Usable Security and Passwords, Cylab Corporate Partners Oct 2009
Usable Security and Passwords
Jason Hong, Carnegie Mellon University
Passwords and Usable Security
• People have difficulties remembering passwords
– NYTimes site: 100k readers forget password each week
– 15% of “new” readers were old readers that had forgotten their passwords
– Gartner reported one company had 30% of help desk calls related to passwords, ~$17 / call
Basic Coping Strategies
• Choose simple passwords
– password, letmein, qwerty, but easy to guess
• Reuse passwords
– But break one password, break them all
– Phishers attacking Facebook, Twitter, other targets
• Write down passwords
– Depending on threat model, might not be bad
WebTicket
• Observation #1
– People who couldn’t remember their passwords, let alone what site to go to
• Observation #2
– People already writing down passwords, can we help them do this more securely?
– And have positive side effects:
• Phish resistance
• Stronger, unique passwords
• Faster login times
WebTicket
• Idea: Print out passwords on a “business card”
– QR code has encrypted URL, username, password
– Strong password is generated for you
– Only requires printer and web cam
– Encrypted to work with your computers only
WebTicket Login Process
WebTicket Pros and Cons
• Advantages
– Commodity devices (webcam, printer)
– Don’t know own password, phish resistance
– Compatible with today’s web sites
– Stronger passwords
• Disadvantages
– Scale, number of tickets
– Attackers with cameras
– Weaker than other 2FA
• Not claiming it solves all authentication problems, just that it’s better than many current practices today
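As an added illustration (not code from the WebTicket project), here is a toy Python sketch of the ticket scheme the slides describe: a strong password is generated for the user, the URL, username and password are encrypted and authenticated under a key held only by the user's own computer, and on login the credential is released only if the ticket authenticates and its URL matches the site the browser is actually on. The device key, the HMAC-based stream cipher and the origin check are assumptions of this sketch, not the project's design.

```python
import hashlib
import hmac
import json
import secrets
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16):
    """Random, high-entropy password the user never has to memorize."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _keystream(key, nonce, n):
    # Assumed construction: HMAC-SHA256 used as a PRF in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def make_ticket(device_key, url, username, password):
    """Encrypt-then-MAC the ticket contents under the (assumed) per-device key.
    The returned bytes are what would be encoded into the QR code."""
    plain = json.dumps({"url": url, "user": username, "pw": password}).encode()
    nonce = secrets.token_bytes(16)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(device_key, nonce, len(plain))))
    tag = hmac.new(device_key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def open_ticket(device_key, ticket, current_page_url):
    """Decode a scanned ticket. Credentials come back only if the MAC verifies
    (right computer, untampered ticket) and the ticket's URL is for the site
    the browser is on, which is what gives the phish resistance."""
    nonce, cipher, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    expected = hmac.new(device_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # ticket was issued for another computer or was altered
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(device_key, nonce, len(cipher))))
    data = json.loads(plain)
    if urlsplit(data["url"]).netloc != urlsplit(current_page_url).netloc:
        return None  # ticket is not for this site; do not release the password
    return data["user"], data["pw"]
```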
Evaluation of WebTicket
• 20 people
– Age 21-57 (mean=32), 11M and 9F
– Paid $10 + $3 per successful login
• Method
– Warmup task to understand WebTicket
– Session 1: Go to site, create account, and login
• Two different sites, password and WebTicket
• Told that sites had credit card info, and login a week later
– Session 2: One week later, go back to site, login
• Had 10 WebTickets in wallet / purse / bag
• 2 minutes to login
Account Creation Time
• WebTicket is slower for creating new accounts
Logins
• Success rate in logging in
• Time to login
– Note that people tended to go to website first to login for WebTicket
Perceptions
• Perceived ease of use and perceived time
– Higher numbers better for both
– WebTicket statistically significantly better in both cases
Ongoing Work
• Phone version of WebTicket to scale up passwords
Use Your Illusion Authentication
• Again, passwords hard to remember
• Image based authentication
– Rely on human recognition over recall
– However, may be easy for attackers to recognize
• Idea: blur images
– People can recognize their tokens, but harder for attackers to guess
• Demonstrate the claims made above
Evaluation of Use Your Illusion
• Individualized educated guesses
– Recognize a specific person’s image tokens
– Analogy: if you know a person’s birthday or spouse, can guess possible text passwords
– Ex. Pictures of their spouse, pet, house, or car
• Group educated guesses
– Biases in general for specific kinds of image tokens
– Analogy: people tend to choose words in dictionary for text passwords
– Ex. Pictures of animals, buildings, etc
Use Your Illusion (Undistorted)
Choose your three tokens (unordered)
Use Your Illusion (Distorted)
Choose your three tokens (unordered)
Individualized Educated Guesses
• Recruited pairs of friends
– One of the pair tried to guess friend’s image tokens
– Other of the pair tried to guess stranger’s image tokens
– In both cases, guessed two sets, undistorted and distorted
– Guess the 3 tokens out of 27
Results
• Original undistorted images were easy to guess
– People tended to choose image tokens similar in some way, e.g. lighting, background, object, etc
– Despite being told about the study
• Distorted images more resilient
– One person got very lucky
– * means statistically significantly better than chance
Distortion Reduces Correct Guesses
Summary
• WebTicket
– Helping people manage passwords
– Login using webcam + tickets
– Mobile phone version
• Use Your Illusion
– Recognize blurred images
– Showed that blurred images more resilient to guesses
Logging in with WebTicket