
    Usability of Humanly Computable Passwords

    Reusing passwords across multiple websites is a common practice that compromises security. Recently, Blum and Vempala have proposed password strategies to help people calculate, in their heads, passwords for different sites without dependence on third-party tools or external devices. Thus far, the security and efficiency of these "mental algorithms" has been analyzed only theoretically. But are such methods usable? We present the first usability study of humanly computable password strategies, involving a learning phase (to learn a password strategy), then a rehearsal phase (to login to a few websites), and multiple follow-up tests. In our user study, with training, participants were able to calculate a deterministic eight-character password for an arbitrary new website in under 20 seconds

    A comprehensive study of the usability of multiple graphical passwords

    Recognition-based graphical authentication systems (RBGSs) using images as passwords have been proposed as one potential solution to the need for more usable authentication. The rapid increase in the technologies requiring user authentication has increased the number of passwords that users have to remember. But nearly all prior work with RBGSs has studied the usability of a single password. In this paper, we present the first published comparison of the usability of multiple graphical passwords with four different image types: Mikon, doodle, art and everyday objects (food, buildings, sports etc.). A longitudinal experiment was performed with 100 participants over a period of 8 weeks, to examine the usability performance of each of the image types. The results of the study demonstrate that object images are most usable in the sense of being more memorable and less time-consuming to employ, Mikon images are close behind but doodle and art images are significantly inferior. The results of our study complement cognitive literature on the picture superiority effect, visual search process and nameability of visually complex images

    Centralized vs Decentralized Multi-Agent Guesswork

    We study a notion of guesswork, where multiple agents intend to launch a coordinated brute-force attack to find a single binary secret string, and each agent has access to side information generated through either a BEC or a BSC. The average number of trials required to find the secret string grows exponentially with the length of the string, and the rate of the growth is called the guesswork exponent. We compute the guesswork exponent for several multi-agent attacks. We show that a multi-agent attack reduces the guesswork exponent compared to a single agent, even when the agents do not exchange information to coordinate their attack, and try to individually guess the secret string using a predetermined scheme in a decentralized fashion. Further, we show that the guesswork exponent of two agents who do coordinate their attack is strictly smaller than that of any finite number of agents individually performing decentralized guesswork. Comment: Accepted at IEEE International Symposium on Information Theory (ISIT) 201

    Why Botnets Work: Distributed Brute-Force Attacks Need No Synchronization

    In September 2017, McAfee Labs quarterly report estimated that brute force attacks represent 20% of total network attacks, making them the most prevalent type of attack ex aequo with browser based vulnerabilities. These attacks have sometimes catastrophic consequences, and understanding their fundamental limits may play an important role in the risk assessment of password-secured systems, and in the design of better security protocols. While some solutions exist to prevent online brute-force attacks that arise from one single IP address, attacks performed by botnets are more challenging. In this paper, we analyze these distributed attacks by using a simplified model. Our aim is to understand the impact of distribution and asynchronization on the overall computational effort necessary to breach a system. Our result is based on Guesswork, a measure of the number of queries (guesses) required of an adversary before a correct sequence, such as a password, is found in an optimal attack. Guesswork is a direct surrogate for time and computational effort of guessing a sequence from a set of sequences with associated likelihoods. We model the lack of synchronization by a worst-case optimization in which the queries made by multiple adversarial agents are received in the worst possible order for the adversary, resulting in a min-max formulation. We show that, even without synchronization, and for sequences of growing length, the asymptotic optimal performance is achievable by using randomized guesses drawn from an appropriate distribution. Therefore, randomization is key for distributed asynchronous attacks. In other words, asynchronous guessers can asymptotically perform brute-force attacks as efficiently as synchronized guessers. Comment: Accepted to IEEE Transactions on Information Forensics and Securit

    Naturally Rehearsing Passwords

    We introduce quantitative usability and security models to guide the design of password management schemes --- systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing usability assumptions. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and validated through empirical studies. Given rehearsal requirements and a user's visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of his passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues--- a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals