Why Passwords?
- Why is "something you know" more popular than "something you have" and "something you are"?
  - Cost: passwords are free
  - Convenience: easier for a sysadmin to reset a pwd than to issue a new thumb
Keys vs Passwords
- Crypto keys
  - Suppose the key is 64 bits
  - Then there are 2^64 keys
  - Choose the key at random...
  - ...then the attacker must try about 2^63 keys
- Passwords
  - Suppose passwords are 8 characters long, drawn from 256 different characters
  - Then there are 256^8 = 2^64 pwds
  - But users do not select passwords at random
  - So the attacker has far fewer than 2^63 pwds to try (dictionary attack)
- Bad passwords
  - frank
  - Fido
  - Password
  - incorrect
  - Pikachu
  - 102560
  - AustinStamp
- Good passwords?
  - jfIej,43j-EmmL+y
  - 09864376537263
  - P0kem0N
  - FSa7Yago
  - 0nceuP0nAt1m8
  - PokeGCTall150
Password Experiment
- Three groups of users; each group advised to select passwords as follows
  - Group A: at least 6 chars, 1 non-letter
  - Group B: password based on a passphrase
  - Group C: 8 random characters
- Results
  - Group A: about 30% of pwds easy to crack
  - Group B: about 10% cracked
    - Passwords easy to remember
  - Group C: about 10% cracked
winner
Password Experiment
- User compliance hard to achieve
  - In each case, one third did not comply
  - And about one third of those were easy to crack!
- Assigned passwords sometimes best
- If passwords are not assigned, the best advice is...
  - Choose passwords based on a passphrase
  - Use a pwd cracking tool to test for weak pwds
  - Require periodic password changes?
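As an added example (not part of the slides), this script ties the "Keys vs Passwords" arithmetic to the "use a pwd cracking tool" advice: it computes the attacker's expected work for a random 64-bit key, a random 8-character password over 256 symbols, and a dictionary attack, then runs the slide's sample passwords through a constructed toy wordlist and rule set to show which ones a dictionary attack reaches. The wordlist, the leet-speak map and the rule names are assumptions made for the illustration.

```python
import math

KEY_BITS = 64                 # key size from the slide
PWD_LEN, ALPHABET = 8, 256    # password length and symbol count from the slide

def expected_tries(space_size):
    """Expected guesses for a secret drawn uniformly from the space: about half of it."""
    return space_size // 2

def log2_space(space_size):
    """Size of a search space in bits, for comparing keys with passwords."""
    return math.log2(space_size)

def work_comparison(dictionary_size):
    """Attacker work for a random key, a random password, and a dictionary attack."""
    return {
        "key_tries": expected_tries(2 ** KEY_BITS),               # 2^63
        "random_pwd_tries": expected_tries(ALPHABET ** PWD_LEN),  # 256^8 / 2 = 2^63
        "dictionary_tries": expected_tries(dictionary_size),      # far fewer
    }

# Constructed toy wordlist and leet-speak map standing in for a cracker's rule set.
WORDLIST = {"frank", "fido", "password", "incorrect", "pikachu",
            "pokemon", "austin", "stamp"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "@": "a", "$": "s"})

def dictionary_guess_class(pwd):
    """Name the rule a dictionary attack would hit pwd with, or None if it survives."""
    w = pwd.lower()
    if w in WORDLIST:
        return "plain word"
    if w.rstrip("0123456789") in WORDLIST:
        return "word+digits"
    if w.translate(LEET) in WORDLIST:
        return "leet word"
    if w.isdigit():
        return "all digits"
    if any(w == a + b for a in WORDLIST for b in WORDLIST):
        return "two words"
    return None  # outside this toy rule set; a real cracker has far more rules

def audit(pwds):
    """Map each candidate password to the rule that cracks it (None = survived)."""
    return {p: dictionary_guess_class(p) for p in pwds}

if __name__ == "__main__":
    print(work_comparison(10 ** 6))
    print(audit(["frank", "Pikachu", "102560", "AustinStamp", "P0kem0N", "FSa7Yago"]))
```

Passwords the toy rules miss (such as PokeGCTall150) are not thereby strong; the point is that the human-chosen ones fall to a few cheap rules while the random ones do not.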