Presentation is loading. Please wait.

Presentation is loading. Please wait.

Strengthening Password-based Authentication

Published byMariah Vivian Tyler Modified over 5 years ago

Similar presentations

Presentation on theme: "Strengthening Password-based Authentication"— Presentation transcript:

1 Strengthening Password-based Authentication
Scott Ruoti Jeff Andersen Kent Seamons Brigham Young University

2

3 Problems with Passwords
Servers have access to password plaintext Users trust that servers salt+hash before storage Many servers are vulnerable to password theft POOR SECURITY AT THE SERVER Web pages have access to password plaintext Phishers impersonate legitimate site Credentials immediately vulnerable VULNERABILITY TO PHISHING Password re-use compounds both problems

4 Strong Password Protocols
What can be done? Strong Password Protocols Safe Password Entry

5 Strong Password Protocols
HTML+JS HTTPS Remote Server Client Password Field HTML+JS HTTPS Remote Server Password “Handshake” Password Handshake

6 Safe Password Entry Spoof-resilient password-entry interfaces
Interfaces that indicate they are privileged Position on screen OS features SiteKey

7 Dynamic Security Skins, Dhamija [2005]
Over 500 citations Strong password protocol Visual hashes provide site authentication SiteKey

8 Our Ideas Site Authentication Safe Password Entry Browser chrome
Operating system prompt Site Authentication Browser detects handshake failure

9 Next Steps Build our systems Design a user study Test them
No good methodologies

10 Improving User Studies
Present Methodology Proposed Methodology Too short Occurs in a lab Participants are primed Lab-assigned credentials Long-term “Take-home” Deception Personal credentials

11 Preliminary Study Design
Assign user to one safe password entry tool Playtesting a new game suite Access via BYU Single Sign-On Daily testing, over 10-day period Game links delivered over On day 7, users are phished for their SSO password Work Needed Introduce safe password entry without priming for security Ensure study is safe for participants

12 Points of Discussion Where should safe password entry be implemented?
Browser window, browser chrome, or operating system How can safe password entry effectiveness be accurately evaluated? Ensuring both deception and safety for users

Download ppt "Strengthening Password-based Authentication"

Similar presentations

ONE STOP THE TOTAL SERVICE SOLUTION FOR REMOTE DEVICE MANAGMENT.

ONE STOP THE TOTAL SERVICE SOLUTION FOR REMOTE DEVICE MANAGMENT.
Research and Innovation Participant Portal How to register for an ECAS account NEXT.

Research and Innovation Participant Portal How to register for an ECAS account NEXT.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Clickjacking Attacks and Defenses.

Clickjacking Attacks and Defenses.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005.

Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005.
Web Browser Privacy and Security Part I. Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong

Web Browser Privacy and Security Part I. Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong
The OWASP Foundation OWASP Chennai 2007 Phishing.

The OWASP Foundation OWASP Chennai Phishing.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Working with Workgroups and Domains

Working with Workgroups and Domains
Reports Pro 2007 2007 Visual User Group Nov 21 st 2007.

Reports Pro Visual User Group Nov 21 st 2007.
STAY SAFE ONLINE. STAY SAFE ONLINE! PLEASE MAKE SURE YOU LOGIN AT THE CORRECT BANK URL / ADDRESS 1.NEVER LOGIN VIA EMAIL LINKS 2.NEVER REVEAL YOUR PIN.

STAY SAFE ONLINE. STAY SAFE ONLINE! PLEASE MAKE SURE YOU LOGIN AT THE CORRECT BANK URL / ADDRESS 1.NEVER LOGIN VIA LINKS 2.NEVER REVEAL YOUR PIN.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation www.telerik.com.

Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
CIS 375—Web App Dev II Microsoft’s.NET. 2 Introduction to.NET Steve Ballmer (January 2000): Steve Ballmer Delivering an Internet-based platform of Next.

CIS 375—Web App Dev II Microsoft’s.NET. 2 Introduction to.NET Steve Ballmer (January 2000): Steve Ballmer "Delivering an Internet-based platform of Next.

Similar presentations

Ads by Google