Naturally Rehearsing Passwords Jeremiah Blocki ASIACRYPT 2013 Manuel Blum Anupam Datta.


Memory Experiment 1. Person: Alan Turing. Action: kissing. Object: piranha.

Memory Experiment 2. Person: Bill Gates. Action: swallowing. Object: bike.

Password Management Scheme. Competing goals: security vs. usability.

A Challenging Problem. Traditional security advice:
- Not too short
- Use a mix of lower/upper case letters
- Change your passwords every 90 days
- Use numbers and letters
- Don't use words/names
- Use special symbols
- Don't write it down
- Don't reuse passwords

Outline: Introduction and Experiments; Example Password Management Schemes; Quantifying Usability; Quantifying Security; Our Password Management Scheme.

Example Password Management Schemes. Pick four random words w1, w2, w3, w4.
Scheme 1: Reuse Password (the same four words for every account)
  Amazon: w1 w2 w3 w4
  Ebay:   w1 w2 w3 w4
Scheme 2: Strong Random Independent (a fresh set of random words per account)
  Amazon: w1 w2 w3 w4
  Ebay:   x1 x2 x3 x4

Questions. How can we evaluate password management strategies? Quantify usability; quantify security. Can we design password management schemes that balance security and usability considerations?

Outline: Introduction and Experiments; Example Password Management Schemes; Quantifying Usability (Human Memory, Rehearsal Requirement, Visitation Schedule); Quantifying Security; Our Password Management Scheme.

Human Memory is Semantic. Memorize: nbccbsabc. Memorize: tkqizrlwp. The first string is 3 chunks (nbc, cbs, abc), the second is 9 chunks! Usability goal: minimize the number of chunks. Source: The magical number seven, plus or minus two [Miller, 1956].

Human Memory is Associative. [figure]

Cues. A cue is the context in which a memory is stored: the surrounding environment, sounds, visual surroundings, the web site, .... As time passes we forget some of this context.

Human Memory is Lossy. Rehearse or forget! How much work does that take? We quantify usability through a Rehearsal Assumption. [figure: p_amazon, p_google, ????]

Quantifying Usability. Human memory is lossy: rehearse or forget! How much work does this take? Two ingredients: rehearsal assumptions, and the visitation schedule (frequently visited accounts get natural rehearsal).

Rehearsal Requirement. Expanding Rehearsal Assumption: the user maintains a cue-association pair by rehearsing it during each interval [s_i, s_{i+1}]. Visiting Amazon on a given day is a natural rehearsal of the Amazon password, but not of the Google password. X_t: number of extra rehearsals needed to maintain all passwords for t days.

Rehearsal Requirement. X_t: extra rehearsals needed to maintain all passwords for t days. In the figure's example schedule: Reuse Password, X_8 = 0; Independent Passwords, X_8 = 2.
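The following is an added example of how X_t is counted for a scheme; it is not code from the paper. It instantiates the Expanding Rehearsal Assumption with rehearsal deadlines s_i = 2^i days for i >= 1 (an assumption; the slides do not give the constant), charges one extra rehearsal for every interval [s_i, s_{i+1}) inside the first t days in which a cue got no natural rehearsal, and treats a login to any account that uses a cue as a natural rehearsal of that cue. The schemes and visit schedules are constructed for illustration and generalize the slide's two-account picture to shared cues.

```python
"""Counting extra rehearsals X_t under the Expanding Rehearsal Assumption.

Assumptions (not from the slides): s_i = 2**i days for i >= 1, so the
rehearsal intervals are [2,4), [4,8), [8,16), ...; a cue is rehearsed
naturally on every day on which any account using it is visited.
"""
from typing import Dict, Iterable, List, Set

Scheme = Dict[str, Set[str]]        # account -> set of cues its password is built from
Visits = Dict[str, Iterable[int]]   # account -> days (1-based) on which it is visited


def expanding_intervals(t: int) -> List[range]:
    """Half-open day intervals [s_i, s_{i+1}) with s_i = 2**i that end by day t."""
    intervals: List[range] = []
    i = 1
    while 2 ** (i + 1) <= t + 1:
        intervals.append(range(2 ** i, 2 ** (i + 1)))
        i += 1
    return intervals


def natural_rehearsal_days(scheme: Scheme, visits: Visits, t: int) -> Dict[str, Set[int]]:
    """Days on which each cue is rehearsed for free, i.e. by logging in somewhere."""
    days: Dict[str, Set[int]] = {cue: set() for cues in scheme.values() for cue in cues}
    for account, cues in scheme.items():
        visited = {d for d in visits.get(account, ()) if 1 <= d <= t}
        for cue in cues:
            days[cue] |= visited
    return days


def extra_rehearsals(scheme: Scheme, visits: Visits, t: int) -> int:
    """X_t: number of (cue, interval) pairs in which the cue was not rehearsed naturally."""
    days = natural_rehearsal_days(scheme, visits, t)
    intervals = expanding_intervals(t)
    return sum(
        1
        for cue_days in days.values()
        for interval in intervals
        if not any(d in cue_days for d in interval)
    )


def every(k: int, t: int) -> range:
    """Deterministic stand-in for a visitation schedule: every k-th day up to day t."""
    return range(k, t + 1, k)


# Constructed schemes: one shared cue (reuse), one cue per account (independent),
# and a small shared-cues scheme where each account uses two of three cues.
REUSE: Scheme = {"amazon": {"w"}, "google": {"w"}, "bank": {"w"}}
INDEPENDENT: Scheme = {"amazon": {"w"}, "google": {"x"}, "bank": {"y"}}
SHARED: Scheme = {"amazon": {"a", "b"}, "google": {"b", "c"}, "bank": {"c", "a"}}


def yearly_visits() -> Visits:
    """Constructed schedule: Amazon daily, Google weekly, the bank monthly."""
    return {"amazon": every(1, 365), "google": every(7, 365), "bank": every(31, 365)}


if __name__ == "__main__":
    for name, scheme in [("reuse", REUSE), ("independent", INDEPENDENT), ("shared", SHARED)]:
        print(f"{name:12s} X_365 = {extra_rehearsals(scheme, yearly_visits(), 365)}")
```

With these assumptions the slide's two-account case comes out as X_8 = 0 for reuse and X_8 = 2 for independent passwords (the never-visited Google cue misses both intervals [2,4) and [4,8)). Over a year, every cue that is only rehearsed by a rarely visited account costs extra rehearsals in the early, short intervals, which is exactly what sharing a cue with a frequently visited account avoids.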

Visitation Schedule. [figure: visit times t_1, t_2, ...]

Visitation Schedule. Visits to each account are modeled as a Poisson process with parameter λ. Number of accounts visited with each frequency:
  λ = 1 (daily) | λ = 1/3 (biweekly) | λ = 1/7 (weekly) | λ = 1/31 (monthly) | λ = 1/365 (annual)
  Active: 10 | [not recovered] | [not recovered] | [not recovered] | 35
  Typical, Occasional, Infrequent: [values not recovered]
[figure: example visit days for Amazon and Google]

Usability Results. E[X_365]: expected number of extra rehearsals needed to maintain all passwords over the first year, for Active, Typical, Occasional and Infrequent users under Reuse Strong and Strong Random Independent. [table values not recovered] Verdict: Reuse Strong is usable; Strong Random Independent is unusable.

Outline: Introduction and Experiments; Example Password Management Schemes; Quantifying Usability; Quantifying Security (Background, Philosophy, Security Definition: Password Guessing Game); Our Password Management Scheme.

Security (what could go wrong?). Three types of attacks: online, offline, phishing.

Online Attack. The attacker submits password guesses to the live service. Guess limit: a k-strikes policy, so only a handful of guesses per account are possible before it locks.

Offline Dictionary Attack. The server stores, for username jblocki, a salt and a salted hash: SHA1(pwd ‖ 89d978034a3f6) = 85e23cfe0021f584e3db87aa72630a9a2345c062. An attacker who steals this record can test guesses offline, with no k-strikes limit; the salt only forces him to attack each user separately.
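As an added illustration (not code from the paper), the offline attack above in miniature: a dictionary is run against a salted SHA-1 hash in the slide's format, SHA1(password ‖ salt), and then against a deliberately slow hash (PBKDF2-HMAC-SHA256 here, standing in for the BCRYPT the later slides assume). The target password, dictionary and the budget q are constructed; the salt value is the one on the slide, but the slide's hash belongs to an unknown password and is not used as a target.

```python
"""Offline dictionary attack against salted hashes (constructed example)."""
import hashlib
import hmac
import time
from typing import Callable, List, Optional, Tuple

HashFn = Callable[[str, str], str]


def sha1_salted(password: str, salt: str) -> str:
    """The slide's scheme: one cheap SHA-1 per guess."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def pbkdf2_salted(password: str, salt: str, rounds: int = 20_000) -> str:
    """A slow, salted scheme; stands in for BCRYPT (rounds chosen for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds).hex()


def dictionary_attack(target: str, salt: str, dictionary: List[str],
                      hash_fn: HashFn, q: int) -> Tuple[Optional[str], int]:
    """Try dictionary words in order, spending at most q guesses.

    Returns (recovered password or None, guesses spent).  Offline there is no
    k-strikes policy: q is bounded only by the attacker's budget.
    """
    guesses = 0
    for word in dictionary:
        if guesses >= q:
            break
        guesses += 1
        if hmac.compare_digest(hash_fn(word, salt), target):
            return word, guesses
    return None, guesses


def guesses_per_second(hash_fn: HashFn, salt: str, samples: int = 100) -> float:
    """Rough attacker throughput for one hash function on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)
    return samples / (time.perf_counter() - start)


# Constructed inputs
SALT = "89d978034a3f6"          # the salt value shown on the slide
DICTIONARY = ["123456", "password", "qwerty", "letmein",
              "monkey", "password1", "dragon", "iloveyou"]
WEAK = "password1"              # a dictionary password
STRONG = "kissing-piranha-swallowing-bike"   # a story-style password, not in the list


if __name__ == "__main__":
    for label, fn in [("SHA1(pwd||salt)", sha1_salted), ("PBKDF2", pbkdf2_salted)]:
        found, spent = dictionary_attack(fn(WEAK, SALT), SALT, DICTIONARY, fn, q=1_000_000)
        print(f"{label:16s} weak:   recovered={found!r} after {spent} guesses")
        found, spent = dictionary_attack(fn(STRONG, SALT), SALT, DICTIONARY, fn, q=1_000_000)
        print(f"{label:16s} strong: recovered={found!r} after {spent} guesses")
    print(f"SHA1   ~{guesses_per_second(sha1_salted, SALT):,.0f} guesses/s")
    print(f"PBKDF2 ~{guesses_per_second(pbkdf2_salted, SALT, samples=10):,.0f} guesses/s")
```

The slow hash does not change whether a dictionary password falls, only how many guesses the attacker can afford for a fixed budget; that is why the security definition later on the page counts q in dollars rather than in attempts, and why a password that is not in any dictionary is what actually defeats the offline attacker.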

Plaintext Recovery Attack (phishing). A look-alike site such as PayPaul.com tricks the user into typing pwd, handing the attacker the plaintext password.

Snowball Effect. A plaintext password recovered from one site (e.g., via PayPaul.com) is then tried against the user's other accounts. Source: CERT Incident Note IN-98.03: Password Cracking Activity.

Our Security Approach. Dangerous World Assumption:
- It is not enough to defend against existing adversaries
- The adversary can adapt after learning the user's new password management strategy
Provide guarantees even when things go wrong:
- Offline attacks should fail with high probability
- Limit the damage of a successful phishing attack

Password Guessing Game. [figure: the user holds passwords p_1, ..., p_5; the adversary phishes p_5 via PayPaul.com, obtains BCRYPT(p_4) from a breached site, and spends q = $1,000,000 worth of guesses]

Password Guessing Game. The adversary can compromise at most r sites (phishing). The adversary can execute offline attacks against at most h additional sites; resource constraints limit him to at most q guesses. The adversary wins if he can compromise any new site. [figure: pwd, BCRYPT(pwd)]

(q, , m,s,r,h)-Security r = #h = # 29 Offline Attack Accounts Phishing Attack Accounts q = # offline guesses m = # of accounts s = # online guesses

Example: (q, δ, m, 3, 1, 1)-security. [figure: PayPaul.com phishes one account (r = 1); one site's hash is attacked offline with q guesses (h = 1); s = 3 online guesses per account]

Security Results, (q = $1,000,000 worth of guesses, δ, m, s = 3, r, h)-security:
  Scheme | r = 1 | h = 1 | r = 2
  Reuse | No (for every attack listed)
  Strong Random Independent | Yes (for every attack listed)
Reuse: usable but insecure. Strong Random Independent: unusable but secure.

Outline: Introduction and Experiments; Example Password Management Schemes; Quantifying Usability; Quantifying Security; Our Password Management Scheme.

Our Approach. Each password is built from person-action-object stories attached to cues. Public cue (shown at login): the person and scene in the picture, e.g., object: bike. Private (memorized by the user): the action-object pair associated with the cue, e.g., action: kicking, object: penguin.

Login. The password for a site is assembled from its cues by concatenating the first three letters of each action and object: Kic+Pen + Tor+Lio + ... + Kis+pir (kicking penguin, ..., kissing piranha).

Login (a second account). Kic+Pen + ... + Swa+bik (swallowing bike). The cue behind Kic+Pen is shared with the first account, so logging in to either one rehearses it.

Sharing Cues. Usability advantages: fewer stories to remember, and more natural rehearsals, since a shared cue is rehearsed whenever any account that uses it is visited. Security? [figure: visits by day]

(n, l, γ)-Sharing Set Family: a family of m sets S_1, ..., S_m (one per account), each consisting of l cues drawn from a universe of n public cues, such that any two distinct sets share at most γ cues. Reuse is the (n, l, l) case, independent passwords the (n, l, 0) case. [figure]


Security Results, (q = $1,000,000 worth of guesses, δ, m, s = 3, r, h)-security:
  Scheme | r = 1 | h = 1 | r = 2
  (n,4,4)-Sharing [Reuse] | No (for every attack listed)
  (n,4,0)-Sharing [Independent] | Yes (for every attack listed)
  (n,4,1)-Sharing [SC-1] | Yes | Yes | No
  (n,4,3)-Sharing [SC-0] | Yes / No, alternating across the attack columns [cell alignment not recovered]

Sharing Cues. Thm: There is a (43,4,1)-Sharing Set Family of size m = 90, and a (9,4,3)-Sharing Set Family of size 126. Proof? Chinese Remainder Theorem! Notice that 43 = 9 + 10 + 11 + 13, where 9, 10, 11, 13 are pairwise coprime. Account A_i uses the cues {i mod 9, i mod 10, i mod 11, i mod 13}, one from each residue class, 43 cues in total; two accounts i ≠ j below 90 cannot agree modulo two of the moduli, since every pairwise lcm is at least 90.

Chinese Remainder Theorem
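The construction in the theorem, as an added example rather than code from the paper: account i takes the residues of i modulo 9, 10, 11 and 13 as its four cues, and the bound m = 90 is the smallest pairwise lcm of the moduli. For the (9,4,3) family the code assumes the natural construction, all 4-element subsets of 9 cues (the slide does not spell this out). The `exposure` helper is an added analysis of what the sharing parameter buys: after the adversary has learned every story of some compromised accounts (by phishing or a successful offline attack), how many of an uncompromised account's four cues he already knows.

```python
"""(n, l, gamma)-sharing set families via the Chinese Remainder Theorem (added example)."""
from itertools import combinations
from math import gcd
from typing import FrozenSet, Iterable, List, Tuple

Cue = Tuple[int, int]              # (modulus index, residue): residues of different moduli are distinct cues
Family = List[FrozenSet]


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def crt_family(moduli: Iterable[int], m: int) -> Family:
    """Account i (0 <= i < m) uses one cue per modulus: (k, i mod n_k)."""
    mods = list(moduli)
    return [frozenset((k, i % n) for k, n in enumerate(mods)) for i in range(m)]


def crt_capacity(moduli: Iterable[int]) -> int:
    """Largest m for which crt_family has gamma = 1: two indices below
    lcm(n_j, n_k) cannot agree modulo both n_j and n_k."""
    return min(lcm(a, b) for a, b in combinations(list(moduli), 2))


def subsets_family(n: int, l: int) -> Family:
    """All l-subsets of n cues: any two share at most l - 1 cues (assumed construction for (9,4,3))."""
    return [frozenset(c) for c in combinations(range(n), l)]


def max_overlap(family: Family) -> int:
    return max((len(a & b) for a, b in combinations(family, 2)), default=0)


def is_sharing_family(family: Family, n: int, l: int, gamma: int) -> bool:
    """Check the (n, l, gamma) definition directly."""
    universe = set().union(*family)
    return (len(universe) <= n
            and all(len(s) == l for s in family)
            and max_overlap(family) <= gamma)


def exposure(family: Family, compromised: Iterable[int]) -> int:
    """Max number of cues of an uncompromised account whose stories the adversary
    already knows, having learned every cue of the compromised accounts."""
    comp = set(compromised)
    known = set().union(*(family[i] for i in comp)) if comp else set()
    return max((len(s & known) for i, s in enumerate(family) if i not in comp), default=0)


if __name__ == "__main__":
    sc1 = crt_family([9, 10, 11, 13], 90)
    sc0 = subsets_family(9, 4)
    print("SC-1: cues =", len(set().union(*sc1)), "(43,4,1)-sharing:", is_sharing_family(sc1, 43, 4, 1))
    print("SC-1 capacity m =", crt_capacity([9, 10, 11, 13]))
    print("SC-0: size =", len(sc0), "(9,4,3)-sharing:", is_sharing_family(sc0, 9, 4, 3))
    for name, fam in [("SC-1", sc1), ("SC-0", sc0)]:
        print(f"{name}: after 1 compromised account the adversary knows up to "
              f"{exposure(fam, [0])} of 4 cues of some other account; after 2: {exposure(fam, [0, 1])}")
```

The exposure numbers are the whole security story in miniature: with γ = 1 a single phished account leaves the adversary three of four cues short on every other account, while with γ = 3 some other account is only one cue away, which is why SC-0 fails against some of the attack settings in the results table and SC-1 fails only once two accounts have been phished.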

Usability Results. E[X_365]: expected number of extra rehearsals needed to maintain all passwords over the first year. Columns: Reuse, Strong Random Independent, SC-1, SC-0; rows: Active, Typical, Occasional, Infrequent. The Active, Typical and Occasional rows each show 0 extra rehearsals in three of the four columns. [remaining table values not recovered]

Security Results, (q = $1,000,000 worth of guesses, δ, m, s = 3, r, h)-security:
  Scheme | r = 1 | h = 1 | r = 2
  (n,4,4)-Sharing [Reuse] | No (for every attack listed)
  (n,4,0)-Sharing [Independent] | Yes (for every attack listed)
  (n,4,1)-Sharing [SC-1] | Yes | Yes | No
  (n,4,3)-Sharing [SC-0] | Yes / No, alternating across the attack columns [cell alignment not recovered]
Reuse: usable but insecure. Strong Random Independent: unusable but secure. SC-1 and SC-0: usable and secure.

Memory Experiment 1

Memory Experiment 2

Thanks for Listening!

Backup Slides

User Study. Goals: test the validity of the Expanding Rehearsal Assumption; evaluate mnemonic devices and rehearsal schedules. Collaboration with the CyLab Usable Privacy and Security group (CUPS).

User Study Protocol.
- Memorization phase (5 minutes): participants are asked to memorize four randomly selected person-action-object stories.
- Rehearsal phase (90 days): participants are periodically asked to return and rehearse their stories, following the rehearsal schedule.

Password Managers?

Limited Protection