Strengthening Password-based Authentication

Slides:



Advertisements
Similar presentations
ONE STOP THE TOTAL SERVICE SOLUTION FOR REMOTE DEVICE MANAGMENT.
Advertisements

Research and Innovation Participant Portal How to register for an ECAS account NEXT.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Clickjacking Attacks and Defenses.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005.
Web Browser Privacy and Security Part I. Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong
The OWASP Foundation OWASP Chennai Phishing.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Course 201 – Administration, Content Inspection and SSL VPN
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Working with Workgroups and Domains
Reports Pro Visual User Group Nov 21 st 2007.
STAY SAFE ONLINE. STAY SAFE ONLINE! PLEASE MAKE SURE YOU LOGIN AT THE CORRECT BANK URL / ADDRESS 1.NEVER LOGIN VIA LINKS 2.NEVER REVEAL YOUR PIN.
Session 11: Security with ASP.NET
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
CIS 375—Web App Dev II Microsoft’s.NET. 2 Introduction to.NET Steve Ballmer (January 2000): Steve Ballmer "Delivering an Internet-based platform of Next.
© 2010 Cisco and/or its affiliates. All rights reserved. 1 (Early) Web Security Mind The Gap Mary Ellen Zurko (aka Mez)
© 2010 Cisco and/or its affiliates. All rights reserved. 1 Web Security Fear, Surprise, and Ruthless Efficiency Mary Ellen Zurko.
Adam Soph, Alexandra Smith, Landon Peterson. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details.
Advanced Accounting Information Systems Day 27 Financial Reporting in an Electronic Environment October 28, 2009.
The Battle Against Phishing: Dynamic Security Skins Rachna Dhamija and J.D. Tygar U.C. Berkeley.
“Stronger” Web Authentication: A Security Review Cory Scott.
Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.
Grid Chemistry System Architecture Overview Akylbek Zhumabayev.
Accessing Extras Portal February 9, Finding Link to Extras Portal -The Extras Portal is accessed via the Expedient Extranet -Via the “Manage Extras”
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
GOAL User Interactive Web Interface Update Pages by Club Officers Two Level of Authentication.
Case Study.  Client needed to build data collection agents for various mobile platform  This needs to be integrated with the existing J2ee server 
BeamAuth : Two-Factor Web Authentication with a Bookmark 14 th ACM Conference on Computer and Communications Security Ben Adida Presenter : SJ Park.
A Quick Insight Paper about phishing attacks based on usability study Users required to classify websites as fraudulent/legitimate using security tools.
Saphe surfing! 1 SAPHE Secure Anti-Phishing Environment Presented by Uri Sternfeld.
Accessing Evitech network via FTP by Susan Jansson.
WebFTS File Transfer Web Interface for FTS3 Andrea Manzi On behalf of the FTS team Workshop on Cloud Services for File Synchronisation and Sharing.
An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks Collin Jackson et. all Presented by Roy Ford.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
Web-based Front End for Kraken Jing Ai Jingfei Kong Yinghua Hu.
Configuring and Deploying Web Applications Lesson 7.
Module 7: Designing Security for Accounts and Services.
+ CIW LESSON 4 Web Browsers. + Basic Functions of Web Browsers Provide a way for users to access and navigate Web pages Display Web pages properly Provide.
ONLINE DETECTION AND PREVENTION PHISHING ATTACKS
IT Security Awareness Day October 19, 2016
New Capabilities of the Web Enabled User Interfaces
Broward Single Sign-On (SSO) Launchpad
Web Applications Security Cryptography 1
Private Facebook Chat Chris Robison, Scott Ruoti, Tim van der Horst, Kent Seamons Internet Security Research Lab Computer Science Department Brigham Young.
Select Survey Invitations
Simple Authentication for the Web
Active Server Pages Computer Science 40S.
Basics and Navigation Module 2.
Standard Metrics and Scenarios for Usable Authentication
Conveying Trust Serge Egelman.
Phishing, what you should know
Phishing is a form of social engineering that attempts to steal sensitive information.
Bomgar Remote support software
NFX Q-Port on-boarding guide
Thor: The Hybrid Online Repository
A few tricks to take you beyond the basics
Teaching you NOT to fall for Phish
Access eJournals Form Your Home
SharePoint services Provides team collaboration through SharePoint Sites and makes it easy for communities to work together on documents, tasks, contacts,
Chromebook Carts Kamiak High School.
IT Office hours – 1 Data Sharing 101
INTERNET SECURITY.
Getting Started With LastPass Enterprise
Presentation transcript:

Strengthening Password-based Authentication Scott Ruoti Jeff Andersen Kent Seamons Brigham Young University

Problems with Passwords Servers have access to password plaintext Users trust that servers salt+hash before storage Many servers are vulnerable to password theft POOR SECURITY AT THE SERVER Web pages have access to password plaintext Phishers impersonate legitimate site Credentials immediately vulnerable VULNERABILITY TO PHISHING Password re-use compounds both problems

Strong Password Protocols What can be done? Strong Password Protocols Safe Password Entry

Strong Password Protocols HTML+JS HTTPS Remote Server Client Password Field HTML+JS HTTPS Remote Server Password “Handshake” Password Handshake

Safe Password Entry Spoof-resilient password-entry interfaces Interfaces that indicate they are privileged Position on screen OS features SiteKey

Dynamic Security Skins, Dhamija [2005] Over 500 citations Strong password protocol Visual hashes provide site authentication SiteKey

Our Ideas Site Authentication Safe Password Entry Browser chrome Operating system prompt Site Authentication Browser detects handshake failure

Next Steps Build our systems Design a user study Test them No good methodologies

Improving User Studies Present Methodology Proposed Methodology Too short Occurs in a lab Participants are primed Lab-assigned credentials Long-term “Take-home” Deception Personal credentials

Preliminary Study Design Assign user to one safe password entry tool Playtesting a new game suite Access via BYU Single Sign-On Daily testing, over 10-day period Game links delivered over email On day 7, users are phished for their SSO password Work Needed Introduce safe password entry without priming for security Ensure study is safe for participants

Points of Discussion Where should safe password entry be implemented? Browser window, browser chrome, or operating system How can safe password entry effectiveness be accurately evaluated? Ensuring both deception and safety for users

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.