Jeremiah Blocki, Saranga Komanduri, Lorrie Cranor, Anupam Datta Presented by Lihua Ren.

Slides:

Advertisements

Similar presentations

A Comprehensive Study of the Usability of multiple Graphical Passwords SoumChowdhury (Presenter) Ron Poet Lewis Mackenzie 1 School of Computing Science.

Advertisements

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

Naturally Rehearsing Passwords Jeremiah Blocki ASIACRYPT 2013 Manuel Blum Anupam Datta.

1 + 1 = You Measuring the comprehensibility of metaphors for configuring backup authentication Stuart SchechterRobert W. Reeder Symposium on Usable Privacy.

1 J. Alex Halderman A Convenient Method for Securely Managing Passwords J. Alex Halderman Princeton Brent Waters Stanford Edward W. Felten Princeton.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015.

GOTCHA Password Hackers! Jeremiah Blocki Manuel Blum Anupam Datta AISec2013 Presented by Arunesh Sinha.

Usable and Secure Password Management Jeremiah Blocki Spring 2012 Theory Lunch.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.

Using a Password Manager Are your passwords safe? Ryan Leavitt DoIT Security.

HOW DOES YOUR PASSWORD MEASURE UP The Effect of Strength Meters on Password Creation Rui Xie.

Naturally Rehearsing Passwords Jeremiah Blocki NSF TRUST October 2013 Manuel Blum Anupam Datta.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Building Robust and Automatic Authentication Systems with Activity- Based Personal Questions Mentor: Danfeng Yao Anitra Babic Chestnut Hill College Computer.

Chapter 10 Boundary Controls. Cryptographic Controls Cryptology is the science of secret codes Cryptography deals with systems for transforming data into.

Password Management Strategies for Online Accounts Gaw & Felten Optional Reading.

Human Computable Passwords

Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.

Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.

Yvan Cartwright, Web Security Introduction Correct encryption use Guide to passwords Dictionary hacking Brute-force hacking.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

E XPLORING USABILITY EFFECTS OF INCREASING SECURITY IN CLICK - BASED GRAPHICAL PASSWORDS Elizabeth StobertElizabeth Stobert, Alain Forget, Sonia Chiasson,

1 Authentication and access control overview. 2 Outline Definitions Authentication Factors Evaluation Examples  Focus on password problems and alternatives.

Multiple Password Interference in text Passwords and click based Graphical Passwords by Sonia Chiasson, Alian Forget, Elizabeth Stobert, PC van Oorschot.

CIS 450 – Network Security Chapter 8 – Password Security.

It’s no secret It’s no secret Measuring the security and reliability of authentication via ‘secret’ questions By Schechter, Brush and Egelman ® 2009 Presenter:

Adrian Ellison Assistant Director, IT Services Wednesday 23 November 2011.

Presented by: Lin Jie Authors: Xiaoyuan Suo, Ying Zhu and G. Scott. Owen.

Lecture 11: Strong Passwords

Password Security Everything (well… a lot, anyway) you didn’t know, or want to, but really actually need to.

The memorability and security of passwords – some empirical results By: Jianxin Yan, Alan Blackwell, Ross Anderson, Alasdair Grant Presenter: Roy Ford.

Password Management Strategies for Online Accounts Shirley Gaw, Edward W. Felten Princeton University.

D´ej`a Vu: A User Study Using Images for Authentication Rachna Dhamija,Adrian Perrig SIMS / CS, University of California Berkeley 報告人：張淯閎.

Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Graphical Passwords Possible Collaborative Project Usable Security – CS 6204 – Fall,

REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot.

Mitch Parks, GSEC/GCWN ITS Desktop Security Analyst

Internet Safety. Phishing, Trojans, Spyware, Trolls, and Flame Wars—oh my! If the idea of these threats lurking around online makes you nervous, then.

User Friendly Passwords Nicole Longworth Michael Shoppell RJ Brown.

Jawaharlal Nehru National College of Engineering, Shimoga – Department of Computer Science & Engineering Technical Seminar on, Under the guidance.

Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.

Presented by Sharan Dhanala

Maintaining a Cache of Previously Queried Prefixes “Telepathwords: Preventing weak passwords by reading users’ minds.” Saranga Komanduri, Richard Shay,

Problems With Centralized Passwords Dartmouth College PKI Lab.

Measuring Real-World Accuracies and Biases in Modeling Password Guessability Segreti. et al. Usenix Security 2015.

Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Authentication and access control.

Guess again (and again and again) Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.

Passwords and Password Policies An Important Part of IT Control – by Craig Piercy.

Timbre and Memory An experiment for the musical mind Emily Yang Yu Music 151, 2008.

Password Security Module 8. Objectives Explain Authentication and Authorization Provide familiarity with how passwords are used Identify the importance.

Human-Computable Passwords Jeremiah Blocki Manuel Blum Anupam Datta Santosh Vempala.

What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Kerberos is a three-headed dog Available as open source or in supported.

RADIUS By: Nicole Cappella. Overview  Central Authentication Services  Definition of RADIUS  “AAA Transaction”  Roaming  Security Issues and How.

Towards Human Computable Passwords

Investigation of Instructions for Password Generation

Usable and Secure Human Authentication

Human Computable Passwords

Human-Computable Passwords

Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta

Presentation transcript:

Jeremiah Blocki, Saranga Komanduri, Lorrie Cranor, Anupam Datta Presented by Lihua Ren

Motivation 2

Usability Problem 3  Too many password  users select weak password, reuse passwords or frequently reset passwords. Insecure! Painful effort!

Security Problem 4  Password breaches at major companies have affected millions of users.

Traditional Security Advice 5 Not too short Use mix of lower/upper case letters Change your passwords every 90 days Use numbers and letters Don’t use words/names Use special symbols Don’t Write it Down Don’t Reuse Passwords

Existing works 6  The password strengthening mechanism of Bonneau and Schechter  How: User authenticates by typing in old password + a random character or word.  Limitation: requiring the user to memorize a new random character/word to append to his password  Password Composition Policies  How: restrict the space passwords that users can choose.  Limitation: negatively effect usability & adverse security effects

This work 7  Conducted a user study:  Participants were asked to memorize several randomly generated person-action-object (PAO) stories.  Questions to answer:  Spaced Repetition  Can users recall multiple PAO stories by following spaced repetition schedules?  Which schedules work best?  Mnemonic Advantage  Does the PAO mnemonic technique improve recall?  Interference Effect

8

Background: Security Against Offline Attacks 9  Offline dictionary attack  Cost of an Offline Attack brute-force attack By comparing H(pw) with guessed H(pw)

i.e. Person-action-object (PAO) stories

Background: Shared Cues 11 Combinatorial Design: Each pairs of accounts has at most secret stories in common. Source: Naturally Rehearsing Passwords [BBD13]

PAO Stories#PasswordsSecurity 414 Background: Shared Cues 12 Adversary with one password is unlikely to crack any other password

13

Recruitment 578 participants completed initial memorization phase

User Study Protocol 15  Memorization Phase (5 minutes):  Participants asked to memorize four randomly selected person-action object stories.  Rehearsal Phase (120+ days):  Participants periodically asked to return and rehearse their stories (following rehearsal schedule)

Memorization Phase – Mnemonic group 16

Memorization Phase – Mnemonic group 17

Memorization Phase – Mnemonic group 18

Memorization Phase – Text group 19

Rehearsal 20

Rehearsal Schedules 21  Day: Final Rehearsal (t 10 ): 157 days

Rehearsal Schedules Final Rehearsal (t 7 ): 127 days Day:

Rehearsal Schedules 23 Rehearsal#/ Schedule hrx1.5.5 day N/ A 24hrX21 day N/A 24hrX2+2Start.1 day N/A 30minX2.5 hr1.5hr3.5h r 7.5 hr 15.5 hr 1.7 day

Incentives  Memorization Phase ($0.5)  Rehearsal Phase ($0.75 each)  Encourage participants to return  Discourage Cheating

Do Not Write Down Your Words  “…we ask that you do not write down the words that we ask you to memorize.”  “You will be paid for each completed rehearsal phase --- even if you forgot the words.”  “Important: …do not write down the words”  “You will be paid for each completed rehearsal phase --- even if you forgot the words.”

Study Conditions 26 ConditionComment m_24hrX2+2Start_11 PAO Story m_24hrX2+2Start_22 PAO Stories m_24hrX2+2Start_44 PAO Stories ConditionComment t_24hrX2+2Start_4Text condition/No Cues m_24hrX2+2Start_4Mnemonic Condition Interference Mnemonic vs Text ConditionComment m_24hrX2_424 hour base m_24hrX2+2Start_4Two Extra Rehearsals on Day 1 m_30minX2_430 min base m_12hrX1.5_4Growth Rate: 1.5x Compare Rehearsal Schedules

Follow Up Survey 27  Problem  Some participants did not return to rehearse their stories.  Hypothesis:  The primary reason:  too busy  did not get follow up message in time  not interested in interacting with them outside of the initial Mechanical Turk task.  Not because they would not remember the story.  How to prove?  Send a follow up survey to all not return.

28

Rehearsal schedule Survived(i)/Returned(i)

Text vs Mnemonic 31 Survived(i)/Returned(i) Advantage is statistically significant Advantage is not statistically significant

Interference Survived(i)/Returned(i) Interference Effect was Statistically Significant Days

Findings 33  Spaced Repetition  Yes, participants did remember multiple PAO stories!  Winning Schedule: 12hrX1.5  Mnemonics  Short Term: Benefit is statistically significant  Long Term: Rehearsal schedule was only significant factor  Interference  Benefit: Memorize one story at a time  Future Work: Causes of interference

The Follow Up Survey: Dropped Participants 34 No participant self-reported that they didn’t return because the stories were too difficult to memorize.

Limitations 35  The follow up survey  Only conducted among 61 participants not return to the first rehearsal  There is only one experiment ( t_24hrX2+2Start ) for text group.  Assumption  Users not to participate the flow up survey  not because the users cannot remember the story.

Conclusion 36 Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords … …

Quiz  What are the two phases of the user study?  Why the authors performed a follow up survey?  According to the results of the user study, which rehearsal schedule performs the best?