Security 1 - Passwords
Computer security is a big and kind of dramatic area which lends itself to movie plots and fear. There are real threats out there, but staying safe is not that hard.
Computer -- The Castle
- The computer is like a castle with walls
- Inside and outside are very different
- Bad guy cannot just access the bytes inside the computer at will
- Bad guy will need to work at it
- A couple of bad-guy strategies:
- obtain a password allowing access
- trick the computer into running bad guy code
- This lecture is scary, but we're going to be ok
In the following sections we'll look at the three most common types of attack, lumping them into broad categories: 1. Password attacks, 2. Phishing attacks, 3. Malware attacks.
Aside: Atypical Spear Phishing Case
- "Spear phishing" - rare
- A specifically crafted and sophisticated attack against a specific person
- Likely to succeed if the attacker has money and motivation
- e.g. if the CIA or someone with a billion dollars really wants your files ..
- They could sneak into your house/hotel at night and tamper with your hardware
- Therefore: a super-motivated attacker will likely succeed
- Except well-implemented encryption, which even they cannot break (a later topic)
Typical Bad Guy Attacks - Bulk
- Typically the bad guys are not crafting some attack just for you
- They send out millions of generic attacks, snaring whoever falls for it
- If you avoid the most common errors, you will probably be fine
- We'll talk about this typical case first
- I don't have any anti-virus software on my computer, and I have not had any problems (not running Windows probably helps me)
Although I'll talk about problems most of the time, don't get all scared. I use the internet all day long, I don't have any anti-virus software installed, and I have not had any problems (that I know of!). It probably helps that I don't run Windows which is a popular target and has had lots of problems.
Password Dictionary Attacks
A favorite CS101 question: list all the ways a bad guy can get your password? We'll go through them.
- The bad guy could try to guess your password to a site
- This is the "outside" case - bad guy is outside the site, guessing
- Known as "dictionary attack"
- as if they are trying all the words in a dictionary
- The bad guy tries to log in again and again
- The bad guy will try common passwords as guesses
- Works if the password is common, e.g. "password" or "password1"
- The attack fails mostly, but works some percentage of the time with an account with a weak password
- There are 86400 seconds in a day
- 1 guess/second = 31 million guesses per year
- There is no time to make 100 billion guesses at that rate
- Not too hard to make a password they will never guess at 1/second rate
The bad guy could try to just guess your password, attempting to log in again and again, hoping to get lucky. They might know the username and just guess the password, or more likely they are guessing both. There are 86400 seconds in a day, and suppose your bank permits 1 login attempt per second. The bad guy could just go through the list of 100000 common passwords ("password", "password123", "janexyz", ...) trying to get lucky. This is good enough for the bad guys. Since they launch the attack in bulk, just getting a fraction of a percent is worthwhile.
Clearly, the bank or whatever should detect thousands of bad logins and slow down or freeze the account. This can cause problems for the legitimate user however (a bad guy can lock you out just by guessing wrong on purpose), so it's a balance. One simple policy is that the bank processes login attempts at a slowish rate, such as one every second, so the bad guy can never get through 100 billion different passwords (at one per second that would take over 3000 years).
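As an added example (not from the lecture), here is the "slowish rate" policy as code: a login throttle that keeps a failure counter per account and per source address and makes the caller wait an exponentially growing number of seconds after a few free tries, so a forgetful user is slowed down rather than locked out. The constants, the address 203.0.113.5 and the simulated one-attempt-per-second attacker are all constructed for the example.

```python
import time
from collections import defaultdict

# Constructed policy values (assumptions for the example, not the lecture's):
# a few quick failures are free, then the required wait doubles per failure,
# capped so a legitimate user who forgot a password is slowed, not locked out.
FREE_FAILURES = 3
BASE_DELAY = 1.0       # seconds; the "one attempt per second" idea
MAX_DELAY = 60 * 15    # cap at 15 minutes


class LoginThrottle:
    """Tracks failed logins per username and per source IP and reports how
    long the next attempt must wait."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        # key -> (failure_count, time_of_last_failure)
        self.failures = defaultdict(lambda: (0, 0.0))

    @staticmethod
    def required_delay(count):
        # 0 for the first FREE_FAILURES failures, then 1, 2, 4, 8 ... seconds
        if count < FREE_FAILURES:
            return 0.0
        return min(BASE_DELAY * 2 ** (count - FREE_FAILURES), MAX_DELAY)

    def _wait_for(self, key):
        count, last = self.failures[key]
        remaining = self.required_delay(count) - (self.clock() - last)
        return max(0.0, remaining)

    def check(self, username, ip):
        """Seconds the caller must wait before this attempt is allowed
        (0.0 means go ahead).  Both the account and the source address are
        consulted, so spraying one password across many accounts from one
        address is slowed too."""
        return max(self._wait_for(("user", username)), self._wait_for(("ip", ip)))

    def record(self, username, ip, success):
        """Call after each attempt.  A success clears the account's counter;
        the address counter is left alone so an attacker cannot reset it by
        logging in to an account they own."""
        now = self.clock()
        if success:
            self.failures.pop(("user", username), None)
            return
        for key in (("user", username), ("ip", ip)):
            count, _ = self.failures[key]
            self.failures[key] = (count + 1, now)


def simulate_attack(seconds):
    """Feed a constructed attacker who tries one wrong password per second
    against one account through the throttle, using a fake clock, and return
    how many guesses actually got processed in that many seconds."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    processed = 0
    for _ in range(seconds):
        if throttle.check("alice", "203.0.113.5") == 0.0:
            processed += 1
            throttle.record("alice", "203.0.113.5", success=False)
        now[0] += 1.0
    return processed


if __name__ == "__main__":
    print("guesses processed in 60 s:", simulate_attack(60))   # 8, not 60
```

Even this simple policy turns sixty guesses a minute into eight; the attacker's only workaround is to spread the guesses across many addresses, which is why the log example in the next section shows traffic from a compromised "zombie" rather than the bad guy's own machine.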
Dictionary Attack Example
Here's a real "log file" from my codingbat.com server where it routinely records what happens each day. What you see here is the attacker trying to guess both the username and password on the account. It happens that the username for each attempt is printed in the log file but the password is not. No doubt they are trying common passwords, such as "secret", "password12", etc. It's funny to me that you can see that their list of usernames to try is in sort of alphabetical order, and they are just running through it in the most obvious way. So what you need to understand is .. this sort of attack is clicking along, every second of every day, aimed at basically all the servers on the internet. They just need to succeed with a few accounts here and there, even though they fail 99.99% of the time. This is why you should not have a password which is close to a dictionary word or someone's name, or is a password people often choose. The good news is .. with just 4 random letters added to your password .. suddenly this dictionary attack is not going to work -- there are not enough seconds in the day. Note that 184.108.40.206 is the IP address of the machine attacking codingbat.com. It appears to be in Japan -- it's probably some person's Windows machine that has been compromised and is now used as a "zombie" under the control of the bad guy to launch more attacks. The zombie is probably running attacks at many servers all at the same time, but here we just see the ones directed at codingbat, about one login attempt every 3 seconds.
...
Mar 6 06:26:20 codingbat sshd: Failed password for invalid user alex from 220.127.116.11 port 36268 ssh2
Mar 6 06:26:22 codingbat sshd: Failed password for invalid user alex from 18.104.22.168 port 36605 ssh2
Mar 6 06:26:26 codingbat sshd: Failed password for invalid user alex from 22.214.171.124 port 36937 ssh2
Mar 6 06:26:29 codingbat sshd: Failed password for invalid user adam from 126.96.36.199 port 37212 ssh2
Mar 6 06:26:32 codingbat sshd: Failed password for invalid user fax from 188.8.131.52 port 37546 ssh2
Mar 6 06:26:34 codingbat sshd: Failed password for invalid user fax from 184.108.40.206 port 37864 ssh2
Mar 6 06:26:38 codingbat sshd: Failed password for invalid user demo from 220.127.116.11 port 38201 ssh2
Mar 6 06:26:41 codingbat sshd: Failed password for invalid user demo from 18.104.22.168 port 38561 ssh2
Mar 6 06:26:44 codingbat sshd: Failed password for invalid user amanda from 22.214.171.124 port 38911 ssh2
Mar 6 06:26:47 codingbat sshd: Failed password for invalid user angie from 126.96.36.199 port 39244 ssh2
Mar 6 06:26:51 codingbat sshd: Failed password for invalid user angie from 188.8.131.52 port 39552 ssh2
...
Here's an example from 2017. This attacker is just guessing on the "root" account, which is a special powerful account on the server.
May 24 15:02:00 codingbat sshd: message repeated 4 times: [ Failed password for root from 184.108.40.206 port 1989 ssh2]
May 24 15:02:01 codingbat sshd: Connection reset by 220.127.116.11 port 1989 [preauth]
May 24 15:02:01 codingbat sshd: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=18.104.22.168 user=root
May 24 15:02:01 codingbat sshd: PAM service(sshd) ignoring max retries; 5 > 3
May 24 15:02:11 codingbat sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.214.171.124 user=root
May 24 15:02:14 codingbat sshd: Failed password for root from 126.96.36.199 port 3215 ssh2
May 24 15:02:21 codingbat sshd: message repeated 4 times: [ Failed password for root from 188.8.131.52 port 3215 ssh2]
May 24 15:02:21 codingbat sshd: Connection reset by 184.108.40.206 port 3215 [preauth]
May 24 15:02:21 codingbat sshd: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.127.116.11 user=root
May 24 15:02:21 codingbat sshd: PAM service(sshd) ignoring max retries; 5 > 3
May 24 15:02:24 codingbat sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=18.104.22.168 user=root
May 24 15:02:26 codingbat sshd: Failed password for root from 22.214.171.124 port 1800 ssh2
May 24 15:02:35 codingbat sshd: message repeated 4 times: [ Failed password for root from 126.96.36.199 port 1800 ssh2]
May 24 15:02:35 codingbat sshd: Connection reset by 188.8.131.52 port 1800 [preauth]
May 24 15:02:35 codingbat sshd: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=184.108.40.206 user=root
May 24 15:02:35 codingbat sshd: PAM service(sshd) ignoring max retries; 5 > 3
May 24 15:02:43 codingbat sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.127.116.11 user=root
May 24 15:02:45 codingbat sshd: Failed password for root from 18.104.22.168 port 4832 ssh2
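Added example, not part of the lecture's log: a small parser that turns sshd "Failed password" lines like the ones above into a per-address summary and flags brute-force sources, the core of what a tool like fail2ban does. The sample log is constructed in the same format (documentation addresses 198.51.100.7, 203.0.113.9 and 192.0.2.10 stand in for the real attacker), and the five-failure threshold is an arbitrary choice for the example.

```python
import re
from datetime import datetime

# Constructed sample in the format of the codingbat log above.  The addresses
# are from the documentation ranges, not real attackers.
SAMPLE_LOG = """\
Mar 6 06:26:20 codingbat sshd: Failed password for invalid user alex from 198.51.100.7 port 36268 ssh2
Mar 6 06:26:22 codingbat sshd: Failed password for invalid user alex from 198.51.100.7 port 36605 ssh2
Mar 6 06:26:26 codingbat sshd: Failed password for invalid user adam from 198.51.100.7 port 36937 ssh2
Mar 6 06:26:29 codingbat sshd: Failed password for invalid user fax from 198.51.100.7 port 37212 ssh2
Mar 6 06:26:32 codingbat sshd: Failed password for invalid user demo from 198.51.100.7 port 37546 ssh2
Mar 6 06:26:34 codingbat sshd: Failed password for invalid user amanda from 198.51.100.7 port 37864 ssh2
Mar 6 06:26:38 codingbat sshd: Accepted publickey for nick from 192.0.2.10 port 50000 ssh2
Mar 6 06:27:14 codingbat sshd: Failed password for root from 203.0.113.9 port 3215 ssh2
Mar 6 06:27:21 codingbat sshd: message repeated 4 times: [ Failed password for root from 203.0.113.9 port 3215 ssh2]
Mar 6 06:27:21 codingbat sshd: Connection reset by 203.0.113.9 port 3215 [preauth]
Mar 6 06:27:21 codingbat sshd: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Mar 6 06:27:40 codingbat sshd: Failed password for nick from 192.0.2.10 port 50001 ssh2
"""

# One "Failed password" event, possibly wrapped in syslog's
# "message repeated N times: [ ... ]" compression.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"(?:message repeated (?P<n>\d+) times: \[ )?"
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2\]?$"
)


def summarize(log_text):
    """Group failed logins by source address.  The PAM "N more authentication
    failures" lines describe the same attempts sshd already logged, so they
    are deliberately not counted a second time."""
    stats = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        n = int(m.group("n") or 1)
        # syslog stamps carry no year; fine for deltas within one log
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        s = stats.setdefault(m.group("ip"), {
            "failures": 0, "users": set(), "invalid_user_hits": 0,
            "first": when, "last": when})
        s["failures"] += n
        s["users"].add(m.group("user"))
        if m.group("invalid"):
            s["invalid_user_hits"] += n
        s["first"] = min(s["first"], when)
        s["last"] = max(s["last"], when)
    return stats


def brute_force_sources(stats, min_failures=5):
    """Addresses with at least min_failures failures, with a one-line reason.
    Many distinct usernames means the attacker is guessing accounts (the
    first log above); one username hammered repeatedly is password guessing
    on a known account (the root example)."""
    flagged = {}
    for ip, s in stats.items():
        if s["failures"] < min_failures:
            continue
        span = (s["last"] - s["first"]).total_seconds()
        if len(s["users"]) > 1:
            kind = "username guessing"
        else:
            kind = f"password guessing on {next(iter(s['users']))}"
        flagged[ip] = f"{s['failures']} failures in {span:.0f}s: {kind}"
    return flagged


if __name__ == "__main__":
    for ip, reason in brute_force_sources(summarize(SAMPLE_LOG)).items():
        print(ip, "->", reason)
```

In practice the flagged addresses feed a firewall rule or the throttle's per-address counter; the legitimate user who mistyped once from 192.0.2.10 stays below the threshold and is never touched.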
Aside: Geo IP
Where are these dictionary attacks coming from? It's a necessary part of TCP/IP that the other end has to reveal its IP address to get IP packets back. Here we see it's: 22.214.171.124
Find a "geo ip" service - it tells you approximately where an IP address is on earth. Look up the address attacking us. Keep in mind that the address is usually a compromised "zombie" machine, so you are locating the zombie, not the bad guy behind it.
- Patterns of weak passwords to avoid
- 1. Passwords should not be a plain word
- 2. Passwords should not be too short - 6 characters is marginal, longer is better
- 3. Passwords with only lowercase letters are weaker
- upper case, digits, punctuation are all stronger
- 4. Passwords should not be a pun or pattern that someone else would think of (this one is the killer!)
- these sorts of passwords are on the common password list
- When asked to make a random, memorable password, the pun instinct is strong!
- 5. When required to add a digit to a password, many people just add 1 at the end
- Here is a list of commonly used passwords, most popular at the top, basically demonstrating all the patterns of bad passwords:
password, password1, 123456789, 12345678, 1234567890, abc123, computer, tigger, 1234, qwerty
Weak Passwords - The Bad Guy Perspective
- How do bad guys guess passwords?
- 1. Dictionary of words
- 2. List of commonly used passwords from other sites
- this includes whatever joke or pun you are thinking of!
- 3. Heuristic changes (scary)
- say the bad guys have "catfishr" on their list
- bad guy code tries variations of it automatically:
- iheartcatfishr - (add common stuff on the ends)
- Therefore: our strategy must avoid anything from the common list
- Passwords do not need to be super elaborate to be secure (some sites go crazy with this)
- What makes a password stronger:
- more characters: lower case, upper case, digits, punctuation
- not a word or pun
- Here is what I do for secure passwords, e.g. a bank site
- Start with a word, say "kittens"
- Change it with a random misspelling, then add some random stuff
- kottens4x -- simple but fine password
- not a word, not a pun, not digit-at-end
- Here are stronger versions
- kottens,erx -- better
- Kottens,9erx -- better
- KottensX,97erx -- probably more complex than necessary
- Key: the random misspelling cannot be a joke or pun
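Added example (not the lecture's code) covering both the weak-pattern list and the bad-guy perspective above: a tiny version of the mangling rules a cracking tool applies to a wordlist, so you can ask which rule would produce a given password. The word list, prefixes and suffixes are constructed stand-ins for the real multi-million-entry lists; the point is the shape of the search, not its size.

```python
import itertools

# Constructed stand-ins for the dictionary and leaked-password lists a real
# attacker feeds to a cracking tool (which would have millions of entries).
WORDS = ["kittens", "tigger", "computer", "password", "qwerty", "catfishr"]
PREFIXES = ["", "iheart", "my"]
# the "just add a 1 at the end" habit and friends: every 1-2 digit suffix
# plus a few perennial favourites
SUFFIXES = [""] + [str(i) for i in range(100)] + ["123", "1234", "!", "!!", "2017"]


def leet(word):
    """The a->4, e->3, i->1, o->0 substitution every rule set includes."""
    return word.translate(str.maketrans("aeio", "4310"))


TRANSFORMS = {"plain": lambda w: w, "leet": leet}
CASES = {"as-is": lambda w: w, "capitalize": str.capitalize, "upper": str.upper}


def candidates(words=WORDS):
    """Yield (guess, rule) for every word x transform x case x prefix x suffix.
    The rule tuple records how the guess was built so a hit is explainable."""
    for word in words:
        for tname, transform in TRANSFORMS.items():
            for cname, case in CASES.items():
                core = case(transform(word))
                for prefix, suffix in itertools.product(PREFIXES, SUFFIXES):
                    yield prefix + core + suffix, (word, tname, cname, prefix, suffix)


def how_guessable(password, words=WORDS):
    """The first rule that produces `password`, or None if no rule does."""
    for guess, rule in candidates(words):
        if guess == password:
            return rule
    return None


def count_candidates(words=WORDS):
    """Size of the guess list the rules generate (distinct strings)."""
    return len({guess for guess, _ in candidates(words)})


if __name__ == "__main__":
    for pw in ["password1", "iheartcatfishr", "Tigger123", "K1tt3ns!", "kottens4x"]:
        print(f"{pw:16} -> {how_guessable(pw)}")
    print("guesses in the list:", count_candidates())
```

The "clever" passwords all come out of the rule engine with a rule attached, while kottens4x does not, because its misspelled stem is not on any list. The rule set above produces 11448 guesses, about three hours at one per second; appending four random lowercase letters multiplies that by 26^4 = 456976, roughly 5.2 billion guesses, or about 166 years at that rate, which is the arithmetic behind "there are not enough seconds in the day".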
Outside Password Guessing vs. Cracking Stolen Passwords
- Thus far the "outside" case
- The bad guy is outside the site, guessing passwords at the rate of 1/sec or so
- Different from the cracking case:
- The bad guy has stolen the site's whole table of password hashes (a site should store a one-way hash of each password, never the password itself)
- "cracking" is hashing guess after guess and looking for a match among the stolen hashes, many per second
- Cracking can be done at rates of billions of guesses per second on a few GPUs when the site used a fast hash like MD5 or SHA-1; a deliberately slow hash like bcrypt cuts that rate by orders of magnitude but does not save a weak password
- Conclusion: at that rate, most passwords are guessed within a few days
- Therefore: If a site is compromised, assume the passwords will be exposed
- ArsTechnica Cracking Article - yikes!
- Scary example:
- cracked password was: momof3g8kids
- that looks like a great password, what happened?
- bad guy list of 111 million passwords from around the web
- "momof3g" was on the list of 111 million
- bad guy had shorter list with "8kids"
- bad guy just tried all the combinations!
- With a billion guesses per second, you can just do that
- Just remember 2 things:
- 1. If a site is compromised, your password for that site will be cracked
- we are going to lose to the billions / second guesses
- 2. This is why you cannot re-use passwords across sites!
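Added example, not from the lecture or the Ars article: the momof3g8kids combination attack run against a constructed table of stolen hashes, plus a timing of how much a deliberately slow password hash (PBKDF2 here) costs the cracker per guess. The usernames, hashes and wordlists are all made up, and storing unsalted SHA-1 is the example's assumption, not a fact about any particular site.

```python
import hashlib
import time


def sha1_hex(password):
    """Unsalted SHA-1, the kind of fast hash that makes cracking cheap."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "stolen" table: username -> unsalted SHA-1 of the password.
STOLEN = {
    "dana": sha1_hex("momof3g8kids"),
    "eve": sha1_hex("password123"),
    "gil": sha1_hex("password123"),     # same password as eve, reused
    "frank": sha1_hex("Kottens,9erx"),
}

# Two short wordlists standing in for the 111-million-entry list and the
# shorter suffix list in the Ars example.
LEFT = ["momof3g", "password", "iheart", "kittens", "tigger"]
RIGHT = ["8kids", "123", "2013", "!", "1"]


def combinator_attack(stolen, left, right):
    """Hash every left+right pair once and look it up against all the stolen
    hashes at the same time.  With no salt, one candidate tests every account,
    and users who share a password fall together.  Returns (cracked, tried)."""
    by_hash = {}
    for user, h in stolen.items():
        by_hash.setdefault(h, []).append(user)
    cracked, tried = {}, 0
    for a in left:
        for b in right:
            tried += 1
            for user in by_hash.get(sha1_hex(a + b), ()):
                cracked[user] = a + b
    return cracked, tried


def slowdown_factor(iterations=50_000, samples=20):
    """How many times more work one PBKDF2 guess costs than one raw SHA-1
    guess, measured on this machine.  A site that stores PBKDF2/bcrypt/scrypt
    hashes with a per-user salt forces the cracker to pay this for every
    guess for every account."""
    t0 = time.perf_counter()
    for i in range(samples):
        hashlib.sha1(b"guess%d" % i).digest()
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for i in range(3):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, b"per-user-salt", iterations)
    slow = (time.perf_counter() - t0) / 3
    return slow / fast


if __name__ == "__main__":
    cracked, tried = combinator_attack(STOLEN, LEFT, RIGHT)
    print(f"{tried} candidates -> cracked {cracked}")
    print(f"PBKDF2 guess costs ~{slowdown_factor():.0f}x a SHA-1 guess")
```

Twenty-five hashes recover three of the four accounts, and eve and gil fall on the same candidate because an unsalted table maps equal passwords to equal hashes. Frank's kottens-style password survives only because its stem is on neither list; the slow hash buys time against a large list, it does not rescue "password123".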
What To Do
- Avoid weak passwords
- Don't have to go crazy with it
- Bad guys guessing from outside get thousands of tries at you, not billions
- e.g. kottens4x is pretty good
- Don't re-use passwords across sites
- Do consider writing down important passwords
- Not all passwords need to be super secure
- Email password is extra important, due to password resets
- A hybrid scheme: memorize suffix "x23" for passwords
- Write down / record passwords but not the suffix
For an important site like a bank, you should use a password different from your other passwords. It should not be the case that by stealing your facebook or twitter password, they now have access to your bank. I write the passwords down on a piece of paper at my house in case I forget. The bad guy in Russia or whatever does not have some team of ninjas that's going to break into my house and get passwords off my slip of paper. The attacks are bulk, mindless affairs that work on the low-hanging fruit. One technique for writing down passwords is to pick a little suffix you memorize, like "x936" or whatever, and that always goes on the end of your passwords. Record the passwords down, but never the suffix. That way, even with the piece of paper, a bad guy still does not have the passwords. Or maybe it's better to just write the passwords out clearly, so your family can access your email etc. if you are in the hospital.
Email is tricky -- once they have your email password, then they may be able to do a password reset and get into your account. In that sense, your email password is the most important.
Authentication - 3 Ways
- There are 3 ways to authenticate..
- 1. Something you know - a password
- 99% of authentication is just this one
- 2. Something you have
- something physical, e.g. a physical key, a device
- 3. Something you are
- "biometric" like a fingerprint or iris
- Biometrics are not the ultimate because they cannot be re-issued when stolen
- A second thing to log in
- Typically something you have, since already using a password
- aka "Multi-Factor Authentication"
- Password is 1 piece of info
- Require 2nd info to log in, (not just an additional memorized password)
- example 1: The site SMSs a little number to the user's registered cell phone
- example 2: The user has a free One Time Password generator (OTP) app on their phone
- example 3: U2F (below)
- Two-factor makes it much more difficult for the bad guy
- Although not impossible
- Great side effect: with two-factor, perhaps the password can be simple "kitten2"
- Ideally, 2nd-factor not required every time
- maybe once a month or from a new computer
- Two-factor may still fail for phishing (not U2F though)
Two-Factor Phone SMS - Problems!
- SMS a number to your phone is a common two-factor
- Big improvement on password alone
- But 3 weaknesses...
- 1. Bad guys could trick your mobile provider
- Badger customer support into moving your number to a SIM or phone they control (a "SIM swap"), so your texts go to them
- This is a thing that has happened many times (motivated bad guy)
- Security cannot depend on customer support being right 100% of the time
- Read: Technologist Professor Hacked
- Read: Phone Hijack of two-factor
- 2. Phishing!
- The bad guy phishing site could ask you to type in password and SMS number
- 3. Malware on phone
- Bad guy malware on the phone could intercept the SMS number
- e.g. Bank phishing site ALSO tricks user into installing phone malware
- NIST (SP 800-63B) classes SMS codes as a "restricted" authenticator and discourages them
- Therefore: the phone/device should produce the number internally, not receive it through the cell network, e.g. the OTP app above or U2F below
- Therefore: only install phone apps from official app store (scanned)
Future of Two-Factor: U2F
- You heard it here first!
- Device source of 2nd-factor
- The world will not continue to use passwords as we know them today
- Free and open FIDO U2F "universal two-factor" shows a next-gen solution
- Right now works in Chrome. Firefox and Edge working on it
- It's an inexpensive little device you can carry around, it has one button on it
- Click button = complete login now
- Click on wrong site .. totally harmless (phishing proof): the key signs the real site's address into every response, so a fake site ends up holding a response the real site will not accept
- Secure and convenient - you don't have to type anything.
- Ultimately your phone will work as a U2F token too
- U2F is so secure, the password can be trivial, like 4 digit PIN or perhaps nothing
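Added example, not from the lecture or the FIDO specification: a model of why the button press is harmless on the wrong site. It keeps U2F's structure (a key handle issued per site at registration, the browser rather than the page filling in the origin, the token signing the site's appId together with a counter and the challenge) but uses HMAC with a shared key in place of the ECDSA key pair a real token holds, so it runs with the standard library only; the names bank.example and bank-login.example and all the helper names are made up.

```python
import hashlib
import hmac
import json
import os
import secrets
import struct

BANK = "https://bank.example"          # constructed legitimate origin
EVIL = "https://bank-login.example"    # constructed phishing origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Token:
    """Model of a U2F key.  One master secret; a fresh key is derived for every
    (appId, nonce) registration.  HMAC stands in for the ECDSA signature here;
    in a real token the private half never leaves the device."""

    def __init__(self):
        self.master = os.urandom(32)
        self.counter = 0

    def _key(self, app_id, nonce):
        return hmac.new(self.master, b"key|" + app_id.encode() + b"|" + nonce, hashlib.sha256).digest()

    def _handle(self, app_id, nonce):
        tag = hmac.new(self.master, b"handle|" + app_id.encode() + b"|" + nonce, hashlib.sha256).digest()[:16]
        return nonce + tag          # the handle is bound to this appId

    def register(self, app_id):
        nonce = os.urandom(16)
        return self._handle(app_id, nonce), self._key(app_id, nonce)

    def sign(self, app_id, handle, client_data_hash):
        nonce = handle[:16]
        if not hmac.compare_digest(handle, self._handle(app_id, nonce)):
            raise ValueError("key handle was not issued for this appId")
        self.counter += 1
        signed = sha256(app_id.encode()) + struct.pack(">I", self.counter) + client_data_hash
        return self.counter, hmac.new(self._key(app_id, nonce), signed, hashlib.sha256).digest()


class RelyingParty:
    """The web site.  appId and origin are the same string in this model."""

    def __init__(self, origin):
        self.origin = origin
        self.users = {}       # user -> {"handle", "key", "counter"}
        self.pending = {}     # user -> outstanding challenge

    def register(self, user, token):
        handle, key = token.register(self.origin)
        self.users[user] = {"handle": handle, "key": key, "counter": 0}

    def begin_auth(self, user):
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge
        return self.users[user]["handle"], challenge

    def finish_auth(self, user, client_data, counter, sig):
        rec = self.users[user]
        data = json.loads(client_data)
        if data.get("origin") != self.origin:            # signed for another site
            return False
        if data.get("challenge") != self.pending.pop(user, None):
            return False                                  # stale or replayed
        if counter <= rec["counter"]:
            return False                                  # cloned-token check
        signed = sha256(self.origin.encode()) + struct.pack(">I", counter) + sha256(client_data.encode())
        if not hmac.compare_digest(hmac.new(rec["key"], signed, hashlib.sha256).digest(), sig):
            return False
        rec["counter"] = counter
        return True


def browser_sign(token, page_origin, app_id, handle, challenge):
    """The browser, not the page, writes the origin into the client data and
    refuses to sign for another site's appId, so a page cannot lie."""
    if app_id != page_origin:
        raise PermissionError("page may not request assertions for another site's appId")
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
    counter, sig = token.sign(app_id, handle, sha256(client_data.encode()))
    return client_data, counter, sig


def login_flow(page_origin=BANK):
    """Press the button on the page at page_origin while logging in to the bank."""
    bank, token = RelyingParty(BANK), Token()
    bank.register("alice", token)
    handle, challenge = bank.begin_auth("alice")
    try:
        client_data, counter, sig = browser_sign(token, page_origin, page_origin, handle, challenge)
    except ValueError as e:
        return f"token refused: {e}"
    return "login ok" if bank.finish_auth("alice", client_data, counter, sig) else "bank rejected"


def relay_attack():
    """Phisher at EVIL relays the bank's live challenge; the victim had even
    registered the same token at the fake site.  Returns the bank's verdict."""
    bank, evil, token = RelyingParty(BANK), RelyingParty(EVIL), Token()
    bank.register("alice", token)
    evil.register("alice", token)
    _, bank_challenge = bank.begin_auth("alice")
    evil_handle, _ = evil.begin_auth("alice")
    client_data, counter, sig = browser_sign(token, EVIL, EVIL, evil_handle, bank_challenge)
    return bank.finish_auth("alice", client_data, counter, sig)
```

Three things go wrong for the phisher at once: the browser will not let the fake page ask for the bank's appId, the token will not use the bank's key handle for any other appId, and whatever does get signed names the phishing origin and a different key, so the bank rejects it. Nothing the user types or clicks on the fake site changes that, which is the sense in which the password on top can be trivial.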