PW - Pushing on String: Adventures in the 'Don't Care' Regions of Password Strength - Cormac Herley

[Applause]

I told some other people here earlier that you know back in no way at least you know uh threatening people it's not a nice thing to do you actually go to jail just from threatening people but you know giving promises on the other hand and something else and I my previous employee I used to tell people that you know I I don't really like fiscal violence at all so I you know instead I can give you a practical demonstration of how to delete somebody somebody's social security number ask things something and most people actually really understood what was saying by that so well no more no more stor now from this is K from Microsoft research and I

have before I leave the stage com I have something that is to me personally very important to do because this is call M ad M research and I'm just going to do it like

this no pressure com that no pressure but this guy have done so many excellent papers academic papers you know like research papers on passwords and security usability I'm really looking forward to this talk so by that my thank you for that introduction also you forgot to mention a legendary blues guitarist and voted 2015 sexiest man alive so you're just to you're just going to mix stuff up you might as well make up more interesting stuff um anyway thank you thank you very much um so pushing on string um adventures in don't care regions of of of password strength and um so password strength I mean we pursue it endlessly we talk about it a lot we reason about it a lot we do all

sorts of stuff to to pursue it and yet we never seem to get there we always have these you know those endless series of stories about how badly uh users choose passwords all of our efforts including password meters and awareness campaigns and tips and you know it seems a problem that is largely kind of resistant resistance to to our effort why what is what is what is fundamentally you know wrong here why are we not getting what we want and so why do we want strength what what what what is it that that we want well what we really want I think is not strength itself what we want is to deny access to bad guys and those sound like

they're exactly the same thing but and often they are but sometimes they're not and that that that's what I want to pursue here and I think they're they're not the same thing a lot um more often than you might imagine so why do we want strength how much strength do we need the answer to that question always seems to be more more more but I think you know that that that's based on sort of imprecise thinking and if you kind of make your assumptions and desires and goals a little more explicit we can we can actually figure out what can we accomplish and what can we not accomplish and and not be in this endless Death March that we where we

never seem to to reach our goal and does more strength always help with our goal as I said you know we don't really want strength we want to deny access to bad guys does more strength always help deny access on the answer to that question I think is no even when you know even when it's just guessing attacks we're talking about there are the there circumstances and they're very common where it's a guessing attack you're worried about and you can be increasing the strength of passwords chosen by your user population and it has absolutely no effect on the outcomes that your experience that sounds a little counterintuitive but I think it's actually um actually at the

heart of why why much of um um you know things go wrong with our attempts to improve user user behavior um so first of all we're going to talk about strength I mean how do we measure the strength of a p a single password well before I mean many of this audience probably doesn't need to be told it but you know for crying out loud I mean let's stop using this entropy thing this you know length times log two of the um the the size of the character set um it's a kind of a crude proxy that people you know used at at some point but here just to demonstrate how bad how bad it

is this is a subset of um of passwords chosen from the rocku distribution and what I'm graphing is this entropy measure on one side and how common the passwords on the other and if if the entropy were a good measure of how easy something is to guess then this would be monotonically decreasing it would be monotonically going down from left to right you can see that it's not even approximately doing that it's not even it's not even closed there are lots of things over here so this is going to help this is the most common password this is you know occurring something like um you know more or less a million times in the in the Rocky data set so

that's ABCD ESG or something like that and here all the way down here are a bunch of things that occur that occur on the once and what's going on here is there are lots of things that are you know pretty good passwords because they occur only once they're very very uncommon and they have you know um entropy that goes from very very high to actually things that are extremely low but conversely there are also things that um that have what is considered high high entropy but are actually really bad passwords because they're really common so here is basically these are lots of this this entropy measure is giving us lots of weak passwords that it

considers strong and lots of you know what a really good strong Pastor is that it considers weak it's just doing a a really rotten job of of what we want so so what what you know I think you know the community has kind of you know converged on the last couple of years is using one or other of these um guess number measures which is to say you know how many guesses does it take to get to a particular password based on something like John Ripper or based on um you know Bono measure or something like that there are several different out there and you know there's arguments to be made for and against um each of them but

you know the worst of them is def far better than the best of the the the the crude ENT measures um so so that's how how do you measure the strength of a password but suppose I'm suppose I'm an administrator and I'm administering um a a site or an Enterprise uh an Enterprise Network and I've got a population of you know if it's Microsoft it's like 100 100,000 um employees and you know and obviously a far number greater number of consumers use consumer platforms but I don't want to protect a password I want to protect a distribution of password it's a population so well so what do I want now and well the The Reflex answer

as always is well more more more I want everyone to choose very very I want everyone to choose you know 4y character ROM passwords well good luck with that you're not going to get it you know if if the tricks we had around user awareness and tips and slogans and password me if they were going to work they would have worked by now well you know that ain't getting us where where we thought we need to um let's figure out if where we thought we needed to go that is to have everybody with super strong passwords whether we actually need that and and if there's something less than that that will suffice how do we actually get

there so the administrator task is essentially say you know defending not a single password but um but but the whole population and so the question is not you know how do you you know how do I come up with tips to choose super strong passwords the question is given a population of what are going to be user chosen not machine Chosen and assign password of giv a population of user chosen passwords how do I how do I best use the effort and energy of my user population to get to something that I can defend and it's not again you know I don't want to use an abstract measure of strength around the distribution my goal

essentially you know is best worded you know in English first rather than mathematics which is I want to Den the bad guy access to my my my network if I'm defending the Microsoft network against guessing attacks I want to keep bad guys guessing their wi there are other vectors where they can get in but if that's what I want in the password distribution I want to so so it's worth considering you know when I look at this you know this is kind of a you know log 10 of number of guesses using something you know like and this is the fraction of um accounts that are compromised you know as you get more and more guesses to John Ripper or

something like that um you know eventually everything falls you know but you know some of them fall very early and it's worth it's worth asking considering the question of well suppose I have some kind of an awareness campaign and everybody improves their password a little well is is that really what I want you know because the ones out here are really not really much of a threat at all and there seems to be a lot of threat here if I can if I can pour my effort into different places where do I want to pour it to get get the maximum effect how do I focus the energy rather than having a scattershot approach which maybe gets everybody to

improve a lot but doesn't that my goal remember is not to get everybody to improve a lot my goal is not to increase fractionally this kind of platonic good password strength that we're talking about my goal is to deny bad guys access to my network that is my goal and and I am successful in so far as I succeed and improve that and I am unsuccessful in in so far as I do anything else no matter no matter what kind of mathematic rationalization I have for whatever proxy I'm using so so how much strength do I need to do that to to to keep the bad guys off my network to deny them access well from from um in particular

from guessing attacks well there're two very very different types of guessing taxs one is you know roughly speaking online and offline and online roughly speaking is computed on on my heart the guy is sending guesses and my server is doing the checking and the tools I have against that are things like lock up rate limiting and and forensics and you know um IP you know black black listing and stuff like that and then there's offline where generally speaking when it's against a web server or something like that um it kind of means that the guy got in and stole my hash password file hopefully hat password file and then his Computing on his Computing on

on his Hardware um and he's limited only by his Hardware or not necessarily his Hardware whatever number of virtual machines he can steal from azure or or or or Amazon or or or or anywhere else um he's limited only by Hardware but he needs to steal he needs to steal the hash U the hash password file so just before you know deep diving into that um you know it's it's important um but and but it can never be stressed enough I think that there there's a lot of places where strength has absolutely no influence I mean it it has identically zero The Good Bad and the Ugly all fall at the same time independently of

whether the password was ABCD FG or was something you know um 40 characters long and it's commoner than than any of us perhaps want to really admit um you know when you've got a database breach and passwords are stored plain text well it doesn't really matter you know I it always sort of I feel like I'm taking crazy pills when people look at a data breach of something that was stored plain text and they say look how stupid the passwords the users were choosing I said well no I think the stupid people in that distribution were the ones who had the long 40 character passwords because they wasted effort when the real threat when the real threat was that it

was St playing Texas and it was all going to it was all going to bre given that it wasn't properly protected you might as well you might as well um spare your effort so so I drew this little decision tree of you know when is offline offline is clearly clearly a much more serious threat in terms of the number of the number of gesses that somebody can can can can showy against you so here's a kind of just a little decision tree of showing when is offline when is offline guessing the factor first of all so here's your password file up here you know minding its own business sitting happily on your server and you know there's two possible cases

it either leaks or it does not leak well if it doesn't leak there's no offline attack and you know and that's a really good place to be and you want to make a lot of effort to make sure that your password file does not leak if it does leak then it either you either detect that fact or you do not detect that fact if if you detect it's not trivial by any means but um you know a good uh I mean every service essentially needs to have a backup plan to in order to do a reset me you know reset credentials across the um across the service if you detect that um um that it's happening so so if it

leaks and the leak goes undetected now we have it comes down to how is the do stored if it's plain text well you know then no no no guessing is needed the guy just has the password so we're off off the races um I mean he just has just read them off if it's hashed and unsalted um rainbow tables pretty much give you most it's not as bad as PL Tex but it's it's fairly close I think it was the LinkedIn distribution was stored hashed but not salted and you know 80% or so were broken in a matter in a matter of days if it's salted and hashed then that's what we you know we talk

about where cracking and offline guessing you know is really a factor the last option reversibly encrypted which people tend to talk not not talk about you know so much but again there are two options the key Either leaks or it does not leak and if the key leaks well it's kind of back to plain text again right the guy just decrypts and you know we're off the races if the key doesn't leak well now he's guessing against you know he really doesn't have that much better an attack than than doing online so effectively if you draw this tree the only real path that you're that you ought to be worried about I mean where where um offline guessing as a factor is

where things were correctly stored salted and hash if you did anything else there's really there's really not an offline or in other words the strength that you were trying to call from your user population to um to resist offline guessing is IM material if you don't end up in this particular in this particular um box or in other words in particular when if you're storing your passwords plain text or reversibly encrypted then steps to go beyond the strength that is necessary to resist an online attack are are simply unjustifiable right there's really not a scenario where there's going to be an offline attack and trying to um um asking your user population to do anything that that goes beyond

resisting an online attack is is just theater it's it's it's really not there is not an attack scenario in which that in additional strength makes makes a difference and this is commoner you know than than I think people think that here's a here's a list of you know some of the recent um the recent uh password breaches and rocku of course was famously uh planex encrypted uh TI was a Chinese uh company similar size 35 million um and if you look down to the list I mean in only TR these in Gawker and Evernote were things hashed and salted so that offline guessing Beyond rain rainbow tables was actually both necessary and possible in other words in

most of the breaches that we've seen you know all this talk about cracking and resisting offline not a factor not a factor at all there was a simpler there was a simpler attack that yielded the passwords just in plain text without resorting to any of this John the Ripper stuff and if we're going to store things that way then you know it's it's sort of indefensible to ask or and and unnecessary and wasteful to ask use of population to to choose uh things to protect against an attack that that has no possibility of actually happening anyway so so that's when things are when there's strength has absolutely no influence because well you just stored it the wrong way and

strength never had a had a an option to come into play but in addition when guessing really is the vector and um and there is um and things have been stored correctly strength doesn't always have the more more more uh you know more is always good um effect that that I think we've fallen into um into thinking and so how many guesses if we're talking about um you know our proxy for password goodness as as as guest assists how many guesses does a password need to withstand in order to be saved well it depends what kind of attack are you talking about and here are roughly the numbers and I I'll I'll justify um that you know there's online and

there's offline and then there's kind of breath first where somebody's just going against the population and then their depth first where they really want you and the numbers that that that I um that I think are online breath first you need to be able to withand about 10 to the four that is 10,000 guests depth first that is somebody's going against you you probably need beic stand up to 10 to six that is a million offline breath first you need to be able to withstand about 10 to the 14 and offline dep course you need to be able to withstand about 10 to 20 or something like that and here are examples examples of the kind of

passwords that will you know withstand those see you know 10 to four four-digit pin pretty much will you know is is what you need um and not the absolutely enormous difference between online and offline to be safe from an online you know if you can with understand 10 to the six guesses your password is probably going to be good enough to withstand online guessing you know feasible online guessing attack against a well-maintained wellmaintained server for offline you need to withstand it looks like on the order of a minimum of 10 to 14 gases that's an eight order of magnitude an eight order of magnitude difference now it's easy only talk about crypto kind of like orders of magnitude

get slung around but you know eight orders of magnitude is a lot eight orders of magnitude just to kind of like give you an analogy it's about the difference between the size of pe's head and the planet Earth I mean that's eight orders of magnitude it's it's it's it's big um um um so the reasoning just quickly the the reasoning that um that that took me that took me to this is so so I'm assuming so I'm assuming to this for the offline case that it saled and hash correctly that the hash has not been iterated and I'm going to talk about H hash iteration a little bit um later and it's basically a four-month

campaign in each of these online um and offline breath first and death first I'm talking about somebody who's putting four months worth of the most effort they can into getting into getting one of um these accounts so online break first you can get to 10 before um um where you know this was sort of assuming you know that your user population has one legitimate login per day and a 5% fail rate and if he's going to send 10 to the four against everyone against every single um one of your users then he's he's sending on the order of 177,000 more fail events than the rest of your user population combined which is something that you know ought to be

detectable in your log files not to be you know thought to be remediable through ITP blacklisting and and stuff like that I don't rather to drill too far down on that but it's it's it's doable online debt first 10 to the six well um you know this is addressable through lockout and rate limiting there's no reason why a a well-maintained server should allow a million fails consecutively with different with different distinct p passwords against you know single accountant the offline breath first is where you know this is you know the numbers get a little wooler because he's running on his hardware and we don't actually know how much Hardware he has but let's assume that he's got something

like a th000 gpus which he borrowed or rented or stole from you know um an online uh provider each of them doing 10 to the 10 um guesses per second which I think is what you know gpus is you know currently moriz doing and he and he sends this guest volume against 10 to six accounts for um for four months and offline is is the same as that the same Hardware but he sends it against 10 accounts for four months he's got a certain guest budget he just flings you know what you can do in um um so so those where I get those numbers 10 to 10 to the 4 10 6 10 14 10 to 21 um now

here's the thing when there's no gain in exceeding the online threshold when you fall fall short of the offline one that is just to say remember I said that for online and the online kind of here's your risk of being being guessed if your password will withstand you know um you know here's log 10 of the number of passwords this this will here will withand 10 to the four uh 10 to four guesses you know if you'll only withstand you know no guesses well you risk of being guessed by an online guy is Extreme but as you withand more and more guesses it gets better and better and better and by the time you get to 10

to the six or so you're kind of good against the online guy now the the red line here is well what do you need to stand up to an offline guy well you know what you know he can send you know it doesn't even start to get interesting until we get to something like 10 to 14 and then it kind of drops in by 10 to the 20 or 10 to 21 you're probably more or less safe in between between 10 to 6 and 10 to 14 what happens well nothing happens right nothing happens that is to say suppose you've got a password here that will withstand 10 to 12 guesses well no prices for trying right you will

withstand uh an online guessing attack but so would one at 10 to the six guesses you will not withstand an offline guessing attack there are no prices whatsoever for jumping over the first hurdle but failing to get to the second hurdle and remember I said those hurdles are are eight orders of magnitude par so if the first hurdle is let me not use P head as an analogy anymore you know if the first hurdle is 6 in um I don't know what that is in meters but six in off the ground the next one 10 uh uh 8 or of magnitude is 10,000 mil so in other words you could two hardles one is you got to jump

6 in the other one is 10,000 mil now suppose you really train yourself and instead of jumping 6 in you manage to jump one mile well what do good for you you accomplish nothing right you've got to go all the way to 10,000 miles or you get no return whatsoever on your effort assuming you know the um and you know we'll revisit these numbers and how how hard the um um the the the 10 to the six and 10 be U um sure uh first of all they all a report in the room now please do stories explaining the difference between online and offline haard attacks because there are almost none of those stories out in the media it's very

important to get it out people don't know they don't understand difference between online and offline attacks so do those stories second for you uh it's more like no this is to me this is you know statistical entropy of T right in a couple of weeks now there will be lots of people out there in large and small organizations using September 2015 or September 15 as the password with of course but the capital less right at the start Y and in September 2015 is actually a long password but still you know we can absolutely I think we can agree is a bad password in a couple of weeks from now yeah no and and you know kind of

pursuing the proxy goal of some strength measure that you rationalize yourself into believe in um you know accomplishes something but doesn't accomplish the actual goal which is denying denying the bad guy access right that's that's that is a fatal flaw when we kind of when we have a a proxy for what we actually want which diverges from delivering as what we actually want yeah because with this audience uh discussing pass strength trust me is an ongoing discussion right right right and if there are any reporters in the room don't if you're going to write about online off also mentioned a bit about you know per bowing down before me in the start don't don't forget

that anyway so so the numbers I put in but here basically you know here's a graph of you know log 10 of the number of guesses that a password will withstand and here's you know so remembering again for as an administrator I'm not a password I'm interested in my distribution of password I'm interested in my in my I apologize to the people at the back who are standing and can't read the the lines at the bottom um but here is you know here's a distribution of passwords and you know they fall you know um with a with certain number of gesses but let's call t0 the number of G the minimum number of gesses to be um um to

be safe or the maximum number of guesses that an online uh guessing attack might give me and T1 to be the the the the minimum to be Sav from from an offline gu in between here I just said this dead zone where increasing strength just gets to be nothing if you're going to once you get just Epsilon Beyond here if you're going to improve your password from that point um you need to to get all the way all the way to the other side or you get nothing in return you need to you need to get all all the way across there um okay so that's that's one what I would call you know input to

the to the dead zone where there's just you're increasing strength you're getting you know you ask your population to increase strength you're getting what you asked for but you're not getting what you wanted and the gap between what you asked for and what you want is very very very very important but there's more um what you call the the compromise saturation point so here's let's do a thought experiment suppose I'm an administrator and I'm administering you know a corporate network of 100,000 100,000 employees or so if an attacker has 20% of my credentials he's got 20% of passers I'm like 20% own or am I fully own you're fully own I mean for example the RSA breach is started as a fishing

attack and two small groups of employees none of whom were particularly high profile or high value were basically fish starting from on the order of it seems like half a dozen credentials they were able to you know compromise you know the keys of and RSA is is my guess would be above average in terms of you know sensitivity to to NSA got comprehensively beaten by you know one you know particular you know one one one person with one ACC access to and there's been a bunch of things on on sort of snowball attacks within corporate networks where once you get one set of credentials it it snowballs out rapidly it rapidly to others or or

look at another way I mean I mean if an attacker already has n of my credentials how much more does he get by getting one more now when he's got one you's got zero credentials one is really good now he's got something he's in now he's got two he's got more he's got three well get that somewhat better when you get to say let's say 100 when I've got 100 passwords how much more does the 101st get me well it's kind of diminishing right once I have my beach head the set of things to which I denied access on the network starts to shrink very rapidly or look at it from the other end of the spectrum and say here let's say

there's an organization of 100,000 people and I've got all but one of the passwords on the network what what what resources on this network tonight nothing absolutely nothing right if I've got 50% of them same thing you have you know essentially either all the boxes or the administrator of all the boxes you can work your way side this you can get every so yes yes but gaining access ACC to the account of of Bill Gates is like that is the one big thing so absolutely but but you know but if you no but but if you say if you get access to you know you know there're two parties let's say to every email so without having access

to Bill Gates's email you'll get to see all of the emails that you know from the other parties right you know you it's so the claim the claim essentially is that the additional gain decreases steadily with the number of credentials that you've got now getting a beached you your gain you know decreases decreases decreases like am doll's law app the passwords it's whose law am doll's law am doll's yeah incremental gain of adding an additional from one two d add incremental gain is less I mean it's certainly it certainly um his his his um his game saturates I think quite quickly and I think I'm not ready to put a precise a precise kind of you know

mathematical formula on it but I think I think it's reasonable to say that the fraction of resources controlled by the attacker or the or one minus the set of stuff that is denied to him um you know increases very rapidly so here is here is you know the fraction of credentials that he has between Z and one here he controls everything and so nothing is denied to him here he hasn't anything yet but once he gets his beat shed things get up very very very very rapidly you know so and and it well if it's monotonically decreasing it's necessarily you know much much much faster than linear and it's some point it's actur at some point I don't know

whether it's 100 whether it's 1% or 2% or 5% or 10% but I'm going to call I'm going to assume it has this kind of a shap to it and we can argue you know we can argue when we will I'm sure about you know um where the knee of the curve is but I'm going to call alphasat I'm going to call that the point of which his control effectively saturates you know where adding additional credentials doesn't really I already have 100 credentials 101 isn't going to get me more that I that I don't already have that's that's the the essential and so this is going to be clearly very different across organizations you know

RSA got you know comprehensively um um you know owned by you know a fairly small number of credentials um but you know it's going to be very different for a website you know than let's say you know an Enterprise Network and here I'm I'm chiefly interested in Enterprise networks but I think by the time someone has 10% of your credential I think it's fair to say you're pretty much own there's not many things that he wants access to that are password enabled that are now denied to him so once he's got 10% he's kind of he's kind of got as much as he's going to get from from the password um from from the password part okay well let's think

through the implications of that shall we so remember before we had this thing and I said well I show you this there was a Chasm t0 T1 and there was this online offline chm where increasing strength had absolutely no influence on outcomes well now in addition there's another axis here this is log 10 of the number of guests of password will will um survive and this is the fraction of credentials compromised that are already compromised by an attacker well and let's say here you know it's you know this is 10% 20% 30% 40% 50% and so on well if he effectively if you know if alha sat is let's say here it's on this line I'm showing it at 15% then and

everything above this he's not really denied anything anymore you know that's also part of the Dead Zone that's also a place where increasing password strength gets you absolutely nothing it costs you but it gets you nothing it gets you nothing in the sense that there is no attack scenario where it improves outcomes there's no attack scenario where it does remember what it was we were trying to do on the first life deny access the attacker we're not trying to increase some some platonic notion of strength we're trying to we're trying to deprise an attacker access to resources that he seeks and once he's exceeded this Alpha sat point we no longer have that he pretty much has got everything

that he wants so here what I'm saying is t0 is the maximum number of guesses to be safe from um um uh online T1 is the minimum number of guesses to be saved from an offline attack and off theat is the point at which you know the attacker attacker control of whatever it is he can get from passwords effectively saturates and these blue regions here these are just don't care regions where you can do whatever you want your password distribution in this space you can you know make it go you know up down or sideways it does not influence outcomes this is just a dead zone where strength is just is just not is not uh

is not influencing is not influencing um anything so to put that in um um um in some kind of you know bullet points um there's no security Improvement for increasing the strength between t0 and T1 that's you know the gap between the online the online and the offline casm but also once Alpha sat is reached once you has that number of credentials additional strength denies the attacker nothing it costs you but it denies him nothing and and here's the key one the password distribution if you know if you believe this if you believe my analysis and we couldn't argue about it but if you believe my analysis then the password distribution must be below alphasat at T1 it must be below the

point where a haacker control actuates at the point where um you can you can be somewhat sure of withstanding an offline guessing attack it it must or or why or you've wasted all of the effort that you invested above and beyond withstanding an online attack so remember an online attack we were talking about like six-digit pins you can have you can have your your user population jumping through hoop for you that you know having 20 digit random or you can have 50% of your population choosing random 20 character 40 character truly cryptographically strong things and still have an outcome that is no better than if none of them had exceeded um the online um um an online guessing attack

so so let me let me just kind of um yeah don't care region um so here I mean the the the don't care region it's just the same uh the same graph as before but what I wanted to call out here is look I've could of you know drawn on here a couple of you know um speculative uh curves and generally we said you know these curves are this is the fraction of credentials from a a a pass population that falls with a certain number of you know um log 10 of guests here here's my t0 it's the online that's the the offline and here's Alpha sa and generally we say well you know strength is good guessing resistance is

good which means that you know the lore a curve is here the be uh the the the the smaller the fraction of credentials that will be um uh compromised at a certain Guess level so here look for example at the green curve and the blue curve well the green curve here seems to be far better than the blue curve in the sense that you know let's say you know way out here it's there's an enormous difference between the fraction of credentials that are um that are compromis at this point but you know what it doesn't matter you get absolutely nothing to that additional gain because at T1 here this is the point where you know until you get to

here you know you're basically going to be toasted by an offline and a well resourced offline guessing attack well an offline guessing attack on the green curve he going to get about 22% of your credentials and on the blue curve he's going to get about 44% of your credentials doesn't make any difference right you know when you're owned your own when you're when you're cooked to that degree whether it was 22% or 44% so another words from and and and and I've drawn these so that you know they're kind of the same up as far as the the online the online threshold so from a security point of view from the outcome point of view the green curve here and

the blue curve have the same have the same security outcomes just they don't cost the same this one costs your costs your user population far less this one costs you know here all of this additional effort which is put in by people by some of your people at the at the end of the distribution choosing super strong passwords gets you nothing it's kind of like the business of you know teaching the bear to dance you know the dancing isn't very good and it's just annoying the the bear basically um so um okay so are we happy with this I mean this is this is unsatisfactory what what what can we do about this so there

were a bunch of you know what what are the very what what what do we control what do we want and what do we control what do we we want I mean I think the same thing that I said on the first slide we want to deny the bad guy access to our stuff and if I'm an administrator I want to deny the bad guy access to not my stuff the stuff on the network what do I control what what are the knobs that I can turn in order to try to get that well the things I introduced here there was t0 T1 Alpha and then there's the password distribution itself and so how can I go about how can I go about um

um I do apologize to the people of the back here it's kind of hard to see the um um but so alphasat is the is the um the the the point at which attack or control effectively saturates well that's kind of a property of the network and you know that is really addressed through you know normal Network hygiene things like lease privilege access compartmentalization it's not really something that's under the control of you know the authentication or or or pass I mean you shouldn't have you know any if you set up a network where every user has roof access on every machine that is really really bad right if you have a network where people um only have

the privilege that they actually need that is better somehow things always manage to creep and no one says hey I don't need that admin access anymore but it's you know that that's addressed to the normal kind of policy stuff t0 this is remember again this is the um the maximum number of guesses to be somewhat you know to be safe from online guessing attacks well that is addressable um largely through things like throttling um um you know that is pulling this number back making sure that an online guesser instead of being able to send you 10 to the six guesses as as I said you know maybe only 10 to the three three or 10 to the four is

addressable through good frockling techniques so that it's hard for somebody to send a million gases against in anyone of your accounts what about um T1 well T1 is you remember that is the um the minimum number of guesses to be uh to be somewhat safe against um a well resourced offline attacker um and I don't really control its resources but one assumption I did make in there was I said um um I said salted hashed but not iterated one thing we can do there which does pull this back is is is Hash iteration talk about that you know in just a second and then the final thing we can do is improve user chosen passwords you know so basically what I

can do is I can try to push Alpha set up but that's a network thing and very hard to control I can do throttling here to try to pull this in I can do hash iteration to try to pull at T1 theet and then I can try to control the password distribution using you know the usual mix of awareness campaigns and and and whatever else what whatever else we did just look briefly at hat itation to um to to decrease uh T1 I mean so I said you know I I I came up with this number of 10 to the 14 that I thought was reasonable for a well resourced um um attacker assuming no iteration on a 4mon

um campaign if I iterate the hash 10x I reduce T1 by 10x in other words I took it from your Hash a factor of 10 you reduce it from 10 to 14 down to 10 to 13 which is a good deal which is a very good deal now can we iterate until let's say you know I can pull that all the way down to 10 to 6 or so so that you know I kind of more or less close that Gap that's actually I I I think uh hard particularly for um um so if you look at you know um there has to be a maximum amount of time that you will take before before

servicing a guas and for large web services where you're running and you've got hundreds of millions of people authenticating against you at any given time if you assume a maximum 10 millisecond delay that you're willing to put into the the hash iteration um and so and you take you know th gpus can do um just using this 10 milliseconds they could do 10 to the 12 guesses in the four month campaign that we were talking about so if you've got a guy with that kind of resources even if you you know you set the a Max 10 milliseconds if he throws all of that against 100 accounts he's still able to he's still able to do

10 to the 10 guesses right so it's pulling it all the way down to 10 to the six or so is not really feasible you can pull it down from 10 14 but you know a a fairly conservative estimate says 10 10 is probably about as low as you can go using iteration alone which is one of the reasons why I think the the stuff that Jeff was talking about you know this morning with argon argon yes and and you know and memory memory um sensitive things that consume not just CPU are so interesting but it's hard you know given what we currently have to go much lower than 10 to to get to 10 to 10

and I think numbers like 10 to the 11 or 10 to the 12 or higher are are are are far more realistic and it only gets worse because gpus you know generally get get get better um not wors so finally so that was okay remember alphasat can't to much about that t0 that's an online offline T1 hash itation seems like a really good deal okay um and then finally improve the the password distribution and so what tools do we have to alter the password distribution well those the usual mix education campaigns and pass leers Blacklist blah blah blah so remember what do we want right mean said the don't care region told me that the

distribution must be below alphasat atg1 and changes to the distribution in the don't care region just don't don't improve outcomes don't improve outcomes at all the problem when we try to influence um outcomes I mean influence password distribution stuff is that the tools that we have are largely indirect and unfocused in other words they're indirect because I mean I'm the administrator and I've got 100,000 users and I say users please do this and here's tips and here's blah blah blah blah blah and but they choose the passwords not me right and I can I can you know sing and dance all I want but they choose passwords and we've seen that they're largely resistant to you

know and they show great Ingenuity in circumventing things that we thought were fullprof and getting them to choose stronger they are unfocused in that well remember I mean the don't care region I mean there's big areas where yeah improving strength here doesn't matter and like if Alpha sa is 10 is is 0.1 meaning the guy sat an attacker saturates when he's get 10% of my network well suppose I I have some genius scheme that gets all of my population to increase their um their uh passord strength margin well 90% of that was just wasted straight away because 90% of your population lies above Al Alpha sa by definition everything you do 90% of your effort is just poured down

or down the drain in other words you can't focus the energy where you want it which is on the particular cases that are causing your most problem which is the particular cases of um where the attacker has easiest time of gaining access with the fewest with the fewest gesses or fewest resources so how do we achieve this this need I me you so education and stuff like that I think is right two tools can stand out as as um um blacklisting is for online guessing in particular it is direct and it is focused right I mean by blacklisting I mean you know um no I'm sorry the top 1,000 or 10,000 uh passwords from The

Rock distribution are just banned unilaterally sorry you can't choose Snoopy as your password sorry if that's a problem it is Direct in the sense that it just forbids directly the harmful action itself and it is focused in that it inconveniences only the people who need to be inconvenience the only people that you're hurting are the people who well these are the very ones I that need to be told to change and nobody else every body who's fine is left alone um blacklisting I mean I think for protection against online guessing are it's almost criminal not to do it I think it's essentially it is one of the biggest bangs for B to have a a a banned

password list of you know at least the top several hundred and I don't see good reasons not to run it out to to a couple of thousand it's good for you know especially against say bre first um breath bir online online guest composition policy in contrast to Black listing which is direct and focused composition policies are indirect and unfocused um that is to say they don't really um directly address the behavior that you want and they're not focused they're targeted at the whole population even when by definition if Al sat is is is 10% 90% of your your population is is not your problem um so and in addition um pass composition policies are they're not even close to getting us

what we actually need I mean if they have many sins and people hate them but if they we're delivering what we want of them then many sins can be forgiven remember he said the distribution must lie below alphasat at one so there have been a bunch of you know mean you know I mean awesome papers out of out out of CM on all these kind of questions um but if you take I mean the alphasat that I've been using is let's say you know 10% where the guy effectively um has all you you're no longer denying him much access to to him and T1 I don't know 10 to 10 10 to 11 10 to 12 something like that in

a study of CMU passwords and these were actual passwords from the CMU you know Network um which were had minimum length eight 3x4 characters Etc um 48% of them were guessed at 10 to 14 so you know this policy if if T1 is 10 14 is just no it's not really getting you there at all the the the um the additional effort that everybody put in above and beyond necessary to survive online guessing was entirely wasted 22% at 10 to the 11 so unless you believe that you know Alpha saac is significantly lower than 22% or T1 is significantly lower than 10 to 11 this isn't even close it's not even close to um that policy isn't even close

to getting us anywhere there was another paper I mean also by by our friends at CMU um which looked at a bunch of you know um alternative policies across the mechanical C population but again things um the best the best of those which was a length 16 password thing had you know 12% of them you know fell at at 10 to the 11 guesses it's somewhat better but it's it's it's it's 16 characters long and it's still it's still not really what you could describe as being safe if you think alphasat is you know 10% or below and many of the policies they tried had you know 30 or 50% gas at um at 10 to be 11 um so

against using user effort to defend against offline I mean I I think that there's a very strong case to be made you know what do you do against online guessing I think you use you use uh ban password lists to ban the top couple of hundred or top couple of thousand you monitor you know your service you use IP black and you use things like that um what do you use and and lock out policies um what do you use against offline to protect the population of users to make sure that an attacker never gets above Alpha at well let me know if you figure it out because I I I don't know of a way of doing it um the

case against using user effort to defend against offline is that we don't know how to do it we we don't none of the okay I'm almost s um we don't know how to do it once you exceed the online threshold but fall short of the offline threshold you're you're you're wasting enormous amounts of effort the task gets harder every year as you know gpus kind of follow um um um and you know none of the policies that we know actually you know if we think we have policies that are giving us resistance to offline guessing we are simply deluding ourselves we are simply diluting ourselves and we are not we are not really accomplishing anything above

and beyond resistance to um um to online conclusions blacklists for online slow slow hashes um you know to the limit of like your um you know the delay tolerable to your user population and very exciting you know developments in the space of not just interest the attes but using you know using other resources also that are that are hard to parallelize um prevent the file from leaking and detect it when it does I mean um composition policies I mean maybe one of the poorest Returns on effort you know in the whole in the whole um in the whole Space um anyway okay I'm done thank you very much I'll take questions if

we okay uh first of all uh very fundamental flaw in the entire presentation tracking more passwords doesn't give the attack or anything that's wrong I crack passwords and for each new one you know my heart is flooding with pressure so that's fundamental you have to change that in your presentation you you don't you don't noce know these people questions and there are probably lots of them there will be a speaker and participant dinner ear later today and Las Vegas there's nothing else to do here but to talk about passwords so after that dinner reception my suggestion is of course to meet up at the restaurant somewh at your hotel and discuss more about this stuff but okay

so far away Billy first very quick uh just to make sure I understand the math correctly for a password manager considering the case of master password uh think about offline attack scario am I correct assuming that alphastat is zero yeah I think alphastat is a property of of a a population of users and for yeah sure I understand well that means that I do understand how works with the population thank you so you mentioned that slow hashes and iterations are a good defense does that mean that really instead of concentrating on users we should concentrate on marketers and make the pages load faster by reducing some of the tags and ads and so on so we can use

some of that delay for iteration instead of marke tell us how you really feel I mean I I I think that the uh the the the the contribution of slow hashing to page load delay is probably very minor like you know 10 milliseconds is not is you know below the pressure what net you know would be noticeable to to users uh you know I think if you go to a 100 or or or a th milliseconds that's going to be noticeable but I think I I I chose 10 milliseconds more to the point of you know if you've got um you know large web services that have on the order of hundreds of millions of users

you they're getting pounded all the time and you have to handle you know many many But but so you know I I think the off the off is handed off a completely different set of servers from um so there's no reason not to tweak the the delay the to 10 or slightly higher and yeah you cut down marting

I'll just so very much like the approach Enterprise password management and and the sitation concept is very interesting but I think it assumes that passwords or account are born equal to some extent this is not the case in Enterprise Network we have privileged accounts and we have non privileged accounts for priv account one compromise will be sufficient to compromise the entire network for non privileged account you can compromise 40% of them and still not be able to do whatever you want in theet so the question is should we perhaps deoy or employ different uh strategies for privileged versus non privileged account really not care about the complexity of the non-privileged account passwort but care very much regarding

the compens of the privileged ones maybe in the in the optimal case manag them AA system but at least employ a very very high level of complexity on them that will affect yeah I mean absolutely I mean you know the you know the the the importance of of credentials across across an uh an Enterprise you know V varies enormously and this sort of says you know one is getting them at random I think um it is if you're if you're you're trying to break in if you're trying to break in someone trying to break into to say Microsoft doesn't try to crack you know Sakia Saka nadel's you know um password I think what they try to do is

is get close and then work sideways once they're in the the this is um it's a simplified model and yes um you know some things should be protected far more carefully than others but even if you have a set of things that the admin starts and the the CFO and all of that um uh it's it's difficult to firewall that you know so that you know having stuff that's close doesn't allow you to work your way sideway and still get to it that was the last what we have time for we have a changeover uh to R da from uh coic uh this is also going to be a great talk I'm sure I'm sure so uh um

you know stand up and sit down again uh and they get started in three three minutes