Usable and Secure Password Management Jeremiah Blocki Spring 2012 Theory Lunch.

Password Management
Competing goals: Security vs. Usability

A Challenging Problem
- Traditional security advice:
  - Not too short
  - Use a mix of lower/upper case letters
  - Change your passwords every 90 days
  - Use numbers and letters
  - Don’t use words/names
  - Use special symbols
  - Don’t write it down
  - Don’t reuse passwords

Reevaluate Traditional Advice?
Source: [Munroe] XKCD

Experiment #0
- Memorize a random 10 character password
- Case sensitive!
  L[IbCGa_ND

Experiment #1
Chaplin, Newspapers (plural)
Cedric, Scanner

Experiment #2
March (“Marching” – “ing”), Boats, Brie
Swim (not Michael Phelps)

Experiment #2
Kareem, Plunge (“Plunger” – “r”)
Seal, Beneath

Experiment #3
Cue          Action     Object
Manuel Blum  torturing  lion

Experiment #4
Cue             Action      Object
Stephen Rudich  destroying  shark

Experiment #3
Darth, Frosty
Frosty, Sox
Darth, Hover (“Hovercraft” – “craft”)

Experiment #4
March (“Marching” – “ing”), Boats, Brie
Swim (not Michael Phelps)

Outline
- Introduction and Experiments
- Memory and Usability
  - Four Big Factors
- Analyzing Security
- Our Password Management Scheme

Factor 1: Chunking
- Memorize: nbccbsabc
- Memorize: tkqizrlwp
- 3 chunks vs. 9 chunks!
- Usability goal: minimize the number of chunks in a password
Source: The magical number seven, plus or minus two [Miller, 56]

Chunking
Source: [Munroe]

Human Memory is Associative?

Factor 2: Cue Strength
- Cue: context when a memory is stored
  - Surrounding environment
  - Sounds
  - Visual surroundings
  - Web site
  - …
- As time passes we forget some of this context…

Mathematical Model (Cues)
i ∈ {music, desk, password, amazon, …}

Mathematical Model (Associative Memory)
- Add the cue-association pair to memory (M)
- Find the memory associated with the given cue in M

Retrieval from Partial Cue
Original Cue, Retrieval Cue, Cue Strength

Retrieval from Partial Cue

Retrieval from Partial Cue
[Plot: Probability of Recall vs. Partial Cue Fraction]
Source: Simple memory: a theory for archicortex [Marr]

Factor 3: Interference
Cue, password:
- jblocki, l3tm3in
- jblocki, unbr3akabl3
- jblocki, Tr0ub4dor&3
- jblocki, horsebatterystaplecorrect
- …

Interference (Example)
- Impossible to identify which memory is associated with the cue!
- If the contexts are only “slightly different” there will still be significant interference!

Forgetting
- What fraction of the original cue is present when the user retrieves the password?
- Can we ensure that we always have a significant fraction of the original cue?
- Too many chunks associated with one cue? Interference!

Factor 4: Rehearsal
- Strengthens associations
- Goal: minimize the number of rehearsals necessary to remember passwords
- Password may be linked to different contexts (cues)

Rehearsal
- It helps if part of the context is consistent across all rehearsals/retrievals

Usability Desiderata
- Minimize #chunks per password
- Ensure that a large part of the original cue is always available at retrieval time
- Minimize interference
- Minimize the required number of rehearsals

How Do People Pick Passwords?
Source: Science of Password Selection (Hunt, 2011)

Password Management
Competing goals: Security vs. Usability

Competing Goals
- Usability: “easy” for the user to create and remember his passwords
- Security: “hard” for the adversary to learn passwords
  - After many guesses
  - Even after seeing other passwords

Outline
- Introduction and Experiments
- Memory and Usability
- Analyzing Security
- Our Password Management Scheme

Security (what could go wrong?)
Three types of attacks: Online, Offline, Phishing

Online Attack
Limit guesses: three strike policy

Offline Dictionary Attack
MD5(“UnBr3akabl3”) + “UnBr3akabl3”
Source: CERT Incident Note IN-98.03: Password Cracking Activity

Malicious Sites/Phishing
PayPaul.com + pwd
Source: CERT Incident Note IN-98.03: Password Cracking Activity

Measuring Security
- Past measurements and their weaknesses
  - Password strength meters
  - Entropy
  - Min entropy
- Our definition of security

Password Strength Meters
- Impossible to know what background knowledge the adversary will have!
- Our approach: measure the security of the password generator instead

Password Generator (G)

Entropy
Intuition: 30 bits of entropy => Average # Guesses ~
[Formula: # bits to encode password x; average # bits to encode password x]
Source: The mathematical theory of communication (Shannon, 1959)

Entropy
- Example:

Entropy (Strengths)
- There are techniques for estimating the entropy of an individual password
Source: Prediction and entropy of printed English (Shannon, 1951)

Entropy (Weaknesses)
- Both password generators have the same entropy!
- One guess breaks the scheme one half of the time!

Entropy (Weaknesses)
- G1 has high entropy, but is insecure!

Entropy (Weaknesses)
- High entropy does not guarantee safety! (Online, Offline, Phishing)

Min-Entropy
[Formula: # bits to encode the most likely password x; # bits to encode password x]

Min Entropy (Strengths)
MD5(pwd) + “horsebatterystaplecorrect”

Min Entropy (Strengths)
- High minimum entropy (Online, Offline, Phishing)

Min-Entropy (Weaknesses)
- Unlike regular entropy, min-entropy is hard to estimate

Min-Entropy (Weaknesses)
- H_min(G1) = 2n = H_min(G2)
- Min-entropy ignores correlations between passwords

Min-Entropy (Weaknesses)
PayPaul.com
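
An added worked example (not from the slides) that makes the entropy-versus-min-entropy point concrete. G1 and G2 are constructed generators: G1 returns one fixed weak password half the time and a uniformly random 20-bit password otherwise, so it has the same 11 bits of Shannon entropy as the uniform 11-bit generator G2, yet a single guess breaks it half of the time, which only its min-entropy exposes.

```python
import math

# A password generator G is described by groups (p, count): `count` distinct
# passwords that G outputs with probability `p` each (probabilities sum to 1).

def shannon_entropy_bits(groups):
    """H(G) = sum over x of p(x) * log2(1/p(x)): the AVERAGE bits to encode a password."""
    return -sum(count * p * math.log2(p) for p, count in groups if p > 0)

def min_entropy_bits(groups):
    """H_min(G) = log2(1/max p(x)): the bits to encode the MOST LIKELY password."""
    return -math.log2(max(p for p, _ in groups))

def best_guess_success(groups, guesses):
    """Probability that an adversary who knows G (but not the user's draw) wins within
    `guesses` attempts, trying the most likely passwords first (3 under a three-strike policy)."""
    won = 0.0
    for p, count in sorted(groups, reverse=True):   # most likely group first
        taken = min(count, guesses)
        won += taken * p
        guesses -= taken
        if guesses == 0:
            break
    return won

def skewed_generator(n):
    """Constructed G1: a fixed weak password half the time, otherwise a uniformly
    random n-bit password. Shannon entropy is (n + 2) / 2 bits, min-entropy 1 bit."""
    return [(0.5, 1), (0.5 / 2 ** n, 2 ** n)]

def uniform_generator(bits):
    """Constructed G2: a uniformly random password of the given number of bits."""
    return [(1 / 2 ** bits, 2 ** bits)]

if __name__ == "__main__":
    for name, g in (("G1", skewed_generator(20)), ("G2", uniform_generator(11))):
        print(name, "H =", round(shannon_entropy_bits(g), 2),
              "H_min =", round(min_entropy_bits(g), 2),
              "P[win with 3 guesses] =", best_guess_success(g, 3))
```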

Our Security Approach
- Dangerous world assumption
  - Not enough to defend against existing adversaries
  - Adversary can adapt after learning the user’s new password management strategy
- Provide guarantees even when things go wrong
  - Offline attacks should fail with high probability
  - Limit the damage of a successful phishing attack

The Adversary’s Game
- Adversary can compromise at most k sites (phishing)
- Adversary can execute offline attacks against at most t additional sites
- Resource constraints => at most M guesses
- Adversary wins if he can compromise any new sites
pwd, MD5(pwd)

(k,t,M,δ)-Security
We say that a password management scheme is (k,t,M,δ)-secure if for any adversary Adv
k = # Phishing Attacks, t = # Offline Attacks, M = # Guesses

Example: (1,1,M,δ)-Security
PayPaul.com, M guesses, k=1, t=1

Outline
- Introduction and Experiments
- Memory and Usability
- Analyzing Security
- Our Password Management Scheme

Review Usability Desiderata
- Minimize #chunks per password
- Ensure that a large part of the original cue is always available at retrieval time
- Minimize interference
What mnemonic techniques do the memory experts use?

Memory Palace
Memory champions like Dominic O'Brien regularly use memory palaces

Memory Palace
- Idea: humans have excellent visual/spatial memory
- Memorize a list of words
  - Memorize: mentally walk through your house and “store” one word in each location
  - Recall: mentally walk past each location to recover each word
- Key point: by associating each word with a familiar location we can always recover part of the original cue
Source: Rhetorica ad Herennium [Cicero?]

Memory Palace Interference?
- Don’t reuse the same memory palace very often!
- Memory champions have hundreds of memory palaces!
  - Spend time mentally “clearing” each palace before a competition
- Usability: a typical user doesn’t have time to prepare hundreds of memory palaces!
Source: Moonwalking with Einstein [Foer, 2010]

Our Approach
- Idea: use pictures as cues instead
- Don’t have to remember the cue! Store it externally!
Liquor, Wounded, Sunk

Secure Password Management Scheme
Public Knowledge | Private (Password)
Amazon           | Random Words (Independently Selected)
eBay             | Random Words (Independently Selected)
…                | …

Usability
- Four chunks per password
- Independent cues
  - Reduces interference
- Partial cue (picture) is stored externally and is always available

Security
- Password strength
  - Strong password: 4 random words from a common dictionary
  - Stronger than a truly random ten character password
- Password independence
  - Independent of cues
  - Independent of other passwords
- (t,k,M,δ)-security for large t,k!
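
An added example (not code from the talk) working out the strength and independence claims of the scheme and the adversary's game defined earlier. The slides do not give the dictionary size, so a 100,000-word dictionary and the 14-word sample list are assumptions; the reuse case, where one password serves every site, is added for contrast and goes slightly beyond the slides.

```python
import math
import secrets

# Constructed sample dictionary (assumption); the scheme draws from a full
# "common dictionary" of tens of thousands of words.
SAMPLE_WORDS = ["liquor", "wounded", "sunk", "march", "boats", "brie", "swim",
                "kareem", "plunge", "seal", "beneath", "darth", "frosty", "hover"]

PRINTABLE = 95   # printable ASCII characters a random password such as L[IbCGa_ND is drawn from

def bits_random_chars(alphabet_size, length):
    """Guessing bits of a uniformly random string of `length` characters."""
    return length * math.log2(alphabet_size)

def bits_random_words(dictionary_size, words):
    """Guessing bits of `words` words drawn independently and uniformly from the dictionary."""
    return words * math.log2(dictionary_size)

def min_dictionary_size(words, alphabet_size, length):
    """Smallest dictionary for which `words` random words beat a random `length`-char password."""
    return math.ceil(alphabet_size ** (length / words))

def generate_site_password(dictionary, words=4):
    """A fresh, independent draw for one site: one chunk per word, cued by an
    externally stored picture. Uses the OS CSPRNG via `secrets`."""
    return " ".join(secrets.choice(dictionary) for _ in range(words))

def new_site_break_prob(k, t, M, dictionary_size, words=4, reuse=False):
    """delta in the (k,t,M,delta) game: the adversary has phished k sites, attacked t
    more offline, and spends at most M guesses (online or offline) on a fresh site.
    Independent per-site words: the compromised passwords reveal nothing about the
    new one, so only the M guesses count, whatever k and t are.
    Reused password (assumed contrast case): any phished site yields the password."""
    if reuse and k > 0:
        return 1.0
    return min(1.0, M / dictionary_size ** words)

if __name__ == "__main__":
    print("random 10 chars:", round(bits_random_chars(PRINTABLE, 10), 1), "bits")
    print("4 words, 100k dictionary:", round(bits_random_words(100_000, 4), 1), "bits")
    print("dictionary needed to beat 10 random chars:", min_dictionary_size(4, PRINTABLE, 10))
    print("sample password:", generate_site_password(SAMPLE_WORDS))
    print("delta, k=1 t=1 M=10^6:", new_site_break_prob(1, 1, 10 ** 6, 100_000))
```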

Experiment #0
- Can anybody remember the 10 character password?
  L[IbCGa_ND

Experiment #1

Experiment #2

Experiment #2

Experiment #3
Cue          Action  Object
Manuel Blum

Experiment #4
Cue             Action  Object
Stephen Rudich

Experiment #3

Personal Experience
- I have created 25+ unique (strong) passwords using this technique
- Tricks to overcome common restrictions
  - Substitute 3 for e, etc…
  - Use the first 4 letters of each word
- Difficulties
  - Word order
  - Confusing verb tense
  - Plural vs. singular
  - Semantically similar words

Future Work
- Can we quantify and measure the usability of a password management scheme?
- Share cues across sites (security/usability tradeoff)
- Accepting close passwords
- User studies

Usability
- More challenging to quantify than security!
- Key question: given a password management scheme, how much effort does it take to create, store and retrieve passwords from human memory?
- This talk:
  - Key factors that influence memorability
  - Helpful mnemonic techniques

Questions?