197 research outputs found
Naturally Rehearsing Passwords
We introduce quantitative usability and security models to guide the design
of password management schemes --- systematic strategies to help users create
and remember multiple passwords. In the same way that security proofs in
cryptography are based on complexity-theoretic assumptions (e.g., hardness of
factoring and discrete logarithm), we quantify usability by introducing
usability assumptions. In particular, password management relies on assumptions
about human memory, e.g., that a user who follows a particular rehearsal
schedule will successfully maintain the corresponding memory. These assumptions
are informed by research in cognitive science and validated through empirical
studies. Given rehearsal requirements and a user's visitation schedule for each
account, we use the total number of extra rehearsals that the user would have
to do to remember all of his passwords as a measure of the usability of the
password scheme. Our usability model leads us to a key observation: password
reuse benefits users not only by reducing the number of passwords that the user
has to memorize, but more importantly by increasing the natural rehearsal rate
for each password. We also present a security model which accounts for the
complexity of password management with multiple accounts and associated
threats, including online, offline, and plaintext password leak attacks.
Observing that current password management schemes are either insecure or
unusable, we present Shared Cues--- a new scheme in which the underlying secret
is strategically shared across accounts to ensure that most rehearsal
requirements are satisfied naturally while simultaneously providing strong
security. The construction uses the Chinese Remainder Theorem to achieve these
competing goals
Trenchcoat: Human-Computable Hashing Algorithms for Password Generation
The average user has between 90-130 online accounts, and around passwords are in use this year. Most people are terrible at
remembering "random" passwords, so they reuse or create similar passwords using
a combination of predictable words, numbers, and symbols. Previous
password-generation or management protocols have imposed so large a cognitive
load that users have abandoned them in favor of insecure yet simpler methods
(e.g., writing them down or reusing minor variants).
We describe a range of candidate human-computable "hash" functions suitable
for use as password generators - as long as the human (with minimal education
assumptions) keeps a single, easily-memorizable "master" secret - and rate them
by various metrics, including effective security.
These functions hash master-secrets with user accounts to produce sub-secrets
that can be used as passwords; s, takes a website
, produces a password , parameterized by master secret , which may or
may not be a string.
We exploit the unique configuration of each user's associative and
implicit memory (detailed in section 2) to ensure that sources of randomness
unique to each user are present in each master-secret . An adversary
cannot compute or verify efficiently since is unique to each
individual; in that sense, our hash function is similar to a physically
unclonable function. For the algorithms we propose, the user need only complete
primitive operations such as addition, spatial navigation or searching.
Critically, most of our methods are also accessible to neurodiverse, or
cognitively or physically differently-abled persons.
We present results from a survey (n=134 individuals) investigating real-world
usage of these methods and how people currently come up with their passwords,
we also survey 400 websites to collate current password advice
Usable Security: Why Do We Need It? How Do We Get It?
Security experts frequently refer to people as âthe weakest link in the chainâ of system
security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password,
because it âwas easier to dupe people into revealing itâ by employing a range of social
engineering techniques. Often, such failures are attributed to usersâ carelessness and
ignorance. However, more enlightened researchers have pointed out that current security
tools are simply too complex for many users, and they have made efforts to improve
user interfaces to security tools. In this chapter, we aim to broaden the current perspective,
focusing on the usability of security tools (or products) and the process of designing
secure systems for the real-world context (the panorama) in which they have to operate.
Here we demonstrate how current human factors knowledge and user-centered design
principles can help security designers produce security solutions that are effective in practice
Identification and Authentication: Technology and Implementation Issues
Computer-based information systems in general, and Internet e-commerce and e-business systems in particular, employ many types of resources that need to be protected against access by unauthorized users. Three main components of access control are used in most information systems: identification, authentication, and authorization. In this paper we focus on authentication, which is the most problematic component. The three main approaches to user authentication are: knowledge-based, possession-based, and biometric-based. We review and compare the various authentication mechanisms of these approaches and the technology and implementation issues they involve. Our conclusion is that there is no silver bullet solution to user authentication problems. Authentication practices need improvement. Further research should lead to a better understanding of user behavior and the applied psychology aspects of computer security
Usability and Trust in Information Systems
The need for people to protect themselves and their assets is as old as humankind. People's physical safety and their possessions have always been at risk from deliberate attack or accidental damage. The advance of information technology means that many individuals, as well as corporations, have an additional range of physical (equipment) and electronic (data) assets that are at risk. Furthermore, the increased number and types of interactions in cyberspace has enabled new forms of attack on people and their possessions. Consider grooming of minors in chat-rooms, or Nigerian email cons: minors were targeted by paedophiles before the creation of chat-rooms, and Nigerian criminals sent the same letters by physical mail or fax before there was email. But the technology has decreased the cost of many types of attacks, or the degree of risk for the attackers. At the same time, cyberspace is still new to many people, which means they do not understand risks, or recognise the signs of an attack, as readily as they might in the physical world. The IT industry has developed a plethora of security mechanisms, which could be used to mitigate risks or make attacks significantly more difficult. Currently, many people are either not aware of these mechanisms, or are unable or unwilling or to use them. Security experts have taken to portraying people as "the weakest link" in their efforts to deploy effective security [e.g. Schneier, 2000]. However, recent research has revealed at least some of the problem may be that security mechanisms are hard to use, or be ineffective. The review summarises current research on the usability of security mechanisms, and discusses options for increasing their usability and effectiveness
Security and Online learning: to protect or prohibit
The rapid development of online learning is opening up many new learning opportunities. Yet, with this increased potential come a myriad of risks. Usable security systems are essential as poor usability in security can result in excluding intended users while allowing sensitive data to be released to unacceptable recipients. This chapter presents findings concerned with usability for two security issues: authentication mechanisms and privacy. Usability issues such as memorability, feedback, guidance, context of use and concepts of information ownership are reviewed within various environments. This chapter also reviews the roots of these usability difficulties in the culture clash between the non-user-oriented perspective of security and the information exchange culture of the education domain. Finally an account is provided of how future systems can be developed which maintain security and yet are still usable
Towards Human Computable Passwords
An interesting challenge for the cryptography community is to design
authentication protocols that are so simple that a human can execute them
without relying on a fully trusted computer. We propose several candidate
authentication protocols for a setting in which the human user can only receive
assistance from a semi-trusted computer --- a computer that stores information
and performs computations correctly but does not provide confidentiality. Our
schemes use a semi-trusted computer to store and display public challenges
. The human user memorizes a random secret mapping
and authenticates by computing responses
to a sequence of public challenges where
is a function that is easy for the
human to evaluate. We prove that any statistical adversary needs to sample
challenge-response pairs to recover , for
a security parameter that depends on two key properties of . To
obtain our results, we apply the general hypercontractivity theorem to lower
bound the statistical dimension of the distribution over challenge-response
pairs induced by and . Our lower bounds apply to arbitrary
functions (not just to functions that are easy for a human to evaluate),
and generalize recent results of Feldman et al. As an application, we propose a
family of human computable password functions in which the user
needs to perform primitive operations (e.g., adding two digits or
remembering ), and we show that .
For these schemes, we prove that forging passwords is equivalent to recovering
the secret mapping. Thus, our human computable password schemes can maintain
strong security guarantees even after an adversary has observed the user login
to many different accounts.Comment: Fixed bug in definition of Q^{f,j} and modified proofs accordingl
Password Habits and Cracking Toolkit
Passwords comprise important pieces of information nowadays. They are on the basis of many
access control systems and are often the first, something-you-know factor of authentication
mechanisms. They comprise keys to computer systems, confidential information or even physical
facilities, and their widespread adoption makes of their discovery one of the main objectives
of the initial phase of computer attacks and an interesting research topic. On the one hand,
since passwords are sequences of characters with which the input of users have to be compared
to, their representations have to be stored in computer systems; on the other, given their
sensitive nature, they have to be stored in a secure manner. Rather than the passwords themselves,
it is common and preferable to save transformations of these sequences of characters,
which should be obtained using functions with stringent properties such as the ones of cryptographically
secure hash or encryption functions. There are many known methods available and
documented nowadays for such task, scrutinized in the literature and considered secure, though
they are not always correctly employed. Obtaining a password from a representation is thus,
normally, a computationally unfeasible task. Cracking a password often refers to the procedure
of submitting several known passwords (using dictionaries or compendiums) or patterns (using
brute force attacks) to the transformation procedure and compare the result with a representation,
until a match is obtained, if ever. As such, the security of the mechanism used to obtain
the representations is also dependent of how guessable the passwords are.
This dissertation addresses the topics of habits for construction of passwords and tools for cracking
them. Several specialized tools for cracking are available nowadays, most of them free or
open source, designed for command line interaction only. One of the main contributions of
this work comprised the development of a Graphical User Interface (GUI) for several cracking
tools (namely Hashcat, John the Ripper and RainbowCrack), congregating their most interesting
features in an integrated and meaningful manner. The developed toolkit, named PassCrackGUI,
was then used in the cracking attempt of several Databases (DBs) with password representations
that leaked to the Internet in 2014 and 2015 with the intention of analyzing how vulnerable they
were to the procedure, and also the contemporary habits of people in terms of construction of
passwords. Also aiming to better study the topic mentioned in last, a questionnaire was prepared
and delivered to 64 participants. This analysis of password habits constitutes another
contribution of this work.
PassCrackGUI is a main output of this Master of Science (M.Sc.) program. It is fully functional,
easy to use and made freely available as an open-source project. It was written in Java and
tested in Linux, Windows and Mac Operating Systems (OSs). When using it to crack the leaked
DBs, it was possible to recover 36% of the 4233 password representations using only dictionaries
and simple rules on a common laptop. Part of the problem lies in the adopted mechanismsfor obtaining the representations, which were outdated in most of the cases; while very weak
passwords also contributed for this number (e.g., a significant number of 4 digits long passwords
was found in one of the DBs). The results from the survey corroborate other works in the
area, namely in terms of stereotypes. For example, the answers suggest that men use longer
and more diverse (in terms of character sets) passwords than women. Nonetheless, several
contracting aspects lead to the conclusion that the participants may be claiming to construct
stronger passwords than they really use.As palavras-passe desempenham, hoje em dia, um papel importante em sistemas informação.
Estas estĂŁo muitas vezes na base de mecanismos de controlo de acesso e constituem frequentemente
o primeiro factor something you know de mecanismos de autenticação. São chaves
para computadores, sistemas de software, informação confidĂȘncial e atĂ© para edifĂcios, e a
sua adoção generalizada torna a sua descoberta um dos principais objetivos da fase inicial de
ataques informåticos e uma årea de investigação muito interessante. Por um lado, dado que
as palavras-passe sĂŁo sequĂȘncias de caracteres com as quais valores fornecidos por utilizadores
tĂȘm de ser comparados, a sua representação tem de ser guardada em sistemas computacionais;
por outro, dada a sua natureza sensĂvel, estas tĂȘm de ser guardadas de uma forma segura.
Ao invĂ©s de guardar as palavras-passe em texto limpo, Ă© comum e preferĂvel guardar transformaçÔes
destas sequĂȘncias de caracteres, obtidas atravĂ©s de funçÔes com propriedades muito
especificas, tais como funçÔes de cifra ou resumo criptogråficas. Existem vårios métodos conhecidos
e documentados hoje em dia para a execução desta tarefa, descritos na literatura da
especialidade e considerados seguros, embora estas nĂŁo sejam sempre corretamente utilizadas.
Assim, a obtenção de uma palavras-passe a partir da representação constitui normalmente uma
tarefa computacionalmente inviĂĄvel. O compromentimento de palavras-passe (do inglĂȘs password
cracking) é então tentado através da submissão repetida de diversas palavras jå conhecidas
(usando dicionårios ou compendios) ou padrÔes à função de transformação, comparando o seu
resultado com a representação capturada, atĂ© que uma correspondĂȘncia seja encontrada ou
as possibilidades se esgotem. Assim, a segurança dos mecanismos usados para a obtenção das
representaçÔes estĂĄ dependente do quĂŁo previsĂveis as palavras-passe sĂŁo.
Esta dissertação aborda temas relacionados com håbitos de construção de palavras-passe e ferramentas
de password cracking. Muitas ferramentas especializadas de cracking estĂŁo disponĂveis
nos dia de hoje, sendo muitas delas gratuidas ou código aberto, desenhadas apenas para interação
em linha de comandos. Uma das principais contribuiçÔes deste trabalho foi o desenvolvimento
de uma interface grĂĄfica para diversas ferramentas de cracking (como o Hashcat, John
the Ripper e RainbowCrack), reunindo as suas funcionalidades mais interessantes de uma forma
concisa e inteligente. A ferramenta desenvolvida, designada por PassCRackGUI, foi usada com o
intuito de descobrir palavras-passe em diversas bases de dados contendo representaçÔes, e que
vazaram para a Internet em 2014 e 2015. Este estudo foi feito com a intenção de analisar o quão
expostas as respetivas palavras-passe estão e também de perceber os håbitos dos utilizadores
na construção destas sequĂȘncias de caracteres. Para um melhor estudo deste Ășltimo tĂłpico,
foi preparado e entregue um questionĂĄrio a 64 participantes. A anĂĄlise dos resultados deste
questionårio constitui outra contribuição deste trabalho.
PassCrackGUI Ă© o principal resultado deste programa de mestrado. Ă totalmente funcional, fĂĄcil de usar e estĂĄ disponĂvel gratuitamente como um projeto open source. Foi desenvolvido em
Java e testado nos sistemas operativos Linux, Windows e Mac OS. Quando usado na tentativa
de cracking das bases de dados vazadas, foi possĂvel recuperar 36% de 4233 representaçÔes de
palavras-passe, apenas utilizando dicionĂĄrios e simples regras num computador portĂĄtil vulgar.
Parte do problema reside nos mecanismos adotados para a obtenção das representaçÔes, jå ultrapassados
na maioria dos casos; enquanto que a existĂȘncia de palavras-passe fracas tambĂ©m
contribuiu para este nĂșmero (e.g., um significante nĂșmero de palavras-passe eram constituĂdas
por 4 dĂgitos apenas). Os resultados do questionĂĄrio estĂŁo em conformidade com outros trabalhos
nesta ĂĄrea, nomeadamente em termos de esteriĂłtipos. Por exemplo, as respostas sugerem
que os homens usam palavras-passe com maior diversidade e comprimento do que as mulheres.
Ainda assim, vĂĄrios aspectos contraditĂłrios nas respostas levam Ă conclusĂŁo que os participantes
parecem estar a alegar usar palavras-passe mais fortes do que usam realmente
User habitation in keystroke dynamics based authentication
Most computer systems use usernames and passwords for authentication and access control. For long, password security has been framed as a tradeoff between user experience and password security. Trading off one for the other appears to be an inevitable dilemma for single password based security applications. As a new biometric for authenticating access, keystroke dynamics offers great promises in hardening the password mechanism. Our research first investigate the keystroke dynamics based password security by conducting an incremental study on user\u27s habituation process for keystroke dynamics analysis using two distinct types of passwords. The study shows that (1) long and complex passwords are more efficient to be employed in keystroke dynamics systems; and (2) there is a habituation and acclimation process before the user obtains a stable keystroke pattern and the system collects enough training data. Then, based on our findings, we propose a two passwords mechanism that attempts to strike the right balance over user experience and password security by adopting a conventional easy-to-memorize password followed by a long-and-complex phrase for keystroke dynamics verification. Analysis and experimental studies successfully demonstrate the effectiveness of our proposed approach
- âŠ