Proc. HotSec '07 Do Strong Web Passwords Accomplish Anything? Dinei Florencio,ˆ Cormac Herley Baris Coskun Microsoft Research ECE Department One Microsoft Way Polytechnic University Redmond, WA, USA Brooklyn, NY, USA [email protected], [email protected] [email protected] ABSTRACT Unfortunately, these recommendations appear somewhat We ¯nd that traditional password advice given to users out of date. If we enumerate the principal threats to a is somewhat dated. Strong passwords do nothing to user's credentials they would appear to be: protect online users from password stealing attacks such 1. Phishing as phishing and keylogging, and yet they place consid- erable burden on users. Passwords that are too weak of 2. Keylogging course invite brute-force attacks. However, we ¯nd that 3. A brute-force attack on the user's account (i.e. an relatively weak passwords, about 20 bits or so, are suf- attacker knows the userID and tries to guess the ¯cient to make brute-force attacks on a single account password) unrealistic so long as a \three strikes" type rule is in place. Above that minimum it appears that increasing 4. A bulk guessing attack on all accounts at the in- password strength does little to address any real threat. stitution If a larger credential space is needed it appears better to increase the strength of the userID's rather than the 5. Special knowledge or access attacks: passwords. For large institutions this is just as e®ective (a) guessing based on information about the user in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears (b) shoulder sur¯ng little reason to require strong passwords for online ac- (c) console access to a machine where password counts. auto-¯ll is enabled or a password manager is in use. 1. INTRODUCTION As can be seen none of the password \best practices" Passwords have become the dominant means of ac- o®ers any real protection against phishing or keylog- cess control to online services. With this success has ging, which appear to be the most prevalent attacks. come an enormous variety of attacks: each login page Strong passwords are just as susceptible to being stolen represents an opportunity for an attacker who is just a by a phisher or keylogger as weak ones, and changing short sequence of characters away from someone else's the password frequently helps only if the attacker is ex- email, banking, medical or social networking accounts. tremely slow to exploit the harvested credentials. Nonetheless, it is common to assume that stronger 1.1 Why Choose Strong Passwords? passwords help against guessing and brute-force attacks, Users are frequently reminded of the risks: the popu- i.e. Threats 3 and 4. We show in Section 2.1 that even a lar press often reports on the dangers of ¯nancial fraud relatively weak password (e.g. 6 digit PIN) withstands and identity theft, and most ¯nancial institutions have a brute-force attack on the user's account (Threat 3), security sections on their web-sites which o®er advice so long as a \three strikes" type lockout rule is in place. on detecting fraud and good password practices. As to Guessing based on information about the user (Threat password practices traditionally users have have been 5 (a)) is di±cult. Further, making a password strong in advised to (e.g. see [3]): the cryptographic sense is very far from making it hard to guess for someone who has knowledge of the indi- ² Choose strong passwords vidual. For example \Sn00py2" is a stronger password cryptographically than \749278" but might be much ² Change their passwords frequently easier to guess for someone who knows the individual. Shoulder sur¯ng (Threat 5(b)) does not appear to be ² Never write their passwords down. common: humans are very good at detecting people in 1 Proc. HotSec '07 their personal space and this is an attack that even un- have an o²ine attack on a particular account. That sophisticated users understand. It would be di±cult to is, if the attacker wishes to gain access to the account argue that users should choose stronger passwords to userID at the login server BigBank he must attempt make the memorization task of shoulder surfers more login. Brute-force attacks are easily detected. For ex- di±cult. Finally, the console access problem (Threat ample many web sites institute a \three strikes" rule 5(c)) is una®ected by password strength. whereby three unsuccessful login attempts will cause Thus it would appear that the main reason for insti- access to the account to be locked (at least for some pe- tutons such as banks to insist on strong passwords is riod of time). More sophisticated rules can be applied Threat 4: i.e. a bulk guessing attack not just on a sin- to detect less obvious attacks; e.g. if the ratio of unsuc- gle account, but on many of the accounts at the same cessful to successful login attempts exceeds a threshold institution. We discuss this attack in detail in Section and so on. 2.2. While stronger passwords certainly make this at- Thus a direct brute-force attack on the password of a tack more di±cult they are only one tool a bank has given account is di±cult. To consider a concrete exam- against bulk guessing attacks. We demonstrate in this ple, if a bank allows only 6 digits PINs (a relatively weak paper that a bank can lower the global break-in rate password) and locks an account for 24 hours after three from a bulk guessing attacker while increasing usability attempts an attacker could search 3 £ 365 £ 10=1e6 ¼ by insisting on stronger userID's rather than stronger 0:011 or 1% of the key-space in 10 years. This seems like passwords. This is just as e®ective (against Threat 4) as a small risk. Further, the ratio of unsuccessful to suc- insisting on stronger passwords but reduces the burden cessful logins would be huge and hence easily detected; on users. It has no influence on susceptibility to pass- in reality this is a very loose upper bound on the risk word stealing attacks phishing and keylogging (Threats of a brute-force break-in on a single account protected 1 and 2) or console access (Threat 5 (c)) and appears to with a 6 digit PIN (or equivalent). In essence a brute- have little e®ect on knowledgeable guessing or shoulder force attack requires searching a large portion of the sur¯ng (Threats 5 (a) and (b)). password key-space. Even for a weak password, and a very active user it is easy to detect the large number of 2. ATTACK SCENARIOS unsuccessful attempts. Passwords have long been the subject of attack. Users' 2.2 Bulk guessing attack on all accounts habits of choosing weak and easily guessed passwords was already noted in early Unix systems [15]. While Thus, if even a 6 digit PIN gives good protection why much has changed in thirty years a great deal has stayed do banks suggest (or demand) that users choose strong the same: a more recent study of web password habits passwords? For example PayPal requires that new user reveals that users often still choose the weakest pass- passwords be at least 8 characters \is not a word you can words allowed [9]. One can view this as evidence that ¯nd in the dictionary, includes both capital and lower users are hopelessly lazy where security is concerned: in case letters, and contains at least one special character spite of frequent warnings about account fraud users on (1-9, , , , etc.)." Why require that the password be average select the weakest password they can get away chosen from such a large key-space when: with. On the other hand one can argue that users show ² The strength of the password o®ers no defence considerable wisdom from a cost bene¯t standpoint: against phishing, keylogging or other password steal- choosing a strong password generates very little bene¯t ing mechanisms to a user, but it does carry considerable cost. There ² Even a 6 digit PIN yields at most a 1% probability is little bene¯t in a strong password since phishing and of success to 10 years of brute-force attack? keylogging are the main threats to a user's password and even a weak password will withstand ten years of One reason is that PayPal, and other large institu- sustained brute-force attack on an account (see Section tions, must worry about attacks on more than a single 2.1). There is cost because strong passwords are harder user account. Suppose BigBank has 10 million online to remember than weak ones, and users have many pass- user accounts. If BigBank allows 6 digit PINs each PIN words to remember [9]. Since the cost (i.e. the di±- will on average be used by ten di®erent users. Instead culty of remembering stronger passwords) is borne by of searching all possible passwords for a given userID the user, but the bene¯t (increased protection against an attacker can search all possible userID's for a given the attack of Section 2.2) is enjoyed by the bank user re- password. Ten million attempts will yield ten successful sistance to stronger passwords is predictable. We argue logins using this strategy. that there are better means of addressing brute-force Worse, BigBank's tools to detect this type of attack bulk guessing attacks. are far poorer than a brute-force attack on an individ- ual userID.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages6 Page
-
File Size-