
    Naturally Rehearsing Passwords

    We introduce quantitative usability and security models to guide the design of password management schemes --- systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing usability assumptions. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and validated through empirical studies. Given rehearsal requirements and a user's visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of his passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues --- a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals.
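The "extra rehearsals" measure in the abstract above can be made concrete with a small simulation. This is an added example, not the paper's code or its exact model: the rehearsal schedule (gaps doubling from one day), the fixed visit periods, the one-year horizon and the account names are all assumptions chosen for illustration. It counts, for each secret, the rehearsal windows in which no account using that secret is visited, and compares one password per account against sharing.

```python
"""Added example of the usability model in the abstract above: count the extra
rehearsals a user must do to keep every password in memory, and compare a
unique-password-per-account scheme with password sharing.

Assumptions (mine, not the paper's): an expanding rehearsal schedule whose gaps
double (1, 2, 4, 8, ... days), accounts visited at a fixed period in days, and
a one-year horizon.  A visit to any account that uses a secret counts as a
natural rehearsal of that secret.
"""

HORIZON_DAYS = 365


def rehearsal_windows(horizon=HORIZON_DAYS, first_gap=1, factor=2):
    """Expanding rehearsal schedule: the i-th rehearsal must occur inside the
    window [t_i, t_{i+1}), where t_0 = 0 and the gaps grow geometrically.
    Returns the windows that fall inside the horizon."""
    windows, start, gap = [], 0, first_gap
    while start < horizon:
        end = min(start + gap, horizon)
        windows.append((start, end))
        start, gap = end, gap * factor
    return windows


def visits(period_days, horizon=HORIZON_DAYS):
    """Visitation schedule of one account: days period, 2*period, ... < horizon."""
    return range(period_days, horizon, period_days)


def extra_rehearsals(scheme, horizon=HORIZON_DAYS):
    """scheme maps a secret id to the visit periods of the accounts using it.
    A window is satisfied naturally if any account sharing the secret is
    visited inside it; every unsatisfied window costs one extra rehearsal.
    Returns (total_extra, {secret: extra})."""
    windows = rehearsal_windows(horizon)
    per_secret = {}
    for secret, periods in scheme.items():
        days = sorted({t for p in periods for t in visits(p, horizon)})
        per_secret[secret] = sum(
            1 for lo, hi in windows if not any(lo <= t < hi for t in days)
        )
    return sum(per_secret.values()), per_secret


# Constructed visitation profile: email daily, a forum weekly, a bank monthly,
# a tax portal quarterly.
ACCOUNTS = {"email": 1, "forum": 7, "bank": 30, "tax": 90}


def compare_schemes(accounts=ACCOUNTS):
    """Extra rehearsals for three schemes over the same accounts: one secret per
    account, two secrets each covering a frequent and a rare account, and one
    secret for everything."""
    unique = {name: [p] for name, p in accounts.items()}
    paired = {"s1": [accounts["email"], accounts["tax"]],
              "s2": [accounts["forum"], accounts["bank"]]}
    shared = {"one-for-all": list(accounts.values())}
    return {"unique": extra_rehearsals(unique)[0],
            "paired": extra_rehearsals(paired)[0],
            "shared": extra_rehearsals(shared)[0]}


if __name__ == "__main__":
    for name, extra in compare_schemes().items():
        print(f"{name:>7}: {extra} extra rehearsals over {HORIZON_DAYS} days")
```

Under these assumptions the rarely visited accounts dominate the cost of the unique scheme, and pairing each of them with a frequently visited account removes most of it: that is the "natural rehearsal rate" argument. The security model in the abstract is what bounds how much sharing is acceptable; Shared Cues shares pieces of the underlying secret rather than whole passwords, which this toy does not model.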

    A Survey on Password Guessing

    Text passwords have served as the most popular method for user authentication so far, and are not likely to be totally replaced in the foreseeable future. Password authentication offers several desirable properties (e.g., low cost, high availability, ease of implementation, reusability). However, it suffers from a critical security issue caused mainly by humans' inability to memorize complicated strings. Users tend to choose easy-to-remember passwords, which are not uniformly distributed in the key space. Thus, user-selected passwords are susceptible to guessing attacks. In order to encourage and support users to use strong passwords, it is necessary to simulate automated password guessing methods to determine password strength and identify weak passwords. A large number of password guessing models have been proposed in the literature. However, little attention has been paid to providing a systematic survey, which is necessary to review the state-of-the-art approaches, identify gaps, and avoid duplicate studies. Motivated by that, we conduct a comprehensive survey of all password guessing studies presented in the literature from 1979 to 2022. We propose a generic methodology map to present an overview of existing methods. Then, we explain each representative approach in detail. The experimental procedures and available datasets used to evaluate password guessing models are summarized, and the reported performances of representative studies are compared. Finally, the current limitations and the open problems as future research directions are discussed. We believe that this survey is helpful to both experts and newcomers who are interested in password security. Comment: 35 pages, 5 figures, 5 tables

    Introducing a Machine Learning Password Metric Based on EFKM Clustering Algorithm

    We introduce a password strength metric using the Enhanced Fuzzy K-Means clustering algorithm (EFKM henceforth). The EFKM is trained on the OWASP list of 10,002 weak passwords. After that, the optimized centroids are maximized to develop a password strength metric. The resulting meter was validated by contrasting it with three entropy-based metrics using two datasets: the training dataset (OWASP) and a dataset that we collected from the GitHub website containing 5,189,451 leaked passwords. Our metric recognizes all the passwords from the OWASP list as weak passwords. Regarding the leaked passwords, the metric recognizes almost the entire set as weak passwords. We found that the results of the EFKM-based metric and the entropy-based meters are consistent. Hence the EFKM metric demonstrates its validity as an efficient password strength checker.

    On Enhancing Security of Password-Based Authentication

    Passwords have been the dominant authentication scheme for more than 30 years, and they will not be easily replaced in the foreseeable future. However, password authentication has long been plagued by the dilemma between security and usability, mainly due to human memory limitations. For example, a user often chooses an easy-to-guess (weak) password because it is easier to remember. The ever increasing number of online accounts per user exacerbates this problem further. In this dissertation, we present four research projects that focus on the security of password authentication and its ecosystem. First, we observe that personal information plays a very important role when a user creates a password. Enlightened by this, we conduct a study of how users create their passwords using their personal information, based on a leaked password dataset. We create a new metric --- Coverage --- to quantify the personal information in passwords. Armed with this knowledge, we develop a novel password cracker named Personal-PCFG (Probabilistic Context-Free Grammars) that leverages personal information for targeted password guessing. Experiments show that Personal-PCFG is much more efficient than the original PCFG in cracking passwords. The second project aims to ease the password management hassle for a user. Password managers are introduced so that users need only one password (the master password) to access all their other passwords. However, the password manager introduces a single point of failure and is potentially vulnerable to data breach. To address these issues, we propose BluePass, a decentralized password manager that features dual-possession security involving a master password and a mobile device. In addition, BluePass enables a hands-free user experience by retrieving passwords from the mobile device through Bluetooth communication. In the third project, we investigate an overlooked aspect of the password lifecycle, the password recovery procedure. We study the password recovery protocols of the Alexa top 500 websites, and report interesting findings on the de facto implementation. We observe that the backup email is the primary way for password recovery, and the email becomes a single point of failure. We assess the likelihood of an account recovery attack, analyze the security policies of major email providers, and propose a security enhancement protocol to help secure password recovery emails with two-factor authentication.

    Finally, we focus on a more fundamental level, user identity. Password-based authentication is just a one-time check to ensure that a user is legitimate. However, a user's identity could be hijacked at any step. For example, an attacker can leverage a zero-day vulnerability to take over the root privilege. Thus, tracking the user behavior is essential to examine the identity legitimacy. We develop a user tracking system based on OS-level logs inside an enterprise network, and apply a variety of techniques to generate a concise and salient user profile for identity examination.

    Online Automotive Services Information System (OASIS)

    Workshops have started to use technology (computers, databases, systems, web applications and also mobile applications) as a way to store and retrieve all the information about their customers (car owners). It is important for a workshop to understand its customers better. However, workshop owners do not have a platform that makes the car service process run smoothly. The platform will store all the information a car owner needs to complete the car service appointment process and keep it properly recorded. The aim of this project is to develop a web-based system that can deliver car service information to the car owner and at the same time build the customer relationship with the workshop. The system is called Online Automotive Services Information System (OASIS). The functionality of OASIS is to provide service information about the car services, the important dates such as insurance and road tax, and the costs incurred, and to let workshop owners maintain and keep up to date with their regular car owners. Informal interviews and a survey were conducted with workshop owners and car owners. Analysis and design models such as use case diagrams, activity diagrams, and context diagrams were developed. A working prototype of OASIS has already been developed and tested based on the gathered user requirements. The end product of the development phase is a web-based system named oasis.t15.org/index.ph

    Understanding common password design: a study towards building a penetration testing tool

    Abstract. Almost everything that is meant to be kept private is currently being protected by passwords. While systems and devices can be designed with robust security measures, the efficacy of such systems can be compromised if the end-user chooses a weak password, especially one easily found in common wordlists. Given the prevailing security dynamics, especially with the ongoing Ukraine war and Finland's NATO membership considerations, the inadequate protection of WiFi devices may transcend individual privacy concerns. Supo, the Finnish Security and Intelligence Service, posits that routers with subpar security could pose considerable national security risks. This thesis aims to investigate the strategies people use when creating new passwords. This is done by using prior knowledge about password creation habits and by conducting an analysis of leaked passwords. The study also examines existing tools for password list generation for penetration testing to see what the strengths and weaknesses of those tools are. This will be the groundwork for creating a lightweight tool for password list generation that can be used to do penetration testing with dictionary attacks and possibly detect if weak passwords are being used. The problem with the current tools is that they either create a very large wordlist or one too small to be practical. They also seem to lack wordlist mangling capabilities. The proposed solution is evaluated using the wardriving method, accompanied by the acquisition of PMKID hashes from WiFi access points. Subsequently, these hashes are matched against passwords generated by the designated tool, leveraging Hashcat to determine whether they can be cracked. Through this process, the study also provides a snapshot of WiFi password robustness within the City of Oulu. The findings revealed that approximately 6% of WiFi access points employed passwords deemed too weak. This discovery aligns with earlier research conducted in the city of Oulu, where a related investigation highlighted that nearly 14.78% of devices lack password protection, effectively operating as open access points [1].

    Understanding common design methods for creating passwords: a study towards building a penetration testing tool. Abstract (translated from Finnish). Almost everything that is meant to be kept private is currently protected by passwords. Devices and systems can be designed with comprehensive security features, but the security of these devices and systems can be compromised if the end user chooses a weak password for the device, especially if the chosen password also happens to be found in common password lists. Inadequate protection of WiFi devices can cause security problems when the prevailing security situation, relating to the war in Ukraine and Finland's NATO membership, is considered. The Finnish Security and Intelligence Service (Supo) estimates that poorly protected routers can pose significant national security risks. The aim of this thesis is to study the strategies people use to create passwords. This is done by using prior knowledge of password creation habits and by analysing passwords that have previously leaked online. The study also examines existing tools for generating password lists and determines the strengths and weaknesses of these tools. The steps above are the groundwork on which a lightweight tool for generating password lists for penetration testing is built. The problem with the existing tools for this task is that they create wordlists that are either too large or too small to be practical. They also lack functionality for mangling the wordlists. The effectiveness of the tool is evaluated and tested using the wardriving method with PMKID hashes obtained from WiFi access points. The hashes are then compared against the wordlists produced by the tool using Hashcat, checking whether any of the words produced by the tool matches the password from which the hash was derived. This also gives a snapshot of the strength of WiFi passwords in the city of Oulu. The results revealed that roughly 6% of WiFi access points use too weak a password. This finding is in line with an earlier study conducted in Oulu, which showed that nearly 14.78% of devices lack password protection and in those cases operate as open access points [1].

    Why do Individuals Continue Using Mobile Payments - A Qualitative Study in China

    Many financial and mobile service providers are viewing mobile payment (MP) as a strategic growth area for their business. In order to realize this anticipated growth potential, users must initially adopt and then continue to use MP systems. However, a rich and detailed user perspective of MP continuance behavior is lacking. We address part of this research gap by content-analyzing interview transcripts of 38 MP users. The findings indicate that perceived usefulness and risk, disconfirmation, satisfaction, subjective norm, and habit are important when users make MP continuance decisions.

    Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study

    Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error, with catastrophic results. While an end-user's choice of a bad password can have dire consequences, a developer who forgets to hash and salt a password database can cause far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems.
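The storage mistake the abstract refers to ("forgets to hash and salt") is easiest to see beside the correct form. The following is an added example, not code from the study: the two failure modes (plaintext, and a fast unsalted hash) next to a salted, iterated KDF with constant-time verification. The record format is my own; the 600,000-iteration figure for PBKDF2-HMAC-SHA256 is the current OWASP Password Storage Cheat Sheet recommendation, and the user table is constructed.

```python
"""Added example, not code from the study above: the storage mistakes the
abstract describes (plaintext, or a fast unsalted hash) beside a hardened
version.  The record format and the iteration count are my choices; 600,000
PBKDF2-HMAC-SHA256 iterations is the current OWASP Password Storage Cheat Sheet
figure.  Where a library is available, a memory-hard KDF (Argon2id, scrypt) is
the better choice.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000


def store_plaintext(password):
    """Failure mode 1: the database leak *is* the password list."""
    return password


def store_unsalted_md5(password):
    """Failure mode 2: fast and unsalted.  Equal passwords give equal records,
    so a leak shows who shares a password, and one precomputed table covers
    every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_hardened(password, iterations=ITERATIONS):
    """Per-user random salt plus a slow, iterated KDF.  The record carries its
    own parameters so they can be raised later without a flag day."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_hardened(record, password):
    """Recompute with the stored salt and parameters; compare in constant time.
    Malformed records fail closed."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def duplicate_groups(records):
    """Number of records a leaked table exposes as sharing a password with
    another user: non-zero for unsalted storage, zero for salted storage."""
    seen = {}
    for r in records:
        seen[r] = seen.get(r, 0) + 1
    return sum(n for n in seen.values() if n > 1)


if __name__ == "__main__":
    # Constructed user table; two users chose the same password.
    users = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "kx9#Lq2v"}
    print("unsalted duplicates:",
          duplicate_groups([store_unsalted_md5(p) for p in users.values()]))
    print("hardened duplicates:",
          duplicate_groups([store_hardened(p) for p in users.values()]))
    rec = store_hardened(users["alice"])
    print(verify_hardened(rec, "Winter2024!"), verify_hardened(rec, "winter2024!"))
```

The salt is what makes the two hardened records for the same password differ, the iteration count is what makes each offline guess expensive, and `hmac.compare_digest` is what keeps the verifier from leaking how many bytes of a guess matched.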

    A World Full of Privacy and Security (Mis)conceptions? Findings of a Representative Survey in 12 Countries

    Misconceptions about digital security and privacy topics in the general public frequently lead to insecure behavior. However, little is known about the prevalence and extent of such misconceptions in a global context. In this work, we present the results of the first large-scale survey of a global population on misconceptions: We conducted an online survey with n = 12,351 participants in 12 countries on four continents. By investigating influencing factors of misconceptions around eight common security and privacy topics (including E2EE, Wi-Fi, VPN, and malware), we find the country of residence to be the strongest estimate for holding misconceptions. We also identify differences between non-Western and Western countries, demonstrating the need for region-specific research on user security knowledge, perceptions, and behavior. While we did not observe many outright misconceptions, we did identify a lack of understanding and uncertainty about several fundamental privacy and security topics.