PIS Unit 5: Password management. Sanjay Rawat, Sanjay_r@vnrvjiet.in. Based on lecture slides by Lawrie Brown.
Password Management • front-line defense against intruders • users supply both: • login (user ID) – determines the privileges of that user • password – authenticates that the user is who the login claims • passwords are stored in one-way (hashed) form, never in clear text • classic Unix uses a DES variant with a salt • more recent systems use a cryptographic hash function • the password file itself must still be protected (e.g. a shadow file readable only by root), since a stolen file can be attacked offline
Unix password system • Each user selects a password of up to eight printable characters; the low 7 bits of each character form a 56-bit DES key. • Uses a DES variant, crypt(3), with a 12-bit salt (typically derived from the time the password was set); the salt modifies the DES expansion so that a standard DES implementation cannot be reused against it. • The key encrypts a 64-bit block of zeros for 25 iterations. • The 64-bit output is encoded as 11 printable characters and stored together with the 2-character salt (13 characters in total).
Password Selection Strategies • User education • Computer-generated passwords • Reactive password checking • Proactive password checking
Managing Passwords - Education • can use policies and good user education • educate on importance of good passwords • give guidelines for good passwords • minimum length (>6) • require a mix of upper & lower case letters, numbers, punctuation • not dictionary words • but likely to be ignored by many users
Computer Generated • let the computer create passwords • if truly random they are unlikely to be memorised, so they get written down (sticky-label syndrome) • even pronounceable passwords are often not remembered • such schemes have a history of poor user acceptance • FIPS PUB 181 (Automated Password Generator) is one of the best-known generators • it has both a description and sample code • it generates words by concatenating random pronounceable syllables
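The trade-off in the list above (pronounceable passwords are easier to remember but drawn from a smaller space than random strings of the same length) can be measured. The Python below is an added example, not code from the slides or from FIPS PUB 181: it builds passwords from random consonant-vowel syllables, a toy version of the syllable-concatenation idea rather than FIPS 181's actual generation rules, and compares the entropy of the result with that of a random string of the same length. The consonant and vowel sets are assumptions chosen for the illustration.

```python
import math
import secrets
import string

# Toy syllable inventory (an assumption for this example; FIPS 181 uses
# a much richer set of syllable rules).
CONSONANTS = "bcdfghjklmnprstvwz"   # 18 choices
VOWELS = "aeiou"                    # 5 choices
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 choices


def pronounceable_password(n_syllables: int = 4) -> str:
    """Concatenate n random consonant-vowel syllables, e.g. 'kafubotu'.

    secrets.choice is used rather than random.choice so the generator is
    seeded from the OS CSPRNG, which any password generator must be.
    """
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        for _ in range(n_syllables)
    )


def pronounceable_entropy_bits(n_syllables: int) -> float:
    """Entropy of the generator above: each syllable is one of |C|*|V| choices."""
    return n_syllables * math.log2(len(CONSONANTS) * len(VOWELS))


def random_entropy_bits(length: int, alphabet: str = PRINTABLE) -> float:
    """Entropy of a uniformly random string of the same length over `alphabet`."""
    return length * math.log2(len(alphabet))


def is_pronounceable_form(password: str) -> bool:
    """True if the string follows the consonant-vowel pattern the generator emits."""
    if len(password) % 2 != 0:
        return False
    return all(
        password[i] in CONSONANTS and password[i + 1] in VOWELS
        for i in range(0, len(password), 2)
    )


if __name__ == "__main__":
    pw = pronounceable_password(4)
    print(pw, f"{pronounceable_entropy_bits(4):.1f} bits")
    print(f"random 8-char printable: {random_entropy_bits(8):.1f} bits")
```

Four syllables give an eight-character password with about 26 bits of entropy, whereas eight uniformly random printable characters carry about 52 bits; the memorability is bought with half the keyspace, which is why the slides rate such generators on acceptance rather than on strength alone.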
Reactive Checking • reactively run password guessing tools • note that good dictionaries exist for almost any language/interest group • cracked passwords are disabled • but is resource intensive • bad passwords are vulnerable till found
Proactive Checking • the most promising approach to improving password security • allow users to select their own password • but have the system verify that it is acceptable before accepting it • simple rule enforcement (length, character classes) • compare against a dictionary of bad passwords • use an algorithmic method (Markov model or Bloom filter) to detect poor choices without storing the full dictionary
Markov model based password checking • A Markov model is written M = [m, A, T, k]: m states, alphabet A, transition matrix T, order k • Example: M = {3, <a,b,c>, T, 1}: three states over the alphabet {a, b, c}, first order (k = 1), so each transition probability depends only on the previous character • T is estimated from a training text of dictionary words, here: abbcabac abbcbaabb • A candidate password that the model finds very likely is "dictionary-like" and is rejected
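The Python below is an added example, not code from the slides: it estimates the first-order transition matrix T from the training text on the slide, over the alphabet {a, b, c}, and uses the mean log-probability of a candidate's transitions as the proactive check. The rejection threshold and the probability floor for transitions never seen in training are assumptions chosen for the illustration.

```python
import math

ALPHABET = "abc"
# Training text from the slide, two words separated by a space.
TRAINING_TEXT = "abbcabac abbcbaabb"


def train_first_order(text: str, alphabet: str = ALPHABET) -> dict[str, dict[str, float]]:
    """Estimate T for a Markov model with m = len(alphabet) states and k = 1.

    T[x][y] is the fraction of transitions out of character x that go to y,
    counted over consecutive character pairs within each training word.
    """
    counts = {x: {y: 0 for y in alphabet} for x in alphabet}
    for word in text.split():
        for x, y in zip(word, word[1:]):
            counts[x][y] += 1
    T = {}
    for x in alphabet:
        total = sum(counts[x].values())
        T[x] = {y: (counts[x][y] / total if total else 0.0) for y in alphabet}
    return T


def log2_likelihood_per_transition(T, password: str, floor: float = 1e-3) -> float:
    """Mean log2 probability of each transition in `password` under T.

    Characters outside the alphabet, or transitions with zero estimated
    probability, are charged `floor` (an assumption) so the score stays finite.
    """
    if len(password) < 2:
        return math.log2(floor)
    total = 0.0
    for x, y in zip(password, password[1:]):
        p = T.get(x, {}).get(y, 0.0)
        total += math.log2(p if p > 0 else floor)
    return total / (len(password) - 1)


def is_too_predictable(T, password: str, threshold: float = -5.0) -> bool:
    """Proactive check: reject passwords the model finds likely, i.e. ones that
    look like the dictionary it was trained on. The threshold is an assumption
    and would be tuned against real dictionaries in practice."""
    return log2_likelihood_per_transition(T, password) > threshold


if __name__ == "__main__":
    T = train_first_order(TRAINING_TEXT)
    for x in ALPHABET:
        print(x, {y: round(T[x][y], 3) for y in ALPHABET})
    for candidate in ("abbcab", "xq9!Lm"):
        print(candidate, round(log2_likelihood_per_transition(T, candidate), 2),
              "reject" if is_too_predictable(T, candidate) else "accept")
```

From the slide's text the estimated row for a is (1/6, 2/3, 1/6), for b (2/7, 3/7, 2/7) and for c (1/2, 1/2, 0); "abbcab" scores about -1 bit per transition and is rejected, while "xq9!Lm" contains no trained transition, scores about -10 bits per transition and is accepted. The point of the method is visible in what is stored: three rows of three probabilities replace the whole dictionary.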
Bloom filter (BF) based password checking • A BF of order k consists of k independent hash functions H_i, each producing a value between 0 and N−1 • H_i(X_j) = y with 0 < i ≤ k, 0 < j ≤ D, 0 ≤ y ≤ N−1 • X_j = the jth word in the password dictionary • D = number of words in the password dictionary • The table is built once from the whole dictionary and every new password is then checked against it, so the dictionary itself need not be stored
Bloom…. • A table of N bits is defined, with all bits initially set to 0. • For each dictionary word, its k hash values are calculated and the corresponding bits in the table are set to 1. • When a new password is presented to the checker, its k hash values are calculated. • If all k corresponding bits of the table are 1, the password is rejected; if any bit is 0 the password is definitely not in the dictionary and is accepted.
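The procedure in the three slides above, as an added Python example (not code from the slides): a bit table of N bits, k hash functions derived from SHA-256 with the function index mixed in, insertion of every dictionary word, and the membership test that rejects a candidate only when all k of its bits are set. The hash construction, the table size, k, and the bad-password dictionary are assumptions made for the illustration; the false-positive estimate at the end is the standard Bloom-filter approximation rather than a formula from the slides.

```python
import hashlib
import math


class BloomPasswordChecker:
    """Bloom filter of order k over an N-bit table, as described on the slides."""

    def __init__(self, n_bits: int, k: int):
        self.N = n_bits
        self.k = k
        self.bits = bytearray((n_bits + 7) // 8)   # all bits start at 0
        self.D = 0                                  # dictionary words inserted

    def _hashes(self, word: str):
        """Yield H_i(word) for 0 < i <= k, each in [0, N-1].

        Assumed construction: SHA-256 over (i || word), reduced mod N, so the
        k functions differ only in the prefixed index byte.
        """
        data = word.encode()
        for i in range(1, self.k + 1):
            digest = hashlib.sha256(bytes([i]) + data).digest()
            yield int.from_bytes(digest, "big") % self.N

    def add(self, word: str) -> None:
        """Set the k bits for one dictionary word X_j."""
        for y in self._hashes(word):
            self.bits[y >> 3] |= 1 << (y & 7)
        self.D += 1

    def rejects(self, candidate: str) -> bool:
        """True if all k bits for the candidate are set (possibly a false positive)."""
        return all(self.bits[y >> 3] & (1 << (y & 7)) for y in self._hashes(candidate))

    def false_positive_rate(self) -> float:
        """Standard estimate (not on the slides): P ~ (1 - e^(-kD/N))^k."""
        return (1 - math.exp(-self.k * self.D / self.N)) ** self.k


# Constructed bad-password dictionary for the example.
BAD_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome"]


def build_checker(words=BAD_PASSWORDS, n_bits: int = 4096, k: int = 4) -> BloomPasswordChecker:
    bf = BloomPasswordChecker(n_bits, k)
    for w in words:
        bf.add(w)
    return bf


if __name__ == "__main__":
    bf = build_checker()
    for candidate in ("qwerty", "correct-horse-battery-staple"):
        print(candidate, "reject" if bf.rejects(candidate) else "accept")
    print(f"estimated false-positive rate: {bf.false_positive_rate():.2e}")
```

Every dictionary word is rejected with certainty, because its own bits were set when it was inserted; a candidate outside the dictionary is only rejected if all k of its bits happen to collide with set bits, which is the false positive the next slide discusses. The table costs N bits regardless of word length, which is the storage saving over keeping the dictionary itself.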
Bloom… • False positives are possible: a new password that is not in the dictionary is still rejected if its k hash values all land on bits already set by dictionary words. • A password that is in the dictionary is never accepted by mistake (no false negatives). • Probability of a false positive: depends on k, D and N
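The false-positive probability the slide refers to can be estimated with the slide's own symbols (k hash functions, D dictionary words, an N-bit table). This derivation is added here and is the standard Bloom-filter approximation, not text from the slides.

After all D words have been inserted, each of the kD hash values has set one bit chosen (approximately) uniformly from the N, so a particular bit is still 0 with probability

$$
\left(1 - \frac{1}{N}\right)^{kD} \approx e^{-kD/N}.
$$

A new password is wrongly rejected only if all k of its bits are already 1, giving

$$
P \approx \left(1 - e^{-kD/N}\right)^{k}.
$$

Writing $R = N/D$ for the number of table bits per dictionary word, this is $P \approx \left(1 - e^{-k/R}\right)^{k}$, so the designer trades table size (R) and hashing cost (k) against the rate at which acceptable passwords are needlessly refused.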
Some math • From N objects, select an ordered r-set • N^r (with repetitions) • (without repetitions) • Binomial coefficient • Bayes' Theorem