Kok-Chie Daniel Pu - MSISPM. Wow... Daniel will be presenting a lecture on Graphical Passwords !!!

Presentation transcript:


Definition of Graphical Passwords A graphical password is a secret that a human user inputs to a computer with the aid of the computer’s graphical input (e.g., mouse, stylus, or touch screen) and output devices. [01]

Example – Slot Machine !!! Has human user input. There is high user acceptance. Graphical passwords (i.e. icons, pictures) What are the problems here?

Background / History Information and computer security is dependent on passwords for the authentication of human users. As presented in previous lectures, common methods include text passwords, biometrics, etc.

Background / History Main drawback of passwords is the password problem. What is this password problem? –Passwords should be easy to remember. –User authentication protocol should be executed quickly and easily by humans. –Passwords should be secure (random, hard to guess and not in plain text). [02]

Background / History Graphical passwords may be a solution to the password problem. The idea of graphical passwords was pioneered by Greg Blonder, who also holds the US patent (1996). His idea is to let the user click (with a mouse or stylus) on a few chosen (pre-designed) regions in a (pre-processed) image that appears on the screen. [03]

Passwords: Text vs Graphical

Text Passwords: Alpha-numeric passwords guidelines –At least 8 characters long. –Should not be easy to relate to the user (e.g. last name, birth date). –Should not be a word that can be found in a dictionary or public dictionary. –Should combine upper and lower case letters and digits. [04]

Text Passwords: Examples: –DiNoSaUr (by alternating upper and lower case). –rUaSoNiD (by reversing the string). –oSNaiUDr (by shuffling the string). –D9n6s7u3 (combining numbers and letters). [05]

Text Passwords: Vulnerabilities –Shoulder surfing (watching a user log on as they type their password). –Dictionary attacks (using L0phtCrack or John the Ripper). –User may forget the password if it is too long and complicated.

Graphical Passwords: Advantages –Human brains can process graphical images easily. –Examples include places we visited, faces of people and things we have seen. –Difficult to implement automated attacks (such as dictionary attacks) against graphical passwords. [06]

Graphical Passwords: Disadvantages –Shoulder surfing problem. Countermeasures –Existing schemes limit usage of graphical passwords to handhelds or workstations where only one person is able to view the screen at the time of login. [07]

What’s Next ?

Research papers & applications A Password Scheme Strongly Resistant to Spyware. Picture Password: A Visual Login Technique for Mobile Devices. Passfaces. On User Choice in Graphical Password Schemes.

A Password Scheme Strongly Resistant to Spyware Spyware is one of the biggest threats to computer security. Spyware gathers information about users and their computer systems without their permission and sends this lucrative information to the parties who installed the spyware. It is an arms race for the counter-spyware vendors.

A Password Scheme Strongly Resistant to Spyware This research focuses on deploying a login screen that is divided into a grid of 121 cells, 11 rows and 11 columns. When a new user creates a password, he chooses all 121 icons from an icon library on the server. The user determines 4 pass icons. Each icon has 4 variations. [08]

A Password Scheme Strongly Resistant to Spyware The password system leads the user through the 4 pass icons to set up the password. The user chooses a string and enters it beneath the variation. Strings are chosen to relate to some events in the user’s life. [09]

A Password Scheme Strongly Resistant to Spyware Once the password is created, the password system displays a summary which can be printed for the user’s reference. On average, it took one person 15 minutes from creating the password to using it fluently. [10]


Picture Password NIST – National Institute of Standards and Technology. A Visual Login Technique for Mobile Devices. (NISTIR 7030) Focuses on devices such as PDAs and possibly cell phones. Uses images in a matrix similar to a keypad. [11]

Picture Password Organizational policies must enforce password expiration. This is to prevent / reduce the opportunities for attackers to crack the passwords. If password reuse is required, the image sequence must generate completely new password values. [12]

Picture Password NIST Secure Hash Algorithm is used to compute the cryptographic hash and results in a 20-byte binary value. The value matrix maps selected thumbnails to their underlying alphabet values. This scheme matches the capabilities and limitations of the handheld devices. [13]
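
Added example (not from the lecture or from NISTIR 7030): a Python version of the flow the Picture Password slides describe, where a value matrix maps the selected thumbnails to alphabet values, SHA-1 turns the result into a 20-byte value, and a new matrix at expiry gives the same image sequence a completely new password value. The 5 x 6 grid, the two-symbol cell values and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

ROWS, COLS = 5, 6   # assumed thumbnail grid size, not taken from the slides
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def new_value_matrix(symbols_per_cell=2):
    """Give every thumbnail cell a fresh random value drawn from ALPHABET."""
    return [["".join(secrets.choice(ALPHABET) for _ in range(symbols_per_cell))
             for _ in range(COLS)] for _ in range(ROWS)]


def password_value(matrix, selection):
    """Map the selected (row, col) thumbnails, in order, to their alphabet values."""
    return "".join(matrix[r][c] for r, c in selection)


def enroll(matrix, selection):
    """Return the 20-byte SHA-1 digest that is stored instead of the image sequence.

    SHA-1 is used because the slide describes a 20-byte hash; a current design
    would put the value through a salted, slow password hash instead.
    """
    return hashlib.sha1(password_value(matrix, selection).encode()).digest()


def verify(matrix, selection, stored_digest):
    """Recompute the digest for a login attempt and compare in constant time."""
    return hmac.compare_digest(enroll(matrix, selection), stored_digest)


def rotate(selection):
    """Password expiry: same image sequence, new matrix, new password value."""
    matrix = new_value_matrix()
    return matrix, enroll(matrix, selection)
```

Because the digest depends on the matrix as well as on the clicks, the user can keep the memorised image sequence while the stored value changes at every expiry.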

Passfaces Passfaces (formerly known as Real User Corporation) is an information security technology company based in Annapolis, Maryland. Commercial application leverages the brain’s innate cognitive ability to recognize human faces. [14]

Passfaces Logon Process: –Users are asked to pick their assigned Passfaces from a 3 x 3 grid containing one Passface and 8 decoys. –The faces appear in random positions within the grid each time. –This process is repeated until each of the assigned Passfaces is identified. [15]

User Choice in Graphical Password Schemes Darren Davis and Fabian Monrose (Johns Hopkins University) and Michael Reiter (Carnegie Mellon University). Strength of graphical passwords based on users’ selections. Face and story schemes were chosen for this research. [16]

User Choice in Graphical Password Schemes Face scheme was modeled after the commercial Passfaces where users select a collection of faces to make the password. Story scheme requires a sequence of images to tell a story. Experiment was conducted at two universities with 154 subjects in [17]

User Choice in Graphical Password Schemes Subjects used graphical passwords to access homework, grades, homework solutions, course reading materials, etc. At the end of the semester, these students were given a survey to describe: –Why they picked the faces they did (for Face) or their chosen stories (for Story) and some demographic information about themselves. [18]

User Choice in Graphical Password Schemes Studies show that people agree about the attractiveness of both adults and children, even across different cultures. Individuals are better able to recognize faces of people from their own race than faces of people from other races. [19]

User Choice in Graphical Password Schemes Exit surveys (Face) confirmed the following:

User Choice in Graphical Password Schemes Exit surveys (Story) confirmed the following:

User Choice in Graphical Password Schemes Conclusions of the study: –User choice of passwords is not a good method. –Limits should be imposed on the number of incorrect password guesses. –Educate the users on better approaches to select passwords. –Graphical passwords (faces or story) must be easy to remember. [20]
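
Added example (not from the lecture, Passfaces or the cited study): a Python model of the logon process on the Passfaces slide (one Passface and 8 decoys in random positions, one round per assigned face) combined with the limit on incorrect guesses recommended in the conclusions above. The class and function names, the limit of 3 failures and the face identifiers are assumptions made for illustration.

```python
import secrets
from fractions import Fraction

GRID_CELLS = 9                      # 3 x 3 grid: one Passface and 8 decoys
_rng = secrets.SystemRandom()


def build_round(passface, decoy_pool):
    """Return 9 face ids with the Passface at a fresh random position."""
    cells = _rng.sample([d for d in decoy_pool if d != passface], GRID_CELLS - 1)
    cells.insert(_rng.randrange(GRID_CELLS), passface)
    return cells


class PassfaceLogin:
    def __init__(self, assigned, decoy_pool, max_failures=3):
        self.assigned = list(assigned)
        self.decoy_pool = list(decoy_pool)
        self.max_failures = max_failures      # assumed policy value
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.max_failures

    def attempt(self, choose):
        """Run every round; choose(cells) returns the index the user clicks."""
        if self.locked:
            return False
        ok = True
        for face in self.assigned:
            cells = build_round(face, self.decoy_pool)
            # Keep going after a miss so the reply does not reveal which round failed.
            ok &= cells[choose(cells)] == face
        self.failures = 0 if ok else self.failures + 1
        return ok


def blind_guess_bound(rounds, max_failures):
    """Upper bound on a uniformly random guesser succeeding before lockout."""
    return min(Fraction(1), Fraction(max_failures, GRID_CELLS ** rounds))
```

The bound holds only for uniform guessing; the study's point is that user-chosen faces are not uniform, so the guess limit matters even more when users pick their own faces.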

The End

Questions ???

References for Graphical Password Lecture:
[01] Fabian Monrose and Michael Reiter, Chapter 9 - Security and Usability
[02] The Graphical Passwords Project, funded by the NSF CyberTrust Project. Co-PIs: J.C. Birget (Rutgers-Camden), D. Hong (Rutgers-Camden), N. Memon (Brooklyn Polytechnic), S. Man (SW Minn. State), S. Wiedenbeck (Drexel)
[03] The Graphical Passwords Project, funded by the NSF CyberTrust Project. Co-PIs: J.C. Birget (Rutgers-Camden), D. Hong (Rutgers-Camden), N. Memon (Brooklyn Polytechnic), S. Man (SW Minn. State), S. Wiedenbeck (Drexel)
[04] Graphical Passwords. Leonardo Sobrado and Jean-Camille Birget, Department of Computer Science, Rutgers University
[05] Graphical Passwords. Leonardo Sobrado and Jean-Camille Birget, Department of Computer Science, Rutgers University
[06] Graphical Passwords. Leonardo Sobrado and Jean-Camille Birget, Department of Computer Science, Rutgers University
[07] Graphical Passwords. Leonardo Sobrado and Jean-Camille Birget, Department of Computer Science, Rutgers University
[08] A Password Scheme Strongly Resistant to Spyware. Dawei Hong (Rutgers University), ShuShuang Man & Barbra Hawes (Southwest Minnesota State University), Manton Matthews (University of South Carolina)
[09] A Password Scheme Strongly Resistant to Spyware. Dawei Hong (Rutgers University), ShuShuang Man & Barbra Hawes (Southwest Minnesota State University), Manton Matthews (University of South Carolina)
[10] A Password Scheme Strongly Resistant to Spyware. Dawei Hong (Rutgers University), ShuShuang Man & Barbra Hawes (Southwest Minnesota State University), Manton Matthews (University of South Carolina)
[11] NIST National Institute of Standards and Technology - NISTIR 7030, Picture Password: A Visual Login Technique for Mobile Devices
[12] NIST National Institute of Standards and Technology - NISTIR 7030, Picture Password: A Visual Login Technique for Mobile Devices
[13] NIST National Institute of Standards and Technology - NISTIR 7030, Picture Password: A Visual Login Technique for Mobile Devices
[14] Passfaces as a Countermeasure for Phishing and Malware. Passfaces_countermeasures.pdf
[15] Passfaces Technology Overview. Passfaces%20Tech%200verview.pdf
[16] On User Choice in Graphical Password Schemes. Darren Davis and Fabian Monrose (Johns Hopkins University) and Michael Reiter (Carnegie Mellon University)
[17] On User Choice in Graphical Password Schemes. Darren Davis and Fabian Monrose (Johns Hopkins University) and Michael Reiter (Carnegie Mellon University)
[18] On User Choice in Graphical Password Schemes. Darren Davis and Fabian Monrose (Johns Hopkins University) and Michael Reiter (Carnegie Mellon University)
[19] On User Choice in Graphical Password Schemes. Darren Davis and Fabian Monrose (Johns Hopkins University) and Michael Reiter (Carnegie Mellon University)
[20] On User Choice in Graphical Password Schemes. Darren Davis and Fabian Monrose (Johns Hopkins University) and Michael Reiter (Carnegie Mellon University)

All South Park Characters are copyrighted and belong to their creators at South Park Studios.