-User Server-Compatible Browser-Compatible Mature Non-Proprietary Resilient-to-Physical-Observation Resilient-to-Targeted-Impersonation Resilient-to-Throttled-Guessing Resilient-to-Unthrottled-Guessing Resilient-to-Internal-Observation Resilient-to-Leaks-from-Other-Verifiers Resilient-to-Phishing Resilient-to-Theft No-Trusted-Third-Party Requiring-Explicit-Consent Unlinkable Joseph Bonneau (University of Cambridge) password Firefox Guessing human-chosen secrets PCCP SMS Iris April 5, 2012 7 / 62 Federated authentication? property Memorywise-Effortless Scalable-for-Users Nothing-to-Carry Physically-Effortless Easy-to-Learn Efficient-to-Use Infrequent-Errors Easy-Recovery-from-Loss Accessible Negligible-Cost-per-User Server-Compatible Browser-Compatible Mature Non-Proprietary Resilient-to-Physical-Observation Resilient-to-Targeted-Impersonation Resilient-to-Throttled-Guessing Resilient-to-Unthrottled-Guessing Resilient-to-Internal-Observation Resilient-to-Leaks-from-Other-Verifiers Resilient-to-Phishing Resilient-to-Theft No-Trusted-Third-Party Requiring-Explicit-Consent Unlinkable Joseph Bonneau (University of Cambridge) password Firefox Guessing human-chosen secrets PCCP SMS Iris April 5, 2012 OpenID 8 / 62 There is no clear alternative to passwords... Reference Memory-wise-Effortless Scalable-for-users Nothing-to-Carry Manually-Effortless Easy-to-Learn Efficient-to-Use Infrequent-Errors Easy-Recovery-from-Loss Accessible Negligible-Cost-per-User Server-Compatible Browser-Compatible Mature Non-Proprietary Resilient-to-Physical-Observation Resilient-to-Targeted-Impersonation Resilient-to-Throttled-Guessing Resilient-to-Unthrottled-Guessing Resilient-to-Internal-Observation Resilient-to-Leaks-from-Other-Verifiers Resilient-to-Phishing Resilient-to-Theft No-Trusted-Third-Party Requiring-Explicit-Consent Unlinkable Table I C OMPARATIVE EVALUATION OF THE VARIOUS SCHEMES WE EXAMINED Category Scheme (Incumbent) Web passwords III [13] Firefox IV-A1 Password managers LastPass IV-A2 URRSA IV-B1 [5] Proxy Impostor ?? [21] OpenID IV-C1 [25] MS Passport IV-C2 [29] FBConnect IV-C3 [31] Federated BrowserID IV-C4 [33] OTP over email IV-C5 [37] PCCP IV-D1 [7] Graphical PassGo IV-D2 [93] GridSure IV-E1 [51] Weinshall ?? [47] Cognitive Hopper Blum ?? [48] Word Association ?? [50] OTPW IV-F1 [54] S/KEY IV-F2 [53] Paper tokens PIN+TAN IV-F3 [56] Visual crypto PassWindow IV-G1 [61] RSA SecurID IV-H1 [63] Yubikey IV-H2 [65] IV-H3 [67] Hardware tokens Ironkey CAP reader IV-H4 [68] Pico IV-H5 [8] Phoolproof IV-I1 [70] Cronto IV-I2 MP-Auth IV-I3 [6] Phone-based OTP over SMS IV-I4 Google 2-Step IV-I5 [73] Fingerprint IV-J1 [75] Iris IV-J2 [76] Biometric Voice IV-J3 [77] Personal knowledge IV-K1 [83] Preference-based IV-K2 [91] Recovery Social re-auth. ?? [94] = offers the benefit; = almost offers the benefit; no symbol = no benefit. = better than passwords; = worse than passwords; no background = no change. We group related schemes into categories. For space reasons, our Oakland paper [1] describes at most one scheme per category, but this tech report discusses them all. 9 / 62 April 5, 2012 Guessing human-chosen secrets Joseph Bonneau (University of Cambridge) Described in section Joseph Bonneau, Cormac Herley, Paul van Oorschot, and Frank Stajano. “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes”, IEEE Security & Privacy, 2012. The “last mile” of authentication Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 10 / 62 What’s harder to guess? 1 A Cambridge student’s password or an Oxford student’s? 2 A human-chosen 4-digit PIN or a random 3-digit PIN? 3 A password or a stranger’s surname? Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 11 / 62 Semantic password evaluation year 1989 1992 1999 1999 2004 2006 2010 2009 study Riddle et al. Spafford Wu Zviran and Haga Campbell and Bryant Cazier and Medlin Devillers et al. RockYou data Joseph Bonneau (University of Cambridge) length 4.4 6.8 7.5 5.7 8.0 7.4 7.9 7.9 Guessing human-chosen secrets % digits 3.5 31.7 25.7 19.2 78.0 35.0 54.0 44.4 % special — 14.8 4.1 0.7 3.0 1.3 3.4 2.6 April 5, 2012 12 / 62 Table A.1 – Estimated Password Guessing Entropy in bits vs. Password Length Semantic password evaluation User Chosen 94 Character Alphabet Length Char. 1 2 3 4 5 6 7 8 10 12 14 16 18 20 22 24 30 40 No Checks 4 6 8 10 12 14 16 18 21 24 27 30 33 36 38 40 46 56 Dictionary Rule 14 17 20 22 24 26 28 30 32 34 36 38 40 46 56 Dict. & Comp. Rule 16 20 23 27 30 32 34 36 38 40 42 44 46 52 62 Randomly Chosen 10 char. alphabet 94 char alphabet 3 5 7 9 10 11 12 13 15 17 19 21 23 25 27 29 35 45 3.3 6.7 10.0 13.3 16.7 20.0 23.3 26.6 33.3 40.0 46.6 53.3 59.9 66.6 73.3 79.9 99.9 133.2 6.6 13.2 19.8 26.3 32.9 39.5 46.1 52.7 65.9 79.0 92.2 105.4 118.5 131.7 144.7 158.0 197.2 263.4 NIST “entropy” formula Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 13 / 62 Evaluating passwords via cracking tools Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 14 / 62 Evaluating passwords via cracking tools 35 30 µ = lg(dictionary size) 25 20 Morris and Thompson [1979] Klein [1990] Spafford [1992] 15 Wu [1999] Kuo [2006] 10 Schneier [2006] Dell’Amico (it) [2010] 5 Dell’Amico (fi) [2010] Dell’Amico (en) [2010] 0 0.0 0.1 0.2 Joseph Bonneau (University of Cambridge) 0.3 0.4 0.5 0.6 α = proportion of passwords guessed Guessing human-chosen secrets 0.7 0.8 0.9 April 5, 2012 15 / 62 Evaluating passwords via cracking tools 35 30 µ = lg(dictionary size/α) 25 20 Morris and Thompson [1979] Klein [1990] Spafford [1992] 15 Wu [1999] Kuo [2006] 10 Schneier [2006] Dell’Amico (it) [2010] 5 Dell’Amico (fi) [2010] Dell’Amico (en) [2010] 0 0.0 0.1 0.2 Joseph Bonneau (University of Cambridge) 0.3 0.4 0.5 0.6 α = proportion of passwords guessed Guessing human-chosen secrets 0.7 0.8 0.9 April 5, 2012 16 / 62 Evaluating passwords via cracking tools 45 40 µ = lg(dictionary size/α) 35 30 25 20 15 passwords (various) mnemonic password Draw-a-secret PassPoints Faces 10 5 0 0.0 0.1 Joseph Bonneau (University of Cambridge) 0.2 0.3 0.4 0.5 α = proportion of passwords guessed Guessing human-chosen secrets 0.6 0.7 April 5, 2012 17 / 62 Desiderata for evaluating human-chosen secrets sound repeatable no operator bias no demographic bias practical Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 18 / 62 Massive password data sets available for the first time 290729 79076 76789 59462 49952 33291 21725 20901 20553 16648 123456 12345 123456789 password iloveyou princess 1234567 rockyou 12345678 abc123 Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 19 / 62 Dissertation: Guessing human-chosen secrets 1 Develop statistical guessing metrics 2 Collect large-scale data in a privacy-preserving manner 3 Approximate metrics using a random sample 4 Analyse data! Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 20 / 62 Goal #1 Develop statistical guessing metrics Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 20 / 62 Framework Assume a completely-known distribution X X has N events (passwords) x1 , x2 , . . . Events have probability p1 ≥ p2 ≥ . . . ≥ pN ≥ 0 R Each user chooses at random X ← X Question: How hard is it to guess X ? Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 21 / 62 Shannon entropy H1 (X ) = − N X pi lg pi i=1 Interpretation: Expected number of queries “Is X ∈ S?” for arbitrary subsets S ⊆ X needed to guess X . (Source-Coding Theorem) Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 22 / 62 Guesswork (guessing entropy) N h i X R G1 (X ) = E #guesses (X ← X ) = pi · i i=1 Intepretation: Expected number of queries “Is X = xi ?” for i = 1, 2, . . . , N (optimal sequential guessing) Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 23 / 62 G1 fails badly for real password distributions 1,ed65e09b98bdc70576d6c5f5e2ee38a9 1,e54d409c55499851aeb25713c1358484 1,dee489981220f2646eb8b3f412c456d9 1,c4df8d8e225232227c84d0ed8439428a 1,bd9059497b4af2bb913a8522747af2de 1,b25d6118ffc44b12b014feb81ea68e49 1,aac71eb7307f4c54b12c92d9bd45575f 1,9475d62e1f8b13676deab3824492367a 1,92965710534a9ec4b30f27b1e7f6062a 1,80f5a0267920942a73693596fe181fb7 1,76882fb85a1a8c6a83486aba03c031c9 1,6a60e0e51a3eb2e9fed6a546705de1bf 1,6843b9efec36f428deabce22c0fc1805 1,5dfbcd6390b77d06df9027c8d7d4fe84 1,4374968e935a9a0f8d56785ea682eb5f 1,0753929001291091112580111091991a 1,0410412e7194adc1b419a87a47979c36 ... Random 128-bit passwords in the wild at RockYou (∼ 2−20 ) Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 24 / 62 G1 fails badly for real password distributions Lemma: For a mixture distribution Z =p·X +q·Y we have G1 (Z) ≥ p · G1 (X ) + q · G1 (Y) Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 25 / 62 G1 fails badly for real password distributions Lemma: For a mixture distribution Z =p·X +q·Y we have G1 (Z) ≥ p · G1 (X ) + q · G1 (Y) Therefore, for real passwords P, we have: G1 (P) ≥ p · G1 (X ) + 2−20 · G1 (U2128 ) G1 (P) > 2107 Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 25 / 62 Optimal attacks will give up on the hardest values R New goal: Correctly guess k of m values X1 , X2 . . . XM ← X Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 26 / 62 Optimal attacks will give up on the hardest values Name #1 Smith Jones Johnson ... Ytterock Zdrzynski Name #2 Smith Jones Johnson ... Ytterock Zdrzynski Joseph Bonneau (University of Cambridge) Name #3 Smith Jones Johnson ... Ytterock Zdrzynski ... ... ... ... ... ... ... Guessing human-chosen secrets Name #m Smith Jones Johnson ... Ytterock Zdrzynski April 5, 2012 27 / 62 Optimal attacks will give up on the hardest values Name #1 Smith Jones Johnson ... Ytterock Zdrzynski Name #2 Smith Jones Johnson ... Ytterock Zdrzynski Joseph Bonneau (University of Cambridge) Name #3 Smith Jones Johnson ... Ytterock Zdrzynski ... ... ... ... ... ... ... Guessing human-chosen secrets Name #m Smith Jones Johnson ... Ytterock Zdrzynski April 5, 2012 28 / 62 Optimal attacks will give up on the hardest values Name #1 Smith Jones Johnson ... Ytterock Zdrzynski Name #2 Smith Jones Johnson ... Ytterock Zdrzynski Name #3 Smith Jones Johnson ... Ytterock Zdrzynski ... ... ... ... ... ... ... Name #m Smith Jones Johnson ... Ytterock Zdrzynski (obvious optimal strategy) Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 29 / 62 Partial guessing—model attackers who give up β-success-rate Success rate after β guesses: λβ (X ) = β X pi i=1 α-work-factor Dictionary size needed for α success probability: µ ( ) X µα (X ) = min µ ∈ [1, N] pi ≥ α i=1 Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 30 / 62 Partial guessing—model attackers who give up β-success-rate Success rate after β guesses: λβ (X ) = β X pi i=1 α-work-factor Dictionary size needed for α success probability: µ ( ) X µα (X ) = min µ ∈ [1, N] pi ≥ α i=1 Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 30 / 62 α-guesswork—attackers get to quit early µα (X ) Gα (X ) = (1 − dαe) · µα (X ) + X i=1 pi · i Intepretation: Expected number of guesses to succeed with probability α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 31 / 62 Guessing curves visualise all possible attacks 10000 µα (U104 ) µα (U103 ) dictionary size/number of guesses 8000 µα (PIN) Gα (PIN) 6000 4000 2000 0 0.0 0.2 0.4 0.6 0.8 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 32 / 62 For more on PIN statistics Joseph Bonneau, Sören Preibusch and Ross Anderson. A birthday present every eleven wallets? The security of customer-chosen banking PINs. Financial Crypto 2012. Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 33 / 62 All metrics convertible to bits Find the size of a uniform distribution UN with equivalent security Easy cases: λ̃β (X ) = lg β λβ (X ) µ̃α (X ) = lg µα (X ) dαe More complicated: G̃α (X ) = lg h 2·Gα (X ) dαe i − 1 − lg(2 − dαe) Sanity check: λ̃β (UN ) = µ̃α (UN ) = G̃α (UN ) = lg N Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 33 / 62 All metrics convertible to bits Find the size of a uniform distribution UN with equivalent security Easy cases: λ̃β (X ) = lg β λβ (X ) µ̃α (X ) = lg µα (X ) dαe More complicated: G̃α (X ) = lg h 2·Gα (X ) dαe i − 1 − lg(2 − dαe) Sanity check: λ̃β (UN ) = µ̃α (UN ) = G̃α (UN ) = lg N Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 32 / 62 All metrics convertible to bits Find the size of a uniform distribution UN with equivalent security Easy cases: λ̃β (X ) = lg β λβ (X ) µ̃α (X ) = lg µα (X ) dαe More complicated: G̃α (X ) = lg h 2·Gα (X ) dαe i − 1 − lg(2 − dαe) Sanity check: λ̃β (UN ) = µ̃α (UN ) = G̃α (UN ) = lg N Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 31 / 62 All metrics convertible to bits Find the size of a uniform distribution UN with equivalent security Easy cases: λ̃β (X ) = lg β λβ (X ) µ̃α (X ) = lg µα (X ) dαe More complicated: G̃α (X ) = lg h 2·Gα (X ) dαe i − 1 − lg(2 − dαe) Sanity check: λ̃β (UN ) = µ̃α (UN ) = G̃α (UN ) = lg N Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 30 / 62 Guessing curves visualise all possible attacks 10000 µα (U104 ) µα (U103 ) dictionary size/number of guesses 8000 µα (PIN) Gα (PIN) 6000 4000 2000 0 0.0 0.2 0.4 0.6 0.8 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 31 / 62 Guessing curves visualise all possible attacks 14 H0 & 12 4.0 G̃1 & 3.5 H1 → 10 3.0 bits H2 → 2.0 dits 2.5 8 6 4 1.5 - H∞ µ̃α (U104 )/G̃α (U104 ) µ̃α (U103 )/G̃α (U103 ) 2 µ̃α (PIN) 1.0 0.5 G̃α (PIN) 0 0.0 0.2 0.4 0.6 0.8 0.0 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 31 / 62 No single metric can represent all attacks Non-comparability with H1 Given any δ, α, β there exists a distribution X such that: λ̃β (X ) < H1 (X ) − δ µ̃α (X ) < H1 (X ) − δ G̃α (X ) < H1 (X ) − δ Non-comparability between different α Given any δ, α1 , α2 there exists a distribution X such that: µ̃α1 (X ) < µ̃α2 (X ) G̃α1 (X ) < G̃α2 (X ) Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 32 / 62 Summary of guessing metrics H1 doesn’t apply to guessing G1 is unrealistic G̃α for α < 1 is the best metric But... µ̃α when comparing to cracking results λ̃β for online attacks Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 33 / 62 Summary of guessing metrics H1 doesn’t apply to guessing G1 is unrealistic G̃α for α < 1 is the best metric But... µ̃α when comparing to cracking results λ̃β for online attacks Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 33 / 62 Summary of guessing metrics H1 doesn’t apply to guessing G1 is unrealistic G̃α for α < 1 is the best metric But... µ̃α when comparing to cracking results λ̃β for online attacks Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 33 / 62 Summary of guessing metrics H1 doesn’t apply to guessing G1 is unrealistic G̃α for α < 1 is the best metric But... µ̃α when comparing to cracking results λ̃β for online attacks Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 33 / 62 Goal #2 Collect large-scale data in a privacy-preserving manner Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 33 / 62 Whither the RockYou data? No demographic info “Just” a photo-sharing website Ethical concerns: Serge Egelman, Joseph Bonneau, Sonia Chiasson, David Dittrich and Stuart Schechter. Its Not Stealing If You Need It: A Panel on The Ethics of Performing Research Using Public Data of Illicit Origin. 2012 Workshop on Ethics in Computer Security Research. Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 33 / 62 Collecting large-scale data at Yahoo! Internet user: joe pass: 12345 Collection Proxy 12345 Login Server Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 34 / 62 Collecting large-scale data at Yahoo! Internet user: joe pass: 12345 Collection Proxy H(12345) Login Server Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 34 / 62 Collecting large-scale data at Yahoo! Internet user: joe pass: 12345 Collection Proxy K H(K||12345) Login Server Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 34 / 62 Collecting large-scale data at Yahoo! Internet user: joe pass: 12345 SELECT gender, lang, age FROM users WHERE user = joe User database m, en, 21-34 Collection Proxy K H(K||12345) m, en, 21-34 Login Server Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 34 / 62 Collecting large-scale data at Yahoo! Internet user: joe pass: 12345 SELECT gender, lang, age FROM users WHERE user = joe User database m, en, 21-34 H(K||12345) Collection Proxy K gender=m H(K||12345) user: joe pass: 123456 H(joe)? H(K||12345) Seen users lang=en Login Server age=21-34 Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 34 / 62 Collecting large-scale data at Yahoo! Internet gender=m Login Server lang=en age=21-34 Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 34 / 62 Collecting large-scale data at Yahoo! Experiment run May 23–25, 2011 69,301,337 unique users 42.5% unique 328 different predicate functions Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 34 / 62 Goal #3 Approximate metrics using a random sample Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 34 / 62 Reminder: guessing curves 14 H0 & 12 4.0 G̃1 & 3.5 H1 → 10 3.0 bits H2 → 2.0 dits 2.5 8 6 4 1.5 - H∞ µ̃α (U104 )/G̃α (U104 ) µ̃α (U103 )/G̃α (U103 ) 2 µ̃α (PIN) 1.0 0.5 G̃α (PIN) 0 0.0 0.2 0.4 0.6 0.8 0.0 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 35 / 62 Sample size is a major problem for passwords... 25 marginal guesswork µ̃α (bits) 20 15 10 M = 69, 301, 337 (full) 5 M = 10, 000, 000 (sampled) M = 1, 000, 000 (sampled) M = 100, 000 (sampled) 0 0.0 0.2 0.4 0.6 0.8 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 36 / 62 Low-frequency blindness theorem (Valiant) Given a sample of size M Want to approximate f If there exist distributions X , Y such that f (X ) = f (Y) = δ and X , Y are isomorphic for all events with p ≥ M1 , then we can’t compute f to within any accuracy δ using M samples Related: Canonical Testing Theorem Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 37 / 62 Low-frequency blindness theorem (Valiant) Given a sample of size M Want to approximate f If there exist distributions X , Y such that f (X ) = f (Y) = δ and X , Y are isomorphic for all events with p ≥ M1 , then we can’t compute f to within any accuracy δ using M samples Related: Canonical Testing Theorem Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 37 / 62 Low-frequency blindness theorem (Valiant) Given a sample of size M Want to approximate f If there exist distributions X , Y such that f (X ) = f (Y) = δ and X , Y are isomorphic for all events with p ≥ M1 , then we can’t compute f to within any accuracy δ using M samples Related: Canonical Testing Theorem Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 37 / 62 Theoretical results 25 Ĥ0 G̃ˆ1 metric value (bits) 20 Ĥ1 ˆ0.25 µ̃ ˆ G̃ 0.25 15 ˆ λ̃ 10 ˆ λ̃ 1 10 5 10 12 14 Joseph Bonneau (University of Cambridge) 16 18 lg M 20 Guessing human-chosen secrets 22 24 26 April 5, 2012 38 / 62 Known negatives No non-parametric method of estimating N Estimating H1 requires O( lnNN ) samples (Valiant & Valiant, 2011) Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 39 / 62 We can predict our confidence range by bootstrapping 25 Ĥ0 G̃ˆ1 metric value (bits) 20 Ĥ1 ˆ0.25 µ̃ ˆ G̃ 0.25 15 ˆ λ̃ 10 ˆ λ̃ 1 10 5 10 12 Joseph Bonneau (University of Cambridge) 14 16 18 lg M 20 Guessing human-chosen secrets 22 24 26 April 5, 2012 40 / 62 We can predict our confidence range by bootstrapping 25 α-work-factor µ̃α (bits) 20 15 10 M = 69, 301, 337 (full) 5 M = 10, 000, 000 (sampled) M = 1, 000, 000 (sampled) M = 500, 000 (sampled) 0 0.0 0.2 0.4 0.6 0.8 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 41 / 62 We can parametrically extend our approximation Simple power-law distribution: Pr[p(x) > y ] ∝ y 1−a Unfortunately, a varies strongly with sample size: M â Joseph Bonneau (University of Cambridge) 69M 2.99 10M 3.23 1M 3.70 Guessing human-chosen secrets 100k 4.21 April 5, 2012 42 / 62 We can parametrically extend our approximation Generalized inverse-Gaussian Poisson (Sichel) distributiona : p −b 2c 2g−1 pg−1 e c 4p ψ(p|b, c, g) = (bc)g · Kg (b) Probability of k observations given pdf ψ: R1 Pr[k obs.] = 0 1 (p·M)k ·e−p·M ψ(p)dp k! R1 − 0 e−p·M ψ(p)dp optimize b, c, g by maximizing: Likelihood = N̂ Y Pr[fi obs.] i=1 a Kg is the modified Bessel function of the second kind. Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 43 / 62 We can parametrically extend our approximation 25 α-work-factor µ̃α (bits) 20 15 10 M = 69, 301, 337 (full) 5 M = 10, 000, 000 (sampled) M = 1, 000, 000 (sampled) M = 500, 000 (sampled) 0 0.0 0.2 0.4 0.6 0.8 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 44 / 62 We can parametrically extend our approximation 35 30 α-work-factor µ̃α (bits) 25 20 15 10 M = 69, 301, 337 (full) M = 10, 000, 000 (sampled) 5 M = 1, 000, 000 (sampled) M = 500, 000 (sampled) 0 0.0 0.2 0.4 0.6 0.8 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 45 / 62 Goal #4 Analyse data Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 45 / 62 How secure are Yahoo! passwords 30 α-guesswork G̃α (bits) 25 20 15 10 Yahoo [2011] BHeroes [2011] 5 Gawker [2010] RockYou [2009] 0 0.0 0.2 0.4 0.6 0.8 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 46 / 62 How secure are Yahoo! passwords 30 Yahoo [2011] 25 BHeroes [2011] α-work-factor µ̃α (bits) Gawker [2010] RockYou [2009] 20 Morris et al. [1979] Klein [1990] Spafford [1992] 15 Wu [1999] Kuo [2006] 10 Schneier [2006] Dell’Amico (it) [2010] Dell’Amico (fi) [2010] 5 Dell’Amico (en) [2010] 0 0.0 0.1 Joseph Bonneau (University of Cambridge) 0.2 0.3 success rate α 0.4 0.5 Guessing human-chosen secrets April 5, 2012 47 / 62 How secure are Yahoo! passwords 25 α-guesswork G̃α (bits) 20 15 10 1-word phrase 2-word phrase 3-word phrase 4-word phrase 2 random words Yahoo password 5 0 0.0 0.1 0.2 0.3 0.4 0.5 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 48 / 62 Demographic trends 35 30 α-guesswork G̃α (bits) 25 20 15 all users United States China Brazil India Indonesia 10 5 0 0.0 0.2 0.4 0.6 0.8 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 49 / 62 Demographic trends 30 α-guesswork G̃α (bits) 25 20 15 10 age age age age age 5 0 0.0 0.2 0.4 0.6 0.8 13-24 25-34 35-44 45-54 55+ 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 50 / 62 Demographic trends 30 α-guesswork G̃α (bits) 25 20 15 10 5 all users retail users 0 0.0 0.2 0.4 0.6 0.8 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 51 / 62 Demographic trends 30 α-guesswork G̃α (bits) 25 20 15 10 all users Registration v2 Registration v3 5 0 0.0 0.2 0.4 0.6 0.8 1.0 success rate α Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 52 / 62 Demographic summary Differences small but detectable Online attack λ̃10 = 6–9 bits Offline attack G̃0.5 = 15–25 bits There is no “good group” of users Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 53 / 62 Surprisingly little lanuage variation target de en es fr id it ko pt zh vi de 6.5% 4.6% 5.0% 4.0% 6.3% 6.0% 2.0% 3.9% 1.9% 5.7% en 3.3% 8.0% 5.6% 4.2% 8.7% 6.3% 2.6% 4.3% 2.4% 7.7% es 2.6% 4.2% 12.1% 3.4% 6.2% 6.8% 1.9% 5.8% 1.7% 5.5% fr 2.9% 4.3% 4.6% 10.0% 6.3% 5.3% 1.8% 3.8% 1.7% 5.8% id 2.2% 4.5% 4.1% 2.9% 14.9% 4.6% 2.3% 3.9% 2.0% 6.3% it 2.8% 4.3% 6.1% 3.2% 6.2% 14.6% 2.0% 4.4% 2.0% 5.7% ko 1.6% 3.4% 3.1% 2.2% 5.8% 3.3% 5.8% 3.5% 2.9% 6.0% pt 2.1% 3.5% 6.3% 3.1% 6.0% 5.7% 2.4% 11.1% 1.8% 5.8% zh 2.0% 4.4% 3.6% 2.7% 6.7% 4.0% 3.7% 3.9% 4.4% 7.0% vi 1.6% 3.5% 2.9% 2.1% 5.9% 3.2% 2.2% 2.9% 2.0% 14.3% global dictionary 3.5% 7.9% 6.9% 5.0% 9.3% 7.2% 2.8% 5.1% 2.9% 7.8% For β = 1000, greatest efficiency loss is only 4.8 (fr/vi) Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 54 / 62 For more on Yahoo! passwords Joseph Bonneau. The science of guessing: analyzing an anonymized corpus of 70 million passwords. IEEE Security & Privacy, 2012. Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 55 / 62 Statistical analysis of passwords property semantic cracking statistical sound no operator bias no demographic bias repeatable practical works with small data Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 56 / 62 Putting it all together 30 25 password (Yahoo) α-work-factor µ̃α (bits) password (RockYou) surname (Facebook) 20 forename (Facebook) PIN (iPhone) password [Morris] 15 password [Klein] password [Spafford] 10 mnemonic [Kuo] Faces [Davis] PassPoints [Thorpe] 5 0 0.0 0.1 Joseph Bonneau (University of Cambridge) 0.2 0.3 success rate α 0.4 0.5 Guessing human-chosen secrets April 5, 2012 57 / 62 The future of passwords Retire passwords from most current roles Avoid aggregating large databases of credentials Figure out what humans can actually remember... Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 58 / 62 A long road ahead Results from a study of password authentication in the wild: 29–40% of websites don’t hash passwords during storage 41% of websites don’t use any encryption for password submission 22% do so incompletely 84% of websites don’t rate-limit against guessing attacks 97% of websites leak usernames to simple Joseph Bonneau and Sören Preibusch. The password thicket: technical and market failures in human authentication on the web. Workshop on the Economics of Information Security, 2010. Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 59 / 62 Thank you [email protected] Other projects on authentication Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 59 / 62 Human choice of PINs 18 95 17 90 16 85 80 15 75 14 65 13 60 12 55 50 11 45 10 40 − log2 p(PIN) Second two PIN digits 70 9 35 30 8 25 7 20 15 6 10 5 05 00 00 05 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 4 First two PIN digits Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 60 / 62 The economics of password collection Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 61 / 62 Passwords and character encoding parol~ = пароль = %26%231087%3B%26%231072%3B%26%231088%3B %26%231086%3B%26%231083%3B%26%231100%3B 6 → 42 → 78 Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 62 / 62 Passwords and character encoding parol~ = пароль = %26%231087%3B%26%231072%3B%26%231088%3B %26%231086%3B%26%231083%3B%26%231100%3B 6 → 42 → 78 Joseph Bonneau (University of Cambridge) Guessing human-chosen secrets April 5, 2012 62 / 62