
1 Usable and Secure Password Management. Jeremiah Blocki, Spring 2012 Theory Lunch

2 Password Management. Competing goals: Security vs. Usability

3 A Challenging Problem. Traditional security advice:
- Not too short
- Use a mix of lower/upper case letters
- Change your passwords every 90 days
- Use numbers and letters
- Don't use words/names
- Use special symbols
- Don't write it down
- Don't reuse passwords

4 Reevaluate Traditional Advice? Source: XKCD 936 [Munroe], http://www.xkcd.com/936/

5 Experiment #0. Memorize a random 10 character password (case sensitive!): L[IbCGa_ND

6 Experiment #1. Word pairs: Chaplin, Newspapers (plural); Cedric, Scanner

7 Experiment #2. March ("Marching" – "ing"); Boats, Brie; Swim (not Michael Phelps)

8 Experiment #2. Kareem, Plunge ("Plunger" – "r"); Seal, Beneath

9 Experiment #3. Cue: Manuel Blum; Action: torturing; Object: lion

10 Experiment #4. Cue: Stephen Rudich; Action: destroying; Object: shark

11 Experiment #3. Darth, Frosty; Frosty, Sox; Darth, Hover ("Hovercraft" – "craft")

12 Experiment #4. March ("Marching" – "ing"); Boats, Brie; Swim (not Michael Phelps)

13 Outline
- Introduction and Experiments
- Memory and Usability: Four Big Factors
- Analyzing Security
- Our Password Management Scheme

14 Factor 1: Chunking. Memorize: nbccbsabc. Memorize: tkqizrlwp. The first is 3 chunks (NBC, CBS, ABC), the second is 9 chunks! Usability goal: minimize the number of chunks in a password. Source: The magical number seven, plus or minus two [Miller, 1956]

15 Chunking. Source: XKCD 936 [Munroe], http://www.xkcd.com/936/

16 Human Memory is Associative?

17 Factor 2: Cue Strength. Cue: the context present when a memory is stored (surrounding environment, sounds, visual surroundings, web site, …). As time passes we forget some of this context.

18 Mathematical Model (Cues). A cue is an index i ∈ {music, desk, password, amazon, …}

19 Mathematical Model (Associative Memory). Two operations on the memory M: add a (cue, association) pair to M; find the memory associated with a given cue in M.

20 Retrieval from Partial Cue (figure: original cue, retrieval cue, cue strength = the fraction of the original cue present at retrieval)

21 Retrieval from Partial Cue (figure)

22 Retrieval from Partial Cue (plot: probability of recall vs. partial cue fraction). Source: Simple memory: a theory for archicortex [Marr, 1971]

23 Factor 3: Interference. One cue, many associations: jblocki, l3tm3in; jblocki, unbr3akabl3; jblocki, Tr0ub4dor&3; jblocki, horsebatterystaplecorrect; …

24 Interference (Example). Impossible to identify which memory is associated with the cue! If the contexts are only "slightly different" there will still be significant interference.

25 Forgetting. What fraction of the original cue is present when the user retrieves the password? Can we ensure that we always have a significant fraction of the original cue? Too many chunks associated with one cue? Interference!
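The associative-memory model of slides 18 to 25, as an added example (not code from the talk): memory M is a list of (cue, association) pairs, a cue is a set of context features, cue strength is the fraction of the original cue still present at retrieval, and retrieval returns every stored association whose cue is strong enough. The feature names, the 1/2 threshold and the sample passwords are assumptions made for the demonstration. It shows the interference of slides 23 and 24 (the same login cue maps to every password) against a site-specific picture cue that stays available even when the site name is forgotten.

```python
from fractions import Fraction

# Toy associative memory (added example; thresholds and feature names are
# illustrative assumptions, not part of the talk).


def store(memory, cue, association):
    """Add the (cue, association) pair to memory M."""
    memory.append((frozenset(cue), association))


def cue_strength(original_cue, retrieval_cue):
    """Fraction of the original cue that is present at retrieval time."""
    if not original_cue:
        return Fraction(0)
    return Fraction(len(original_cue & retrieval_cue), len(original_cue))


def retrieve(memory, retrieval_cue, threshold=Fraction(1, 2)):
    """Return the associations whose original cue is at least `threshold`
    present in the retrieval cue. More than one hit means interference:
    the cue alone cannot tell the user which password was meant."""
    retrieval_cue = frozenset(retrieval_cue)
    return [assoc for cue, assoc in memory
            if cue_strength(cue, retrieval_cue) >= threshold]


def interference_demo():
    """Same login cue for every site vs. a site-specific picture cue."""
    shared = []
    for pwd in ("l3tm3in", "unbr3akabl3", "Tr0ub4dor&3"):
        store(shared, {"username:jblocki", "login-form"}, pwd)
    # The user only has 'jblocki' and a generic login form as the cue:
    # every stored password matches, so retrieval is ambiguous.
    ambiguous = retrieve(shared, {"username:jblocki", "login-form"})

    cued = []
    store(cued, {"username:jblocki", "site:amazon", "picture:lion"}, "l3tm3in")
    store(cued, {"username:jblocki", "site:ebay", "picture:shark"}, "unbr3akabl3")
    store(cued, {"username:jblocki", "site:bank", "picture:seal"}, "Tr0ub4dor&3")
    # The site name was forgotten, but the picture stored next to the login
    # box is always available: 2 of 3 cue features remain, a unique hit.
    unique = retrieve(cued, {"username:jblocki", "picture:shark"})
    return ambiguous, unique


if __name__ == "__main__":
    amb, uni = interference_demo()
    print("shared login cue  ->", amb)
    print("picture cue       ->", uni)
```

Lowering the threshold models further forgetting: with a threshold of 1/3 the single feature "username:jblocki" retrieves all three cued passwords again, which is the interference the scheme later avoids by keeping an externally stored partial cue.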

26 Factor 4: Rehearsal. Rehearsal strengthens associations. Goal: minimize the number of rehearsals necessary to remember passwords. A password may be linked to different contexts (cues).

27 Rehearsal. It helps if part of the context is consistent across all rehearsals/retrievals.

28 Usability Desiderata
- Minimize #chunks per password
- Ensure that a large part of the original cue is always available at retrieval time
- Minimize interference
- Minimize the required number of rehearsals

29 How Do People Pick Passwords? Source: Science of Password Selection (Hunt, 2011)

30 Password Management. Competing goals: Security vs. Usability

31 Competing Goals. Usability: "easy" for the user to create and remember his passwords. Security: "hard" for the adversary to learn passwords, even after many guesses and even after seeing other passwords.

32 Outline
- Introduction and Experiments
- Memory and Usability
- Analyzing Security
- Our Password Management Scheme

33 Security (what could go wrong?). Three types of attacks: Online, Offline, Phishing.

34 Online Attack (figure: the adversary submits guesses 1, 2, 3, 4, … to the live login form). Defense: limit guesses, e.g. a three-strike policy.

35 Offline Dictionary Attack (figure: the adversary holds the stolen hash MD5("UnBr3akabl3") and hashes dictionary guesses until "UnBr3akabl3" matches; no guess limit applies). Source: CERT Incident Note IN-98.03: Password Cracking Activity

36 Malicious Sites/Phishing (figure: the user types pwd into the look-alike site PayPaul.com, which now holds the password). Source: CERT Incident Note IN-98.03: Password Cracking Activity

37 Measuring Security. Past measurements and their weaknesses: password strength meters, entropy, min-entropy. Then our definition of security.

38 Password Strength Meters. Checker input: mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm. It is impossible to know what background knowledge the adversary will have, so a meter that looks only at the string cannot measure security. Our approach: measure the security of the password generator instead. Source: https://www.microsoft.com/security/pc-security/password-checker.aspx

39 Password Generator (G) (figure)

40 Entropy. Bits to encode password x: log2(1/Pr_G[x]). Average number of bits to encode a password drawn from G (Shannon entropy): H(G) = Σ_x Pr_G[x] · log2(1/Pr_G[x]). Intuition: 30 bits of entropy ⇒ average number of guesses ≈ 2^30 (the following slides show why this intuition is unreliable). Source: A mathematical theory of communication (Shannon, 1948)

41 Entropy. Example: (figure)

42 Entropy (Strengths). There are techniques for estimating the entropy of an individual password. Source: Prediction and entropy of printed English (Shannon, 1951)

43 Entropy (Weaknesses). Both password generators have the same entropy, yet one guess breaks one of the schemes half of the time!

44 Entropy (Weaknesses). G_1 has high entropy, but is insecure! (figure)

45 Entropy (Weaknesses). High entropy does not guarantee safety against online, offline or phishing attacks!

46 Min-Entropy. Bits to encode the most likely password: H_min(G) = min_x log2(1/Pr_G[x]) = log2(1/max_x Pr_G[x]), compared with log2(1/Pr_G[x]), the bits to encode an arbitrary password x.

47 Min-Entropy (Strengths) (figure: offline attack, the adversary holds MD5(pwd) and tries horsebatterystaplecorrect; with high min-entropy each guess succeeds with probability at most 2^-H_min)

48 Min-Entropy (Strengths). High minimum entropy, against online, offline and phishing attacks (figure)

49 Min-Entropy (Weaknesses). Unlike regular entropy, min-entropy is hard to estimate.

50 Min-Entropy (Weaknesses). H_min(G_1) = 2n = H_min(G_2), yet the two generators are not equally safe: min-entropy ignores correlations between passwords.

51 Min-Entropy (Weaknesses) (figure: PayPaul.com phishing; x x x)
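The entropy and min-entropy weaknesses of slides 43 to 50, worked through as an added example (not code from the talk). G_1 outputs "password" with probability 1/2 and otherwise a uniform choice from a tail of 2^(2n-2) alternatives; G_2 is uniform over 2^n passwords. The tail size is chosen so that both have Shannon entropy exactly n, yet one guess breaks G_1 half of the time, and G_1 even has the larger average number of guesses, which is why "30 bits ⇒ 2^30 guesses" is not a security statement. The dummy password strings are constructed for the example; the metrics follow the definitions on slides 40 and 46.

```python
import math
from fractions import Fraction

# Added example, not from the talk. A generator is a dict password -> probability;
# probabilities are Fractions so that sums are exact. Dummy names are constructed.


def uniform_generator(bits):
    """G2: a uniformly random password from a pool of 2**bits candidates."""
    n = 2 ** bits
    return {f"u{i:0{bits}b}": Fraction(1, n) for i in range(n)}


def skewed_generator(bits):
    """G1: "password" with probability 1/2, otherwise a uniform choice from
    2**(2*bits - 2) alternatives. The tail size makes the Shannon entropy
    come out to exactly `bits`, the same as G2."""
    n = 2 ** (2 * bits - 2)
    dist = {"password": Fraction(1, 2)}
    for i in range(n):
        dist[f"s{i:0{2 * bits - 2}b}"] = Fraction(1, 2 * n)
    return dist


def bits_to_encode(dist, x):
    """Bits needed to encode password x: log2(1 / Pr[x])."""
    return math.log2(1 / float(dist[x]))


def shannon_entropy(dist):
    """Average bits to encode a password: H(G) = sum_x Pr[x] * log2(1/Pr[x])."""
    return sum(float(p) * bits_to_encode(dist, x) for x, p in dist.items())


def min_entropy(dist):
    """Bits to encode the most likely password: -log2(max_x Pr[x])."""
    return math.log2(1 / float(max(dist.values())))


def success_after_guesses(dist, m):
    """Probability that an adversary who knows G and tries the m most likely
    passwords first finds the user's password (optimal online attack).
    This is never more than m * 2**(-min_entropy)."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:m])


def expected_guesses(dist):
    """Average number of guesses in that optimal order (Massey's guessing
    entropy). It can be *higher* for the weaker generator."""
    ranked = sorted(dist.values(), reverse=True)
    return sum((i + 1) * p for i, p in enumerate(ranked))


def compare(bits=5):
    """Metrics for G1 and G2 side by side."""
    out = {}
    for name, dist in (("G1 skewed", skewed_generator(bits)),
                       ("G2 uniform", uniform_generator(bits))):
        out[name] = {
            "shannon": shannon_entropy(dist),
            "min_entropy": min_entropy(dist),
            "p_one_guess": success_after_guesses(dist, 1),
            "expected_guesses": expected_guesses(dist),
        }
    return out


if __name__ == "__main__":
    for name, metrics in compare().items():
        print(name, {k: float(v) for k, v in metrics.items()})
```

With bits = 5, both generators report 5 bits of Shannon entropy; G_1 has min-entropy 1 and falls to a single guess with probability 1/2, while G_2 has min-entropy 5 and a first-guess success probability of 1/32. Min-entropy captures the single-generator weakness, but, as slide 50 says, it cannot see correlations between the passwords of different sites, which is what the (k,t,M,ε) game below measures.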

52 Our Security Approach. Dangerous World Assumption: it is not enough to defend against existing adversaries, because the adversary can adapt after learning the user's new password management strategy. Provide guarantees even when things go wrong: offline attacks should fail with high probability, and the damage of a successful phishing attack should be limited.

53 The Adversary's Game. The adversary can compromise at most k sites by phishing. The adversary can execute offline attacks against at most t additional sites (figure: pwd, MD5(pwd)). Resource constraints ⇒ at most M guesses. The adversary wins if he can compromise any new site.

54 (k,t,M,ε)-Security. We say that a password management scheme is (k,t,M,ε)-secure if, for any adversary Adv limited to k phishing attacks, t offline attacks and M guesses, Adv wins the game with probability at most ε.

55 Example: (1,1,M,ε)-Security. k = 1 (one phished site, PayPaul.com), t = 1 (one offline attack), and M guesses (figure).

56 Outline
- Introduction and Experiments
- Memory and Usability
- Analyzing Security
- Our Password Management Scheme

57 Review: Usability Desiderata
- Minimize #chunks per password
- Ensure that a large part of the original cue is always available at retrieval time
- Minimize interference
What mnemonic techniques do the memory experts use?

58 Memory Palace. Memory champions like Dominic O'Brien regularly use memory palaces.

59 Memory Palace. Idea: humans have excellent visual/spatial memory. To memorize a list of words, mentally walk through your house and "store" one word in each location; to recall, mentally walk past each location to recover each word. Key point: by associating each word with a familiar location we can always recover part of the original cue. Source: Rhetorica ad Herennium [Cicero?]

60 Memory Palace Interference? Don't reuse the same memory palace very often! Memory champions have hundreds of memory palaces and spend time mentally "clearing" each palace before a competition. Usability: a typical user doesn't have time to prepare hundreds of memory palaces! Source: Moonwalking with Einstein [Foer, 2011]

61 Our Approach. Idea: use pictures as cues instead. You don't have to remember the cue: store it externally! Example cue words: Liquor, Wounded, Sunk

62 Secure Password Management Scheme
  Public Knowledge | Private (Password)
  Amazon           | Random Words (Independently Selected)
  eBay             | Random Words (Independently Selected)
  …                | …

63 Usability. Four chunks per password. Independent cues, which reduces interference. The partial cue (picture) is stored externally and is always available.

64 Security. Password strength: a strong password is 4 random words from a common dictionary, stronger than a truly random ten character password provided the dictionary is large enough. Password independence: independent of the cues, and independent of the other passwords. (k,t,M,ε)-security for large k and t!
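The scheme of slides 62 to 64 and the adversary's game of slides 53 to 55, as an added example that is not the talk's code. A public picture cue is stored per site and the private password is 4 words drawn independently from a dictionary; next to it sits a single reused 4-word password, which has the same per-site min-entropy but perfectly correlated passwords. The game lets the adversary learn the passwords of k phished and t offline-cracked sites and then gives him M guesses at a site he has not seen; the observed win rate estimates ε. The dictionary, site names and the adversary's guessing strategy are assumptions made for illustration, and the seeded RNG is only for a repeatable simulation; real password generation must use the `secrets` module. The strength helpers also quantify the "stronger than a random ten character password" claim of slide 64: with 4 words it holds once the dictionary exceeds about 30,000 words against random 10-character alphanumerics, and about 88,000 words against 10 characters drawn from all 95 printable ASCII characters.

```python
import math
import random

# Added example, not the talk's code. Dictionary, sites and the adversary's
# strategy are constructed for illustration. Use `secrets`, not a seeded RNG,
# for real passwords.

WORDS = [f"word{i:04d}" for i in range(2048)]       # constructed 2048-word dictionary
SITES = ["amazon", "ebay", "bank", "email", "work"]  # constructed site list


def passphrase_bits(n_words, dict_size):
    """Entropy of n_words words chosen independently and uniformly."""
    return n_words * math.log2(dict_size)


def random_string_bits(n_chars, alphabet_size):
    """Entropy of a truly random string of n_chars over the given alphabet."""
    return n_chars * math.log2(alphabet_size)


def words_needed_to_beat(n_chars, alphabet_size, n_words):
    """Smallest dictionary for which n_words random words are at least as
    strong as a random string of n_chars characters."""
    return math.ceil(alphabet_size ** (n_chars / n_words))


def independent_words_scheme(rng, sites, n_words=4):
    """Public: site -> picture cues (stored externally, e.g. beside the login
    box). Private: site -> the words the pictures cue, chosen independently."""
    public, private = {}, {}
    for site in sites:
        words = [rng.choice(WORDS) for _ in range(n_words)]
        public[site] = [f"picture-of-{w}" for w in words]
        private[site] = "".join(words)
    return public, private


def reused_password_scheme(rng, sites):
    """One 4-word password reused on every site: same per-site min-entropy
    as above, but the passwords are perfectly correlated."""
    pwd = "".join(rng.choice(WORDS) for _ in range(4))
    return {site: [] for site in sites}, {site: pwd for site in sites}


def adversary_wins(rng, private, learned_sites, target, m):
    """The adversary already knows the passwords of `learned_sites` (phished
    or cracked offline) and gets m guesses at `target`: the leaked passwords
    and simple site-tagged variants first, then random 4-word guesses."""
    guesses = []
    for site in learned_sites:
        p = private[site]
        guesses += [p, p + target, target + p, p[::-1]]
    while len(guesses) < m:
        guesses.append("".join(rng.choice(WORDS) for _ in range(4)))
    return private[target] in guesses[:m]


def play_game(scheme, rng=None, trials=50, k=1, t=1, m=1000):
    """Estimate eps: the fraction of trials in which an adversary who phished
    k sites and cracked t more offline compromises a site he has not seen."""
    if rng is None:
        rng = random.Random(2012)   # repeatable simulation only
    wins = 0
    for _ in range(trials):
        _public, private = scheme(rng, SITES)
        learned, target = SITES[:k + t], SITES[-1]
        if adversary_wins(rng, private, learned, target, m):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("4 words from 2048:", passphrase_bits(4, 2048), "bits")
    print("random 10 chars, 95 printable:", round(random_string_bits(10, 95), 1), "bits")
    print("dictionary size needed to match:", words_needed_to_beat(10, 95, 4))
    print("eps, independent words:", play_game(independent_words_scheme))
    print("eps, reused password:  ", play_game(reused_password_scheme))
```

For the independent scheme, nothing the adversary learns from the k+t compromised sites helps with the target, so ε is the online-guessing bound M / |dictionary|^4 (about 2^-34 here); for the reused password ε is 1 after the first compromise, which is the correlation that min-entropy alone cannot see.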

65 Experiment #0. Can anybody remember the 10 character password? L[IbCGa_ND

66 Experiment #1 (recall)

67 Experiment #2 (recall)

68 Experiment #2 (recall)

69 Experiment #3 (recall). Cue: Manuel Blum; Action and Object to be recalled

70 Experiment #4 (recall). Cue: Stephen Rudich; Action and Object to be recalled

71 Experiment #3 (recall)

72 Personal Experience. I have created 25+ unique (strong) passwords using this technique. Tricks to overcome common restrictions: substitute 3 for e, etc.; use the first 4 letters of each word. Difficulties: word order; confusing verb tense; plural vs. singular; semantically similar words.

73 Future Work. Can we quantify and measure the usability of a password management scheme? Share cues across sites (security/usability tradeoff). Accepting close passwords. User studies.

74 Usability. More challenging to quantify than security! Key question: given a password management scheme, how much effort does it take to create, store and retrieve passwords from human memory? This talk: key factors that influence memorability; helpful mnemonic techniques.

75 Questions?

