Multiple Password Interference in text Passwords and click based Graphical Passwords by Sonia Chiasson, Alain Forget, Elizabeth Stobert, PC van Oorschot.

Presentation transcript:

Multiple Password Interference in text Passwords and click based Graphical Passwords
by Sonia Chiasson, Alain Forget, Elizabeth Stobert, PC van Oorschot and Robert Biddle
Presented by: Payas Gupta

Motivation
We know that people generally have difficulty remembering multiple passwords.
The study compares recall of multiple text passwords with recall of multiple click-based graphical passwords.
– Short term
– Long term

What is it about?
– No algorithm, no technique.
– It is only a user study.
– But it carries a message about how to present such results in a nice way.

PassPoints
– 5 click-points, entered in the same order
– Tolerance accepted around each click-point
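One way a verifier can accept a tolerance around each click-point while storing only a hash is centered discretization. The sketch below is an added example, not code from the slides or the study; the 9-pixel tolerance, the PBKDF2 parameters and the function names are assumptions.

```python
import hashlib
import hmac
import os

R = 9  # assumed tolerance in pixels: a click within [x-R, x+R) is accepted

def _cells(points, offsets):
    # Map each click to the index of the 2R-wide segment it falls in, per axis.
    return [((x - dx) // (2 * R), (y - dy) // (2 * R))
            for (x, y), (dx, dy) in zip(points, offsets)]

def _digest(points, offsets, salt):
    # The ordered list of cells is hashed, so click order matters.
    material = repr(_cells(points, offsets)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

def enroll(points, salt=None):
    """Store per-point grid offsets in clear plus a salted hash of the cells."""
    salt = salt or os.urandom(16)
    # The offset shifts the grid so the enrolled click sits at its cell's centre.
    offsets = [((x - R) % (2 * R), (y - R) % (2 * R)) for x, y in points]
    return {"salt": salt, "offsets": offsets,
            "digest": _digest(points, offsets, salt)}

def verify(record, attempt):
    """Accept only the right number of clicks, in order, each within tolerance."""
    if len(attempt) != len(record["offsets"]):
        return False
    candidate = _digest(attempt, record["offsets"], record["salt"])
    return hmac.compare_digest(candidate, record["digest"])

if __name__ == "__main__":
    # Constructed click-points, not data from the study.
    password = [(100, 50), (200, 120), (310, 90), (40, 210), (150, 160)]
    record = enroll(password)
    print(verify(record, [(x + 5, y - 3) for x, y in password]))   # within tolerance
    print(verify(record, [(x + 12, y) for x, y in password]))      # outside tolerance
```
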

Hotspots
Hotspots enable dictionary attacks on graphical passwords:
– They are areas of the image that have a higher probability of being selected by users.

Study Details
Hypothesis
– Click-based graphical passwords would be easier for users to recall than text passwords when users had multiple passwords to remember.
– Less interference from multiple unique graphical passwords than multiple unique text passwords.

Specific hypotheses
– Participants will have lower recall success rates with text passwords than with PassPoints passwords.
– Participants in the Text condition are more likely than PassPoints participants to use patterns across their own passwords.
– Participants will recall text passwords more slowly than PassPoints passwords.
– Participants in the Text condition are more likely than PassPoints participants to create passwords that are directly related to their corresponding accounts.
– Participants in the Text condition will make more recall errors than participants in the PassPoints condition.

Demographics
– 65 participants: 26 males and 39 females
– Participants were primarily university students from various degree programs.
– None were experts in computer security.

Methodology
– 65 participants in session 1
– Second session after two weeks: 26 participants

Session 1
Create
Confirm
Answer Questions
– Perceived difficulty of creating
Perform Distraction Task
– Mental rotation test
Login
– Retry as many times as needed to get it correct

Results
– A chi-square test was used to compare non-ordered categorical data (comparing login/failure ratios).
– Success rate: the number of successful password entry attempts divided by the total number of attempts, across all participants.

Recall 1
First attempt
– Text passwords: 68%
– PassPoints: 95%
Participants could try recalling their password as many times as they wished, until they either succeeded or gave up. Participants in the Text condition reached an 88% success rate with multiple recall attempts, compared to 99% for PassPoints participants.

Recall 2
Two weeks after creating their passwords, only 70% of Text participants and 57% of PassPoints participants were able to successfully recall their passwords.
Male participants had higher accuracy with PassPoints.
– This result aligns with psychology research.
– Males tend to perform better in visual tasks and females in linguistic tasks.

Recall Errors

Success rate for male and female Recall 2

Timings
Recall-1
– Participants were quicker at entering PassPoints passwords, which aligns with the fact that participants made fewer errors in the PassPoints condition (when participants repeatedly entered the passwords).
Recall-2
– No significant difference

Use of Mnemonics
23 out of 34 (68%) participants in the Text condition used the account as a cue for at least one of their passwords.
– Some passwords were directly linked with the account name.
– “instantmsg” for the instant messenger
– “lovelove” for the online dating account
– 40% of text passwords were related to their account.
– Males were more likely to create passwords that were directly related to their accounts.

For text conditions
Recall 1
– Participants classified as having used account-related text passwords had a 96% success rate for Recall-1, while those who did not had an 83% recall success rate.
Recall 2
– Those classified as having created account-related passwords had a 71% success rate for Recall-2, while those who did not had a 69% success rate.

Text Password Patterns
71 out of 204 passwords (35%) were obviously related to other passwords created by the same user.
– “ins901333” for the instant messenger account and “lib901333” for the library account
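The two kinds of pattern reported above (passwords tied to the account name, and passwords sharing material across one user's accounts) can be screened for when passwords are created. This is an added example, not part of the presentation; the thresholds and function names are assumptions, and the sample passwords are the ones quoted on the slides.

```python
from itertools import combinations

def longest_common_substring(a, b):
    """Longest run of characters shared by a and b (case-insensitive)."""
    a, b = a.lower(), b.lower()
    best, prev = "", [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > len(best):
                    best = a[i - cur[j]:i]
        prev = cur
    return best

def related_pairs(passwords, min_len=4):
    """passwords maps account -> password; return pairs sharing >= min_len chars."""
    flagged = []
    for (acc1, pw1), (acc2, pw2) in combinations(passwords.items(), 2):
        shared = longest_common_substring(pw1, pw2)
        if len(shared) >= min_len:          # min_len is an assumed threshold
            flagged.append((acc1, acc2, shared))
    return flagged

def account_related(account, password, min_len=3):
    """True when the password contains the first min_len letters of an account word."""
    pw = password.lower()
    return any(len(word) >= min_len and word[:min_len] in pw
               for word in account.lower().split())

if __name__ == "__main__":
    # Passwords quoted on the slides, grouped here as one constructed user.
    user = {"instant messenger": "ins901333",
            "library": "lib901333",
            "online dating": "lovelove"}
    print(related_pairs(user))
    for account, password in user.items():
        print(account, account_related(account, password))
```

String matching of this kind does not catch a purely semantic link such as “lovelove” for a dating account.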

PassPoints Patterns
The earlier study found that in PassPoints, participants were likely to select click-points in simple patterns such as a straight line or C-shape.

Comparison PPLab and MPP

The study found no statistical difference between the patterns found in the current study (where participants had to create and remember multiple passwords) and the earlier PassPoints lab study (where participants had to remember only one password at a time).
Two participants had 4 out of 6 passwords following a “Z” pattern.

Text Password Dictionary Attack
– Passwords were first tested using the free dictionary of 4 million entries.
– This was followed by a second attack using a larger dictionary of 40 million entries purchased from the John the Ripper web site.
– The smaller dictionary cracked 9.8%.
– The larger dictionary cracked 15.2%.

Examples of passwords that were not cracked by John the Ripper include: “msnhotmail” for an password, “instantmsg” for an instant messenger account, and “inlibrary” for a library account. In an earlier study of text passwords [16], 9.5% (18 out of 190) of passwords were cracked using John the Ripper with the same 4 million entry dictionary and 18.9% (36 out of 190) of passwords with the larger dictionary.

PassPoints hotspot formation
To evaluate PassPoints passwords for predictability, we compared the distribution of click-points in the current study to those of an earlier PassPoints study on the same images [6].
– Wanted to see whether there was increased clustering of click-points across participants.

The J-function measures the level of clustering of points within a dataset.
– 32 PassPoints participants for each image in this study (160 click-points per image).
– The earlier PassPoints datasets [6] contained between 155 and 220 click-points per image.
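An added example, not from the presentation, of how the J-function can be estimated for a set of click-points: J(r) = (1 - G(r)) / (1 - F(r)), where values below 1 indicate clustering (hotspots) and values above 1 indicate regular spacing. The image size, the radius, the lack of edge correction and both sample point sets are constructed assumptions.

```python
import math
import random

WIDTH, HEIGHT = 451, 331   # assumed image size in pixels

def _nearest(p, pts, skip=None):
    """Distance from p to the closest point in pts, ignoring index skip."""
    return min(math.dist(p, q) for k, q in enumerate(pts) if k != skip)

def j_function(points, r, grid=40):
    """Uncorrected estimate of J(r) = (1 - G(r)) / (1 - F(r))."""
    # G(r): share of click-points that have another click-point within r.
    g = sum(_nearest(p, points, k) <= r
            for k, p in enumerate(points)) / len(points)
    # F(r): share of evenly spaced image locations with a click-point within r.
    locs = [((i + 0.5) * WIDTH / grid, (j + 0.5) * HEIGHT / grid)
            for i in range(grid) for j in range(grid)]
    f = sum(_nearest(c, points) <= r for c in locs) / len(locs)
    # J is undefined once every location is covered.
    return None if f >= 1.0 else (1 - g) / (1 - f)

def clustered_sample(seed=1):
    """Constructed data: 160 clicks packed around 5 hotspots."""
    rng = random.Random(seed)
    hotspots = [(80, 60), (220, 150), (370, 90), (120, 260), (400, 280)]
    return [(rng.gauss(cx, 4), rng.gauss(cy, 4))
            for cx, cy in hotspots for _ in range(32)]

def regular_sample():
    """Constructed data: 160 clicks on an evenly spaced 16 x 10 lattice."""
    return [(14 + 28 * i, 16 + 33 * j) for i in range(16) for j in range(10)]

if __name__ == "__main__":
    print("clustered:", j_function(clustered_sample(), r=9))
    print("regular:  ", j_function(regular_sample(), r=9))
```
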

J-stat

Validation of hypothesis
Participants will have lower recall success rates with text passwords than with PassPoints passwords.
– Hypothesis partially supported.
Participants in the Text condition are more likely than PassPoints participants to use patterns across their passwords.
– Hypothesis partially supported.
Participants will recall text passwords more slowly than PassPoints passwords.
– Hypothesis partially supported.

Participants in the Text condition are more likely than PassPoints participants to create passwords that are directly related to their corresponding accounts.
– Hypothesis supported.
Participants in the Text condition will make more recall errors than participants in the PassPoints condition.
– Hypothesis supported.

Not a mirror image of real life
– Users are unlikely to create 6 passwords one at a time.
– No one in our study wrote down their password, although users often tend to do so.
– However, examining the issue of multiple password interference in a controlled laboratory setting is an important step in understanding the effects of increased memory load and the coping behaviours exhibited by users.