When I first started theorizing what my research question might be, I just knew it would be something security related. I ended up choosing password authentication because it encapsulates a few interesting aspects like hashing and varied attack methods. It's these sorts of things that really interested me, especially the attack/defense aspect. During my research there was one idea that I found extremely interesting; how non-standard technological advancements pose threats to classically based encryption and hash algorithms.
This is likely to manifest itself in two main categories, either quantum computers or machines developed on highly specialized microprocessors that are extremely efficient at problems. Take quantum computing, a newcomer to the scene; the issue revolves around the fact that they are theorized to be efficient for factoring numbers. This break one of the basic building blocks of RSA public key encryption; that multiplying numbers is easy and factoring much harder. If a device comes along that can easily factor the huge numbers that are used to provide encryption. There is also a similar problem with elliptic curve cryptography, these methods developed with classical computing in mind are at severe risk to non-standard attacks.
While not something I decided to do much research on, this is something that should be at least talked about because it has potential consequences for vast areas of IT. The possibility that an entity could get enough quantum computing power to trivially break vast amounts of encryption is very real, in fact probably a certainty. These kinds of game-changing moments are what make IT so interesting to myself and many others, and it's up to us to assess the challenges and develop responses.
Sunday, May 28, 2017
Friday, May 26, 2017
Week 8 - Progress Report
With my presentation coming up shortly, my focus this week has been almost entirely on that. I plan to finish my first draft of the paper over the weekend and then draw from it the key elements that I will be presenting.
Next week I will be finalizing the draft to be submitted for peer review, so I intend to take the presentation process to help to internalize the concepts and feedback to provide that extra bit of input for the paper. Giving the presentation before submitting the draft provides a good opportunity to help polish the final paper, so I would be silly to not take advantage of it.
Shorter than usual blog post, so here's an interesting video about the recent ransomware attack.
Next week I will be finalizing the draft to be submitted for peer review, so I intend to take the presentation process to help to internalize the concepts and feedback to provide that extra bit of input for the paper. Giving the presentation before submitting the draft provides a good opportunity to help polish the final paper, so I would be silly to not take advantage of it.
Shorter than usual blog post, so here's an interesting video about the recent ransomware attack.
Wednesday, May 24, 2017
Presentations - Not the Worst Thing Ever
When it comes to making and giving presentations, there are a few basics that I've learned over the years that can make the process much easier on yourself and your audience. Presenting has never come easy for me (as an INTJ) but it really is a necessity for many positions out there, knowing how to articulate your ideas to groups of people so that they are fairly presented and favorably received could make a world of difference, in the right situations.
My first tip is to know your audience, try to tailor your presentation to match their skill levels. You don't want to lose your audience in the details, nor do you want to leave them with no background information at all. Ideally the presentation should briefly cover some basic aspects that everyone in the audience should know, and then the rest of the time should be spent on new/interesting material.
Next tip; don't read your slides word for word. In my experience reading from slides can reflect poorly on the presentation, especially if they are text heavy and that is the only things you say. Slides should offer short and interesting key ideas as jumping off points for you to talk about. This does require more preparation but I think it shows that you are more dedicated and interested in the subject, it shows that the ideas are coming from you and not the slides. You want the audience to be listening to what you have to say, not trying to read your slides to glean information from them.
Lastly, try to look around the room and remain engaged with the audience. A general good tip for public speaking, the idea is that you want to be talking to the audience, not just into the ether somewhere. A big part of this is being confident in what you are presenting and speaking like you know what you are talking about, once you can do that talking to groups of people does become much easier.
Public speaking is not my forte, but by doing the three things mentioned above I have found that it is not unbearable. (Especially true in the IT field, where many of us are in the same boat)
My first tip is to know your audience, try to tailor your presentation to match their skill levels. You don't want to lose your audience in the details, nor do you want to leave them with no background information at all. Ideally the presentation should briefly cover some basic aspects that everyone in the audience should know, and then the rest of the time should be spent on new/interesting material.
Next tip; don't read your slides word for word. In my experience reading from slides can reflect poorly on the presentation, especially if they are text heavy and that is the only things you say. Slides should offer short and interesting key ideas as jumping off points for you to talk about. This does require more preparation but I think it shows that you are more dedicated and interested in the subject, it shows that the ideas are coming from you and not the slides. You want the audience to be listening to what you have to say, not trying to read your slides to glean information from them.
Lastly, try to look around the room and remain engaged with the audience. A general good tip for public speaking, the idea is that you want to be talking to the audience, not just into the ether somewhere. A big part of this is being confident in what you are presenting and speaking like you know what you are talking about, once you can do that talking to groups of people does become much easier.
Public speaking is not my forte, but by doing the three things mentioned above I have found that it is not unbearable. (Especially true in the IT field, where many of us are in the same boat)
Saturday, May 20, 2017
Sources - What are the Facts?
Here I will provide a summary of my sources so far and explain how they are relevant to my research topic.
Of Passwords and People: Measuring the Effect of Password-Composition Policies
Major points:
Of Passwords and People: Measuring the Effect of Password-Composition Policies
Major points:
- 16 character minimum passwords, with no other requirements resulted in the test users passwords having the highest entropy/usability combination.
- Dictionary checks almost completely frustrates heuristics based attacks, but also results in the users having difficulty in the password creation process.
- Users who write down/store their passwords tend to have stronger passwords.
- Users typically create passwords that exceed the minimum password requirements.
- Adding numbers to passwords can greatly increase entropy
Major Points:
- Passphrases tend to be much more secure compared to normal passwords, and are only marginally more difficult to memorize.
- Random passwords can be strong if long enough but are extremely hard to memorize.
Major Points:
 |
| Hello, 14 million password list |
- A subset of users will tend to pick passwords from a very small subset (such as Passw0rd1), that can technically be strong but their overuse makes them weak.
- Disclosed passwords have tremendous impact on password cracking capabilities, the larger the list the bigger the impact.
Major Points:
- Some password managers have serious vulnerabilities
- Password auto-fill can be hijacked to steal all passwords
- Password managers are responding to these problems
Major Points:
- While GPU hash cracking is already extremely powerful, smaller cheaper microprocessors can be utilized for incredible performance/energy gains.
- Bcrypt will need to be replaced as these custom hashing machines get cheaper and faster.
As you can gather from the above sources, there are some serious problems with password authentication today. I believe that passwords are here to stay, there are too many circumstances where they are the best option for me to seriously consider an alternative, even some forms of multi-factor authentication (MFA). Especially in cases where anonymity need to be maintained, the traditional MFA factors such as phone confirmation, bio-metrics, heuristics, and more have the unfortunate side effect of making connections between that authentication and your person. Another problem is that while password thefts are common and unfortunate passwords are easy to replace, theft of MFA properties will be much harder to resolve because they can be tied to your physical person and/or how you act.
Hence, I think password authentication is here to stay and we must come to face with the challenges presented.
Hence, I think password authentication is here to stay and we must come to face with the challenges presented.
Friday, May 19, 2017
Week 7 - Progress Report
T minus 11 days
It's official, I will be presenting my topic on the 30'th of May, leaving me eleven days to get that presentation and hopefully the final paper completed. My research is essentially completed, I just need to organize the information and take the time to get the first draft completed. I do feel prepared at this stage, even though the apparently sudden onset of the presentation dates did take me a little by surprise. This is where the rubber meets the road in terms of really diving into the contextualization of the ideas I've gathered so far on password authentication.
My plan is to have the first draft completed at a minimum by the presentation date; hopefully it will be a second or third draft, I would really prefer to have my thoughts completely refined before going in to present a technical topic to a group of technically inclined people.
This past week I spent a lot of time going over areas that I have previously covered. It's important to familiarize myself with the whole breadth of my research so far before getting too far into the writing stage. Having the entire context in mind will help focus the paper in the right areas, and not just focusing on whatever research I've been doing in just the last few weeks.
It's official, I will be presenting my topic on the 30'th of May, leaving me eleven days to get that presentation and hopefully the final paper completed. My research is essentially completed, I just need to organize the information and take the time to get the first draft completed. I do feel prepared at this stage, even though the apparently sudden onset of the presentation dates did take me a little by surprise. This is where the rubber meets the road in terms of really diving into the contextualization of the ideas I've gathered so far on password authentication.
My plan is to have the first draft completed at a minimum by the presentation date; hopefully it will be a second or third draft, I would really prefer to have my thoughts completely refined before going in to present a technical topic to a group of technically inclined people.
This past week I spent a lot of time going over areas that I have previously covered. It's important to familiarize myself with the whole breadth of my research so far before getting too far into the writing stage. Having the entire context in mind will help focus the paper in the right areas, and not just focusing on whatever research I've been doing in just the last few weeks.
Sunday, May 14, 2017
Week 6 - A Memo
MEMORANDUM
TO: IS390
FROM: Samuel Stageberg
RE: Password Authentication
DATE: 5/14/2017
Password authentication systems have some serious issues that need to be addressed, especially in business and professional circumstances. Weak passwords, hash algorithms, and other advances in password cracking technology have been making password authentication weaker over time, a trend that will likely continue. This needs to be addressed at two levels, the authentication systems needs to be robust in its handling of passwords, and the users themselves need to consider how their password choices lead to vulnerabilities in the system.
Before going into specifics it will be helpful to go into an overview of how password authentication is commonly implemented. The user creates a password that satisfies any existing password creation policies. This password is then salted and hashed before being stored in a database. Any time the user needs to authenticate they send their password to the server where it is salted and hashed, and compared to the stored hash.
At the back end, commonly the server, implementing a strong version of password authentication that will be resistant to attacks will require a few simple but critically important tasks. First, implement some sort of limit that will lock out or delay anyone who tries and fails to authenticate after a number of tries. This will ensure that active brute force attacks that directly attack the systems authentication will fail. Second, the hashing algorithms need to be configured to be as costly as is reasonable. The more expensive the hash is to compute the less effective attacks that target the actual database information will be.
From the users perspective, increasing the security of password authentication will require them to actively make better decisions about what passwords they choose to use. As real world password lists become more available attacks that utilize this data will get smarter and quicker. Generating dictionaries that are specific to certain individuals and organizations will also become more mainstream, as password attackers move to craft even more specialized attacks. This can be combated by implementations of clever password generating rules, such as using long password phrases, or by using password managers that require the user to only remember a single strong password.
Password authentication is here to stay, and we need to ensure that any system we develop treats passwords securely. No system can be 100% secure or resistant, but being ahead of the curve will immensely reduce the likelihood of becoming the victim of an attack.
Feel free to comment here with anything you wish to discuss.
For further reading:
TO: IS390
FROM: Samuel Stageberg
RE: Password Authentication
DATE: 5/14/2017
Password authentication systems have some serious issues that need to be addressed, especially in business and professional circumstances. Weak passwords, hash algorithms, and other advances in password cracking technology have been making password authentication weaker over time, a trend that will likely continue. This needs to be addressed at two levels, the authentication systems needs to be robust in its handling of passwords, and the users themselves need to consider how their password choices lead to vulnerabilities in the system.
Before going into specifics it will be helpful to go into an overview of how password authentication is commonly implemented. The user creates a password that satisfies any existing password creation policies. This password is then salted and hashed before being stored in a database. Any time the user needs to authenticate they send their password to the server where it is salted and hashed, and compared to the stored hash.
At the back end, commonly the server, implementing a strong version of password authentication that will be resistant to attacks will require a few simple but critically important tasks. First, implement some sort of limit that will lock out or delay anyone who tries and fails to authenticate after a number of tries. This will ensure that active brute force attacks that directly attack the systems authentication will fail. Second, the hashing algorithms need to be configured to be as costly as is reasonable. The more expensive the hash is to compute the less effective attacks that target the actual database information will be.
From the users perspective, increasing the security of password authentication will require them to actively make better decisions about what passwords they choose to use. As real world password lists become more available attacks that utilize this data will get smarter and quicker. Generating dictionaries that are specific to certain individuals and organizations will also become more mainstream, as password attackers move to craft even more specialized attacks. This can be combated by implementations of clever password generating rules, such as using long password phrases, or by using password managers that require the user to only remember a single strong password.
Password authentication is here to stay, and we need to ensure that any system we develop treats passwords securely. No system can be 100% secure or resistant, but being ahead of the curve will immensely reduce the likelihood of becoming the victim of an attack.
Feel free to comment here with anything you wish to discuss.
For further reading:
- Measuring effect of password complexity policies
- Password Memorability and Security: Empirical Results
- Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords
- Passwords and the Evolution of Imperfect Authentication.
- Password Managers: Attacks and Defenses
- Energy-Efficient Bcrypt Cracking with Low-Cost Parallel Hardware
Friday, May 12, 2017
Week 6 - Progress Report
Checking in again at the end of my sixth week of this project, there are a few interesting developments that could be interesting for some of my readers. Of course, the purpose of a progress report is to analyze where you are in relation to where you should be, looking back at the plan I tentatively set during week three. Having my research gathered and for the most part analyzed for its usefulness in the research paper, the next few weeks will be used to form the outline and drafts of the paper while also organizing my thoughts into a presentation that will be delivered towards the end of the quarter.
Having had time to organize most of my thoughts about my topic (password authentication), I have found that there is plenty of scholarly information available in this area, which makes a lot of sense when I consider just how critically important this topic is. Not just in the area of user account control, where passwords are used to control and ensure access and resources, but also how the underlying ideas such as hashing and encryption also provide the essential building blocks that the entire internet and global digital economy is built on. I do not think that the seriousness of these technologies can be overstated; they simply must continue to work. This is admittedly straying a bit from my original topic area, so I am mostly storing these ideas away for use in the future (possible senior project?).
Bringing this back around to my research paper, this past week I have spent most of my time on this project looking into password lists and forming my own collection from publicly available lists. This reveals certain trends that are concerning but also predictable, such as how almost no-one ever uses special characters if they are not required. Gathering and forming my analyses of these numbers will be an ongoing process for this next week, but I also plan to start the outline/first draft of my paper soon. I intend to break the paper/presentation into a few distinct categories such as the following:
Having had time to organize most of my thoughts about my topic (password authentication), I have found that there is plenty of scholarly information available in this area, which makes a lot of sense when I consider just how critically important this topic is. Not just in the area of user account control, where passwords are used to control and ensure access and resources, but also how the underlying ideas such as hashing and encryption also provide the essential building blocks that the entire internet and global digital economy is built on. I do not think that the seriousness of these technologies can be overstated; they simply must continue to work. This is admittedly straying a bit from my original topic area, so I am mostly storing these ideas away for use in the future (possible senior project?).
Bringing this back around to my research paper, this past week I have spent most of my time on this project looking into password lists and forming my own collection from publicly available lists. This reveals certain trends that are concerning but also predictable, such as how almost no-one ever uses special characters if they are not required. Gathering and forming my analyses of these numbers will be an ongoing process for this next week, but I also plan to start the outline/first draft of my paper soon. I intend to break the paper/presentation into a few distinct categories such as the following:
- intro
- background information
- password authentication
- what it is
- what it relies on
- hashing
- salt
- cost
- complexity
- length
- password vulnerabilities
- active attacks
- brute force
- dictionary
- hybrid
- difficult to remember
- an analysis of password lists
- solutions to help cope with the problem
- password managers
- creative password creation strategies
- proper implementation of password authentication
- 2FA
- conclusion
This is in no way set in stone yet, my organization will likely change but I would like to cover all of the above topics to provide a full picture of the current state of password authentication. I do feel on track to meet my initial schedule requirements.
Wednesday, May 10, 2017
A bit of background
Being sure that readers are up to speed with your subject material is important if you want to discuss that material at any advanced level. In my previous post I made a passing mention of dictionary attacks, hybrid attacks, rainbow tables, salting, and more terms that may need more explanation in order understand password authentication and hash cracking. I'll offer a short explanation for these terms below.
Dictionary Attack
The attacker has a list of commonly used words and/or passwords that they test against the target. Quick to hash and compare, these will become stronger as more password lists are released on the internet.
Rainbow Table
Rainbow tables are hash tables that have been computed in certain algorithms for specific character sets (upper and lowercase letters, numbers, special characters, etc). There are many places that host these lists online such as http://project-rainbowcrack.com/table.htm
In the above example, a rainbow table exists for SHA1 that contains all password hashes of nine characters or less that use upper/lowercase letters and numbers. It's a big file (690gb), but this will instantly break any SHA1 hash of a password that fits that specific profile (>10 characters, mixed-alpha and numeric).
Hash Salting
At its simplest, salting a hash means that an extra string is attached to the password before it is hashed. Salts are stored with the hashes because the salt is required to compute and compare the hash.
This effectively eliminates the use of rainbow tables in hash attacks, because all the precomputed hashes are useless if there is a long salt string attached to the password prior to hashing. Even a weak password will be immune to rainbow table attacks as long as the salt is strong enough.
Hybrid Attack
As password lists become more commonplace, attackers will be able to develop smart algorithms that are part dictionary and part brute force. Analyzing password lists and trends allows rule sets to be developed that can severely reduce the amount of combinations needed for a password attack. Just off the top of my head, I might design a rule that computes hashes of two word passwords using camel case, replace I's for 1's and other common '1337' speak substitutions, etc.
Dictionary Attack
The attacker has a list of commonly used words and/or passwords that they test against the target. Quick to hash and compare, these will become stronger as more password lists are released on the internet.
Rainbow Table
Rainbow tables are hash tables that have been computed in certain algorithms for specific character sets (upper and lowercase letters, numbers, special characters, etc). There are many places that host these lists online such as http://project-rainbowcrack.com/table.htm
Hash Salting
At its simplest, salting a hash means that an extra string is attached to the password before it is hashed. Salts are stored with the hashes because the salt is required to compute and compare the hash.
 |
| Source |
This effectively eliminates the use of rainbow tables in hash attacks, because all the precomputed hashes are useless if there is a long salt string attached to the password prior to hashing. Even a weak password will be immune to rainbow table attacks as long as the salt is strong enough.
Hybrid Attack
As password lists become more commonplace, attackers will be able to develop smart algorithms that are part dictionary and part brute force. Analyzing password lists and trends allows rule sets to be developed that can severely reduce the amount of combinations needed for a password attack. Just off the top of my head, I might design a rule that computes hashes of two word passwords using camel case, replace I's for 1's and other common '1337' speak substitutions, etc.
Sunday, May 7, 2017
Week 5 - Journal
One of the most interesting things that my research as brought up is the conundrum that technological advances place on digital security. I love the idea of the double edged sword, something that is beneficial and detrimental at the same time, something that is especially relevant regarding how encryption and hashing respond to computational power increases. Previous to working on this project, I wasn't really aware of how modern digital security is essentially a numbers game where the security of a system is measured in how long it will take to break.
As an example of how technology advances, I looked at the differences between two Nvidia graphics cards (especially relevant for hashing); the 2010 GeForce GTX 580 and the 2016 GeForce GTX 1080 (top of the line cards for their respective years). Perhaps the most relevant specs to consider would be the clock speed, core count, and energy efficiency.
As an example of how technology advances, I looked at the differences between two Nvidia graphics cards (especially relevant for hashing); the 2010 GeForce GTX 580 and the 2016 GeForce GTX 1080 (top of the line cards for their respective years). Perhaps the most relevant specs to consider would be the clock speed, core count, and energy efficiency.
| GTX 580 | GTX 1080 | |
|---|---|---|
| Clock Speed (MHz) | 772 | 1607 |
| Cuda Cores | 512 | 2560 |
| Power Consumption (W) | 244 | 180 |
These are some massive increases; the clock speed effectively doubled and the core count increased by a factor of 5! And to top it all off, energy consumption is about 25% better on the 1080. This is essentially ten times as powerful (2 x 5) for three quarters the energy cost, absolutely incredible performance gains. (in mass hash calculations/attacks, GPU's are often chosen because they excel at calculating parallelized mathematical functions)
With this in mind it is important that we consider how our tech will hold up in the future, and that it be built strong enough to withstand attacks that are orders of magnitude stronger than what is currently reasonable. Thankfully modern hash algorithms have realized this and most (all?) have implemented a cost factor that can be increased at will. In the case of the php implementation of bcrypt, the cost can be modified in its optional inputs. In this case the cost is measured in 2^n, a value of 10 will increase the cost by 2^10 or 1024 (this is the default, 1024 iterative hashes are performed). It is recommended that the cost be set as high as possible without negatively effecting performance.
In the same way that hash salting provides defense against rainbow table attacks, hash costs can provide a defense against dictionary/hybrid attacks.
In the same way that hash salting provides defense against rainbow table attacks, hash costs can provide a defense against dictionary/hybrid attacks.
Friday, May 5, 2017
Week 5 - Progress Report
At the halfway mark for this quarter, and at just over the halfway mark for this project, I would expect that anyone participating in a research project of any kind to have a considerable portion of their preliminary work done. In this case, I would expect to have my primary sources collected and analyzed as the outline and drafting tasks start to appear in the next couple weeks. Thankfully I have had no issues either gathering sources or analyzing them, and I feel ready to get started with the outlining process.
Specifically for this past week, most of my activities were simply reading through my gathered materials and analyzing them for use in the research paper. I have also spent some time brushing up on how hash functions work, both in general and in their specialized password cases (bringing up the nuances of the positive and negative impacts of speed and cost). I'm thankful that my mind mapping analysis showed that I needed to do some more research in this area because hashing has incredible impact in password authentication, its not as cut and dry as I thought it was initially.
The next two weeks I expect to have the outline and rough drafts completed, something that should be easily attainable.
A side note, one thing that came up in my research was hash collisions. Of course these have always been known to theoretically exist for all hashing algorithms out there, but actual examples of it have been hard to find until recently, especially for the more secure algorithms (MD5 has had known collisions for over a decade now). In a shocking reveal earlier this year, a group of researchers developed a method that allowed them to generate two PDF documents with the same SHA1 hash. Clever manipulations of the documents colors and images coupled with the use of server farms to distribute the task has shown that SHA1 has serious weaknesses in the face of modern technology.
Check out shattered.io for more information about this particular attack.
Specifically for this past week, most of my activities were simply reading through my gathered materials and analyzing them for use in the research paper. I have also spent some time brushing up on how hash functions work, both in general and in their specialized password cases (bringing up the nuances of the positive and negative impacts of speed and cost). I'm thankful that my mind mapping analysis showed that I needed to do some more research in this area because hashing has incredible impact in password authentication, its not as cut and dry as I thought it was initially.
The next two weeks I expect to have the outline and rough drafts completed, something that should be easily attainable.
A side note, one thing that came up in my research was hash collisions. Of course these have always been known to theoretically exist for all hashing algorithms out there, but actual examples of it have been hard to find until recently, especially for the more secure algorithms (MD5 has had known collisions for over a decade now). In a shocking reveal earlier this year, a group of researchers developed a method that allowed them to generate two PDF documents with the same SHA1 hash. Clever manipulations of the documents colors and images coupled with the use of server farms to distribute the task has shown that SHA1 has serious weaknesses in the face of modern technology.
Check out shattered.io for more information about this particular attack.
Wednesday, May 3, 2017
Images and Licensing
Images are an important part of communication; they help break up the monotony of text and can also convey information, help set the mood, and provide flow for a discussion. It is important to get license permissions sorted out before using any images, especially in a professional venue, because failing to attribute the original artist and comply with their intentions for using their work will legitimize your own work, and possibly cause legal action to be taken against you.
Creative Commons licensing allows you to specify that a piece of work is able to be freely distributed, even without citing the source (although it may be prudent to do so anyway to inform your readers).
Citing this image in apa format:
Linforth, P. (n.d.). [Login Screen]. Retrieved May 3, 2017, from https://pixabay.com/en/internet-security-password-login-1952019/
Creative Commons licensing allows you to specify that a piece of work is able to be freely distributed, even without citing the source (although it may be prudent to do so anyway to inform your readers).
Citing this image in apa format:
Linforth, P. (n.d.). [Login Screen]. Retrieved May 3, 2017, from https://pixabay.com/en/internet-security-password-login-1952019/
Here's an image that I think would be good for showing the differences in hash speeds of various functions. This could help me lead into a discussion about the double edged sword of hashing speeds, where fast hashes use less resources to computer and are faster/more responsive, a necessity in modern network communication, while slower hashes are more secure. These days password hash algorithms such as bcrypt are tailored for security, being extremely expensive to compute given their small inputs (instead of hundreds of hashes per millisecond something like a few hashes per second).
Unfortunately many images on the web (such as this one) do not disclose their licensing status, and frequently there is also no author or origin information. In this case I could always gather the information and make my own graph instead of using this one which would be more professional (and I would trust the numbers more).
 |
| Link |
Subscribe to:
Comments (Atom)