This topic was originally about authenticating users, but we're focusing just on passwords. So let's go through and just skip through some slides that we've already seen in detail and return to the ones we've missed.

So we know that we want to authenticate a user. We use an ID to identify them, like a username, and we use some other information for the verification, to check they are the right user. Password is what we're going to focus on, but there are other things. Passwords, a PIN, a passphrase, we can think of as the same concept as a password. But there are other things: things we possess, tokens; and then biometrics, things we are and things we do. But we're not focusing on them. Just be aware that it's not just passwords that we use for authentication.

So the basic way to use passwords is that for the system that you want access to, you register a username and password, and then when you want to access that system you supply a username and password, and the system compares the supplied values with the registered values. If they match, everything's okay and you get access. That's the basic approach.

So we've mentioned this before, and there are many issues involved with how to do that. How does that work securely? We've looked at a few of them, and there are a few slides here that we've skipped over.
So let's go through them now. So what's the problem with passwords? We may have talked about some of these, but let's go through some different names.

An offline attack. Offline means that the attacker is not trying to access the system to get access; they've somehow managed to get some information about passwords and are trying to guess your password. So let's say the system that we're protecting is the Moodle website that you log in to for the quizzes. So that system has the list of usernames and passwords. An offline attack would be: some attacker has somehow managed to gain the list of passwords, or, what we know from last lecture, hashed and salted passwords, and then they get that list and they take that back to their house, and on their computer, from that, they try and do a brute-force attack to guess your password. So in an offline attack the attacker is not submitting attempts to the system. They're doing the attack in their own time and with their own resources.

An online attack is when, let's say we have the Moodle website, someone submits a username and password trying to guess your password, and the system would return an error or success. Offline is that they're trying to guess your password using other measures, measures outside the system.

In the last topic we looked at how to store passwords, and we'll summarize that later. But we saw that we don't store the password in the database. We should store a hash of the password, so that if someone does discover the database they can't get the original password. And even better, store the hash of the password combined with some random value, a salt.

So, offline dictionary attack. The attacker gets this database of hashed passwords. So what they do is that they take those hash values and try and work backwards to find the correct password of the users. We gave a few examples of how they could do that. A brute-force approach is try every possible value. A dictionary attack is try values
which are most likely. Of the 40 users in this class that have access on Moodle, I suspect some of them may have passwords which are much more likely to occur than others, like common words from a dictionary. Therefore the attacker would try those first rather than trying random passwords. So there's an offline dictionary attack.

How do you stop it? Control access to the database: try and set up your system so that a malicious user cannot access this list of hash values, the database of password information. Reissue passwords if they're compromised. Let's say I run the Moodle website and I realize someone has accessed the database due to some other flaw. Then immediately I should tell all the students: your password has been cancelled, you need to set up a new one through other means. So that even if the attacker finds your password, they will not be able to access the system. So stop using the passwords once you know that they're compromised. And what we got to in the last lecture is store the passwords such that even if the database is accessed, it takes a lot of effort for the attacker to take that hash value and get the original password. So use good hashing algorithms and use salts, these random values, to make it harder against rainbow attacks.

So offline: the attacker gets access to some password information and then tries to guess in their own time. Let's look at a few other attacks, and I think most of them, not all, are online attacks.

A specific account attack. The attacker submits guesses to the system for a specific account. You're the attacker, you want to log into Moodle as me. You know my username.
So what you do is you go to the website, you type in my username and guess the password. The system returns an error saying no, incorrect. So you try again, and you keep trying until you get my password. So you're attacking a specific account.

One way to stop that is once there's been a certain number of failed attempts on that specific account, don't let any more attempts take place: lock the account. Okay, and I think you know that, if you've had the bad luck, if you forgot your PIN for your ATM, you go to the ATM and you type in your PIN, and if you get it wrong, what, three times, your card gets eaten by the ATM. It doesn't come back. So you can no longer make attempts. So there's a simple example of locking after too many failed attempts.

Any other ideas how to stop a specific account attack? You want to stop them. What else can you do? Alright, that's that one: disable the account if there are too many attempts. Okay, what's the problem with that? What's the problem with the countermeasure? Sorry? All right. If I forget the password myself and, let's say I'm limited to three attempts, I make three attempts, or I hit the wrong key when I type it in, and I've locked myself out. That's an inconvenience. Yeah.

Okay, so that leads to: once the account is locked, how do you deal with that? So if I lock myself out because I mistype the password or forget it, then I need some other way to securely make sure I can get the correct password. What happens with the bank? Anyone done it, typed the PIN wrong three times in the ATM? Yeah, I've done it. Your card's stuck in there, okay. So you need to go to the bank, the actual branch, and provide some identity, and then go through some steps to prove you are the right person, and they'll set up a new PIN. Okay, but that takes time. It's an inconvenience.
And it's something you cannot do online. Okay, so there may be other ways, but it's very inconvenient once the account is locked.

What's the other problem with this countermeasure? Think you're an attacker. How can you take advantage of this? Let's say there's a quiz, the deadline is in 10 minutes, and you know that some student in the class, if they do it, they're going to get a higher score than you. So what you do is you go and try and log in to their account 10 times until the account's locked, and that means they can't do the quiz because they can't log in. You've denied them access to the system, meaning they have lost something there. Okay, so it's called a denial of service attack. The attacker forces the account to be locked, locking it for the normal user so the normal user cannot access their account. So very inconvenient, because now the normal user has to go and manually get it enabled. So although the countermeasure works, it can also be easily used as some form of denial of service by the attacker: get the account to be locked so that the normal users can't use it.

Another one: popular password attack. Let's say a popular password is, remember any from the last slides? What's a popular password? One two three four, okay. Let's say of the hundreds of students at SIT, it's likely that someone has chosen one two three four or similar.
So what the attacker does is, for the first student ID they try and log in with one two three four. If it doesn't work, they try the next student ID and log in using the popular password one two three four, and they keep going, trying all the different students. It's likely, after they've tried all the students, that at least one of them had that password and they get access. So it's not accessing a specific account, it's trying to access any account, and using popular passwords, not just one: you can try a range of popular passwords.

Locking the account doesn't help, because you only make one or two attempts on that one user's account. Locking the account is only really useful if it's multiple attempts on one user's account, but the popular password attack tries each user once, so their account won't be locked. How do we fix that, or how do we make it harder? Make sure that the users select good passwords. They don't select popular passwords. So when a user registers their password, they don't have the opportunity to select any value. There may be some restrictions. What are some restrictions that you've seen on different websites and different systems? Yeah. Okay, minimum length of the password: your password cannot be four characters, and it must contain a combination of characters, numbers, maybe at least one uppercase, maybe at least one special punctuation character. So some websites and some systems will have such rules. They can check against dictionaries: if your password is in a dictionary that an attacker may use, then they don't allow you to use that password. Okay, so the system controls the passwords you can select. They don't allow any choice.

Let's say the attacker, it's me and I'm attacking. I'm trying to log in as many other students on the registration system. The system could then start to detect: okay, from the same source computer
there are attempts to log in to many different accounts. That's unlikely to occur. So the system can start to block computers that make multiple failed attempts. Okay, so if the website recognizes this one web browser is making thousands of attempts on many different user accounts within a short period of time, then after some number of attempts, block that computer. So use a firewall, for example, to automatically set up a rule to disable that computer accessing the system.

Problems with the countermeasures. What can go wrong? What about controlling password selection? What if I create a rule: your password must be 12 characters long, it must have three uppercase, three numbers, three lowercase and three punctuation characters, it cannot combine letters in this way. Then it makes it very hard for you to choose a nice password that you can remember and that you can type in. So if we control the selection too much, then the password becomes inconvenient, and then users write them down, then they forget them. Okay, so you need a trade-off between having a little bit of control over what they can select, but giving them some freedom so that they can select a password that's useful or easy for them to remember.

What about blocking computers that make multiple attempts? What's wrong with that? Well, how can it go wrong? Let's say Facebook blocks: if a computer makes five wrong attempts on any Facebook account, then Facebook blocks, and all subsequent requests from that one computer are blocked from accessing Facebook. What can go wrong in that case?
Someone could misuse it, change the IP. And a more practical thing, it's more about the network structure, is that most networks use this concept of network address translation, NAT. What that means is when you access a website out on the Internet, the IP address from the perspective of that website is the IP address of SIT. You check it one day, you go to a website like "what's my IP address", and everyone will get the same IP address. The way that many networks are structured, even though your computer internally has a different IP address, from the perspective of outside they look like they all have that one SIT IP address. Therefore, from the Facebook web server, it doesn't know that it's a different person trying to log in. So things can go wrong if you do that: people can use fake addresses, people can take advantage of this, and it may not work in some network scenarios.

See if we can finish the next three. Password guessing against a single user. Again, you want to get access to my account on Moodle, so you gain knowledge about me. You're specifically attacking me, so you know me and you try and guess my password. You don't have to do a brute force and try many passwords, because you know me, so maybe there's a higher chance that you can guess my password. Okay, maybe I mistakenly told you that I create my password based upon my birth year and my last name. Then since you know me, and you know how I create my password, it's much easier for you to guess my password. That's different to, let's say, you want to just get access to any random user's account. If you know the user, you've got more chance as the attacker. Again, make sure the users don't choose easy-to-guess passwords, and train the users, educate them to use passwords which are strong.
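As an added example (not code from the lecture), here are the two online countermeasures discussed above, per-account locking and per-source blocking, run over a constructed login log, so you can see why account locking alone never fires on the popular-password attack. The log format, thresholds, window and addresses are all assumptions made for the demo.

```python
"""Added example: telling the two online password attacks apart in a login log.

The lecture describes two countermeasures: lock an account after too many failed
attempts on it (stops the specific-account attack) and block a source that fails
against many different accounts (stops the popular-password attack, which
touches each account only once). Log format, thresholds and addresses below are
constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result".
# 198.51.100.7 hammers one account (specific-account attack).
# 203.0.113.5 tries one guess each against many accounts (popular-password attack).
# 192.0.2.9 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 alice FAIL
2024-03-01T10:00:03 198.51.100.7 alice FAIL
2024-03-01T10:00:04 198.51.100.7 alice FAIL
2024-03-01T10:00:06 198.51.100.7 alice FAIL
2024-03-01T10:00:10 203.0.113.5 s100 FAIL
2024-03-01T10:00:11 203.0.113.5 s101 FAIL
2024-03-01T10:00:12 203.0.113.5 s102 FAIL
2024-03-01T10:00:13 203.0.113.5 s103 FAIL
2024-03-01T10:00:14 203.0.113.5 s104 FAIL
2024-03-01T10:00:15 203.0.113.5 s105 OK
2024-03-01T10:05:00 192.0.2.9 bob FAIL
2024-03-01T10:05:20 192.0.2.9 bob OK
"""

ACCOUNT_LOCK_THRESHOLD = 3      # assumed: failures on one account before locking it
SOURCE_SPRAY_THRESHOLD = 5      # assumed: distinct accounts failed from one source
WINDOW = timedelta(minutes=10)  # assumed: only failures inside this window count


def parse_log(text):
    """Parse the constructed log into (time, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def detect(events, now=None):
    """Return (accounts_to_lock, sources_to_block) for failures within WINDOW.

    accounts_to_lock: accounts with >= ACCOUNT_LOCK_THRESHOLD failures
                      (the specific-account attack).
    sources_to_block: sources that failed against >= SOURCE_SPRAY_THRESHOLD
                      distinct accounts (the popular-password attack, which
                      per-account locking cannot catch because each account
                      sees only one attempt).
    """
    if now is None:
        now = max(e[0] for e in events)
    fails_per_account = defaultdict(int)
    accounts_per_source = defaultdict(set)
    for ts, src, user, result in events:
        if result != "FAIL" or now - ts > WINDOW:
            continue
        fails_per_account[user] += 1
        accounts_per_source[src].add(user)
    lock = sorted(u for u, n in fails_per_account.items()
                  if n >= ACCOUNT_LOCK_THRESHOLD)
    # Caveat from the lecture: behind NAT a whole campus shares one address, so a
    # source block here can shut out everyone on that network, not just the attacker.
    block = sorted(s for s, users in accounts_per_source.items()
                   if len(users) >= SOURCE_SPRAY_THRESHOLD)
    return lock, block


if __name__ == "__main__":
    locked, blocked = detect(parse_log(SAMPLE_LOG))
    print("lock accounts:", locked)    # ['alice']
    print("block sources:", blocked)   # ['203.0.113.5']
```

Note that `alice` is caught only by the per-account rule and `203.0.113.5` only by the per-source rule; neither rule alone covers both attacks.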
I'm logged in on my computer, I go to have a break, five minutes outside; someone sneaks up to my laptop and they can log in to my account. Okay, computer hijacking. The simple example of that is on computers that other people can get access to. The password information, or the login, is currently valid for that computer, so the user who accesses that computer is logged in as you. It could be more complex, using web attacks and so on, but the idea is that if you're using a computer that either multiple people access or an attacker could get physical access to, then you want to log out before you leave that computer, and websites and systems should have some form of automatic log out. If you go to a lab computer and access Facebook, and then tomorrow someone goes and accesses the same lab computer, they shouldn't be able to access your Facebook account. The system, the Facebook website, should automatically log you out after some time. So that's this general idea of computer hijacking.

What else can go wrong? Users make mistakes. Because we force them to select complex passwords, they write them down on a piece of paper and they stick it on a post-it note on their monitor, or they make mistakes and they tell their friend: oh, can you please log in for me? So here's my password. So their friend now learns their password. Or they're tricked into revealing a password. You call up the SIT computer center and say: hi, I'm Dr. Steve and I forgot my password, can you tell me my password? And they tell you my password, okay? So tricking people into telling you their password. Or they don't change default passwords. You install some software on your website and that comes with a default password and you never change it, so the attacker can try that default password to try and log in. How do you fix it?
Make sure users are smarter: provide them some training about how to use passwords, and maybe combine passwords with other forms of authentication. I think you've known of some with mobile phones; you can use other factors for authenticating users, getting an SMS and so on.

A big problem: many users use the same password across different systems. I think we may have asked a couple of times last week who reuses a password. A game we'll try: anyone has a password that's used on two different systems? Think of all the tens, maybe hundreds, of websites that you have passwords for, all your accounts. I'm sure most people reuse passwords. What's the problem? If one of those systems is compromised and the attacker finds your password for that system, now all the other systems that use that same password are effectively compromised. So now it's the weakest point that leads to the failure. If just one of those websites that you've reused your password on is compromised, effectively all of those websites, from your perspective, are compromised. The attacker has your password for all those other websites. Alright, there's the complexity of how do they know which other websites you visit? But I think they could learn that in many cases, or try. So this is a major problem, because that suggests we should use different passwords across different sites. But who can remember 100 different passwords? Okay, so that suggests we need some other way to manage passwords, and in many cases things like password managers, software that will keep track of your passwords for different systems, is one way to get around that. How can you stop this? How do you stop a user from reusing a password?
Well, you cannot in a public system, but say SIT could: of all the services that SIT uses, registration, Moodle and others, because they're just separate services but all under control of SIT, we could set up a system that forces you to use different passwords across each. It would be hard to do, but it's possible.

Final one. The other way that attackers find passwords is by intercepting the packets which contain them, sent across a public network. I visit a website on my laptop and I log into that website. My laptop is sending wirelessly to that access point, which then goes across the LAN and then out to the Internet. It'd be very easy for any of you with your laptop to intercept and take a copy of the packets my laptop sends to the access point, and hence, in those packets, one of them will contain my username and password. Basically, the only way to stop it is to encrypt those communications. Make sure that where people can intercept, anything that is sent that contains a password is encrypted first. How do you do that? What techniques are used normally in the Internet? When you log into Facebook, how come no one can intercept your password? HTTPS. Okay, when you visit the website, many websites, not all, but some will, at least when you log in and submit the username and password, be using HTTPS, which means that the communications between your browser and the web server in the US are encrypted. So even if someone intercepts, they'll just see some random characters. They will not see my actual password. What's the problem with that? What's the problem with encrypting? Yeah, it's easy for the user, but it's slow for, sometimes, the computers, especially the server, and maybe it slows down the communication.
So performance is the problem. Okay, so if the web server has to handle many encrypted connections, encryption takes some time and it slows down the server performance. I think most of them you may have heard of before, but we just try and put them down as common problems with passwords. You may get a question in the exam about them, similar issues with passwords. Any questions? That was one thing that we missed in the earlier lectures. Any questions on those vulnerabilities of passwords?

Password entropy. How do you calculate it? Calculate the password entropy: guaranteed question in the exam. How are you going to do it? Again, log base 2 of what? Of the number of possible passwords, okay. So if a password selection scheme allows you to have a billion different possible combinations, then we say the entropy of that, or of a password using that selection scheme, is log base 2 of 1 billion. Have a look at the lecture notes, which we've covered already, on password entropy.

A quick test then. If a password, so look at that slide, if a password was a random password but made up so that it had to have two digits, it had to contain two English characters lowercase, they must be two lowercase English characters, and maybe any two of the 94 characters on the keyboard, I'll say two printable characters. What's the entropy of that password? Try and calculate. If you can do that, you'll be on track for the exam. So the password is six characters long. Two of the characters must be numbers, any numbers, random; two of them must be lowercase English letters; and two of them must be any of those 94 printable characters on your keyboard: uppercase, lowercase, numbers, punctuation. What's the entropy of that password? So, entropy. Anyone have an answer?
Think about the sets of characters, and as a hint you can look at the individual characters, or you can go the long way. Remember, entropy of the password is the log base two of all possible combinations. Anyone have an approximate answer? While you're calculating, I'll just record what we know. Digits: we have 10 possible values. Lowercase: we have 26. Printable characters is a total of 94 possible values; we're assuming that that is lowercase, uppercase, numbers plus the 32 punctuation characters.

Entropy. Well, let's look, just go back to our slides here. We said the entropy of a single digit, zero to ten, is 3.32. Where does that come from? Well, with ten possible values, log base two of ten is 3.32. So the entropy of one digit is 3.32. The entropy of a lowercase character is 4.7, so log base two of twenty-six. Entropy of the ninety-four printable characters is 6.55, log base two of ninety-four. Just make note of the entropy of them. This was 4.7, I can remember. That's the entropy of one character of that type.

If you do the maths you see, remember we're using log, so in fact because we have two digits, the entropy of a two-digit number is what? Well, we have 100 possible values, ten times ten. Log base two of 100 is what? Calculator: about 6.64. Two times 3.32. The log of 100 is two times the log of ten, because 100 is ten squared. So in fact with two digits each having an entropy of 3.32, and then two lowercase letters having an entropy of 4.7, and another two printable characters with an entropy of 6.55, that gives us the total entropy of this six-character password, which is whatever it is, about 27. You can get it more accurate. That's the beauty of entropy: you can add them up for individual characters, because it's a log-based measure. What's easier, adding or multiplying? Adding is easier.
That's why we use logs sometimes. You could have calculated it the long way. You could have said, okay, there are two digits, there's a hundred possible values, or ten times ten possible values, 26 here, so ten times ten times 26 times 26 times 94 times 94, and take log base two of that large number, and you should get about 27. So if we know the entropy of an individual character, if we just increase the length we can easily calculate the entropy of the whole password. I just approximated it. I think if you calculate with a calculator you'll get closer to 29. Okay, my adding is not as good as a calculator. Any questions on entropy? If you wanted to do it the long way, it would be log base two of: first a digit of ten characters, by another ten digits, 26 for the two English lowercase letters, and 94 times 94. If you calculate that I think you also get 29, or approximately 29. It's the same math, just calculated differently.

How do you store passwords? Hmm? Put it into a database. Okay, he won't get full marks in the exam. Anyone else? How are you going to store a password in the exam? If a question says how do you store a password? Hash them? Wrong, zero marks. Hide them? No, zero marks. So the password, then hash, generally called a salted password, or a salted hash. We sort of ran out of time to go through the detailed explanations, especially rainbow tables. I went through that quite quick last lecture. I will not ask a question about rainbow tables in the exam. What's first? What's the problem with just storing the password in the clear?
Well, if the system's compromised, someone's immediately learned all the passwords, so we can't do that. We could encrypt. Okay, it's possible, we saw a possible way last week. There are a few issues with encryption, especially if we use the same key to encrypt all passwords. We need to store the key somewhere. So it's possible, but usually it's no better than using a hash, and usually we need to use a hash even if we encrypt anyway, because if you encrypt, sometimes it's hard to know whether it successfully decrypts or not, especially if you encrypt random passwords. We said we could hash the password, but there are some problems in that: it's possible that people can do a lookup on this concept of a rainbow table. What you should remember, if you don't know about rainbow tables and all this that we went through last week: remember how we recommended to store the passwords. You store the username or the ID, a salt. What is a salt? Random value, different for every user. Okay, so a random value, it's just called a salt here, and we hash the password combined with the salt.
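As an added example (not the lecture's own code), this is the recommended storage scheme just described, username plus a per-user random salt plus a hash of password and salt, together with the look-up, re-hash and compare check done at login. The lecture does not name a hash function; PBKDF2-HMAC-SHA256 and the iteration count are assumptions, chosen because they are in the standard library and deliberately slow, and the in-memory dict stands in for the database table.

```python
"""Added example: salted password storage and verification as the lecture
recommends. Hash function choice (PBKDF2-HMAC-SHA256) and iteration count are
assumptions; the lecture only says to use a good, slow hash and a per-user salt.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumption: slow enough to make offline guessing costly

# "Database": username -> (salt, hash). Constructed for the demo.
USER_TABLE = {}


def hash_password(password, salt):
    """Hash the password combined with the salt. How they are combined does not
    matter, as long as registration and verification do it the same way."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password, table=USER_TABLE):
    """Store username, a fresh random salt, and the salted hash. The plaintext
    password itself is never stored."""
    salt = secrets.token_bytes(16)  # different random value for every user
    table[username] = (salt, hash_password(password, salt))


def verify(username, password, table=USER_TABLE):
    """Look up the username, hash the submitted password with the *stored*
    salt, and compare against the stored hash. Returns True on a match."""
    record = table.get(username)
    if record is None:
        return False
    salt, stored_hash = record
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def same_password_different_hashes(password, table=USER_TABLE):
    """Two users who chose the same password still get different stored hashes,
    so an attacker holding the table cannot spot shared passwords or reuse a
    table precomputed for one salt against another user."""
    register("user_a", password, table)
    register("user_b", password, table)
    return table["user_a"][1] != table["user_b"][1]


if __name__ == "__main__":
    register("alice", "correct horse")
    print(verify("alice", "correct horse"))        # True
    print(verify("alice", "wrong guess"))          # False
    print(verify("nobody", "anything"))            # False
    print(same_password_different_hashes("1234"))  # True
```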
I don't care how that's combined, password then salt, salt then password, but that's combined. So we store a hash value, the random value and the username. When someone submits their password and username, we look up, find the username, we take the submitted password, combine it with the stored salt, hash, and compare to the hash value. If they're the same they log in; if not, failed attempt. It would be nice to talk more about rainbow tables and why this is needed versus just a hashed password, but unfortunately we're out of time. So there won't be a question about rainbow tables in the exam next week. There may be a question about how to store the recommended way, okay? So remember that. All right, more specifically, which hash function do you use? There are some recommended hash functions for making it harder for the attacker, but we didn't get to cover that.

We design for failure. It would be nice if no one could ever access the database, no one who doesn't have authorization. If they couldn't access it, it doesn't matter how we store the passwords. But designing for failure is saying, okay, assume something can go wrong and an attacker can access the database; then design such that it's still hard for them to get the passwords.

In our first discussion of this topic we gave a few examples of how people choose passwords, and I think you gave me a few written-down password selection strategies, and some common ones. To summarize and finish this topic: to make sure that people use passwords well and select good passwords, the users need to be aware of how important the passwords are and how easy it is for an attacker to get some forms of passwords. Computer-generated passwords sometimes are useful: the computer generates a password for you, the user doesn't get to choose. More secure, but can be more inconvenient, because you get some strange-looking password that you have to remember. I think everyone when they first
got an account on Moodle got an email with this random, computer-generated password. I suspect if you haven't changed it, then you've got that email and you always go and look it up. You haven't remembered it. That's the problem. You can have variations where it's generated pseudo-randomly but is maybe pronounceable. Okay, you combine the letters in a way such that it's a little bit easier to actually say it, and if something's pronounceable it's a little bit easier to remember. Okay, so you don't generate a password which is QTX ZB; maybe you generate a password which is not a real word but has the correct arrangement of consonants and vowels, so someone can remember it more easily.

Reactive password checking: when the users of your system have selected their passwords, you could go through and check and see if they're easy to break, and then advise them to change their password. Or check as they're selecting the password, and many websites do this: you type in a password, it shows you some graphical feedback saying this is weak or this is strong, or it may even say sorry, you can't use that password, it's too weak. Okay, so some advice on selecting passwords. Many other interesting things about passwords, but that is all the time we have to cover it.