We want to look at how we authenticate users, and especially how we use passwords to authenticate users. Up until now we've mainly looked at algorithms and protocols: before the midterm, for encrypting data; then we moved on to authentication using public key cryptography; we've looked at hash algorithms, mentioned MACs and different authentication techniques; and we've just looked at how we manage our keys. Here we're going to look at something that is closer to the human, which is authenticating people: making sure that the person accessing a computer system is who they say they are. We'll see that passwords are the most common form of authenticating people, and we'll go through and focus mainly on passwords.

So what do we mean by user authentication? Here's a definition from a glossary: "the process of verifying a claim that a system entity or a resource has a certain attribute value." It's a very general definition. A system entity: we want to authenticate some entity. It may be some human; it may be, usually, a piece of software that's trying to access some resource. They claim that they have some attribute, for example you claim you are Steve, and our system needs to verify that claim. So we can check: are you Steve, and therefore can you access this resource? A very general definition, but we'll see it's easily described as two steps.

What we need to do is identify some user. The user presents some identification to the system. When I say a system, think of a computer system: a single computer, a network of computers, any computer system. The identification step is that the user that wants to access the system presents their ID, and you usually know that as presenting their username. To access the online quiz and homework on Moodle, you need to log in. So how do you log in?
You present your username to the system, saying this is you. That's the identification step, so that the system can identify who you're claiming to be. If I type in my username of Steve, then I'm claiming to be the user Steve. So normally there's some identity, some username. Generally it's unique amongst the set of users; every user has a different username. But it's not secret: I think most of you know or could guess my username, and you could know or guess the usernames of other people that you know. So the identity is normally not secret.

The second part is verification. You claim to be this user, but the system wants to be sure; it wants to verify: are you actually that user? How do we verify? The user presents some information, or generates some information, that acts as evidence that proves that the user is who they claim to be. The common way, you know, is using a password: if you have that password, then the system assumes that you are that user. Or a PIN: for your ATM card, when you want to get money out of the bank, you type in a PIN. Or maybe some biometric information: you want to access one of the rooms, the senior project room, you need to scan your finger, and it compares your fingerprint against a set of pre-stored information.

Often this verification step uses information which is secret, or, if it's not secret, then it should not be able to be generated by others. Whose fingerprint is secret? Look at your fingerprint. Whose fingerprint is secret? Your fingerprints are not secret, okay?
Someone could look at your finger, take a photo, but generally they cannot generate the fingerprint. So it's not necessarily secret, but it's something that they cannot generate electronically, unless they could maybe cut your finger off, but then it's not your fingerprint because it's not your finger anymore. So it's not necessarily secret, but it's something that someone else cannot generate. Passwords and PINs are secrets, whereas biometric information, your iris, your fingerprint, your voice, is something that is public but hard to generate by someone else.

So, two steps: present some ID saying this is who I claim to be, and present some proof proving you're that person. And there are different forms of presenting a proof. User authentication is everywhere in computer systems. So many computer systems use some form of user authentication; if it doesn't work well, then it presents holes or security flaws in the computer system.

In general, for these things that we use to prove who we are, there are four general approaches: something that the user, the individual, knows; something they possess, they have; something they are; or something that they do. So what are they, what are the differences here?
A password, or a PIN, or answers to questions is something that you know. That's used to prove that you're a particular person: if you know that value, then the system assumes that you're the person you claim to be. Possession is usually something physical that you have: a key to a door, or in electronic computer systems, key cards, for example a swipe key card, smart cards, USB tokens, that only you should possess, and therefore if you possess that, then the system assumes it's the correct person. Something you are, something that the individual is, refers to biometrics, but what we call static biometrics: your fingerprint, your retina, your face. Usually these are things that uniquely identify a user in a set of users, and if you possess that fingerprint, then the system assumes that it's the correct person. Something that you do is also biometrics, but things that change, dynamic biometrics. So your voice pattern: in many cases a computer system can recognize people based upon their voice patterns, so if you say some words, the audio signal generated by that person. Your handwriting. Maybe your typing rhythm. Those things that you do, if they can uniquely identify you in a set of users, can be used as this form of verification.

Give me some examples, apart from passwords on login systems and apart from your ATM. Any examples of where you use authentication? No PINs, no passwords. Where do you use authentication? Give me an example. What do you use for authentication? Anyone? Fingerprint is one. Who uses fingerprint anywhere? Yes, some of you do; some of you will also next year. Anyone else? So fingerprint, okay, a common one. What else? Any other forms of authentication you use? Eyes. Where do you just scan your eyes? No? Maybe you work at the military or a top-secret organization. All right.
Yes, in some cases. But I'm looking for your experiences. Anyone else had any other experiences of authentication? A CAPTCHA. A CAPTCHA, you know, those when you have to type in a word or a string based upon some picture. It's not very... you're right, it's not verifying who you are. It's verifying if you're human or not. They're slightly different: two different people can solve the CAPTCHA and the system cannot distinguish between those people. So a CAPTCHA is not verifying who you are. Any other examples? Key card, okay. Some people may have a key card to get into a building; by possessing that key card, the building system assumes you're the right person to enter. Any others? Sorry? Handwriting, okay. Some systems, bank systems, maybe not computer-based initially, use handwriting to recognize who you are. Blood vessels, okay, and you've experienced that? Okay, good. Where? You don't have to be personal, but to authenticate what? To get access to some organization. Okay. Yeah, there are different forms of biometrics. What's the main one you've used? Hands up for passwords. Who uses anything more often than passwords?
Okay, passwords are the main one that we use. So there are others. Passwords, a PIN, or an answer, all right; we can think of similar ones, or a passphrase, which is really just a password that can have spaces in it and can generally be longer than a typical password. But usually something you know is the main form, so we're going to focus on those, or specifically on passwords, in this topic. The others we will not look at.

We're all about authenticating humans. This is a quote from one of the secondary textbooks for this course. It says humans are large and expensive to maintain and difficult to manage, and they pollute the environment, so they're not so useful from that perspective. But, unfortunately, it's saying that it's astonishing that they can still be manufactured, but since there are so many humans around, we must design our computer systems, our protocols, around their limitations. So the point is that in many cases, for performing authentication, humans are not so good. If we want to authenticate computers, computers can remember large values; they can generate large random values; they can use algorithms to do so. Whereas humans normally cannot remember large values, large strings, and therefore they're limited, and that means that we must design our computer systems around those limitations. So humans are often the weakest link in terms of authentication, and that leads to a number of conflicts in designing authentication systems.

What's your longest password, approximately? Think about some passwords that you have. What's your password? Don't tell anyone your password; there's the first rule of passwords: you don't tell anyone what your password is. But think about maybe the length of your passwords, some of the common ones you use. Let's say less than five characters. Think of your most common password. Who has less than five characters? No one, good. What about between five and ten characters?
Common passwords that you use on a regular basis. Ten to 15 characters? Okay, so you may have multiple passwords. More than 15 characters? More than 100 characters? Okay, I think once you're getting to 15 or more, not many people have passwords longer than 15 characters, and typically longer than 10 in fact. Everyone here knows about computer security, you're IT experts, you know to have a long password, but the general population may not have long passwords. Towards the end there are some slides that give some statistics about password length, and we'll see that most of them are typically in the order of six to ten characters in length.

So we need to look at, if we use passwords to authenticate users, what are some of the possible things that can go wrong, some of the attacks, some of the issues. Password length will be one important thing. Of course many computer systems use a combination of an ID and a password. You log into a website, you need your username and your password, so that's common. How does it work? When you register for this computer system, when you register with a website, you possibly select a username and password. So when you first register, when you first access, you get to select; sometimes the system selects for you, sometimes you get to select. But there's a username and password created at the start, and those values are stored on the system. So when you register for a new account with Hotmail, or whatever it's called today, then you choose a username, you choose a password, and the server stores those values in its database. That's what happens on the registration step. Then when you subsequently try to access that website, what happens is that you submit your username and password, and quite simply the server compares the submitted values against the stored values. If they match, you're authenticated; if they don't match,
you're not authenticated. Quite simple in how it's performed, but remember there's a stored username and password initially, and you submit a username and password, and the system compares against the stored values.

What about your ID? When you got to choose... When you log into Moodle, did you get to choose your ID? We need some volunteers today; just looking for candidates to volunteer. When you log into Moodle, did you choose your ID, your username, for the Moodle website? Did you get to choose the username? What's your username? Not your password, your ID. Did you get to choose that? Did I let you choose it? No, I forced you to use your ID. When you created your email account on Gmail, Hotmail or whatever, did you get to choose a username? Yes, generally you get to choose a username. Under what conditions? Can you choose any username? Maybe for Facebook, for example, can you choose any username? What conditions? No? Why not? It needs to be unique. Okay, it's common that usernames, identities, need to be unique; they cannot be the same as an existing user. Any other conditions? It needs to be some length. Usually the username may be longer than some length and most likely shorter than some length. I think you could not have a username on Facebook which is a megabyte in length; there'll be some upper limit, and probably a lower limit. I don't think they'll allow a username of "X". So there'll be limits on length. Any other limits? Cannot use some symbols. Okay, so some characters would be limited. I think they're the common limits you'll see on usernames: the uniqueness, the length, and the characters that are possible, the character set. That's really implementation details. Secret or not? Usernames. No. Your email username, is it secret?
No, because it's in your email address. So usernames we normally assume are public, not secret. What are they used for? When I say usernames, generally an identity, it's used to identify who you are: to access some computer system, some website, to determine which user is trying to access. So when you try and log on to Facebook and enter your username, the server is trying to determine that this is the user who's trying to access. It can sometimes determine the privileges of the user: when you log into the Moodle website and your username is one of the set of student IDs, you get the privilege to do quizzes and so on; when you log in with my ID, you get the privilege to view the quiz answers, to set quizzes, and do different things. So usernames are also used for access control, to determine what particular users can do once they're authenticated. Access control meaning: what permissions do you have to access different resources? So that's the username; we'll not cover that in any more depth.

What about the password? Well, we need to look at: what is a good password? Any suggestions? Maybe the opposite: what is a bad password? A bad password is easy to remember? Well, that's a bit inconvenient if I can't remember it; how will I be able to log in? All right, so we'll look at some different schemes or password selection strategies, what's good or what's bad, and then look at some trade-offs there. So we'll look at and try and answer some of these questions.

The other aspect is, remember what the system does: when you register, let's say you get to choose a username, you get to choose a password, the system stores them, think in a database, and then when you try and log in later, you submit some values and the system compares against the stored values. One of the issues or questions is: how do we store the passwords? Why do we care?
Well, in practice, if someone can access this database of passwords, then they can learn everyone else's password. So the storage of the passwords on the system is an important issue; we'll spend some time on that.

How do you submit passwords? That is, you have the website, the server is in the US, you open your browser here in Thailand, and you type in your username and password on a form, and that username and password is sent to the server. So it's submitted to the server. Any suggestions of how that should happen? Yeah, you press the submit button. You hash it first? Maybe, yeah. We'll see the role of a hash. What else could you do? Why do we care? What we worry about is: if I type in my password on my browser, for example, and it's being sent to the web server in another country, it's being sent in the clear across the internet. So what if someone on the path between my browser and the server intercepts that packet that contains my username and password? If they can intercept, then they learn my username and password, and now my password is no longer unique, no longer secret to me. So the way to submit the password, in particular the way to communicate the password securely between browser and server, or between user application and server application, is important. So when you log into Facebook, what do you use? What do you use to make sure the submission is secure? You use your browser? Not a good enough answer. Anything else? How do you... HTTPS. Okay, so what you should be doing when you log into a website with a username and password: you want to make sure your communications are encrypted, so with web browsing, for example, use HTTPS. Most websites, or many websites today, will allow that the login page at least uses HTTPS. You can check with the Moodle website; it's set up like that: when you log in, it's using HTTPS.

What if you supply a username and password and you get it wrong? What does the system return to you?
Let's say you type in your correct username and you type in your incorrect password; you make a typing mistake. What should the system send back to you? What sort of message? "Wrong username and password." So the message that's sent from the system back to the user saying "error, you cannot log in" is important. There are different options. The system could say back: "Your username is correct, but your password is wrong. Please try again." Or it could say: "Your username and/or password are incorrect. Please try again." There's a subtle difference there. Okay, and then subsequently, you try again and you get it wrong, and again you get it wrong, and then how does the system respond? Well, maybe it may stop you from having attempts. So we'll see some different security mechanisms that we can use, as in how can a system respond to incorrect passwords. That's what we'll do for the rest of this topic, today and on Thursday.

Let's go to some of the last slides; we'll come back to the early ones. Just some statistics about password selection; we will not spend too much time on it. These are some results of someone who found a database of leaked passwords. What that means is that some website had many users' passwords stored there, usernames and passwords, about 300,000, and someone did an attack and released that list of passwords to the internet, published them so others could access them. This person did an analysis of those 300,000 leaked passwords and tried to classify how the person chose that password. Here are some of the classifications. This green, 25%, saying one quarter of all the passwords that they analyzed, were what's called dictionary words. What's a dictionary word in respect to a password? A word from a dictionary. Okay, so consider, let's say stick with English, say we have a dictionary, a list of all words in the English language. How many words, about?
Anyone? Millions? No, less. 20,000? A few more. I think generally around a hundred thousand, a few hundred thousand words. Okay, so the number of words in a language is about right; different languages differ, but it's in terms of the hundreds of thousands of words. It's more complex when you consider plurals and so on, but let's say we have about a hundred to two hundred thousand words. So a dictionary is just this list of words; we don't need the definitions, just the words themselves. This analysis of people's passwords that they selected: about a quarter of them, people selected words from a dictionary. I mean they didn't look in a dictionary to select, but they'd used a word from their head which matches one from a common dictionary. Why is that not good? What's wrong with choosing a password from a dictionary, or a word? Brute force. An attacker, if they want to guess your password, what can they do? If they know your username, they submit your username to the system and choose a random word from the dictionary, and if it passes, good; if not, then they submit your same username and another word from the dictionary, and they keep trying all 200,000 words from the dictionary, and once they've tried them all, then they've found your password; it's in that set somewhere. Because the number of words in the dictionary is quite small, hundreds of thousands is not too many if we have automated techniques, we can do an easy brute force and find someone's password if it's from a dictionary. So this analysis suggested about a quarter of the people who chose passwords for this system used words from a dictionary. What are some of the others?
This purple one here, 15, 14 percent: numbers. Okay, so they use numbers; no letters, just numbers in that password. It doesn't say anything about the length, but usually the length is quite small. A 10-character number password versus a 10-character letter password, made of letters: which one's better, numbers or letters? Hands up for letters. Hands up for numbers. Letters, okay. If we consider English, for every letter there are 26 to choose from; with every number, there are just 10 to choose from. So the more to choose from, the better. So words, or at least random letters, are better than numbers. What else did they observe? This blue 14 percent at the top: person name. So let's say we consider a set of names that we know, and there's not so many, and the passwords that they selected were from this set of names. Again, from an attacker's perspective, they can use a brute force attack: find all the names which are common for people and try them as a password, and you're going to find 14 percent of the people's passwords in this set. 8%: a place name, like a city, a country, a town. Dictionary words. What else have we got? Smaller ones here; this light blue one, is it... this is a short phrase, double word, okay: not just one word, but two words combined together, concatenated. And a few others: a keyboard pattern, this one here, so I don't know, q-w-e-r-t-y, you know, the top five letters from your keyboard. This 31% they couldn't recognize a pattern. So maybe they are secure, or more secure than the others, or maybe they just couldn't get it from the analysis. But the point is that many people choose passwords which are predictable, from dictionaries, based on names, numbers or places. Therefore if an attacker tries to guess your password, where do they start? They start with...
trying from a dictionary, because it's highly likely that one of the users has used a word from a dictionary, and they start with people's names, with place names, numbers or sequences of numbers. So it makes it easier for the attacker if you use a password which is predictable, like words, numbers, names and so on. We'll see some other suggestions for making it harder for the attacker soon.

This is another analysis, of about 37,000 passwords, and it looked at their length. Most of the passwords were between six and eight characters. Okay, the most was six and eight; there were some at seven; very few short ones; and you see not many above 10, 11 or 12. So this may be typical of many passwords that are selected by a large set of people. Why six to eight? Why do you choose a password of around six to eight characters? Why don't you do it like our security expert back here who chose more than 15 characters? Why doesn't everyone do that? For some people it's hard to remember. Okay, that is, you need to remember your password. So if you want to remember it, rather than having to write it down or put it in a file, then you want it to be short. If I ask you to remember a 20-character password, it's much harder than remembering a 10-character password. Yeah, so there's some analysis that says that people can remember between five and nine, seven plus or minus two, things. So maybe that's related as well. But yeah, why? What other reason? Limitation: maybe some computer systems have limits on the length of the password. You must choose a password less than eight characters; some systems have that, not so good. Other reasons why use a short password? Yep, and you're right, they may be old people, but so what's wrong with old people? I think you're on track, but specifically about the length: what's wrong with a long one then? You've said already, hard to remember, correct. What else, for these old people? What's wrong with a long password?
Finding the keys. Not just for old people, for anyone: you need to type in the password. On a computer, if I ask you to type in a 30-character password, and you need to do it every day, it takes some time. It's much faster to type in a five-character password than a 30-character password. What's more, with a 30-character password you're more likely to make a mistake; you make one mistake, you hit one key wrong, and you'll need to try again. So if you've got six letters in your password, the chance of a mistake is much lower than if you've got 30 letters. So it's much more convenient having a shorter password for entering. If you're using a mobile phone to enter and you have to press the buttons again, the inconvenience of typing in a long password can be quite significant. That's why people want to use short passwords.

What's wrong with a password five characters long? Let's say it was random; it wasn't from a dictionary; it was in this set of no structure, random, five characters long. What's wrong with it? Recognize that it's random; there's no structure in it. What's wrong with a five-character random password? It still may be possible to do brute force, even though it's random. What does that mean? Let's say we just have the 26 English letters. With five characters, we have 26 by 26 by 26 and so on; we have 26 to the power five possible combinations. Do the calculation: it's not so many for a computer to try. So the shorter the password, even if it's random, there's more chance that someone can do a brute force and find your password. The same as short keys: the shorter it is, the easier it is to do a brute force. So for security reasons we want a long password; for convenience reasons,
we want a short password. So we need to make a trade-off with respect to the password length.

Some other analysis that people have done of known passwords. Most passwords use only alphanumeric characters, letters and numbers. Okay, think of your passwords: how many use characters which are not alphanumeric? The analysis people do is that most people choose something from a to z and zero to nine, or from another language; I'm using English as an example, Thai is no different, the same statistics would apply. So using non-alphanumeric characters can make it harder for the attacker to try and guess. Most are in dictionaries, or what's called password dictionaries: a normal dictionary has, say, English words; a password dictionary has typical passwords, English words, maybe combinations or variations on those English words that people commonly use, names, places and so on. Most passwords are predictable. Many users reuse passwords across systems. This is coming from people doing analysis of passwords selected by real users. Who uses passwords across systems? Put your hand up if you use one password for two or more different systems. Think carefully, all right. Put your hand up if you don't, if you don't use the same password on any system. Maybe a few people. I think most people would, in just some cases, use the same password across two or more systems. So we'll talk later about some different strategies. Generally you should, for each website you visit, use a different password. Why? Why use different passwords? Why not use the same password on every website, every login I have?
Okay, if someone... let's say I use the same password on all the websites I visit: my email accounts, Moodle, my bank. But then someone hacks into the Moodle website and they steal all the passwords and they learn my password. Now they know the password for all my other accounts. So that's the reason why you should not reuse passwords across multiple systems, but it turns out many people do.

Some very common passwords that people use, okay, and I'm sure some of you have used these. Okay, I don't look, but sometimes people set passwords on their ICT server or on some computers in the lab and I see them on the keyboard. Yeah, I watch: one two three four, okay. So there are very common passwords that again make it easier for the attacker to guess them.

Who changes their password every week? Think of how often you change your password for maybe your popular systems or your most important systems. Let's see, every week, who changes their password? Every month? Every six months? Every year? Okay, not many people change their passwords. Again, making it easier for the attacker, because if they can learn the password, then that's insecure for the rest of the duration when you don't change it.

So this is from studies that people have done on password selection. When we build an authentication system, we must consider this. We cannot just say "you must use a password of ten, twenty characters, you must not use a dictionary word" and so on; it's hard to force people to choose good passwords. We'll finish on this, and we'll go back to some of the techniques for storing passwords, and actually before that, how to measure the strength of a password; we'll look at entropy. Then we'll look at some of the password selection strategies and attacks. So we'll continue this on Thursday. In between now and then, maybe just think about some of those issues and maybe go change your passwords. Note that I'm the admin of the Moodle server. In theory,
I could access all your passwords on Moodle. So then think: if I could access your Moodle password, would I be able to access something important from you on maybe your email account, your bank account or some other financial system? So think about your passwords, how you reuse them, and over the next week or two, or over the next lecture or two, we'll discuss other issues.
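The login flow the lecture walks through, as an added example that is not the lecturer's code or slides: registration stores a record per user, login compares the submitted values against it, the two error-message options from the lecture sit side by side, the server stops repeated attempts, and the attacker's dictionary brute force and the 26^5 calculation are run against it. Every username, password and word-list entry is constructed for the demo; the lockout threshold is an assumed value; and because the lecture defers how passwords should be stored to the next session, the store keeps a salted SHA-256 hash as a placeholder rather than the plaintext the description above implies.

```python
"""Added example, not part of the lecture: a toy login checker that shows the
points discussed above. Every username, password and word-list entry is
constructed for the demo; the salted-hash store is an assumption, since the
lecture defers how passwords should be stored to the next session."""

import hashlib
import hmac
import os

MAX_ATTEMPTS = 5                                   # lockout threshold (assumed)
GENERIC_ERROR = "username and/or password incorrect"

# Constructed word list standing in for a 100,000-200,000 word dictionary.
WORDLIST = ["apple", "banana", "cherry", "dragon", "monkey",
            "orange", "password", "sunshine", "welcome", "zebra"]


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: salted SHA-256 stands in for whatever scheme the storage
    # session settles on; the comparison logic below does not change.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_user_db(users: dict) -> dict:
    """Registration step: keep a per-user salt and hash, not the password."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash(pw, salt))
    return db


class LoginServer:
    def __init__(self, user_db: dict, lockout: bool = True):
        self.db = user_db
        self.lockout = lockout
        self.failures = {}          # submitted username -> consecutive failures

    def _verify(self, username: str, password: str) -> bool:
        rec = self.db.get(username)
        if rec is None:
            return False
        salt, stored = rec
        # Constant-time compare so timing does not leak how much matched.
        return hmac.compare_digest(_hash(password, salt), stored)

    def login_leaky(self, username: str, password: str):
        """Option one from the lecture: says which part was wrong."""
        if username not in self.db:
            return False, "unknown username"
        if not self._verify(username, password):
            return False, "username correct, password wrong"
        return True, "ok"

    def login(self, username: str, password: str):
        """Option two: one message for every failure, and a lockout."""
        if self.lockout and self.failures.get(username, 0) >= MAX_ATTEMPTS:
            return False, GENERIC_ERROR     # locked: even the right password fails
        if self._verify(username, password):
            self.failures[username] = 0
            return True, "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return False, GENERIC_ERROR         # same text for bad user or bad password


def enumerate_usernames(login_fn, candidates):
    """Identification leak: with the leaky message an attacker can confirm
    which usernames exist before spending any guesses on passwords."""
    return [u for u in candidates
            if login_fn(u, "x")[1] != "unknown username"]


def dictionary_attack(login_fn, username, wordlist):
    """The lecture's brute force: submit the username with each word in turn.
    Returns (password found or None, number of attempts made)."""
    for attempts, word in enumerate(wordlist, start=1):
        ok, _ = login_fn(username, word)
        if ok:
            return word, attempts
    return None, len(wordlist)


def search_space(charset_size: int, length: int) -> int:
    """Number of candidates a random password of this shape leaves to try."""
    return charset_size ** length


if __name__ == "__main__":
    db = make_user_db({"alice": "zebra", "bob": "sunshine"})   # constructed
    leaky = LoginServer(db, lockout=False)
    print(enumerate_usernames(leaky.login_leaky, ["alice", "carol", "bob"]))
    print(dictionary_attack(leaky.login_leaky, "bob", WORDLIST))
    hardened = LoginServer(db)
    print(dictionary_attack(hardened.login, "bob", WORDLIST))
    print(hardened.login("bob", "sunshine"))
    print(search_space(26, 5), search_space(10, 10), search_space(26, 10))
```

Against the leaky message the attacker first learns that `alice` and `bob` exist and `carol` does not, then finds `bob`'s dictionary word on the eighth guess. Against the uniform message the attacker gets the same text for an unknown user, a wrong password and a locked account, so the enumeration step returns every candidate, and the dictionary run never succeeds because the counter reaches the threshold on the fifth wrong guess. The caveat a practitioner would add: since usernames are public, as the lecture says, a per-username counter also lets an attacker lock a legitimate user out by deliberately failing against that name, so real systems pair it with per-source rate limits or a time-based reset rather than a permanent lock.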