Passwords & Passphrases
Name: Simovi Petar
I study computer science at the Faculty of Mathematics,
University of Belgrade
Member of the Belgrade hackerspace (HKLBGD) Sunday crypto workshop.
Writing for the Libre online magazine (FLOSS)
Agenda
Introduction to passwords and passphrases
Measuring password/passphrase strength
Service consumers handling secrets: why passwords might be dead
Password hacking: phishing, brute force, social engineering
Alternative methods of authentication
What's wrong with my P4$$w0rd?
Very weak & easy to remember.
Replacing 's' and 'o' with '$' and '0' won't help you much.
Or hard to remember & secure
So users reuse them
And if not random -> social engineering guessing
People are not very good at creating truly random passwords; even more, they are a species of patterns. And it is hard to remember dozens of different nonsense passwords with numbers and special characters.
Password security blanket (1k passwords), Lorrie Faith Cranor
Most used Pa$$w0rds
So, what is a passphrase?
Short answer: it is just a phrase.
Long: it contains a few words, not necessarily from a dictionary; the words should be picked at random, not from a book or website.
What are good and secure pass phrases?
How to generate them?
Secure pass phrase?
pass-phrase1 pass-phrase2 pass-phrase3
My pass phrase is hard to guess
Correct horse battery staple
red cross healthy pharmacy medicine
yeti permutes kilobyte visas skin
red green blue cyan magenta yellow
police gun cuffs undercover sheriff
Passphrase advantages
Easier to create (for a computer at least, maybe not for humans)
Easier to remember
So no need to write it down or to use a password manager
Harder to attack by automation [verb adjective noun?]: if done right, it needs brute force
More secure?
...
Diceware
Method for manually generating passphrases
Why? PRNG compromised, or just paranoid?
How? Diceware wordlist, dice, paper and pen
http://goo.gl/swgFz
Entropy: Shannon entropy
log2(character set size ^ password length)
For example: an 8-character password drawn from all 94 possible characters, a-z (26), A-Z (26), 0-9 (10), and ~!@#$%^&*()_-+={[}]|\":;?/><,. (32), has
log2(94^8) = log2(6 095 689 385 410 816) = 52 bits
For passphrases the character set size is the number of words in the dictionary, and the password length is the number of words.
So any 4-word passphrase from a set of 20 000 words (an average dictionary) has log2(20000^4) = 57 bits
Entropy
8 character password from 94 set:
4!VN$Fg = 51 bit entropy
4 word pass phrase from 20 000 words:
yeti permutes kilobyte visas = 57+ bits of entropy
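Added example (not from the slides): a Python script that computes the entropy figures above from the slide's own formula, shows why a human-chosen password gets less than the formula promises, and generates a Diceware-style passphrase. Assumptions: `secrets.choice` stands in for the physical dice of the Diceware method, and the five-word list is a constructed stand-in for a real wordlist.

```python
import math
import secrets
import string

# The 94-character set from the slide: a-z (26), A-Z (26), 0-9 (10), 32 symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed stand-in for a Diceware wordlist (a real one has 7776 words).
SAMPLE_WORDLIST = ["yeti", "permutes", "kilobyte", "visas", "skin"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Shannon entropy of a uniformly random secret: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def password_entropy(password: str) -> float:
    """Entropy of a password, assuming it was drawn uniformly from the union of the
    character classes it actually uses. For human-chosen passwords this is only an
    upper bound: a pattern like 'P4$$w0rd' is far more guessable than the figure."""
    alphabet = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    if alphabet == 0:
        raise ValueError("password uses characters outside the 94-symbol set")
    return entropy_bits(alphabet, len(password))


def passphrase_entropy(num_words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase whose words were picked uniformly at random."""
    return entropy_bits(dictionary_size, num_words)


def diceware_passphrase(wordlist: list, num_words: int = 4) -> str:
    """Pick words with the OS CSPRNG (secrets), which replaces the physical dice of
    the manual Diceware method; a plain PRNG such as random.choice is not suitable."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    print(f"8 chars from 94 symbols:     {entropy_bits(94, 8):.1f} bits")        # 52.4
    print(f"4 words from 20 000:         {passphrase_entropy(4, 20000):.1f} bits")  # 57.2
    print(f"'password' (lowercase only): {password_entropy('password'):.1f} bits")
    print("Diceware-style phrase:", diceware_passphrase(SAMPLE_WORDLIST))
```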
Strength comparison
Passwords & Passphrases
XKCD:
Through 20 years of effort,
we've successfully trained everyone to use
passwords that are hard for humans to remember,
but easy for computers to guess
https://xkcd.com/936/
P4$$w0rDs done right
Use a password manager (always open-source software, e.g. KeePass, KeePassX)
Let the password manager generate long, secure (80+ bits) passwords. No need to remember any, and no reusing.
Change them all often (at least twice a year)
Public Wi-Fi needs a layer of encryption
How do servers handle users' passwords?
They use a hashing function (MD5, SHA1, SHA256, bcrypt)
Hashing + salting
Use a slow, purpose-built password hash such as bcrypt; never MD4, MD5 or SHA1.
Generate a new random salt for each user; never reuse a salt.
So how did this happen?
Password cracking/hacking
Phishing
Social engineering
2FA
Use Two factor authentication whenever possible:
Google Authenticator, YubiKeys, ...
Facial recognition & fingerprints
Kirk Skaugen, Senior VP and general manager of Intel's Client Computing Group, said at the Citi Global Technology Conference: "I can confidently say today, you can eliminate all your passwords today, if you buy a 6th Generation Core system." http://goo.gl/dE4j1q
Sixth-generation Intel Core CPU + Windows 10 (Windows Hello) + Intel's RealSense 3D camera.
Or use fingerprint verification/authentication like Touch ID on the iPhone 6.
Are you now 100% secure?
New methods
Hashing is Dead: long live the passwords.
https://goo.gl/0rwfkJ
RSA auth.
Questions?