 If we look back at one of our pictures from the very first lecture introduced to IT security, just briefly, so the scope of computer security, as a reminder this picture shows that we have a computer system or in fact two computer systems, we have users that use those computer systems and there are different security issues that arise. Don't worry about trying to find this slide, we'll just repeat what it shows. Some of the issues that arise is that users want to use the computer system and there are usually multiple users, so there needs to be some protection or some access control to determine who is allowed to use the computer system, which users are allowed to use this, which users are allowed to run processes and those processes that run on that computer then we need some way to control which users can access which files, so access control on files, on applications in here and other aspects of security including getting the data securely transferred between computers. But an important part of securing our computer system is dealing with the users and when a user tries to access that computer make sure that they are a user that is allowed to access that computer. So user authentication is our next topic, it's about the humans that use the computer, how do we know they are the person that is allowed to access that computer. So that's the topic of user authentication and it's quite important because many of the other security features inside depend upon that. That is once you've logged into the computer then the access control on the files depends upon for example your username, so access control like permissions on files which some of you have studied in a lab already, permissions are given to particular users so we must make sure that the human user that logs in is the one that is associated with that username or an account. So user authentication is very important for many other security concepts. 
So if we now go to the slides on that, let's talk about how we authenticate users. What do we mean by user authentication? The process of verifying a claim that a system entity or a system resource has a certain attribute value. That's quite a generic or general description of user authentication; it doesn't mean anything about humans, us users, but some system entity, maybe a human, or a system resource, maybe a software process running, claims to have some attribute, claims to be this person, claims to be able to do this, then user authentication is about verifying that claim. Is what they're claiming true or not? The obvious one is that a human user wants to access a computer, they claim to be Steven, then the computer system must verify: is this person Steven or is it someone pretending to be him? So that's one role of user authentication.
There are two steps involved with the authentication: we split it up into the identification step and the verification step. You verify or you authenticate yourself every day on different computer systems, websites, logins to the network lab, log into Moodle and so on. So you're often performing these two steps. That is, first you identify yourself, you say who you are, you present some information to identify yourself, and on websites, or when you log into your own computer, that's usually a username, some user identity. So you type in, for example, your username, maybe it's your email address on a website or some other service, but that identifies you. So it is unique within that system, but not necessarily secret. So usernames, user IDs: usually for a particular system the system will be designed such that each username is different, so your username is unique, but the secrecy of those usernames is not so important and the security of the system should not depend upon the secrecy of the usernames. That's the common case.
So for example if your username to a website is your email address then many people know your email address, it is not secret. This step is to make the claim, I claim to be this person, I claim to be this entity. The next step is to verify to the system that you are that entity, the verification step. You present some information or some knowledge of facts such that the system, the computer system can verify that you are who you are claiming to be. And that's commonly a password, so you present a password or a personal identifying number or maybe some biometric information, a fingerprint, an eye scan and more lists of others that we can present. And this information is often secret or it's something that is, that others cannot create, cannot generate. For example your fingerprint is not secret, that is if you can usually take a photo of someone's finger and you see their fingerprint, it's not so secret but it's hard for others to replicate, it's possible but quite hard. So that's why it serves a role in a verification step. So we're going to, in most of our discussion in this topic, we're going to focus on the verification step. And the main thing that you or many users use for verification is passwords. So we'll spend a lot of time talking about passwords but there are some other techniques for verification and we will mention them towards the end. With respect to identification we'll usually assume that the user presents some ID, some username up front. User authentication is very important because once you're authenticated, once you've logged in then the system performs other security functions based upon your identity. So when I log into Moodle, the Moodle website, then because I've logged in as Steve the system allows me to view the quiz answers because I have a role of the teacher in there. So it's important that the authentication works because the access control as to who can see the quizzes depends upon my username. 
So different security controls rely on correct user authentication. So the verification: how do we, or how does a computer system, authenticate an entity, someone? Usually we're going to split the way in which a computer system can identify or authenticate someone based upon what they know, what the person knows; what they have or possess, something that they have in their possession; what they are (this is not "what they is" but "what they are"); and what they do. So four different ways in general that authentication can be performed. And I think you know of examples of each.
What they know is something that they know that someone else should not know, and a password is a common example. So how does a computer system know it's Steve? Well, I've registered a password in advance. So later when I try to log in I supply that password, so the system assumes, because I can supply that password, that should-be-secret value, it means it assumes it's me, because it assumes that no one else would know that password, that secret value. So that is an authentication of the user based on what they know: answers to questions and other information. Their birth date, their mother's maiden name and many other things can be used there. So we'll talk about that especially with respect to passwords because they're very common.
Another thing may be something that you have in your possession, something physical usually. So generally called a token, maybe a key card, a swipe card; if you have that you can swipe it in a machine and it gets you into the building. That can be maybe a little bit smarter, it could have a chip embedded in the card, or it can be maybe like a USB disk where you insert it into a computer, and that allows you to log into that computer. So if you hold, if you possess that USB device then you can be authenticated. If someone else gets possession of that USB device then they can be authenticated in that system.
And another case that you come across as to possession is usually your mobile phone. Many systems now use what's called two factor authentication. It's not just a password to log in or some extra information is used to confirm if it's really you in case someone has maybe discovered your password. So maybe the web service will ask for your password and then once you supply that it will send a message to your mobile phone because your mobile phone was registered, the phone number. And because you have the phone in your possession you can supply some other information. If someone else had your mobile phone then they could log in as you in that case. So that's related to that if you possess the mobile phone that is connected to that phone number then you can potentially log in. So some of them are combined. So two factor authentication, we use two different things to log someone in. They must know the password and they must possess the mobile phone and that can be more secure than a single factor authentication. Another thing is something about you as a person, your biometrics and we'll distinguish between static and dynamic biometrics. So static are things that don't change. So your fingerprints are one. So some of the rooms in the campus and actually as I come to work I need to scan my fingerprint. And here again I said the fingerprint generally is not secret or you may not see my fingerprint but if you could get a copy of my fingerprint maybe if you could maybe had a camera you could take a photo and you could see it. But it's very hard to generate. It's hard for you to create my fingerprint and replicate it. So systems will use a fingerprint to authenticate a user. Not just to verify that they're the correct user but even to identify them. So fingerprints are used for both identification and verification. 
I walk up to the fingerprint scanner, I scan my fingerprint, the system identifies me and knows it's me because no one else has my fingerprint, or it's very hard for someone else to generate my fingerprint. But there are other body parts that can be used, your eye, your face, so things that don't change, and towards the last few slides in this topic we'll talk about the difference between them and which ones may be better or harder to use with biometrics.
Dynamic biometrics are things that change about you. For example, when you speak you may have a pattern. So the audio, the sounds that come out may be different between two different people. So if a system can analyse your voice in advance, and then you go to access the system, you speak to it and it compares your voice there to the past one, and if they're close enough it assumes it is you. Assuming that two different people have two different voices, we can identify the differences, the different frequencies, the different variations over time. Handwriting is another example. The way you type, the speed at which you type, the way you walk, your gait. So with the way that people walk, people try to identify that two different people, when they walk along, have different steps, different movement. Therefore if we can uniquely identify someone from that, we can use it as a way to authenticate that user. So we'll return to biometrics just at the end, briefly. We'll focus mainly on passwords for this topic and maybe a couple of examples on tokens.
This is a quote from one of the course textbooks, or one that's mentioned on the website. Humans are large, expensive to maintain, difficult to manage and they pollute the environment. That is, us humans, the users, are not so good. It's astonishing that these devices, us humans, are continued to be made and deployed, but unfortunately for people who need to design computer systems to be secure, humans are everywhere, so we must design security protocols around their limitations.
The main point of this quote is trying to say that humans are often a weakness, and designing authentication systems especially must take into account the human factor. We can't create systems that don't consider the limitations of humans. Maybe the limitations of how much I can remember, or the willingness to memorize something. So we can't ask someone to have a very long random password, otherwise they will not remember it or they'll write it down. So user authentication must consider human factors.
So let's see how password-based authentication works. Everyone uses it? How many times did you use a password today? Several times, or sometimes you may not use it anymore because your browser may save the password. So maybe you're not actually typing it in, but it is using your password. Every day we use passwords to access computer systems. So it's important to understand how that works, such that when someone builds a new computer system they do it in a secure manner. And the computer system here, I say generally, but a common thing that we use today is a website or a web service. That is the computer system, in that case, that we're accessing: the website. But there are others. When you access your phone maybe it requires a PIN or a password, or you access your laptop, it may be set up to require a password. So how does it work? You said five or six times. Don't go, stay there. Five or six times you use passwords. All the same password? Is that good? Right. So we'll talk about, yes, we've got so many systems that use passwords, and now the human issue comes in. Yes, you can go charge your phone. The human issue comes in: there are so many systems that need passwords, well, we might as well just remember one password and use that across all of them, and we'll see surely that's not a good idea in some cases. So first, how does password-based authentication work?
Well, many computer systems have multiple users and they use a combination of an ID and a password for authentication. The ID may be a username, maybe a number, but something that's usually unique; it may be an email address, usually unique for the system, almost always unique that I can think of, and it is usually not secret. Others may know your ID. Someone in this class knows everyone else's ID for the Moodle login, because the ID is you followed by your student ID and it's easy to find other students' IDs. So usernames or user IDs here are usually public. How does it work? We all know because we've done this before. What initially happens when you first access that system: there's usually a process of registration, and in the registration maybe you get to choose your ID, or maybe it's assigned to you. For example, in a new email account you may choose your username, whereas with Moodle I give you the username because it's based upon the student ID. So we register, we choose a username, and we also usually get to choose a password; sometimes the password is assigned as well.
So the first step is that the username (and note I will switch between username and user ID sometimes, it means the same in this case), they are stored on the system in this registration process. So the computer system that we're going to access, before we use it we must register a username and password, and it's stored somewhere on that system. And later, when you want to access that computer system, what you do is you submit your username and password, and the system compares your submitted values with the stored values. If they match, it assumes it's you; if they don't, it assumes it's not you. Okay, quite simple.
There are a few issues that arise, though. With respect to the user ID, the identity, what's it used for? It's used to determine if the user can gain access or not. So you visit a website or ask for a login; if you've previously registered then you should be able to get access, but if you haven't registered and you just try some random ID then it should not let you get access. So the user ID: the system knows which users should be able to gain access to the system; maybe some users could be blocked by the system. Once you gain access, often the ID is also used to determine what you can do in the system, and this is like the Moodle setup: if I log in as Steve, the system knows that Steve can edit and view all the quiz questions; if you log in as a student, one of you, you will not have those privileges. So there is access control that depends upon the ID.
What about the passwords? Well, there are a number of issues, and that's what we want to look at, not necessarily in this order. What is a good password? Any ideas? If you need to tell someone who's new to computers that they need to create a password, create a good password, what will you tell them? You use a word, anything, a word that you can remember. Big characters? You mean a big font? Mixed letters with numbers, okay. Have many characters, have a long password. Well, I think you may have different ideas; most people
have ideas of what a good password is. We will look at some, and even if we do have ideas for what a good one is, sometimes it may be good for security but bad for convenience, maybe hard to use: I can't remember it. Okay, a long password, I can't type it in very easily; on your phone you have to type in many characters, and that can be inconvenient. So we'll consider the trade-offs of what a good password is. We will not say too much about that; I think you can come up with your own ideas for good passwords or good password generation algorithms, ideas for rules for creating a password.
We will talk about how to store the passwords. We said that when you first register, the computer system stores the username and password, so I think there's some database on the system that has a list of all users and their passwords. The database may be a MySQL database, it may be a file, or just stored in memory, but there's some storage of the usernames and passwords, because when someone tries to log in the system compares the supplied value with the stored value. So how do you store the passwords is going to be an issue, how do you submit the passwords when you send them to the system to try to access, and what should the response be.
For the last three we can try and draw a picture to capture those. The idea is that we have a user that wants to access a system, and they use a computer to access that system, and here's the computer system that they're trying to access. I'll explain this. So here's the user, here is the system or the computer system that we're trying to access. Now I've drawn them as two different computers, in that in many cases it's across a network, that we have a network between the user and the system. That is, I want to log in to the ICT web server to set a new Moodle quiz for you; then the system there is a web server, it's a computer in the other building, and the user is me, and the computer that I'm using is my laptop. All right, so this is
what I, the user, am interfacing with, and it may communicate with the web server in the other building. In other cases the computer used by the user and the system may be the same computer, like when you log into your phone: the phone and the user's computer is just one device. But it's easier to draw like this.
So what happens is that initially (and I will not draw it) there's a registration process such that the user has their ID and password stored in the system. So we can think there's maybe a database in here; here's my database, and inside that database is, I'll just write, the ID and a password. So that's stored in the registration procedure, the ID and password of all users for that system. And when a user wants to access, what happens? We can think the user, via their computer, sends a request to that system, and that includes the supplied ID and password. I supply my ID and password to the system; the system compares the supplied values with the stored values. If they are the same then the user is authenticated; if not then they cannot access, or they're not authentic. So a response comes back, and that's our simple model of how we use passwords for user authentication.
We need to look at how do we store the ID and password, how do we submit the ID and password (that one's not so hard), and what the response should be. So there are some design issues there, as sometimes it's not obvious how to get a correct or a useful and a secure response. So we'll spend some time on how to store. How should we submit the username, or the ID, and password? Well, if this is a network between the user and the system, what should we do when we send that message across the network? What should we do with that message, from our last topic? I want to send this message across the network: I should encrypt it. Okay, because, a potential attack: if someone discovers my password then they can authenticate as me, then a potential attack is that someone intercepts the message sent between
the user and the system. So if it's across a network, if they can intercept this message they can learn my password, and we know it's very easy to intercept messages in a number of networks; in Wi-Fi it's quite easy. So to stop someone from discovering my password, whenever we log in and send that information it should be encrypted, so we should use a secure communications protocol there. So that's one issue: using encryption for information sent between the user and system upon login.
If it's logging into your phone, then there's no data sent across the network, or logging into your laptop, the user and the system are the same computer; it's just communication between processes, software processes. But still there's an issue of interception: maybe someone looks at your phone or looks at what you're typing, or maybe by some means someone has installed some special software on your laptop that monitors the keys that you press, and the keys that you press include your password. So maybe that's an issue that should be considered as well. Some websites, for example, will have ways that you don't type in your password: you click on a keypad on the web page, you click on the virtual keyboard, with the idea that key logging software will not be able to log your password in that case. Key logging software records the keys you press on your keyboard, but if you're clicking on buttons on the screen then it's hard for key logging software to record where you click. That's a different issue. So there are ways to try to make it hard for someone to intercept the password, both across the network by encrypting and even on the computer that the user uses.
What about the response? What should the response be? All right, if the username, the ID, and the password are correct, the response should say: all right, yes, you're logged in, you can use the system. That one's easy. What if it's incorrect? What should the system say to you? What should it say? Access denied. Okay. Sorry? Sorry. All right, so the username
and password you typed do not exist, the password is wrong, the username you supplied is wrong. So there's an issue here. It should be a useful message for the user. For the convenience of the user: if I typed in my username correctly but I made a spelling mistake in the password, I hit the wrong key, for the convenience of me, the normal user, it would be good if the system said back: your password is wrong; your user ID is correct, your password is wrong. But that may be a security issue, because if it was an attacker supplying the username and password, they now know that the username is a correct username. Even though they're not secret, they still have learned something, and then they can start, for that username, to try some different passwords. So the amount of information that's sent in the response to the system: the more information about what went wrong, the easier it will be for a real user, but the more information about what went wrong may leak some information to an attacker. So the design of what's sent back in the response should be carefully considered. Commonly a good way is to send back: the username and password that you supplied are not correct, not necessarily saying which one's wrong. Check some of the websites that you use, or some of the systems you use, and see what the response is when you give the wrong credentials.
How do we store your ID and password on the system is something we'll look at in depth. One of the reasons we look at that is because it's a significant weakness in the system, especially if this computer is compromised. Consider a website: the web server stores a whole list; a website with many users, it stores in its database a table with thousands, tens of thousands of IDs and corresponding passwords. If some malicious user can get access to that web server then they immediately learn the passwords of everyone who has an account on that system, and that can be a problem. Now how do they get access to that computer? Maybe via some other
attack, maybe some flaw in the software on the computer, a flaw in the operating system, or via physical access. Okay, so they walk into the room where that server is stored and they get physical access and they just download the database. So this is a significant issue, and many websites of large organizations have, people say, been hacked, and what the hackers do is they try and get this database, this database of usernames and passwords. And then, now they have the password of many different users, they can use it. Right, they can use it on this system, but if you've reused your password on other systems they may be able to use your password on other systems.
And here's an issue of using your same password on different systems. If you have your password for SIT, for Moodle, stored here, and you use the same password for your bank account, if Moodle gets hacked, so the ICT web server, and someone learns your password, they now have the password for your bank account. So the bank account was secure, but now someone's learnt your password.
The other reason for not reusing your password is that the administrator of this system, me in the case of Moodle, in theory has access to these passwords. So in theory I could set it up that I can see all of your passwords. In practice we generally don't; we do some operations on the password so we can't see it. But in theory it could be done such that the administrator, the person who owns this computer, can see the password. So there's another reason for not reusing passwords across systems, because if you don't trust the administrator then that's an issue, because they know your password.
All right, so let's come back to our slides before we look in depth at how to store the passwords. Now we'll continue before we get to offline dictionary attack. So one of the issues is storing the ID and password on this computer: if an attacker, through some other means, gets access to the system, they learn many passwords. How do
we stop that? Assuming it's very hard sometimes to stop an attacker from getting access to the system, what can we do? We don't want someone to be able to read the passwords of all of our users. Of course we don't want someone to be able to hack into our system and read this database, but we have to be very safe and very certain that they won't, and let's assume that they can. So what can we do with those passwords when we store them? Encrypt them. So what I do is I don't store the password here, that's the secret information; store an encrypted version of that password. So even if someone accesses the database they can't see the password, they can just see the ciphertext for that password. So that's one design.
So that was, as an alternative, a different design would be to store (we'll see this on the slides later) the ID and an encrypted version, using some key, of the password. So my database has a big table of usernames or IDs in one column, and then in the other column the ciphertext for the passwords of those users. How does it work? When the user tries to log in they submit their ID and password. They don't necessarily know it's encrypted, they just submit their password. The system, when it does the check, encrypts the submitted one and compares against the ciphertext here, or alternatively decrypts the stored one and compares against the submitted one. If they match, okay; if not, no access.
This is okay in theory; there are some practical issues sometimes. For the system to check, let's say we submit a password, the system must encrypt that password and compare the encrypted forms; if they match it's okay. To do that the system must know the key: the secret key used to encrypt the password must be known by the software that performs the check, so that key must be stored somewhere on the system. If the key is stored on that system, in memory, on disk somewhere, and if an attacker can get access to the database on the system, then it's fairly likely they can also get access to the
memory or where the key is stored and learn the key. So if the attacker learns the key they can decrypt and find the password. So there's a bit of an issue of where to store the key in that case, and as a result it's not commonly used. If we store it on the same system, because we do need it, then if the attacker can access this system they can most likely find the key as well as the database and decrypt all the passwords.
The more common approach is to not encrypt it but to do another operation, and we covered it in the last lecture: store the ID and a hash of the password. You store a hash of the password. What are the properties of a hash function? Two properties of a hash function. You have a quiz due, I think Friday; I want you to finish it as early as possible so you can do some homework. So I think one question you may see is what are the properties, or questions about properties, of hash functions. What are they? Have a quick look, remind yourself: properties of hash functions, cryptographic hash functions. There's one, two listed on one slide.
One's called the one-way property. The one-way property says that with this hash function it's easy to calculate the hash of a password, in this case, and we store the hash value. The hash value, let's say, is a 128-bit value if we're using MD5 as a hash function; we store that. The one-way property says that if you know the hash value it's practically impossible to find out the original input. So if we know what the stored value is here, not the password but the hash of the password, then we can't go backwards and find the password. That's the one-way property: it's hard to find the password if you know the hash of the password. And that's useful here, because what we do is we store the hash of the password on the system. If the attacker manages to get this database they see all the hash values, and the one-way property says that if you have the hash value it's practically impossible to work out the original value. So the attacker has a problem now:
they've stolen the database but all they have is hash values, and with a strong algorithm the best you can do is try a brute force attack, and if we do set things up well enough then that will be impossible. So the attacker cannot find out what the password is even though they've stolen the database.
The other property: collision-free or collision resistant. A hash function is considered collision-free if it's hard to find the hash of two different messages which are the same: the hash of message 1 and the hash of message 2, it's hard to find two such messages where those hash values are the same. There's no collisions, it's collision-free. Or another way to think of that (that's an R in there): password 2, where the hash of password 2 equals the hash of password 1; it's hard to find two values, two passwords in this case, that have the same hash value.
So how does the hash work? These definitions are from the slide on hash functions. In practice, if we do store the hash value, the user still submits the ID and password; they don't need to know the hash value. When I log in I submit my password, the system calculates the hash of my submitted value and compares to the stored value. If they match it's okay; if they don't match, not okay. Because of our other requirement, that the hash of two different passwords should be different, it's hard to have two different passwords having that same hash value: the collision-free property. Because if I supply a different password than what I registered with, then we calculate a hash of that second password and it will not match the hash of the first password, if we have a collision-free hash algorithm.
So this is very common: to store the hash of the password in the database, not the password, and not to encrypt the password. Even though sometimes people will say we encrypt the password, we're not; we're actually storing the hash of the password. We will return to that, maybe next week, and give some numbers about some attacks and how long it takes to
break that, and we'll see one extension of it which introduces some salt into that password. So we'll come back to that.

Let's look at some problems with passwords, vulnerabilities, and there's a number of them; ten or so I have listed here. The first one, and we sort of mentioned it there, is an offline dictionary attack. A problem is if the attacker can access the system through other means and steal the database of passwords; then, even if that password is hashed, they can try and guess the passwords in their own time on their own computer.

So we'll distinguish between offline and online attacks. What's the difference? What's an online attack? Think from the attacker's perspective now: what would an online attack be? An online attack with respect to passwords is where the attacker is trying to maybe find the password, guess the password, or find a password that will give them access, by accessing the system. An offline attack is where they're trying to find a password not by accessing the system but using some other approach, like defeating the hash table, the hash values, breaking the hashes on their own computer.

That is, back to our picture, an online attack involves the attacker sitting here, in the same way that a normal user accesses the system. They may be trying to supply a username and password and see if they get access; if not, try another one. That will be an online attack: they're trying to access the system as it's running, as it's online. An offline attack involves, maybe, the attacker downloading this database to their own computer somewhere else, and the database contains a list of hash values. Then they use their own computer to try, from that list of hash values, to find the passwords. That doesn't involve accessing the system to try every password; they can try all the passwords on their own computer. An offline attack means the user has many more resources available to them normally, and it's hard for us to control what they can do in an offline attack. With an online
attack we've got some measures that we can use to reduce the chance that an attack can be successful.

So the offline dictionary attack, if we try and draw the idea, is: our attacker downloads the database, the database of IDs and hashed passwords. We'll see an example of it later, but the idea of a dictionary attack is: well, try and guess the passwords. We have the hash values, we don't know what the passwords are, and we can't go backwards because of the one-way property. But what we can do is try a common password, maybe a word from a dictionary, calculate the hash of that value and compare if it matches one of the ones in our database. If so, we've found the password. That is, basically just try different potential passwords from a dictionary, or variations of words in a dictionary, until we find one that matches the hash value in the database. If we do, we've found a valid password for the system. And we're doing this offline, that is, the attacker is doing that on their own computer, or their own network of a thousand computers, which means that they can do it very fast in some cases. So that's possible, and it all comes down to the fact that the attacker got access to this database.

So what can we do about it? Try to make sure that the attacker cannot get access to the database. Make sure that the system storing it is secure, as secure as possible. If it's a website, then some of the limitations are that websites have bugs in them such that someone can access the website and access the server itself, which stores the database. So the website needs to be developed in a secure manner. In a topic towards the end we'll look at web security and some of the common attacks, SQL injection and other attacks on websites.

If the database is compromised, if I run the system and my database, and I know someone's stolen it or that someone's got access to it and they shouldn't have, then immediately change all the passwords. So if the attacker is now trying to find all these passwords, before
they can use them I change all the passwords for all my users. So reissue the passwords as soon as possible. Use good hash functions: use hash functions such that they do have the one-way property and it does take a long time for the attacker to find the password given the hash value. And we'll come back to that next week: strong hashes and salt.

What about other attacks? A specific account attack: the attacker guesses passwords for someone's account. Let's say someone wants to access my account on Moodle. They know my username, they can guess that quite easily, you'll find it. So they know my username, and what they do is they go to the website, type in my username, try a password, guess what password I may use, and submit, and the system will say no, incorrect. So they try again and again and again. They try and guess my password by accessing the system online. It's attacking a specific account, my account in the example.

How do we stop that? One countermeasure, one way to try and reduce the chance of that attack being successful, is to have the system lock the account after too many failed attempts. Which system does that, that you know of? A bank. A bank system commonly does that. How many times do you get with your ATM? You put your card in; if you use your PIN three times and you have it wrong, usually three times, the card doesn't come back. The machine eats it and you can't try a fourth time. So this is a case where the attacker is attacking a specific account, the one associated with the card; they are guessing the PIN, the password, and the countermeasure is first to stop them trying the guesses. Because a PIN may only have four numbers, there are only ten thousand values that they need to try; it doesn't take long. But if it locks after three attempts then the attack will not be successful, or is very unlikely to be successful; they need to guess it in three goes. So that's the countermeasure there.

What's the problem with this countermeasure? Right, if
it is my ATM card, I go there, I forgot my PIN number, I think it's this, then I try it, I try a couple more times, and then it locks me out and it's taken my card, and I have to go to the bank the next day to get it back. I can't use money for the next 24 hours. So that's the problem with this countermeasure of locking the account: if it is the real user that makes a mistake, then they are locked out, inconvenienced by this countermeasure. So there's a trade-off here: the countermeasure adds security but may make it more inconvenient for the user, the normal user.

What's another way to stop a specific account attack? We can lock after so many attempts. What prevents the attacker from trying? Yeah, the number of attempts before it gets locked. What about if I have a scheme that if they try three attempts and they get it wrong, then the ATM machine blows up and it kills the person who was trying to break in? Would you try the attack if you knew that's going to happen? If you know that the consequence of getting it wrong is very high, a very bad consequence, then it's very unlikely that you do the attack. So that's the other issue. To prevent attacks, the countermeasures include locking the account, but in the extreme case it's having ways such that the consequence of doing it wrong is high. And the consequence of getting it wrong for your ATM is quite high, in that you have to wait so many hours or days before you can use it, but in some systems it could be higher. For example, military systems, where you try to get into the base: every day you go out of the base and you come back at the end of the day and you have to say the password. If you say the wrong password they shoot you. So there's a motivation not to attempt the attack, you must know the password, but it's very inconvenient for the people who make a mistake. Okay, so the consequence of getting it wrong acts as a deterrence.

Popular password attack. So even if we have this countermeasure, then what the attacker does is that
they don't try the same account, they don't always try and break into Steve's. What they do is they try one student's account and guess a password using a popular password. What's a popular password? 12345678, if we have a mandated eight-character limit. Okay, so they try it on the first user's account and the system says no, failed access. So then they try it on another user's account, same password: no. Try it on another user's account, same password. The locking out won't help here because they're only making one attempt on each user's account. So in that case they keep going until hopefully they find a user that uses that popular password, and now they have access to the system when they shouldn't have. So this is not attacking one specific account; it's trying any account, many accounts, and trying maybe one password which is popular, with the hope that one out of all the users uses this popular password.

How do we stop that? Control password selection. Don't let users use popular passwords. When they register their username and password and select the password 12345678, the system says back: no, this password is not allowed, it's too popular, it's too easy to guess. And I think you've seen some systems that do that. Some may say no, you cannot use this password; others may give feedback. Many websites now show the policy: what you just tried to register is very weak, maybe you should try again. They give some visual feedback on the strength of the password. So that's the idea, to try and get users not to use popular passwords.

Or we can track them. If it's the same computer trying to access one account, and then five seconds later another account, and then five seconds later the third account, even though they're accessing different accounts it's coming maybe from the same IP address; then we could try and block that user, that computer, from accessing our server. So identify computers that are doing the attack and then block them.

What's the problem
with controlling password selection? Why is it sometimes a problem? Controlling password selection may be setting some rules as to what password you're allowed to use: your password must be ten characters long, it must have one uppercase, one lowercase, one number, one special character. The problem with such a means of controlling password selection may be that the user now cannot remember that password; they write it down and someone steals it from their piece of paper, or they don't access your system, they go and access another website. Okay, so being too strict there means it's inconvenient for the users.

What's the problem with blocking computers based upon IP address? Maybe if you know about computer networks you know. Let's say that my server knows the IP address of the computer that's accessing it. Someone tries to log in as student one using IP address 1.2.3.4, then they access my server again with a different user; also they have IP address 1.2.3.4. So after I see this computer with IP address 1.2.3.4 is accessing my server trying different accounts, I block them: you can no longer access my server. That's the security mechanism. What's a potential problem with that? Well, in practice, in some cases IP addresses may be shared amongst multiple users. The way that the internet is structured is that for some IP addresses there's one IP address and it's used by many users. (Almost done, then you have a break.) Multiple users may be using the same IP address. So maybe everyone in SIT, when they access one server, from that server's perspective every user has the same IP address. So they are valid users, they're accessing their own account, and they may be blocked when they didn't do anything wrong. So there may be problems with blocking based upon IP addresses.

So we're seeing a trend: we've got countermeasures to these vulnerabilities, but those countermeasures have negative consequences.

Password guessing against a single user. You want to get my password; you don't try random passwords, you try and learn about me and try and think what's a likely password I would use. Similar to before, but here it's try and gather other information about what password someone would use. Again, control password selection and educate users into choosing good passwords.

Computer hijacking. I'm logged in to my laptop, I go out for five minutes, so you come up to my laptop and you can access it. So leaving the system unattended. And this comes up with many web logins: if it's a shared computer, with some web logins you're already logged in to that website; someone else uses the web browser, they can access that website as you. So a countermeasure: auto logout. The system automatically logs you out after five minutes of no use.

Exploiting user mistakes: tricking users into telling you their password. Someone calls you, they say "I'm the head of the computer center at SIT, there's a problem with your system, please tell me your password and I'll fix your system, I'll fix your login." You tell them your password, but they were just someone pretending to be the computer center. So again, education of users is an important way to stop such mistakes.

Multi-factor authentication: use not just passwords but other things like tokens; this is where mobile phones come in.

We said this before, I think: you use the same password across many different websites; one website is compromised, then effectively your password to all those other websites is now available to malicious people. That's hard to control; sometimes it's hard for us to control what password you use on different websites. So again it comes back to user education.

And intercepting passwords across a network: encrypt your communications. Everything we do involving sending passwords should be encrypted.

So, some vulnerabilities of passwords, some of the countermeasures, and some of the problems with those
countermeasures. The conclusion from these maybe eight or nine vulnerabilities is that passwords have some significant problems. Why are they still used? So there are some significant security problems with passwords, but we still use them every day. So again we make the trade-off between security and convenience. They are reasonably convenient to use. We are used to them, we can remember them sometimes, they're not so hard to type in, they're not very expensive to set up. If I'm going to have to carry around a USB key and plug it into my computer to get access to every computer I want to use, that becomes expensive to set up and hard to manage. So passwords have many vulnerabilities but we must deal with them. So we're going to spend some time looking at storing passwords, but not today; we'll come back to that because it needs some time to look at exactly how we store passwords.

Let's look at, just to finish today, some statistics or some data about passwords. Maybe before this one: how do you select a password? Think about it. You don't have to tell me, and you should not tell me; don't tell anyone your password, don't even tell people how you select your password. But think about the rules that you could use for selecting a password. You need to create a new account on a website; it's quite important, maybe it's not your bank account but it contains confidential information. So you think, well, what would you do to choose a password? Any suggestions? Anyone willing to offer any suggestions? I will give you some if you don't want to. Any algorithms or rules for choosing a password that you could tell someone else? Maybe you could tell your parents "follow this rule" so they'd choose a good password. What would you tell them about how to choose a password? Tell me some rules for how I should choose a good password.

Mix between what type of characters? Uppercase and lowercase. All right, so I use s in lowercase, t in uppercase, e in lowercase, v; I just use my name. An attacker will guess that straight away, but
you're on the right track. Use different characters, all right, that's one thing, different characters like uppercase, lowercase, numbers and so on; use a combination of them. Yes, what an attacker does is they try and guess your password, and a simple way is what we call the dictionary attack. Consider the hundred thousand words in a dictionary: try all of them. Now vary them, change them: replace the letter o in every word with the number zero, try all of them. If the attacker is doing an offline attack they can do this very easily, so small variations, or adding a number at the end, may not work.

Any other ways? What rules could you tell someone? There's no right answer. Mix... what do you tell me? Okay, so you think about a sentence or a phrase, something with multiple words that you can remember, maybe it's a song name, your favorite song; songs, that's long enough. Grab the first letter of each word and use that to make your password. It will not make a word in a dictionary, or it's unlikely to. Words in dictionaries are bad generally because that's the first thing the attackers try. So you want to create a word which is not a word in a dictionary, so you need some way to do that which you can still remember. So that's a common suggestion that others have: first words of some phrase, some song name, a movie, or something you can remember, but which essentially creates an almost random set of characters. There's one. Try and think of some others over the next week that you can tell other people, how to choose passwords such that they'll be random or close to random but easy to remember.

How do other people choose passwords? What happens when an attacker breaks into a system and steals a database: often they release that database of passwords on the internet, and people do analysis of these databases. So this is just analysis done by Troy Hunt on some leaked passwords. So he's looked at 300,000 real passwords that people chose and tried to classify, based upon those
passwords, what they were and maybe how the users chose them. A good thing maybe is that for the larger percentage, 31%, he couldn't find any obvious pattern. So about a third of the passwords, in 100,000 of these leaked passwords, didn't have some pattern easy to classify. About 25% were a dictionary word, were in a dictionary, usually English, but if it's a website of a different country maybe in a different dictionary. So they're not good passwords, because generally that's what the attacker will first try. 8% were place names: cities, states, countries, the blue ones. 15% were persons' names, whether it's the user's name or just someone else's name, but usually it's someone they know. Again not good if it's an attack on that specific user, because if someone's trying to guess your password, if they know something about you they may know the people you know, and they can then try the names of those people. 14% were just numbers, didn't have any letters in them, and if the length is small enough it's not many combinations. And a few other cases. So there are often patterns that people use and some of them are not good.

This is about the length of passwords. If the attacker is going to guess the password, the number of guesses they have to make depends upon how long the password is: the longer the password, the better for security. This is based upon analysis of people's passwords and the distribution of the length. You see most of them are 6 to 8 characters, a few were 5 or less, not many were above 10 characters. Who has a password of 10 characters or more? Who has multiple passwords of 10 characters or more? So not many people have; a couple of people put their hands up, two or three people. So not many people use 10 characters or more in their password. Why not? Too hard to remember, too hard to type in. All right, it's not long to type, but maybe on a phone it takes some time to type. So a long password is secure but not very convenient; small passwords are very convenient but
terribly insecure. So this is just something about what users do, and some other characteristics. Most only use numbers and letters and don't use special characters; therefore attackers will try passwords with numbers and letters, therefore if you use special characters maybe that's a better password. Most passwords are in dictionaries, not just a normal dictionary like the Oxford dictionary but password dictionaries, lists of words that attackers have developed which they'll try first. Many users reuse passwords across systems. When people can do such analysis, they've discovered that a user that uses different, say, websites will use the same password on each, and we know that's a problem. And there are some passwords which always come out at the top as the most frequent, and some of them are listed here.

And another thing to finish today: when users are forced to change their passwords (some systems will say you must change your password after one month or after something happens), most only change a single character. My password was "I love you" and the system forces me to change; I change I to J: "J love you". So it doesn't help much to force users to change passwords. Just some of the things that people have discovered.

What I want you to do for your homework, as well as do what's on the website: think about the rules for generating passwords, think about your passwords and how you can make them all secure, and make sure your Moodle password is secure; change it if necessary. We'll continue next week and look at storing
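
The two online countermeasures discussed in the lecture, as an added Python example that is not part of the lecture: a per-account lock after three failures, which the popular password attack slips past, and per-source tracking of failures across distinct accounts, which catches it. The events, addresses, usernames, the four-account threshold and the 60-second window are all constructed assumptions.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 3   # failed attempts in a row before an account locks (the ATM rule)
SPRAY_ACCOUNTS = 4      # assumed: distinct accounts failed from one source
SPRAY_WINDOW = 60       # assumed: seconds over which those failures are counted

# Constructed login events: (seconds, source address, username, success)
EVENTS = [
    # specific account attack: one source keeps guessing one account
    (0, "198.51.100.7", "steve", False),
    (5, "198.51.100.7", "steve", False),
    (10, "198.51.100.7", "steve", False),
    (15, "198.51.100.7", "steve", False),
    # popular password attack: one guess per account, five seconds apart
    (100, "203.0.113.9", "student1", False),
    (105, "203.0.113.9", "student2", False),
    (110, "203.0.113.9", "student3", False),
    (115, "203.0.113.9", "student4", False),
    (120, "203.0.113.9", "student5", True),
    # shared address: many valid users behind one IP, one of them mistypes once
    (200, "192.0.2.1", "alice", True),
    (205, "192.0.2.1", "bob", False),
    (210, "192.0.2.1", "bob", True),
    (215, "192.0.2.1", "carol", True),
    (220, "192.0.2.1", "dave", True),
    (225, "192.0.2.1", "erin", True),
]


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts that reach `threshold` failures in a row (a success resets the count)."""
    streak = defaultdict(int)
    locked = set()
    for _, _, user, ok in sorted(events):
        if user in locked:
            continue  # already locked, further attempts are refused
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= threshold:
            locked.add(user)
    return locked


def spraying_sources(events, min_accounts=SPRAY_ACCOUNTS, window=SPRAY_WINDOW):
    """Sources that fail against >= min_accounts distinct accounts within `window` seconds."""
    failures = defaultdict(list)  # source -> [(time, username)] for failed logins only
    for t, src, user, ok in sorted(events):
        if not ok:
            failures[src].append((t, user))
    flagged = set()
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window` seconds
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_accounts:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("locked accounts:", locked_accounts(EVENTS))
    print("sources to review:", spraying_sources(EVENTS))
```

Counting only failures against distinct accounts, rather than every login from an address, is what keeps the shared address in the sample from being flagged; a shared address with many users mistyping at once could still cross the threshold.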