So within the scope of computer security, we want a way to check that, say, the human user that is accessing a computer system is who they say they are, and we use that in a number of other security mechanisms.

Authenticating users. One definition of authentication: the process of verifying a claim that a system entity (the system entity may be a person, or it may be another computer, or a system resource such as a program running on another computer) has a certain attribute value. So, for example, a human claims that they are Steve. The computer needs to verify that claim: that human has claimed to have a particular attribute, and our computer system needs to go through some procedure to verify that that human is in fact Steve, and not someone pretending to be him. So that's the general definition of authentication.

We will focus mainly on authenticating human users, but there's a whole other side of how computers authenticate each other. We've seen some techniques regarding cryptography, but there are many other techniques as well.

There are two steps in authentication. First we need to identify the user, and then verify. Normally, in the identification step, the user presents some form of ID. You know it when you log into systems: when you log in to Moodle or your favourite website, you usually need to present a user ID or a user name. That identifies you, and it's generally unique: within the context of that system, that user ID is usually different from everyone else's. But it's not necessarily secret. I think most people know everyone else's user ID for their Moodle account: it's "u" followed by your student ID, and the student IDs of other students are probably, unfortunately, easy to find. So that's not secret. Same as your email account. What is your user ID? If you've got Hotmail, Gmail or some other email account, what's your user ID?
Your email username, okay. So that is of course not secret, because you need to distribute that email address to others; you can't keep it secret. So the ID is usually not secret, and in many cases we assume it will be public.

So we identify ourselves to the system, saying who we claim to be, and then the system needs to go through some verification. That involves the user presenting some information, or generating information, that acts as evidence to prove that this user is who they say they are: that they have the attribute they're claiming. For example, I claim to be Steve; I need to present some evidence to prove that I am. That's the verification step. Some common ways we know: a password. When I log into my Gmail account, my ID is my email address, but to prove that I am the user that owns that email address I must also submit some other evidence, and that's usually a password, with the idea that only one person should know that password, and knowing that password is evidence that you're the person that owns the account. There are other techniques: PINs, so numbers, but we can call those really a subset of passwords; and also biometric information, your fingerprint for example.

Often this verification step uses evidence which is secret. We usually assume passwords or PINs should be kept secret. Or it uses evidence that cannot be generated by others. So if we think about biometric information, say your fingerprint: is your fingerprint secret? Not really.
I mean, you don't go around walking holding your finger so no one can see it. It's public, but it's hard to be generated by others. So it's one or the other; it doesn't necessarily have to be secret. There was a report maybe last month that someone could take a photo, from within a few metres with a good camera, of someone's finger, and then use that to fake their fingerprint. So there are problems with biometric information. Biometric information usually is not secret, but it's hard to be recreated by someone else; you must be in possession of it to be able to use it. We'll see some more examples of biometric information.

User authentication is a very important part of defending computer systems. Many other security controls depend upon it. For example, access control: who can do particular things on a computer, who can read this file, who can write to this file. That's access control, but that all depends upon authenticating the user in the first step. Same as who can take the quiz on Moodle: that depends upon the authentication of the user having worked correctly. It's very important for even other parts of computer system security.

How do you authenticate? There are roughly four different ways
people talk about when we're authenticating people, so we're going to focus on authenticating people, humans.

Something that the person knows can act as evidence. Something that I know, that no one else could know, can be evidence that I'm that person: passwords, PINs, answers to questions. So my password: in theory only I know the password. Therefore, if I can supply that to the computer system, and it matches a previously supplied password that the computer system stores, then that computer system can prove, or takes that as proof, that the person trying to access the system is who they say they are. So that's based on something that the human user knows. We'll focus mainly upon that, but we'll see a few examples of the others as well.

Something they possess, something they have with them, and we call these generally tokens. A physical key can act as a token, whether it's a key, a key card, a swipe card. There are smart cards, which are really key cards with some embedded processor or memory in them. Physical keys act as tokens. Sometimes USB drives can be configured so that, if you have possession of one, you can use that as evidence that you're the person who's supposed to be accessing this computer system. Similar with mobile phones now. With mobile phones, a second form of authentication is that sometimes a bank or a company will send you an SMS or a message to your mobile phone, and the fact that you possess that phone and can respond, or use the information in the message, acts as some proof that you're the person who's allowed to access the system. So some systems may use a combination of what you know, a password, plus what you possess, say a phone: if you know the password and you possess the phone that is attached to that account, because you've registered your phone number there, then you can log in. Or some smart cards or bank cards may require a combination of a PIN and the presence of the actual card. If you don't have the card you cannot access your
account. If you don't have the PIN you cannot access your account. You need both.

The last two are related. So how do we authenticate someone? Based on what someone knows, what they have or possess, and what they are: what that individual is. Here we talk about static biometrics, so something about the person that doesn't change; that's the static part of it. Your fingerprint doesn't change, generally. That's considered a biometric authentication technique, and it's static. Your eye or your retina, your face: the characteristics of these are generally unique amongst a set of people, a set of users, so therefore you can use them as a way to prove that you are that particular user. With a fingerprint, first you register your fingerprint with the computer system, and then when you want to access that computer system you supply your fingerprint, and it compares your supplied fingerprint with the registered one. If they match, the computer system assumes it's the right person, it's you. Again, you must have that, but it's something about what you are, part of your body really, and these things don't change, or very seldom change.

The other biometric is about things that do change: what an individual does, dynamic biometrics. Things like your voice pattern, your handwriting, maybe the way that you type keys on your keyboard can be used to identify some users. So you talk into a microphone attached to some computer system, and it compares your supplied voice with some voice recording that the computer system has. If they have the same characteristics, we can say that's the same person. That's the idea. Same with handwriting.

So, four different ways to authenticate humans. Which one do you use most? Right, we all use passwords a lot, I think, so we'll spend a lot of time talking about passwords. So do you use any others?
Which examples? Smart card, what for? Right, for entry into buildings, for example, the possession of that card acts as proof that you are a person who's allowed to enter. If you don't have the card you cannot enter. Of course, you can think of some obvious flaws with that: you can pass the card to someone else. So there are some limitations.

This one, anyone? Some buildings have it. In SIT we have it; I have to do it every day when I come to work, not so much for security, more for monitoring. But some of the rooms, the labs here, have the fingerprint: on our network lab we have a fingerprint reader to open the door there.

And this one you don't see is common. Okay, why? It's hard. It's hard to implement. You need, say, to record the voice of someone. Let's say, on this door to get into the lecture room, we want to restrict who can come into the building. Then with a key card it's quite easy, quite cheap to implement: supplying key cards to people and having a machine to read them. But with, say, voice pattern recognition, first everyone needs to register their voice, and then when they try to get into the building they must say something, and getting that to work
well is quite difficult, because you must make sure that there is no noise from other sources, so that the voice recording is good, and comparing voice patterns is computationally difficult. So only in cases where high security may be needed are these applied, or in combination with others.

We will focus mainly on what you know, and generally on passwords, and say a little bit about the others towards the end.

This is a quote from a textbook about network security, and it's about humans and computers. Normally we focus on the computer side, how to implement the software, the hardware and so on, but when we deal with humans, as a designer we consider humans are large, expensive to maintain compared to computers, hard to manage, and of course they create a lot of pollution. It's astonishing that these devices, us humans, continue to be made and deployed. But unfortunately there are so many of us around that we must design our communication protocols, our security protocols, around the limitations of humans. If we didn't have to deal with humans in designing computer security, life would be much easier. Can humans encrypt using AES? If I give you something, can you encrypt it using AES in your head? No. Computers can, quite easily. Can you remember a 64-bit key, a 64-bit random binary value? No. Humans are not so good at that; a computer can, it stores it in memory. So there are some limitations of us which make it difficult to design computer security for different systems. Of course, we cannot avoid us. We must design around humans, and often they are the weakest link in our system security.

One of those weak links is passwords, and using passwords to authenticate users. It's very pervasive, it's everywhere, but it's a big problem in terms of security. So passwords include other things we don't think of as passwords: PINs are also a form of password, whether it's a number or a set of letters, similar. What's your password for Moodle?
Right, the first rule of passwords is don't tell anyone your password, okay? So a general principle: don't tell anyone what your password is. Of course, things are not so easy.

This is a small cartoon. In terms of computer security and cryptography, many people think: okay, I have my laptop, I want to protect it, and an attacker is trying to break into it. So they've got my laptop and they find it's encrypted, so they have an idea: let's build a computer that will crack the encryption. But we think: okay, let's just use a key which is long enough. We know that a brute force attack is not possible if we have a large enough key, so we should use a long key to stop someone from building an expensive computer to break it. So we stop people accessing my computer by using cryptographic techniques. Unfortunately, there are alternatives. The alternative, maybe in some cases, is to exploit the human weakness: instead of having to break the encryption of the laptop, just go to the person who owns it and hit them on the head until they tell you the password. So we need to realise that sometimes there are weaknesses that we don't often think about when we're dealing with cryptography. In this course we will not use this technique for breaking into systems, but it is a real issue. There are many different ways to defeat the security of a system, not just technical, and with passwords that arises a lot as well.
There are different ways to defeat the security of password-based authentication. Some of them are technical, some are based upon human behaviour and social engineering.

So let's look at how password authentication works. Many computer systems use password-based authentication. We talk about multi-user computer systems. It could be my laptop, which has accounts for multiple users who want to use that laptop; we need a way to authenticate the user and make sure that I can access it and you can't access my laptop and get my exam questions. It can be a shared computer, but more commonly nowadays it is some website or some computer system on the internet where many users have access, and we use a combination of an ID and a password to authenticate the users.

How does that work? We talk about the computer system that we're trying to access and the user that's trying to access it. The system initially stores a username and password for the corresponding users. So there's some initial registration, and I think you know that when you create an email account, the first thing you do is choose the email address, that's your ID, and you maybe supply some other information about yourself, but you must supply a password. So this registration step must be done, where you store your username and password on the computer system that you're going to access later. Then, later, when you want to access it, the way that it works is that you submit your username and password to the system, and the system compares your submitted value and your stored value. If they match it assumes you're the correct user; if they don't match it assumes you're not the correct user. So that's user authentication using usernames and passwords, or identities and passwords.

So first a little bit about the ID. What's a good ID to use for user authentication? Depends a lot on the system. There's a mistake here: it determines whether the user is authorised to gain access to the system.
So that's what the ID is for. If you don't supply an ID that's been registered, then you will not get access to the system. That's the first check. The ID sometimes determines the privileges of users. So I can log in to the Moodle website as Steve, and I get the privileges of an instructor or a lecturer. But alternatively I, the same human user, could log in using a different ID like admin, and then I'd have the privileges to create courses and to do many different things that the lecturer couldn't do. So the same human may log in using different IDs, and the ID can be used to determine what that user is allowed to do, the privileges of those users. A specific case of that is that it's used in access control: users with particular IDs will be granted permissions to do things on that computer system. If you've been in our network lab, we've seen examples of access control on files: we have read, write, execute permissions. Some users can read files; other users cannot read those same files. How do we determine that? It's based upon the identity of that user, the username for example. We will not say much more about what the ID is. Usually the structure of an ID depends upon the computer system. We want to focus on the password part of it; that's the security part.

So when you choose a password and submit a password there are a number of issues with respect to security. What is a good password? I think we can all think of what is a bad password. We can think of examples of bad passwords: 1234, your name, the word "password", your birthday. What's a good password? A mix of uppercase, lowercase, numbers, other characters; not a word; long, okay, many characters, not just two or three characters. We'll look at that later, at some guidelines and many examples of what's bad in a password, to try and arrive at what rules or procedures we can use to choose a good password.
The other thing that we need to address is: when you register your username and password, that password is stored on the computer system. We need to keep that password secure. Again, the password must be kept secret, and it's stored somewhere on the computer system that we're accessing. So how we store that is an important thing, and we'll spend some time on that. When you implement that computer system and you implement an authentication technique, you need to make sure that the way that you store the password is a good way.

How do you submit passwords? You have a computer system that you want to access; you're on the other side of the world using your web browser trying to log in. How that works is that you send your username and password from your web browser to the computer system across the internet. How to do that such that no one in the middle can intercept and find your password? So the submission is another issue, and there are things like what to do if the password submitted is incorrect, how to respond. So we'll see examples of, or some issues with, all of them in this topic.

Before we go through them, we'll just draw a quick picture of what the model is, how we can think of it. We have a user, this is our user, and we can think that they have a computer that they're using, my nice picture of a computer. And this is the computer system that they want to access. That is, this user wants to access this computer system. Usually they'll do it via another computer, especially in web-based systems, across the internet. So I've got an old PC.
That's why this one's so big. I will not draw it, but there's a process of registration where this system has some database. Think of some database inside there: a list of IDs and passwords. So this database, for all the users that are going to access this system, stores something about the ID of those users and the password of those users. That's the stored values. Then, when our user wants to access that system, they submit or supply a value. So you can think that they supply an ID and password, and then there should be a response. That's the general model of what we'll consider with passwords.

Not drawn here, but initially the user registers with the system, and in that registration process they select an ID and password, and then that's stored on the system that we're trying to access later. Think of it as a database; it doesn't have to be, it can be a file, it can be in memory. Then when that user later wants to access that computer system, we say they submit their ID and password, and the system compares the submitted values with the stored values. If they match, then the response will be positive, saying yes, you can access. If they don't match, then the response will be negative, saying something's wrong. So that's our model.

We need to look at how to store the passwords, because note that the password is secret information; if someone can access this computer system and then get all the usernames and passwords, that can be a security compromise. How to choose passwords when you register? That's another issue: what's a good password? How should you submit your password across a network, especially across the internet? Here we have the internet, and someone may intercept that message if we're sending it across the network and discover your password. And how should the system respond?
What type of message should it send, especially if you get the password wrong?

Back to our lecture notes. There are many problems with passwords. We will list a few here, most of them, and classify them, and then we'll go into some details about a selection of them. So vulnerabilities of passwords: what can go wrong such that the security is compromised?

First, what's called an offline dictionary attack. Somehow the attacker obtains access to the database. That is, somehow the attacker finds this database, which is a database listing everyone's ID and password. So if the attacker can find that, then they learn the secret information, so the security has been compromised. So we need some way to store that such that even if they get access to the database they cannot get access to the password value. We'll go through the different options, and we'll arrive at: we make use of hash functions, so that instead of storing the password we store a hash of the password. So an offline dictionary attack would be: the attacker obtains that database and then tries to find the corresponding passwords which are stored in there. The concept of offline means that we don't do that attack on the computer system; we get the database, copy it to our own computer, as the attacker, and do the attack using our own resources. We're not limited by the computer system. A dictionary attack means simply that, if we're trying to find or guess passwords, we try common words, or values which are related to words in a dictionary: not random characters, but words, or strings which are structured based upon words in a dictionary. We'll spend some more time on that one as we pass through these different vulnerabilities.

What we need to do is control who can access that database on that computer system. The database should be somehow protected. No one should be able to just connect to this computer system and download the entire database. So we need some
special protections on that database. In addition, even if someone can get access to the database, we need to use techniques to either encrypt the passwords, so if they get the database they must find the key to decrypt, but often that's not practical, so instead of using encryption we use hash functions to store the passwords. We'll explain how to use them.

But there are other types of attacks, even if they can't get the database. What can an attacker do? A specific account attack: an attacker wants to get into my account on Moodle. What they can do is submit my username, my ID, which let's assume that they know, and just try some password, maybe a random password. So it's on a specific account, one person's account: the attacker submits a known ID and guesses a password. If the system responds "failed", then the attacker tries another password. Fail, try again, and just keep going. So: try different passwords for a specific account. How do we stop that? I think you've seen it in use in practice: set a limit of how many attempts can be made. So if there are, say, five failed attempts on that specific account, do not allow any further attempts. And you see that, probably (I hope you haven't seen it, but you've heard of it), when using your bank and an ATM: if you supply your PIN three times wrong then it eats your card. The machine takes your card and you can't make a fourth attempt. So that's an example of stopping someone, even if they have your card, from just trying many different PINs. If you only have a four-digit PIN, there are only ten thousand combinations to try. So there's a way, as a countermeasure in that case: lock the account after too many failed attempts. What's the problem with this countermeasure? Okay, so that works, but what's the problem with it?
So let's say, alright, for Moodle you all have accounts on Moodle, and I want to make the system secure. So I implement a countermeasure: if someone tries to log into an account and they make one failed attempt, I will lock that account. What can go wrong? Right, it could have been the real user and they just typed their password wrong; they made a mistake. If we lock the account, then they may make a mistake and then they're locked out, and it's inconvenient for them, because now they need to take some other steps to try and get their account unlocked. The same with a bank: if you lose your ATM card because you tried the PIN three times wrong, then you need to go to the bank the next day and get a new card or something. So it's inconvenient if it's the real user that gets locked out. And similarly, an attacker can take advantage of this countermeasure and do a denial of service attack. What I can do, if I want to stop you from accessing your account, is submit, say, three wrong passwords into your account, and now you're locked out of your account. So I deny you access to the normal service. So we need to make a trade-off between these countermeasures, which improve security, and the consequences of them, which usually make things more inconvenient or perform worse.

Related but slightly different: a popular password attack. Let's say I know many different IDs for a particular computer system. Instead of attacking a specific account, attack any account, trying a popular password for many different IDs. An example: I know the user IDs for all the students who have a Moodle account; I know the list of ID numbers. So I know all the IDs. What I do is, for the first ID, I try the password 1234. It didn't work.
So I move on to the next user ID and try 1234, and, unfortunately, I'm quite confident that after I try all the students here that have a Moodle account I'll probably get one that gets access. So this is trying a popular password, something that many people may use, on many different accounts, with the aim of just getting access to one of them from the attacker's perspective. So we can't lock the account after too many attempts, because we only make one attempt per account. Somehow we need to make sure the user doesn't choose that popular password: when you register your password, have some rules that say you cannot choose the password 1234. So control how users select their passwords. Or maybe block computers that make multiple attempts: we identify the IP address that's making many attempts at many different accounts, and then block that computer.

What can go wrong? What are the negatives of using these countermeasures? A normal user is not going to try to log in with different IDs; that's unlikely. What's the problem with controlling password selection? That is, for example, I set a rule when you create a new password on Moodle: the password cannot be a popular password. So I set up some rules, and I say it cannot be a word that's in a dictionary; that's the rule. Popular means, maybe we'll see later, one that's too short, so it needs to be 15 characters long, it needs to be random. So that's the rule for creating your password. What's the problem with that? You will not be happy with a password that is 15 random characters. You'll forget it. You'll write it down, and then it's easier for someone else to learn it. So it lets in other weaknesses if we have a password that users do not find convenient. So we need to make a trade-off: we need to control what passwords the user can select, but not make it too hard for the user to select a password they can remember.
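As an added example (not part of the lecture), the following Python models the register/submit/compare/respond cycle with the two countermeasures just discussed: a per-account lock after three failures, and a block on a source address that keeps failing across many accounts. The account names, passwords, limits and the salted SHA-256 storage are constructed assumptions; how to store passwords properly is deferred to the next session.

```python
import hashlib
import os
from collections import defaultdict

MAX_ACCOUNT_FAILS = 3   # lock the account after this many failures (like the ATM example)
MAX_SOURCE_FAILS = 5    # block a source address after this many failures across accounts


class AuthServer:
    """Toy model of the lecture's register / submit / compare / respond cycle."""

    def __init__(self):
        self.db = {}                            # uid -> (salt, hash of salt+password)
        self.account_fails = defaultdict(int)   # uid -> consecutive failed attempts
        self.locked = set()                     # accounts that hit MAX_ACCOUNT_FAILS
        self.source_fails = defaultdict(int)    # source address -> failed attempts
        self.blocked_sources = set()            # addresses that hit MAX_SOURCE_FAILS

    @staticmethod
    def _hash(salt, password):
        # Store a hash instead of the password itself; the per-user salt is an
        # assumption here, not something the lecture has covered yet.
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def register(self, uid, password):
        salt = os.urandom(16)
        self.db[uid] = (salt, self._hash(salt, password))

    def login(self, uid, password, src):
        """Return the system's response: ok, failed, locked or blocked."""
        if src in self.blocked_sources:
            return "blocked"
        if uid in self.locked:
            return "locked"          # refused even if the password is correct
        stored = self.db.get(uid)
        if stored is not None and self._hash(stored[0], password) == stored[1]:
            self.account_fails[uid] = 0
            return "ok"
        self.account_fails[uid] += 1
        self.source_fails[src] += 1
        if self.account_fails[uid] >= MAX_ACCOUNT_FAILS:
            self.locked.add(uid)
        if self.source_fails[src] >= MAX_SOURCE_FAILS:
            self.blocked_sources.add(src)
        return "failed"


def specific_account_attack():
    """Many guesses against one account (constructed sample). The per-account
    limit stops the guessing, but afterwards the real owner is locked out too:
    the denial-of-service side of the trade-off."""
    server = AuthServer()
    server.register("u5001", "correct horse")
    responses = [server.login("u5001", guess, src="attacker")
                 for guess in ("1234", "password", "qwerty", "letmein")]
    owner = server.login("u5001", "correct horse", src="owner")
    return responses, owner


def popular_password_attack(n_accounts=8):
    """One guess of a popular password per account (constructed sample). The
    per-account limit never triggers because each account sees a single
    failure; only the per-source limit, or a rule forbidding '1234' at
    registration, stops it. Note that a per-source block can also hit normal
    users who share that address behind a NAT or firewall."""
    server = AuthServer()
    uids = [f"u{5000 + i}" for i in range(n_accounts)]
    for uid in uids:
        # Exactly one user chose the popular password.
        server.register(uid, "1234" if uid == "u5003" else "strong-" + uid)
    responses = [server.login(uid, "1234", src="attacker") for uid in uids]
    return responses, sorted(server.locked)


if __name__ == "__main__":
    print("specific account:", specific_account_attack())
    print("popular password:", popular_password_attack())
```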
Blocking computers that make multiple attempts: it may be that, via the networking techniques of firewalls and network address translation, blocking a computer from making attempts may block the normal users from accessing the system. So you need to be careful when you block things that you don't just block the attackers; you shouldn't block the normal users. Let's keep going.

Password guessing against a single user. You want to get access to my account for Moodle so you can change your scores for the quiz, so you'll try to guess my password. You don't try many random passwords; that was the specific account attack. You try and guess it within three attempts, because you know the system will lock you out after three attempts. So in this attack you try and guess the password based upon knowledge of that person. If you know something about the person who has that account, maybe you can guess the password more easily. Again, to stop that we control how users select passwords, so they're hard to guess: they're long and they don't follow some common structure. So that involves not just controlling the user by some technical controls, but also training the user: inform users that the way they select passwords should follow certain guidelines, and inform them of the consequences of selecting a bad password.

Another one: computer hijacking. I've logged into my computer and I go out for a break for five minutes. Someone walks up to my laptop and now they've hijacked my computer. They're logged in as me, because it didn't log out when I left. How do we stop that? Some form of auto logout.
After two minutes of inactivity on my laptop, it automatically logs me out, so when I go away someone can't log in. Again, I think you can see the trade-offs with inconvenience. Let's say your computer automatically logs you out every one minute. Then you just have a break, because you don't do something for one minute, and now you need to log back in again. So there's a trade-off there.

Exploiting user mistakes: a user writes down their password because it was too long or too random for them to remember; a user shares their password with friends; or somehow they're tricked into telling someone their password. Then we need, again, some training of users not to do these things: explain to them how those things can arise and what the consequences are. And maybe use passwords with some other form of authentication, like not just a password but also having to supply some number which is sent to you via SMS or a message on your phone, a one-time password, as you see with different online systems today. So even if someone gets your password, they also need that other thing, your mobile phone, to get access. Again, inconvenient: if you don't have your phone with you at that point in time, then you cannot access.

We access many different computer systems, many different websites that we may have accounts for. One thing an attacker can do is exploit the fact that many people use the same password in different computer systems. So if I'm an attacker that can learn your password for Moodle, then I may of course get access to your Moodle account, but then I may try that same password for your bank account. So if people reuse passwords across different systems, then attackers can take advantage of that. How do you stop that? The suggested countermeasure there is not really practical. How do I stop someone from using the same password in Moodle as they use in their bank account?
I cannot really stop it. Maybe if I control both websites: you could coordinate and check that, say, within an organisation, your account on Moodle, on registration and so on, doesn't use the same password. But generally, outside of the systems in our control, we cannot control what password a particular user uses on different systems. So that's a hard one.

Can anyone access your password for Moodle? Of course the person who administers the computer system can. Remember our picture: your password, when you registered, is stored on this computer, the server. There's some person who has access to that server, who could in theory get access to the passwords. Who is that person? It's me. So in theory I can access all of your passwords, and in any computer system where you've registered a password, assume the administrator of that computer system can learn the password. They shouldn't, but there's no real technical way to make it hard for someone to do that. So again, reusing a password across different accounts is a problem, not just if someone gets it from hacking into this system, but because the administrator knows the password that you use on this system; therefore you shouldn't use it on another system.

When you submit your password, it's usually sent across a network. So if someone can intercept at this point, then, if you don't use the right techniques, someone can learn the password as it's being submitted. How do we stop that? How do we stop someone from overhearing this password sent across the internet between your web browser and some website? What mechanism do we use? Encrypt the password. Okay, so we've learned the concepts of encryption: if we want to send a message across a public network like the internet, and we don't want others to see that message, we should encrypt that message. What key do we use to encrypt? That's another problem we have. How do we choose a key that both sides know?
We'll see that maybe in a later topic when we look at web security, some approaches for that. Many vulnerabilities of passwords, but we still use them. Okay, so there are many weaknesses, and many computer systems are compromised due to these weaknesses, but the trade-off has been made that they are currently the most convenient for people to use. So we still need to improve how they are used. Any questions about the vulnerabilities, the difference between those six or seven vulnerabilities? Remembering them is a good idea, or at least recognize them: if I say what's the difference between the specific account attack and a popular password attack, think about that.

We'll spend some time, we'll start it today and continue tomorrow, on how do we store passwords? That is, that database on the computer system when you register the password: how should that be stored? Because one job that you may have in the future is creating websites, creating applications that store passwords. So there are some ways to do that and some weaknesses. But maybe we'll do that tomorrow because it takes some time. What we'll do is go do this one, selecting passwords. Much easier. How should we select passwords? Some suggestions. You want to create a rule that you can give to some other users, your parents, your friends, the users of your website. You want to create a rule to suggest to them how they should choose a good password. What would you tell them? Or if you don't know, think of how you choose a good password. How do you do it? Right, so make sure your password is a mixture of uppercase letters, lowercase letters and numbers. All right, so some mixture of different characters. Anything else? So, yeah, a long password. So you should give a suggestion about how long the password should be. More than 12 characters, good suggestion.
I will not ask you what your password is, but just think about maybe two or three of your passwords you use the most. Think about them and think about their length. How many people have one of those passwords which is less than four characters? All right, not many. Systems today will not allow less than four; some do. Less than eight, eight or less? On some systems I have a password of eight or less. Less than ten, so ten, nine? More than ten, who has a password of more than ten characters? More than twelve? More than sixteen? Good. Right, not many people will have passwords of more than, say, ten or twelve characters. We'll give some statistics shortly, but that's a big issue, the length. Why don't you have a password of more than 12 characters? You cannot remember it. Why not? Right, you can remember some passwords of more than 12 characters, okay, but yes, if it's a random or semi-random mixture of characters, it's hard to remember. What else is wrong with a long password? Harder to remember, and again storage on the computer system: in theory yes, but in practice not a big problem. What's the problem for you using a long password? Typing is hard. Okay, all right, there's not much difference to type in a password of six versus eight, but six versus twelve, well, that takes a bit more time, especially on a mobile device. If you're using your phone to enter that password, 12 characters versus six characters, the convenience of doing a long password is an issue. Any other suggestions? Long password: what's your suggestion for the long password? What length? What's the minimum length? Six or more, okay. Eight or more, maybe, all right. We've got a mixture of uppercase, lowercase and digits, numbers; long, say eight or more. Any other suggestions? Some people said them before: don't use your name.
Don't use your birth date. Don't use things which are about you. Don't use your username, an obvious one. Don't use words from dictionaries. So some rules.

Let's have a look; there are a few slides here which just show some people have done analysis of some leaked passwords. That is, a list of passwords of many users has been leaked on the internet, so someone has obtained that and looked at the statistics of those passwords. Troy Hunt has a website which I've grabbed these figures from, from different leaked passwords, in this case from 300,000 passwords of different users. Someone has obtained that database and released it on the internet, and some statistics, in this case analyzing the passwords, see that the green one, twenty five percent of those passwords, one quarter, are dictionary words. So this is some indicator of how people do choose passwords. 25% we consider bad because they are from a dictionary. How many words in a dictionary? In the order of hundreds of thousands? Okay, say in an English dictionary there may be a hundred thousand, but if we have stemming and so on maybe up to a million, but not so many. So in terms of just words, usually in a language, hundreds of thousands of words. So many people choose words from a dictionary. That's bad because the first thing that the attacker tries when they try and guess your password is one of those 100,000 words, and we'll see the ways that that is quite easy to try with modern-day computers. What else do we see?
The blue one up the top is a person name. So 14% of people chose a password which is a name of someone, not necessarily their name but a name of someone. Again, what an attacker does if they're trying to guess a password: if a word from a dictionary doesn't work, try a word which is someone's name, so get a name list, and you can download a name list to try them. 8% a place name, like a city or a country. 14% were numbers, so no uppercase or lowercase letters, just digits. And then a mix of others like some short phrase, so not just a single word but a combination of words; some keyboard pattern, q-w-e-r-t-y, okay, the first five letters at the top of the keyboard, or other more complex patterns. And again, assume the attacker knows this. So the first things an attacker is going to do if they are trying to guess a password is try the common ones, and if they're just trying to find some accounts, then there's a good chance that they can guess a password.

Some other details: what about changing the language? Does it help? Not much. If it's a computer trying to guess the password, using a different language doesn't help much, because the same statistics would apply usually in that language. If it's a human trying to guess your password, maybe the language helps, because the human cannot make so many guesses, but a computer can try many guesses within a short amount of time. So a different language doesn't change things much.
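To make the slide's breakdown concrete, here is an added example (not the lecture's or Troy Hunt's analysis code) that sorts a list of passwords into the same buckets: dictionary word, person name, place name, numbers only, keyboard pattern, short phrase, other. The word lists and the 20-password "leak" are tiny constructed stand-ins; a real analysis would load full dictionaries and name lists and the leaked dataset itself.

```python
"""Categorise leaked passwords the way the slide's breakdown does.

Added example, not from the lecture or Troy Hunt's site. The word, name and
place lists and the sample "leak" are tiny constructed stand-ins for the real
dictionaries, name lists and the 300,000-password dataset mentioned.
"""
from collections import Counter

# Constructed mini word lists (a real analysis would load full lists).
DICTIONARY = {"password", "monkey", "dragon", "sunshine", "letmein",
              "welcome", "football", "shadow"}
NAMES = {"steve", "michael", "jessica", "daniel", "ashley"}
PLACES = {"london", "paris", "sydney", "brisbane", "tokyo"}
WORDS = DICTIONARY | NAMES | PLACES
# Keyboard rows; a contiguous run along one row (either direction) is a pattern.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_keyboard_pattern(pw: str, min_len: int = 4) -> bool:
    """True for runs such as 'qwerty', 'asdfgh' or 'poiuyt'."""
    p = pw.lower()
    return len(p) >= min_len and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def splits_into_words(p: str) -> bool:
    """True if p is two or more known words glued together, e.g. 'welcomesteve'."""
    best = [0] + [-1] * len(p)          # best[i]: max words covering p[:i], -1 = impossible
    for i in range(1, len(p) + 1):
        for j in range(i):
            if best[j] >= 0 and p[j:i] in WORDS:
                best[i] = max(best[i], best[j] + 1)
    return best[-1] >= 2


def categorise(pw: str) -> str:
    """Assign one category; the first matching rule wins, as in the slide's buckets."""
    p = pw.lower()
    if p in DICTIONARY:
        return "dictionary word"
    if p in NAMES:
        return "person name"
    if p in PLACES:
        return "place name"
    if p.isdigit():
        return "numbers only"
    if is_keyboard_pattern(p):
        return "keyboard pattern"
    if splits_into_words(p):
        return "short phrase"
    return "other"


def category_percentages(passwords) -> dict:
    """Percentage of the list falling in each category, one decimal place."""
    counts = Counter(categorise(pw) for pw in passwords)
    return {cat: round(100 * n / len(passwords), 1) for cat, n in counts.items()}


# Constructed sample "leak" of 20 passwords (not real user data).
SAMPLE_LEAK = [
    "password", "Monkey", "dragon", "Sunshine", "letmein",   # dictionary words
    "steve", "Jessica", "daniel",                            # person names
    "london", "Sydney",                                      # place names
    "123456", "111111", "2001",                              # numbers only
    "qwerty", "asdfgh", "zxcvbn",                            # keyboard patterns
    "welcomesteve", "footballdragon",                        # short phrases
    "Tr0ub4dor", "x9#Lq2",                                   # other
]

if __name__ == "__main__":
    for cat, pct in sorted(category_percentages(SAMPLE_LEAK).items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {cat}")
```

The order of the rules matters: "111111" is both all digits and a keyboard-row run, and the slide counts it under numbers, so the digit test comes first. The same categoriser is exactly the ordering an attacker's guessing list follows, which is why the lecturer says to assume the attacker knows these statistics.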
This is from some other analysis of a different database of passwords which was leaked, an analysis of the length, and this showed that most people chose between six and eight character long passwords. Few people will use less than six, and in fact most computer systems today will limit you: you must have a password longer than some value. Few people use more than ten. Okay, I think here in the class, the statistics of this class, because you're very security conscious, you have long passwords, but in the general population I think most people will not use more than ten. Okay, have you got a password of more than 12 characters? No, most people would not, but I see someone here was counting on her fingers, so I think you do. Good. So this is indicating that despite the rules that we may create, humans are going to follow this pattern and try and choose passwords in the order of six to eight characters.

Some other studies have been done on some common characteristics of passwords. Most use alphanumeric characters, that is letters and numbers, alphabet and numbers. Most passwords are in dictionaries, not just your standard dictionary but password dictionaries: lists of strings that people have created which are common for passwords. Many users reuse passwords across systems. Hands up if you reuse a password across different websites. Everyone does, because nowadays you need passwords for so many different systems; you can't just create a new one, or remember one, for each different website. So that's a big problem. There are some very common passwords, so in all leaks of passwords that come up there are usually some at the top. Okay, another study has realized that when you force someone to change their password every month or every few months, most users will try and change just a single character. My password is Steve; I have to change it every month, so the next month I change it to Steve2 and the next month Steve3, and just keep changing it.
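The Steve, Steve2, Steve3 pattern is something a password-change form can detect, because the user has to type the current password to change it, so both plaintexts are available in memory at that moment. This added example (not from the lecture) shows one way to flag a "new" password that is only a trivial edit of the old one: same up to case, reversed, only the trailing number changed, or within two character edits. The edit-distance threshold of 2 and the digit-suffix rule are the example's own assumptions.

```python
"""Reject a 'new' password that is only a trivial edit of the old one.

Added example, not from the lecture. It assumes the password-change form
asks for the current password, so both plaintexts are in memory for the
comparison; a stored hash alone cannot be compared this way.
"""

DIGITS = "0123456789"


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str, max_edits: int = 2) -> bool:
    """True if 'new' equals 'old' up to case, is its reversal, differs only in a
    trailing number (Steve2 -> Steve3), or is within max_edits character edits."""
    o, n = old.lower(), new.lower()
    if o == n or o == n[::-1]:
        return True
    stem_o, stem_n = o.rstrip(DIGITS), n.rstrip(DIGITS)
    if stem_o and stem_o == stem_n:          # only the trailing number changed
        return True
    return levenshtein(o, n) <= max_edits


def check_against_history(new: str, history) -> list:
    """Return the old passwords in 'history' (most recent first) that 'new' is a
    trivial change of; an empty list means the change is acceptable."""
    return [old for old in history if is_trivial_change(old, new)]


if __name__ == "__main__":
    # Constructed history: the month-by-month rotation the lecturer describes.
    history = ["Steve3", "Steve2", "Steve"]
    print(check_against_history("steve4", history))   # flagged against all three
    print(check_against_history("Dragon7", history))  # []
```

Keeping a short history of previous passwords for this comparison only works if the change form collects the current password in the clear; comparing against stored hashes would require hashing every candidate variation, which is the same brute-force work an attacker does.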
So forcing people to change their passwords doesn't always have the intended effect. So we will not study too much more about what are the best rules for choosing a password, but I think you should give some thought about how you choose passwords and whether it's a good approach, and whether you can think up maybe a better approach for suggesting to others how to choose passwords.

Some strategies to make password selection better include: inform people of why it's important to choose a good password, what can go wrong if you don't choose a good password; advise them on what strategies they can use. Maybe think of a song name: think of your favorite song and choose the first letters of each word in that song name. Okay, so easy to remember the song name, and just think of the first letters in each word in that song name. It doesn't have to be long; the resulting password may not be long, okay, and it mixes up the characters. So just an example of a strategy. Computer-generated passwords: instead of getting the user to select the password, create one for them. It doesn't work very well. Can I find an example? You can find software that would generate passwords for you. Zoom out a bit. For example, this is some simple software that generates passwords. Let's say when you create an account you must use this password. Again, what's the problem with computer-generated passwords? Inconvenient, okay, hard to remember.
Here's your password: a uf 7e y 3z. Inconvenient, and that is hard to remember, and sometimes hard to type in, so it makes it unlikely to get it correct all the time. You can have variations where you generate pronounceable random passwords. So this is roughly random-type passwords, but we could generate passwords which are pronounceable but semi-random. To make something pronounceable you need the right combination of consonants and vowels, okay, so you need an a, e, i, o or u in the right position, and it can be a nonsensical word but still pronounceable, and people generally find it easy to remember pronounceable things. So computer-generated passwords don't seem to work very well because users don't like them.

Reactive password checking is when a system automatically checks user passwords and lets them know if they have a bad password, and proactive is when, as they are selecting the password, the system advises them on the strength. And I think nowadays you see this in many websites: when you register a password, the website will give some visual feedback, strong, fair, weak, and maybe show a color to indicate whether the password you're choosing is a good one or not. So that seems to help people in selecting better passwords. What we'll do tomorrow is look at how to store passwords, and then look at some of the attacks that can happen from someone who tries to get access to the password database.
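The two ideas just discussed, computer-generated passwords (fully random versus pronounceable) and a proactive strength check, fit together in one small added example. This is not the generator software shown in the lecture or any real site's strength meter; it applies the rules collected from the class (eight or more characters, a mix of upper case, lower case and digits, not the username, not a dictionary or common password, not digits only, not a keyboard pattern) and rates a password weak, fair or strong. COMMON_PASSWORDS is a tiny constructed stand-in for a real password dictionary, and the syllable shape used for pronounceable passwords is the example's own choice.

```python
"""Computer-generated passwords and a proactive strength check.

Added example, not the lecture's password-generator software or any real
site's strength meter. COMMON_PASSWORDS is a tiny constructed stand-in for
a real password dictionary.
"""
import secrets
import string

VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "monkey", "dragon", "sunshine"}


def random_password(length: int = 8) -> str:
    """Fully random letters and digits, like the 'a uf 7e y 3z' example: hard to remember."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pronounceable_password(syllables: int = 4) -> str:
    """Nonsense but sayable: consonant-vowel(-consonant) syllables, capitalised,
    with two digits appended so it also satisfies a character-mix rule."""
    word = ""
    for _ in range(syllables):
        word += secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        if secrets.randbelow(2):                 # close about half the syllables
            word += secrets.choice(CONSONANTS)
    return word.capitalize() + "".join(secrets.choice(string.digits) for _ in range(2))


def is_keyboard_pattern(pw: str, min_len: int = 4) -> bool:
    """True for a contiguous run along one keyboard row, either direction."""
    p = pw.lower()
    return len(p) >= min_len and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def assess_password(pw: str, username: str = "") -> tuple:
    """Proactive check with the rules from the discussion.
    Returns (rating, reasons); rating is 'weak', 'fair' or 'strong'."""
    fatal, minor = [], []
    if pw.lower() in COMMON_PASSWORDS:
        fatal.append("common or dictionary password")
    if username and username.lower() in pw.lower():
        fatal.append("contains the username")
    if pw.isdigit():
        fatal.append("digits only")
    if is_keyboard_pattern(pw):
        fatal.append("keyboard pattern")
    if len(pw) < 8:
        fatal.append("shorter than 8 characters")
    classes = sum(any(f(c) for c in pw) for f in (str.islower, str.isupper, str.isdigit))
    if classes < 3:
        minor.append("does not mix upper case, lower case and digits")

    if fatal:
        return "weak", fatal + minor
    if minor or len(pw) < 12:
        return "fair", minor
    return "strong", []


if __name__ == "__main__":
    for candidate in ("password", "Steve2019", "12345678", random_password(), pronounceable_password()):
        rating, reasons = assess_password(candidate, username="steve")
        print(f"{candidate:16s} {rating:6s} {'; '.join(reasons)}")
```

Running the script shows the trade-off the lecturer describes: the fully random password rates as well as or better than the pronounceable one, but the pronounceable one is the only generated password most users will actually keep. The check is proactive because it runs while the user is choosing; the same function applied to an existing password database afterwards would be the reactive variant.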