
    Naturally Rehearsing Passwords

    We introduce quantitative usability and security models to guide the design of password management schemes, systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing usability assumptions. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and validated through empirical studies. Given rehearsal requirements and a user's visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of their passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues, a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals.
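A constructed illustration of the extra-rehearsal metric described in the abstract above, added for this listing and not taken from the paper: four accounts visited at very different rates, an expanding rehearsal schedule (intervals doubling from one day, an assumption standing in for the paper's memory model) and two ways of assigning cues to accounts. A cue is rehearsed naturally whenever any account whose password uses it is visited; every rehearsal interval without such a visit costs one extra rehearsal. The "shared" cue sets are hand-picked so that any two accounts overlap in at most one cue; they are not produced by the paper's Chinese Remainder Theorem construction.

```python
"""Counting extra rehearsals for a set of password cues.

Added example for this listing, not code from the paper: the expanding
rehearsal intervals, the visitation periods and the cue assignments are
constructed assumptions, and the sharing sets are hand-picked rather than
built with the paper's Chinese Remainder Theorem construction.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

Visits = Dict[str, List[int]]    # account -> days on which it is visited
CueSets = Dict[str, Set[str]]    # account -> cues its password is built from


def rehearsal_intervals(horizon: int, base: int = 1, factor: int = 2) -> List[Tuple[int, int]]:
    """Intervals (start, end] in which a cue must be rehearsed at least once.

    Assumption: an expanding schedule (base, base*factor, ...) standing in for
    the paper's memory model; the constants are not taken from the paper.
    """
    intervals, start, gap = [], 0, base
    while start + gap <= horizon:
        intervals.append((start, start + gap))
        start, gap = start + gap, gap * factor
    return intervals


def visit_schedule(periods: Dict[str, int], horizon: int) -> Visits:
    """Constructed visitation schedule: each account is visited every `period` days."""
    return {acct: list(range(p, horizon + 1, p)) for acct, p in periods.items()}


def extra_rehearsals(cue_sets: CueSets, visits: Visits, horizon: int) -> int:
    """Number of rehearsal intervals in which no account using the cue was visited."""
    cue_days: Dict[str, Set[int]] = {}
    for acct, cues in cue_sets.items():
        for cue in cues:
            cue_days.setdefault(cue, set()).update(visits[acct])
    intervals = rehearsal_intervals(horizon)
    return sum(
        1
        for days in cue_days.values()
        for start, end in intervals
        if not any(start < d <= end for d in days)
    )


def max_cue_overlap(cue_sets: CueSets) -> int:
    """Largest number of cues two accounts share: a plaintext leak of one
    account's password exposes exactly these cues for the other account."""
    return max(len(a & b) for a, b in combinations(cue_sets.values(), 2))


# Constructed scenario: four accounts with very different visit rates.
PERIODS = {"mail": 1, "shop": 7, "bank": 30, "tax": 180}
HORIZON = 365
INDEPENDENT: CueSets = {acct: {f"cue_{acct}"} for acct in PERIODS}
SHARED: CueSets = {   # hand-picked so that any two accounts share at most one cue
    "mail": {"A", "B"}, "shop": {"C", "D"}, "bank": {"A", "C"}, "tax": {"B", "D"},
}


def compare() -> Dict[str, Tuple[int, int]]:
    """(extra rehearsals per year, max cue overlap) for both schemes."""
    visits = visit_schedule(PERIODS, HORIZON)
    return {
        name: (extra_rehearsals(cues, visits, HORIZON), max_cue_overlap(cues))
        for name, cues in (("independent", INDEPENDENT), ("shared", SHARED))
    }


if __name__ == "__main__":
    for name, (extra, overlap) in compare().items():
        print(f"{name:12s} extra rehearsals/year={extra:3d}  max shared cues={overlap}")
```

With these numbers the independent scheme costs 13 extra rehearsals a year (the rarely visited tax and bank cues are never rehearsed naturally in the early intervals), while the shared assignment costs 4, because the daily mail visits rehearse cues A and B for the bank and tax accounts too; the price is that one leaked password now exposes one cue of two other accounts, which is what the overlap number tracks.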

    Trenchcoat: Human-Computable Hashing Algorithms for Password Generation

    The average user has between 90 and 130 online accounts, and around $3 \times 10^{11}$ passwords are in use this year. Most people are terrible at remembering "random" passwords, so they reuse or create similar passwords using a combination of predictable words, numbers, and symbols. Previous password-generation or management protocols have imposed so large a cognitive load that users have abandoned them in favor of insecure yet simpler methods (e.g., writing them down or reusing minor variants). We describe a range of candidate human-computable "hash" functions suitable for use as password generators, as long as the human (with minimal education assumptions) keeps a single, easily-memorizable "master" secret, and rate them by various metrics, including effective security. These functions hash master secrets with user accounts to produce sub-secrets that can be used as passwords: $F_R(s, w) \longrightarrow y$ takes a website $w$ and produces a password $y$, parameterized by a master secret $s$, which may or may not be a string. We exploit the unique configuration $R$ of each user's associative and implicit memory (detailed in section 2) to ensure that sources of randomness unique to each user are present in each master secret $F_R$. An adversary cannot compute or verify $F_R$ efficiently since $R$ is unique to each individual; in that sense, our hash function is similar to a physically unclonable function. For the algorithms we propose, the user need only complete primitive operations such as addition, spatial navigation or searching. Critically, most of our methods are also accessible to neurodiverse, or cognitively or physically differently-abled persons. We present results from a survey (n=134 individuals) investigating real-world usage of these methods and how people currently come up with their passwords; we also survey 400 websites to collate current password advice.

    Usable Security: Why Do We Need It? How Do We Get It?

    Security experts frequently refer to people as "the weakest link in the chain" of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it "was easier to dupe people into revealing it" by employing a range of social engineering techniques. Often, such failures are attributed to users' carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice.

    Identification and Authentication: Technology and Implementation Issues

    Computer-based information systems in general, and Internet e-commerce and e-business systems in particular, employ many types of resources that need to be protected against access by unauthorized users. Three main components of access control are used in most information systems: identification, authentication, and authorization. In this paper we focus on authentication, which is the most problematic component. The three main approaches to user authentication are: knowledge-based, possession-based, and biometric-based. We review and compare the various authentication mechanisms of these approaches and the technology and implementation issues they involve. Our conclusion is that there is no silver bullet solution to user authentication problems. Authentication practices need improvement. Further research should lead to a better understanding of user behavior and the applied psychology aspects of computer security.

    Usability and Trust in Information Systems

    The need for people to protect themselves and their assets is as old as humankind. People's physical safety and their possessions have always been at risk from deliberate attack or accidental damage. The advance of information technology means that many individuals, as well as corporations, have an additional range of physical (equipment) and electronic (data) assets that are at risk. Furthermore, the increased number and types of interactions in cyberspace has enabled new forms of attack on people and their possessions. Consider grooming of minors in chat-rooms, or Nigerian email cons: minors were targeted by paedophiles before the creation of chat-rooms, and Nigerian criminals sent the same letters by physical mail or fax before there was email. But the technology has decreased the cost of many types of attacks, or the degree of risk for the attackers. At the same time, cyberspace is still new to many people, which means they do not understand risks, or recognise the signs of an attack, as readily as they might in the physical world. The IT industry has developed a plethora of security mechanisms, which could be used to mitigate risks or make attacks significantly more difficult. Currently, many people are either not aware of these mechanisms, or are unable or unwilling to use them. Security experts have taken to portraying people as "the weakest link" in their efforts to deploy effective security [e.g. Schneier, 2000]. However, recent research has revealed that at least some of the problem may be that security mechanisms are hard to use, or ineffective. The review summarises current research on the usability of security mechanisms, and discusses options for increasing their usability and effectiveness.

    Security and Online learning: to protect or prohibit

    The rapid development of online learning is opening up many new learning opportunities. Yet, with this increased potential comes a myriad of risks. Usable security systems are essential, as poor usability in security can result in excluding intended users while allowing sensitive data to be released to unacceptable recipients. This chapter presents findings concerned with usability for two security issues: authentication mechanisms and privacy. Usability issues such as memorability, feedback, guidance, context of use and concepts of information ownership are reviewed within various environments. This chapter also reviews the roots of these usability difficulties in the culture clash between the non-user-oriented perspective of security and the information exchange culture of the education domain. Finally, an account is provided of how future systems can be developed which maintain security and yet are still usable.

    Towards Human Computable Passwords

    An interesting challenge for the cryptography community is to design authentication protocols that are so simple that a human can execute them without relying on a fully trusted computer. We propose several candidate authentication protocols for a setting in which the human user can only receive assistance from a semi-trusted computer, a computer that stores information and performs computations correctly but does not provide confidentiality. Our schemes use a semi-trusted computer to store and display public challenges $C_i \in [n]^k$. The human user memorizes a random secret mapping $\sigma : [n] \rightarrow \mathbb{Z}_d$ and authenticates by computing responses $f(\sigma(C_i))$ to a sequence of public challenges, where $f : \mathbb{Z}_d^k \rightarrow \mathbb{Z}_d$ is a function that is easy for the human to evaluate. We prove that any statistical adversary needs to sample $m = \tilde{\Omega}(n^{s(f)})$ challenge-response pairs to recover $\sigma$, for a security parameter $s(f)$ that depends on two key properties of $f$. To obtain our results, we apply the general hypercontractivity theorem to lower bound the statistical dimension of the distribution over challenge-response pairs induced by $f$ and $\sigma$. Our lower bounds apply to arbitrary functions $f$ (not just to functions that are easy for a human to evaluate), and generalize recent results of Feldman et al. As an application, we propose a family of human computable password functions $f_{k_1,k_2}$ in which the user needs to perform $2k_1 + 2k_2 + 1$ primitive operations (e.g., adding two digits or remembering $\sigma(i)$), and we show that $s(f) = \min\{k_1 + 1, (k_2 + 1)/2\}$. For these schemes, we prove that forging passwords is equivalent to recovering the secret mapping. Thus, our human computable password schemes can maintain strong security guarantees even after an adversary has observed the user login to many different accounts.
    Comment: Fixed bug in definition of $Q^{f,j}$ and modified proofs accordingly
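The exchange described in the abstract above, simulated end to end as an added example (not the paper's code; it also stands in for the Trenchcoat-style $F_R(s, w)$ idea in the earlier abstract, where a human-evaluated function of a memorised secret and a public input yields a password). The secret mapping $\sigma : [n] \rightarrow \mathbb{Z}_{10}$ and the public challenges follow the abstract; the concrete shape of $f_{k_1,k_2}$ here is an assumption: the first ten challenge positions form a lookup table, the sum of the next $k_1$ secret digits mod 10 selects a table entry, and the last $k_2$ secret digits are added to it, which is exactly $2k_1 + 2k_2 + 1$ recalls and additions. The semi-trusted computer only stores and shows challenges; the verifier holds $\sigma$ and recomputes the responses.

```python
"""Challenge-response login with a human-computable function f.

Added example for this listing, not the paper's code.  sigma: [n] -> Z_10 and
the public challenges follow the abstract; the concrete shape of f_{k1,k2}
below (10-entry lookup table, selector of k1 digits, tail of k2 digits) is an
assumption chosen so that a response costs 2*k1 + 2*k2 + 1 primitive operations.
"""
import random
from typing import Dict, List, Tuple

D = 10                                   # every item in [n] maps to a digit
Challenge = List[int]                    # k indices into [n]
Transcript = List[Tuple[Challenge, int]]


def gen_secret(n: int, rng: random.Random) -> List[int]:
    """sigma: the only thing the human memorises (n random digits)."""
    return [rng.randrange(D) for _ in range(n)]


def challenge_length(k1: int, k2: int) -> int:
    return 10 + k1 + k2                  # lookup table + selector digits + tail digits


def gen_challenge(n: int, k1: int, k2: int, rng: random.Random) -> Challenge:
    """Public: stored and displayed by the semi-trusted computer."""
    return [rng.randrange(n) for _ in range(challenge_length(k1, k2))]


def f_k1_k2(x: List[int], k1: int, k2: int) -> int:
    """Response computed in the human's head on the digits x = sigma(C)."""
    table, selector, tail = x[:10], x[10:10 + k1], x[10 + k1:]
    idx = sum(selector) % D              # k1 recalls, k1-1 additions, 1 lookup
    return (table[idx] + sum(tail)) % D  # 1 recall of table[idx], k2 recalls, k2 additions


def primitive_operations(k1: int, k2: int) -> int:
    return 2 * k1 + 2 * k2 + 1


def respond(sigma: List[int], c: Challenge, k1: int, k2: int) -> int:
    return f_k1_k2([sigma[i] for i in c], k1, k2)


def login(sigma: List[int], n: int, k1: int, k2: int, rounds: int, rng: random.Random) -> Transcript:
    """One login: the computer shows `rounds` challenges and the human answers
    each; the sequence of answers is the password for that account."""
    transcript = []
    for _ in range(rounds):
        c = gen_challenge(n, k1, k2, rng)
        transcript.append((c, respond(sigma, c, k1, k2)))
    return transcript


def verify(sigma: List[int], transcript: Transcript, k1: int, k2: int) -> bool:
    """Verifier side: recompute every response from the stored sigma."""
    return all(respond(sigma, c, k1, k2) == r for c, r in transcript)


def demo(seed: int = 2024) -> Dict[str, object]:
    rng = random.Random(seed)
    n, k1, k2 = 30, 2, 2
    sigma = gen_secret(n, rng)
    session = login(sigma, n, k1, k2, rounds=6, rng=rng)
    # A wrong secret that shifts every digit by 5 leaves the table index
    # unchanged but shifts every response by 5, so it can never verify.
    wrong = [(s + 5) % D for s in sigma]
    return {
        "ops_per_response": primitive_operations(k1, k2),
        "valid": verify(sigma, session, k1, k2),
        "wrong_secret_valid": verify(wrong, session, k1, k2),
    }


if __name__ == "__main__":
    print(demo())
    # An eavesdropper only ever sees (C_i, f(sigma(C_i))) pairs; the paper's
    # bound says a statistical adversary needs about n^{s(f)} of them to recover sigma.
```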

    Password Habits and Cracking Toolkit

    Passwords comprise important pieces of information nowadays. They are at the basis of many access control systems and are often the first, something-you-know factor of authentication mechanisms. They comprise keys to computer systems, confidential information or even physical facilities, and their widespread adoption makes their discovery one of the main objectives of the initial phase of computer attacks and an interesting research topic. On the one hand, since passwords are sequences of characters with which the input of users has to be compared, their representations have to be stored in computer systems; on the other, given their sensitive nature, they have to be stored in a secure manner. Rather than the passwords themselves, it is common and preferable to save transformations of these sequences of characters, which should be obtained using functions with stringent properties, such as cryptographically secure hash or encryption functions. There are many known methods available and documented nowadays for such a task, scrutinized in the literature and considered secure, though they are not always correctly employed. Obtaining a password from a representation is thus, normally, a computationally unfeasible task. Cracking a password often refers to the procedure of submitting several known passwords (using dictionaries or compendiums) or patterns (using brute force attacks) to the transformation procedure and comparing the result with a representation, until a match is obtained, if ever. As such, the security of the mechanism used to obtain the representations is also dependent on how guessable the passwords are. This dissertation addresses the topics of habits for construction of passwords and tools for cracking them. Several specialized tools for cracking are available nowadays, most of them free or open source, designed for command line interaction only.
    One of the main contributions of this work comprised the development of a Graphical User Interface (GUI) for several cracking tools (namely Hashcat, John the Ripper and RainbowCrack), congregating their most interesting features in an integrated and meaningful manner. The developed toolkit, named PassCrackGUI, was then used in the cracking attempt of several Databases (DBs) with password representations that leaked to the Internet in 2014 and 2015, with the intention of analyzing how vulnerable they were to the procedure, and also the contemporary habits of people in terms of construction of passwords. Also aiming to better study the latter topic, a questionnaire was prepared and delivered to 64 participants. This analysis of password habits constitutes another contribution of this work. PassCrackGUI is a main output of this Master of Science (M.Sc.) program. It is fully functional, easy to use and made freely available as an open-source project. It was written in Java and tested on Linux, Windows and Mac Operating Systems (OSs). When using it to crack the leaked DBs, it was possible to recover 36% of the 4233 password representations using only dictionaries and simple rules on a common laptop. Part of the problem lies in the adopted mechanisms for obtaining the representations, which were outdated in most of the cases; very weak passwords also contributed to this number (e.g., a significant number of 4-digit passwords was found in one of the DBs). The results from the survey corroborate other works in the area, namely in terms of stereotypes. For example, the answers suggest that men use longer and more diverse (in terms of character sets) passwords than women. Nonetheless, several contradicting aspects lead to the conclusion that the participants may be claiming to construct stronger passwords than they really use.
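The two factors the dissertation blames, an outdated representation and guessable passwords, shown side by side in an added example that is not code from the dissertation or from PassCrackGUI. The "leaked DB", the wordlist and the mangling rules are constructed; the rules only mimic the flavour of Hashcat/John the Ripper rules, and the 4-digit mask stands in for the brute-force phase. Against unsalted MD5 one digest per candidate is compared with every user at once; against a per-user salt and an iterated KDF the same guesses have to be rehashed per user and per iteration, which the last function quantifies.

```python
"""Dictionary-plus-rules cracking against an outdated password representation
(unsalted MD5), next to a salted, iterated hash.

Added example for this listing, not code from the dissertation or from
PassCrackGUI: the "leaked DB", the wordlist and the mangling rules are
constructed, and the rules only mimic the flavour of Hashcat/JtR rules.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# Constructed leak: unsalted MD5 digests, the kind of outdated representation
# the dissertation reports finding in the 2014/2015 dumps.
PLAINTEXTS = {"alice": "Password1", "bob": "dragon2015", "carol": "summer!",
              "dave": "1234", "eve": "Tr0ub4dor&3"}
LEAKED_DB = {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in PLAINTEXTS.items()}
WORDLIST = ["password", "letmein", "summer", "dragon", "qwerty"]


def mangle(word: str) -> Iterable[str]:
    """A few rule-style transformations: case, common suffixes, leetspeak."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "2014", "2015", "!"):
            yield base + suffix
    yield word.translate(str.maketrans("aeo", "@30"))


def candidates(wordlist: List[str]) -> Iterable[str]:
    for word in wordlist:
        yield from mangle(word)
    for pin in range(10_000):            # mask ?d?d?d?d: the whole 4-digit keyspace
        yield f"{pin:04d}"


def crack_unsalted_md5(db: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Unsalted: one digest per candidate is matched against every user at once."""
    users_by_digest: Dict[str, List[str]] = {}
    for user, digest in db.items():
        users_by_digest.setdefault(digest, []).append(user)
    found, hashes_computed = {}, 0
    for cand in candidates(wordlist):
        hashes_computed += 1
        for user in users_by_digest.get(hashlib.md5(cand.encode()).hexdigest(), []):
            found[user] = cand
    return found, hashes_computed


def make_salted_record(password: str, iterations: int = 100_000) -> Tuple[bytes, int, bytes]:
    """Current practice: per-user random salt and an iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password: str, record: Tuple[bytes, int, bytes]) -> bool:
    salt, iterations, digest = record
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations) == digest


def salted_work(n_users: int, n_candidates: int, iterations: int) -> int:
    """Hash calls needed for the same guesses against salted records: the salt
    forces every candidate to be rehashed per user, each guess costing `iterations`."""
    return n_users * n_candidates * iterations


if __name__ == "__main__":
    found, work = crack_unsalted_md5(LEAKED_DB, WORDLIST)
    print(f"recovered {len(found)}/{len(LEAKED_DB)} with {work} MD5 calls: {found}")
    print("same guesses against salted PBKDF2 records:",
          salted_work(len(LEAKED_DB), work, 100_000), "hash calls")
```

Four of the five constructed accounts fall to 65 rule-expanded dictionary words plus the 10,000-PIN mask; only the long, non-dictionary password survives. The MD5 count is the whole cost for the unsalted DB, whereas salting and iteration multiply that same guessing effort by the number of users and the iteration count.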

    User habitation in keystroke dynamics based authentication

    Most computer systems use usernames and passwords for authentication and access control. For a long time, password security has been framed as a tradeoff between user experience and password security. Trading off one for the other appears to be an inevitable dilemma for single-password-based security applications. As a new biometric for authenticating access, keystroke dynamics offers great promise in hardening the password mechanism. Our research first investigates keystroke dynamics based password security by conducting an incremental study on users' habituation process for keystroke dynamics analysis using two distinct types of passwords. The study shows that (1) long and complex passwords are more efficient to employ in keystroke dynamics systems; and (2) there is a habituation and acclimation process before the user obtains a stable keystroke pattern and the system collects enough training data. Then, based on our findings, we propose a two-password mechanism that attempts to strike the right balance between user experience and password security by adopting a conventional easy-to-memorize password followed by a long-and-complex phrase for keystroke dynamics verification. Analysis and experimental studies successfully demonstrate the effectiveness of our proposed approach.
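The two-password mechanism in the abstract above, as an added example that is not the paper's code: a conventional password check followed by a keystroke-dynamics check on a long phrase. The dwell/flight features, the 2-sigma rule, the sigma floor and the enrolment threshold are assumptions, and every timing value is constructed rather than measured. The enrolment step returns nothing until enough samples exist, mirroring the habituation period the paper reports, and the feature counts make the paper's first finding concrete: the long phrase yields many more features to compare than a short password.

```python
"""Keystroke dynamics on a long phrase as a second check after a conventional
password, in the spirit of the two-password mechanism above.

Added example for this listing, not the paper's code: the dwell/flight
features, the 2-sigma rule, the sigma floor and the enrolment threshold are
assumptions, and all timing data is constructed, not measured.
"""
import random
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

Keystroke = Tuple[str, float, float]       # (key, press_ms, release_ms)
Profile = List[Tuple[float, float]]        # per feature: (mean, sigma)

SIGMA_FLOOR_MS = 6.0        # assumption: never trust a spread tighter than timer jitter
MIN_ENROLL_SAMPLES = 8      # assumption: habituation period before the profile is used


def features(sample: List[Keystroke]) -> List[float]:
    """Dwell (hold) time of each key plus flight time between consecutive keys."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples: List[List[Keystroke]]) -> Optional[Profile]:
    """Per-feature mean and spread; None until enough habituated samples exist."""
    if len(samples) < MIN_ENROLL_SAMPLES:
        return None
    columns = zip(*(features(s) for s in samples))
    return [(mean(col), max(pstdev(col), SIGMA_FLOOR_MS)) for col in columns]


def rhythm_score(profile: Profile, sample: List[Keystroke]) -> float:
    """Fraction of features within 2 sigma of the enrolled mean."""
    feats = features(sample)
    hits = sum(abs(x - m) <= 2 * s for x, (m, s) in zip(feats, profile))
    return hits / len(feats)


def two_password_login(given: str, stored: str, profile: Profile,
                       phrase_sample: List[Keystroke], threshold: float = 0.8) -> bool:
    """Easy-to-memorise password first, then keystroke dynamics on the long phrase."""
    return given == stored and rhythm_score(profile, phrase_sample) >= threshold


def typed(text: str, dwell_ms: float, flight_ms: float, rng: random.Random) -> List[Keystroke]:
    """Constructed keystroke log: `text` typed with a given rhythm and +-5 ms jitter."""
    t, log = 0.0, []
    for ch in text:
        release = t + dwell_ms + rng.uniform(-5, 5)
        log.append((ch, t, release))
        t = release + flight_ms + rng.uniform(-5, 5)
    return log


PHRASE = "correct horse battery staple"


def demo(seed: int = 1) -> Dict[str, object]:
    rng = random.Random(seed)
    owner_samples = [typed(PHRASE, 90, 120, rng) for _ in range(MIN_ENROLL_SAMPLES)]
    profile = enroll(owner_samples)
    owner_try = typed(PHRASE, 90, 120, rng)
    impostor_try = typed(PHRASE, 150, 220, rng)     # knows the phrase, not the rhythm
    return {
        "phrase_features": len(features(owner_try)),
        "short_password_features": len(features(typed("pass", 90, 120, rng))),
        "owner_score": rhythm_score(profile, owner_try),
        "impostor_score": rhythm_score(profile, impostor_try),
        "owner_login": two_password_login("s3cret", "s3cret", profile, owner_try),
        "impostor_login": two_password_login("s3cret", "s3cret", profile, impostor_try),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:25s} {value}")
```

Because the constructed jitter is bounded at 5 ms and the spread is floored at 6 ms, the owner's retry lands within tolerance on every feature while the impostor, who types the correct phrase with a slower rhythm, matches none of them; real keystroke data is noisier, which is exactly why the paper needs a habituation period before the profile stabilises.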