
Jeremiah Blocki, Saranga Komanduri, Lorrie Cranor, Anupam Datta Presented by Lihua Ren.




1 Jeremiah Blocki, Saranga Komanduri, Lorrie Cranor, Anupam Datta Presented by Lihua Ren

2 Motivation

3 Usability Problem: Too many passwords. Users select weak passwords, reuse passwords, or frequently reset passwords. Insecure! Painful effort!

4 Security Problem: Password breaches at major companies have affected millions of users.

5 Traditional Security Advice: Not too short; Use a mix of lower/upper case letters; Change your passwords every 90 days; Use numbers and letters; Don't use words/names; Use special symbols; Don't write it down; Don't reuse passwords.

6 Existing works
- The password strengthening mechanism of Bonneau and Schechter. How: the user authenticates by typing in the old password plus a random character or word. Limitation: the user must memorize a new random character/word to append to the password.
- Password composition policies. How: restrict the space of passwords that users can choose. Limitation: they negatively affect usability and have adverse security effects.

7 This work: Conducted a user study. Participants were asked to memorize several randomly generated person-action-object (PAO) stories. Questions to answer:
- Spaced Repetition: Can users recall multiple PAO stories by following spaced repetition schedules? Which schedules work best?
- Mnemonic Advantage: Does the PAO mnemonic technique improve recall?
- Interference Effect

8 (no transcribed text)

9 Background: Security Against Offline Attacks
- Offline dictionary attack
- Cost of an offline attack
- Brute-force attack: the attacker compares the stored H(pw) with H(guess) for each guessed password.

10 i.e., Person-Action-Object (PAO) stories

11 Background: Shared Cues. Combinatorial Design: each pair of accounts has at most … secret stories in common. Source: Naturally Rehearsing Passwords [BBD13]

12 Background: Shared Cues. Table with columns PAO Stories / #Passwords / Security (cells as extracted: 414, 775+, 1575+, 4375+). An adversary with one password is unlikely to crack any other password.
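To make the "at most one story in common" design concrete, here is an added example (my own code, not the study's or the Shared Cues paper's implementation). It assumes the pairwise bound is one shared story and builds passwords from the lines of the affine plane over Z_p: each story is a point, each password is the p stories on one line, and two distinct lines meet in at most one point. The nine (action, object) secrets and the p = 3 parameter are constructed for illustration, not the study's design parameters.

```python
from itertools import combinations

def affine_plane_design(p):
    """Stories are the p*p points of Z_p x Z_p; each password uses the p stories
    on one line. p must be prime so that Z_p is a field, which guarantees two
    distinct lines share at most one point (= at most one secret story).
    Returns (points, lines); each line is a tuple of points."""
    points = [(x, y) for x in range(p) for y in range(p)]
    lines = [tuple((x, (m * x + c) % p) for x in range(p))      # y = m*x + c
             for m in range(p) for c in range(p)]
    lines += [tuple((c, y) for y in range(p)) for c in range(p)]  # x = c
    return points, lines

def max_shared_stories(lines):
    """Largest number of stories any two passwords have in common."""
    return max(len(set(a) & set(b)) for a, b in combinations(lines, 2))

def stories_exposed(lines, compromised):
    """Stories an adversary learns from the passwords at the given indices."""
    exposed = set()
    for i in compromised:
        exposed |= set(lines[i])
    return exposed

def passwords_fully_exposed(lines, compromised):
    """Indices of other passwords whose every story is now known."""
    known = stories_exposed(lines, compromised)
    return [i for i, line in enumerate(lines)
            if i not in compromised and set(line) <= known]

def unknown_stories_per_password(lines, compromised):
    """For each remaining password, how many of its stories are still secret."""
    known = stories_exposed(lines, compromised)
    return {i: len(set(line) - known)
            for i, line in enumerate(lines) if i not in compromised}

# Constructed (action, object) secrets for the 9 stories of the p = 3 design,
# indexed in the same order as affine_plane_design(3) lists its points.
SECRETS = [("swallowing", "bike"), ("kicking", "sushi"), ("juggling", "lantern"),
           ("painting", "camel"), ("stealing", "violin"), ("hugging", "cactus"),
           ("riding", "toaster"), ("burying", "trophy"), ("wrestling", "pumpkin")]

def build_password(points, line, secrets=SECRETS):
    """Concatenate the action+object words of the stories on one line."""
    return "".join(a + o for a, o in (secrets[points.index(pt)] for pt in line))

if __name__ == "__main__":
    points, lines = affine_plane_design(3)
    print(len(points), "stories ->", len(lines), "passwords; max shared =",
          max_shared_stories(lines))
    print("one password leaked, still-secret stories per other password:",
          unknown_stories_per_password(lines, {0}))
    print("example password:", build_password(points, lines[0]))
```

With one password leaked, every other password still has at least p-1 unknown stories, which is the property behind the slide's claim that an adversary with one password is unlikely to crack any other.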

13 (no transcribed text)

14 Recruitment: 578 participants completed the initial memorization phase.

15 User Study Protocol
- Memorization Phase (5 minutes): participants were asked to memorize four randomly selected person-action-object stories.
- Rehearsal Phase (120+ days): participants were periodically asked to return and rehearse their stories, following a rehearsal schedule.

16 Memorization Phase – Mnemonic group 16

17 Memorization Phase – Mnemonic group 17

18 Memorization Phase – Mnemonic group 18

19 Memorization Phase – Text group 19

20 Rehearsal 20

21 Rehearsal Schedules (timeline figure: rehearsals 0 to 10 plotted over days 0 to 160). Final Rehearsal (t_10): 157 days

22 Rehearsal Schedules (timeline figure: rehearsals 0 to 7 plotted over days 0 to 160). Final Rehearsal (t_7): 127 days

23 Rehearsal Schedules (columns are rehearsal numbers 1 to 12; values are days unless marked hr):
  12hrX1.5:       0.5 day, 1.75, 4.28, 8.2, 14.7, 24.7, 40.7, 64.7, 101.7, 157.7, N/A
  24hrX2:         1 day, 3, 7, 15, 31, 63, 127, N/A
  24hrX2+2Start:  0.1 day, 0.6, 1.6, 3.6, 7.6, 15.6, 31.6, 63.6, 127.6, N/A
  30minX2:        0.5 hr, 1.5 hr, 3.5 hr, 7.5 hr, 15.5 hr, 1.7 day, 3.7, 7.7, 15.7, 31.7, 63.7, 127.7
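The schedule names encode a base interval and a growth factor. As an added example (my own code, not the study's software), the following generates a schedule by adding intervals that grow geometrically, base_hours * growth**i, and reproduces the 24hrX2 row, the 24hrX2+2Start row (two extra day-1 rehearsals, then the doubling schedule continuing from the second one) and the first five 30minX2 entries. The exact 12hrX1.5 row on the slide is not reproduced by this formula and is not asserted here; the status helper for a rehearsal reminder is also an assumption about how such a study would be run.

```python
def geometric_schedule(base_hours, growth, rehearsals, start_hours=0.0):
    """Rehearsal times in days. The i-th interval (i = 0, 1, ...) is
    base_hours * growth**i, added on top of the previous rehearsal time."""
    times, t = [], start_hours
    for i in range(rehearsals):
        t += base_hours * growth ** i
        times.append(t / 24.0)
    return times

def schedule_with_extra_start(extra_days, base_hours, growth, rehearsals):
    """Prepend fixed extra rehearsals (the two day-1 rehearsals of 24hrX2+2Start)
    and run the geometric schedule from the last of them."""
    return list(extra_days) + geometric_schedule(
        base_hours, growth, rehearsals, start_hours=extra_days[-1] * 24.0)

def rehearsal_status(schedule_days, completed, elapsed_days):
    """Given how many rehearsals a participant has completed and the days since
    memorization, return ('finished', None), ('due', day) when the next
    rehearsal's day has passed, or ('upcoming', day) otherwise."""
    if completed >= len(schedule_days):
        return ("finished", None)
    day = schedule_days[completed]
    return ("due" if elapsed_days >= day else "upcoming", day)

# The three rows that the geometric model reproduces (assumed parameters).
SCHEDULES = {
    "24hrX2": geometric_schedule(24, 2, 7),
    "24hrX2+2Start": schedule_with_extra_start([0.1, 0.6], 24, 2, 7),
    "30minX2 (first five, in days)": geometric_schedule(0.5, 2, 5),
}

if __name__ == "__main__":
    for name, days in SCHEDULES.items():
        print(f"{name:32s}", ", ".join(f"{d:.2f}" for d in days))
    # Constructed scenario: two rehearsals done, five days elapsed.
    print(rehearsal_status(SCHEDULES["24hrX2"], completed=2, elapsed_days=5.0))
```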

24 Incentives: Memorization Phase ($0.5); Rehearsal Phase ($0.75 each). Purpose: encourage participants to return; discourage cheating.

25 Do Not Write Down Your Words
- "…we ask that you do not write down the words that we ask you to memorize."
- "You will be paid for each completed rehearsal phase --- even if you forgot the words."
- "Important: …do not write down the words"

26 Study Conditions
  Interference (Condition: Comment)
    m_24hrX2+2Start_1: 1 PAO Story
    m_24hrX2+2Start_2: 2 PAO Stories
    m_24hrX2+2Start_4: 4 PAO Stories
  Mnemonic vs Text (Condition: Comment)
    t_24hrX2+2Start_4: Text condition / No Cues
    m_24hrX2+2Start_4: Mnemonic Condition
  Compare Rehearsal Schedules (Condition: Comment)
    m_24hrX2_4: 24 hour base
    m_24hrX2+2Start_4: Two Extra Rehearsals on Day 1
    m_30minX2_4: 30 min base
    m_12hrX1.5_4: Growth Rate: 1.5x

27 Follow Up Survey
- Problem: some participants did not return to rehearse their stories.
- Hypothesis: the primary reasons were being too busy, not getting the follow-up message in time, or not being interested in interacting with the researchers outside of the initial Mechanical Turk task; not that they could not remember the story.
- How to test this? Send a follow-up survey to all participants who did not return.

28 (no transcribed text)

29 (no transcribed text)

30 Rehearsal schedule (plot: Survived(i)/Returned(i) per rehearsal schedule)

31 Text vs Mnemonic (plot: Survived(i)/Returned(i); annotations: "Advantage is statistically significant" and "Advantage is not statistically significant")

32 Interference (plot: Survived(i)/Returned(i) against Days). The interference effect was statistically significant.

33 Findings
- Spaced Repetition: Yes, participants did remember multiple PAO stories! Winning schedule: 12hrX1.5
- Mnemonics: Short term, the benefit is statistically significant. Long term, the rehearsal schedule was the only significant factor.
- Interference: Benefit from memorizing one story at a time. Future work: causes of interference.

34 The Follow Up Survey: Dropped Participants. No participant self-reported that they didn't return because the stories were too difficult to memorize.

35 Limitations
- The follow-up survey was only conducted among the 61 participants who did not return for the first rehearsal.
- There is only one experiment (t_24hrX2+2Start) for the text group.
- Assumption: users who did not participate in the follow-up survey did not drop out because they could not remember the story.

36 Conclusion: Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords … …

37 Quiz
- What are the two phases of the user study?
- Why did the authors perform a follow-up survey?
- According to the results of the user study, which rehearsal schedule performs the best?




