User Friendly Passwords Nicole Longworth Michael Shoppell RJ Brown.
User Friendly Passwords
Nicole Longworth, Michael Shoppell, RJ Brown
Overview
• Introduction
  o Current Password Methods
  o Project Proposal
• Research
  o Related Works
  o Possible Solutions
• Demo
• Conclusions
• Questions
Password Generation
• Random
  o randomly generated passwords that are secure and difficult to guess because they combine uppercase and lowercase letters, numbers, and punctuation symbols
• User Generated
  o passwords created by the user; they are unique to that user and made up of whatever is easiest for the user to remember
Project Proposal
• Problem
  o secure passwords are becoming easier to crack than to remember
  o security is compromised by user behavior in several ways:
    - passwords aren't strong enough
    - passwords are stored on the computer
    - passwords are reused across multiple accounts
Project Proposal
• investigate two methods of generating passwords
  o using abstract images
  o using simple (concrete) images
• based on the results, the methods will show whether images make it easier for users to remember passwords
Purpose
Proposed Solution
• trade a larger character pool (mixed case, digits, symbols) for a longer password
• a longer string of familiar words is logically easier for a human to remember than a short random string
• e.g. four short words combined into a single 20-character password
Related Works
Beaver, Kevin. Hacking For Dummies, 3rd Edition. For Dummies, Jan 12, 2010.
Mohs, Richard C., PhD. "How Human Memory Works." howstuffworks.com, July 7, 2011. Accessed Feb 29, 2012.
"The Human Memory." human-memory.net. Accessed Feb 29, 2012.
Shimonski, Rob. "Hacking Techniques: Introduction to Password Cracking." ibm.com/developerworks/library/s-crack, Jul 01, 2002. Accessed Feb 29, 2012.
Vines, Russell Dean. "Ethical Hacking Tools and Techniques: Password Cracking." searchsecuritychannel.techtarget.com. Accessed Feb 29, 2012.
Related Works
http://ict.govt.nz/guidance-and-resources/standards-compliance/authentication-standards/password-standard/5-password-vulnerabilities-and-attacks
http://static.usenix.org/event/usenix99/provos/provos_html/node11.html
http://www.computer-network-security-training.com/what-are-password-attacks/
http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabilities/232700282/command-injection-attacks-automated-password-guessing-on-the-rise.html
http://www.windowsecurity.com/articles/passwords-attacks-solutions.html
http://www.windowsitpro.com/article/kerberos/types-of-password-attacks-
http://www.go4expert.com/forums/showthread.php?t=7685
http://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices
http://www.watchingthenet.com/how-to-create-strong-passwordsand-remember-them.html
http://www.securitynewsdaily.com/553-how-to-create-remember-super-secure-passwords.html
Survey
• Test user-generated passwords and recall after a period of forgetting
• Two parts
  o Given 4 random words to remember
  o Shown 4 images
    - 2 concrete
    - 2 abstract
  o Asked to produce four words per image
• After one month, participants were shown the same images to test memory
Purposes
1. Test the randomness of user-generated words for a given image
2. Test the user's ability to recall a password when it is linked with an image
3. Given the word bank, measure the efficiency of a brute-force attack
Total Participants: 20
9 took part in both generation and recall
Duration between surveys: 1 month
Results
Over a short period of time, recall was successful
Between the two surveys (one month apart), recall was almost nonexistent
Randomly Generated Words
Results - Image Prompted
Picture                   1     2     3     4
Words Generated         115   116   115   114
Unique Words             67    63    68    74
Average Password Length  23    21    22    23
Minimum Length           16    11    17    16
Maximum Length           41    27    30   311
Results - Recall
Password Strength
• Measured in entropy
  o lack of predictability
• Randomness stated in bits
  (entropy per character) = log2(n)
  password entropy = L × (entropy per character)
  where n = pool size of characters and L = password length
Calculation
Results - Entropy
Average password length = 22
Entropy of the case-insensitive alphabet (n = 26) = log2(26) ≈ 4.7 bits per character
Average password entropy = 22 × 4.7 ≈ 103 bits
Time to crack at 1000 guesses/sec
  Character based (26^22 candidates) = 4.2718 × 10^20 years
  Word bank (as generated by participants) = 5.5 hours
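The entropy formula and the two crack-time figures above, carried through in Python as an added example (this code is not part of the original presentation). It assumes a 365-day year, that the password is the four image-prompted words concatenated, and that the word-bank attacker holds the complete list of distinct words participants produced for each image (the per-image unique-word counts from the results table are used as the default word bank).

```python
import math

# Assumption (not stated on the slide): a 365-day year. With this value the
# character-based calculation reproduces the slide's 4.2718 x 10^20 years.
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_per_char(pool_size):
    """Bits contributed by one character drawn uniformly from a pool of pool_size symbols."""
    return math.log2(pool_size)


def password_entropy_bits(length, pool_size):
    """The slide's formula, L * log2(n). Only valid for uniformly random characters;
    it overstates the strength of human-chosen words, which is the point of the
    word-bank comparison below."""
    return length * entropy_per_char(pool_size)


def character_keyspace(length, pool_size):
    """Candidates an attacker must try when nothing about the password is known."""
    return pool_size ** length


def word_bank_keyspace(unique_words_per_image):
    """Candidates when the attacker knows each image's word bank and tries every combination.

    Assumption: the password is the image-prompted words concatenated in order, and
    the attacker has the full list of distinct words produced for each image.
    """
    keyspace = 1
    for n in unique_words_per_image:
        keyspace *= n
    return keyspace


def crack_seconds(keyspace, guesses_per_second):
    """Worst case: every candidate in the keyspace is tried."""
    return keyspace / guesses_per_second


def crack_years(keyspace, guesses_per_second):
    return crack_seconds(keyspace, guesses_per_second) / SECONDS_PER_YEAR


def summarize(length=22, pool_size=26, word_bank=(67, 63, 68, 74), rate=1000.0):
    """Reproduce the slide's numbers. Defaults are the survey figures: average length 22,
    case-insensitive alphabet, unique words per image from the results table, 1000 guesses/s."""
    return {
        "entropy_bits": password_entropy_bits(length, pool_size),
        "character_years": crack_years(character_keyspace(length, pool_size), rate),
        "word_bank_hours": crack_seconds(word_bank_keyspace(list(word_bank)), rate) / 3600,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:>16}: {value:.4g}")
```

With the table's unique-word counts (67 × 63 × 68 × 74 ≈ 21.2 million combinations) the word-bank attack finishes in about 5.9 hours at 1000 guesses/second, the same order as the slide's 5.5 hours; the exact figure depends on which word counts are used. The contrast with the 10^20-year character-based estimate is the real lesson: the 103-bit entropy figure describes a uniformly random string, not what a user who is shown a picture will actually type.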
Demo
Future Work
Conduct the survey on a larger group under more consistent conditions
Determine a method for securely assigning unique random images to users
Conclusions
Image-prompted passwords are a plausible alternative
No two user-generated passwords were identical
Traditional brute-force methods are highly inefficient against passwords of this length
Images did assist somewhat in recall
Inquiries?