Why Authentication?
The general intention of computer security is to prevent unauthorised access and to ensure authorised users can access systems quickly.
The first step of access control is to identify who a user is (identification) and then to verify that claimed identity (authentication).
- Identification: Identity by username
- Authentication: a process of verifying if the users are really who they claim they are
Passwords
- A basic but very useful authentication method
- An invaluable first line of security defence
- Easy to use and implement
The Problem with Passwords
- Weak passwords (People set weak passwords)
- People often repeat passwords for different accounts
- Even if people have good password habits, some sites store passwords in plaintext
- Some sites allow unlimited login attempts
- Some sites/systems don’t salt passwords – this makes the stored hashes much easier to crack with computers.
People’s tendency in setting passwords
- According to one survey, 12% of employees used “password” as their password
- Password length is short
- A quarter of hashed passwords were cracked using a dictionary and combinations of the username
- Around 12% use dictionary words
- 81% use alphanumeric passwords
User Overload
- On one hand, we should not set simple passwords but should set different passwords for different accounts
- On the other hand, we have many different accounts
- Microsoft studied users’ password behaviour
- The average user has 25 password accounts
- But the average user has 6.5 different passwords.
Edmund shared an XKCD the other day that summarises the problem with passwords.
Password Cracking
The time taken to crack a password by brute force depends on the number of combinations. Let the length be \(L\) and the character set size be \(W\); then \(\text{Total Combinations} = W^{L}\).
Password | Combinations (C)
---|---
26 characters - length 4 | 26^4 = 456,976
52 characters - length 4 | 52^4 ≈ 7.3 × 10^6
94 characters - length 8 | 94^8 ≈ 6.1 × 10^15
Cracking Speed
Indicative speeds using current tools such as hashcat or John the Ripper:
Hash | Using | Speed
---|---|---
MD5 | Good PC | 10^7 guesses/s
SHA256 | Good PC | 10^6 guesses/s
MD5 | PC + Graphics Card | 10^10 guesses/s
SHA256 | PC + Graphics Card | 10^9 guesses/s
With a GPU cluster, passwords can be cracked even faster – the rate depends heavily on the hardware.
Expected time to crack a password: \(\text{Time} = \text{Total Combinations} / \text{Speed}\)
Password Strength
Often expressed as an entropy value, \(x\) – the number of bits needed to represent \(W^L\) possibilities.
Therefore, \(x = \log_2 W^L = L \log_2 W\).
Examples:
\[Entropy = 2 \times \log_2 26 \approx 2 \times 4.7 \approx 9\]
\[Entropy = 4 \times \log_2 52 \approx 4 \times 5.7 = 22.8\]
Human Generated Passwords
Entropy measures the “uncertainty” of a password, but it is the maximum level of uncertainty: it assumes every character is chosen at random. Humans don’t choose random passwords; they use words or patterns of characters, so user-generated passwords have much less uncertainty than the entropy figure suggests. This is the reasoning behind password cracking techniques such as look-up tables, which we will look at in the next chapter.
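An added example (not part of the original notes) that works the formulas above through in Python: it reproduces the combinations and cracking-speed tables, turns them into an expected crack time, and contrasts the entropy of random characters with a password drawn from a word list. The 170,000-word list size is an assumption constructed for the example.

```python
import math

# Indicative guess rates (guesses/second) from the cracking-speed table above.
SPEEDS = {
    "MD5, good PC": 1e7,
    "SHA256, good PC": 1e6,
    "MD5, PC + graphics card": 1e10,
    "SHA256, PC + graphics card": 1e9,
}

def combinations(charset_size: int, length: int) -> int:
    """Total Combinations = W^L for a uniformly random password."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy x = L * log2(W): the bits needed to represent W^L possibilities."""
    return length * math.log2(charset_size)

def crack_time_seconds(charset_size: int, length: int, speed: float) -> float:
    """Time to exhaust the whole keyspace: Total Combinations / Speed."""
    return combinations(charset_size, length) / speed

def dictionary_entropy_bits(word_count: int, words: int = 1) -> float:
    """Effective entropy when the user picks words from a list rather than random characters."""
    return words * math.log2(word_count)

def human_readable(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"

if __name__ == "__main__":
    # The three rows of the combinations table above.
    for w, l in ((26, 4), (52, 4), (94, 8)):
        print(f"W={w:>2} L={l}: {combinations(w, l):>20,} combinations, "
              f"{entropy_bits(w, l):5.1f} bits")
        for name, speed in SPEEDS.items():
            print(f"    {name:<28} {human_readable(crack_time_seconds(w, l, speed))}")
    # Why entropy is only an upper bound: eight random lowercase letters versus
    # one word from a 170,000-word list (assumed list size, constructed for this example).
    print(f"random 8 lowercase letters: {entropy_bits(26, 8):.1f} bits")
    print(f"one dictionary word:        {dictionary_entropy_bits(170_000):.1f} bits")
```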
Password Hashing
We should never store passwords in plaintext. Instead, we store a hash of the password:
- The hash is generated by a one-way hash function
- The hash function produces a fixed-length hash value from the input
- Hashes are not meant to be reversible: it is easy to compute f(x) but very hard to recover x from f(x)
- If the input changes by even a single bit, the resulting hash should be completely different
- Common hash functions: MD5, SHA256, SHA512, etc.
Other Authentication Methods
Passwords are just one way of providing authentication; what other methods are there?
Biometrics: these do not give a clear-cut yes or no, so there is room for false negatives and even false positives (which are worse).
Here are some indicative error rates for various biometric methods:
Biometric | False Positive | False Negative
---|---|---
Face | 1% | 10%
Fingerprint | 1% | 0.1%
Hand Geometry | 2% | 0.1%
Iris | 0.94% | 0.99%
Retina | 0.0001% | 0.2%
Keystrokes | 7% | 0.1%
Voice | 2% | 10%