GTAI-Passwords.pptx

PASSWORDS
THE GOOD, BAD, & THE UGLY
SCOTT G. AINSWORTH
FOR GRADUATE TEACHING ASSISTANT INSTITUTE
JANUARY 11, 2012

OVERVIEW
• The problems with Passwords
• A Better Alternative
• Then why do we still have them?
• Run as fast as you can!
• If you must use a password…
Scott G. Ainsworth ・ January 11, 2013 ・ ODU GTAI

THE PROBLEMS WITH PASSWORDS
A Little Recent History
• Jun ’11 Sony 77M
• Jan ’12 Zappos 24M
• Jan ’12 Dropbox “thousands”
• Jun ’12 LinkedIn 6.5M
• Aug ’12 Blizzard millions
• Nov ’12 Twitter millions

42 Trillion Guesses since I started talking
350 Billion Guesses per Second
$250K
25-GPU MONSTER

CLOUDCRACKER.COM

A BETTER ALTERNATIVE
• Two-Factor Authentication
• Something you know
  +
• Something you have

WHY DO WE STILL USE THEM?
• Simply put… It’s about… Money…
• It’s cheaper to react… than to adapt…

RUN AWAY, RUN AWAY!
• For vital services
  • Email
  • Banking
• Demand two-factor authentication
• If they won’t change, leave

IF YOU MUST USE A PASSWORD…
• Good  !HeWf5nlPbuN0C|.avafCn
• Bad   TBoNTBtItQ#0
• Ugly  KateBrian
• Use a password manager
  • Roboform
  • 1Password
  • PassKey

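As an added worked example (not from the deck), here is the arithmetic behind these slides: at the 350 billion guesses per second the 25-GPU slide quotes, how long would a blind brute-force search of the whole keyspace take for the Good, Bad and Ugly passwords above, and why is that figure only an upper bound? The four character-class sizes, the 33-symbol count in particular, are this example's own assumptions.

```python
import math

# Rate quoted on the "25-GPU monster" slide: 350 billion guesses per second.
GUESSES_PER_SECOND = 350e9

# Character-class sizes for a brute-force keyspace model.
# 33 = printable ASCII punctuation plus space; this count is an assumption.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest character-class alphabet that covers the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[c] for c in classes)


def entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming every character was chosen uniformly."""
    return len(password) * math.log2(charset_size(password))


def worst_case_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole keyspace at the given guess rate.

    This bounds a blind brute-force search only. "KateBrian" is two first names
    and "TBoNTBtItQ#0" follows a famous phrase, so wordlist and rule-based
    guessing reaches them long before the keyspace is exhausted; the number
    below overstates their strength, which is the slide's point.
    """
    return charset_size(password) ** len(password) / rate


def guesses_made(seconds: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Guesses the cluster makes while the speaker talks for `seconds`."""
    return seconds * rate


if __name__ == "__main__":
    for label, pw in [("Good", "!HeWf5nlPbuN0C|.avafCn"),
                      ("Bad", "TBoNTBtItQ#0"), ("Ugly", "KateBrian")]:
        years = worst_case_seconds(pw) / SECONDS_PER_YEAR
        print(f"{label:4} {pw:24} {entropy_bits(pw):6.1f} bits  {years:.3g} years")
    # Two minutes of talking at 350 billion/s is the slide's 42 trillion guesses.
    print(f"{guesses_made(120):.3g} guesses in 120 s")
```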
IF YOU MUST USE A PASSWORD…
A really strong password is one that nobody else has ever used.
— Joseph Bonneau

WRAP UP
• The time of passwords is over
• Use two-factor authentication — switch if you have to
• Use a password manager

REFERENCES
• Bonneau, Joseph. “Want to create a really strong password? Don’t ask Google.”
  http://www.lightbluetouchpaper.org/2011/11/08/want-to-create-a-really-strong-passworddont-ask-google/
• Munroe, Randall. “Password Strength.”
  http://xkcd.com/936/
• Gamache, Mark. “NTLM Challenge Response is 100% Broken.”
  http://markgamache.blogspot.com/2013/01/ntlm-challenge-response-is-100-broken.html
• Goodin, Dan. “25-GPU cluster cracks every standard Windows password in <6 hours.”
  http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windowspassword-in-6-hours/
• Honan, Mat. “The New York Times Is Wrong: Strong Passwords Can’t Save Us.”
  http://www.wired.com/gadgetlab/2012/11/why-no-password-is-safe-from-hackers/
• Perlroth, Nicole. “How to Devise Passwords That Drive Hackers Away.”
  http://www.nytimes.com/2012/11/08/technology/personaltech/how-to-devise-passwordsthat-drive-hackers-away.html
• Schneier, Bruce. “Passwords Aren’t Broken, but How We Choose Them Still Is.”
  http://www.schneier.com/essay-246.html