Interpretable Probabilistic Password Strength Meters via Deep Learning
Probabilistic password strength meters have been proved to be the most
accurate tools to measure password strength. Unfortunately, by construction,
they are limited to solely produce an opaque security estimation that fails to
fully support the user during the password composition. In the present work, we
move the first steps towards cracking the intelligibility barrier of this
compelling class of meters. We show that probabilistic password meters
inherently own the capability of describing the latent relation occurring
between password strength and password structure. In our approach, the security
contribution of each character composing a password is disentangled and used to
provide explicit fine-grained feedback for the user. Furthermore, unlike
existing heuristic constructions, our method is free from any human bias, and,
more importantly, its feedback has a clear probabilistic interpretation. In our
contribution: (1) we formulate the theoretical foundations of interpretable
probabilistic password strength meters; (2) we describe how they can be
implemented via an efficient and lightweight deep learning framework suitable
for client-side operability.
Comment: An abridged version of this paper appears in the proceedings of the
25th European Symposium on Research in Computer Security (ESORICS) 202

Improving Password Guessing via Representation Learning
Learning useful representations from unstructured data is one of the core
challenges, as well as a driving force, of modern data-driven approaches. Deep
learning has demonstrated the broad advantages of learning and harnessing such
representations. In this paper, we introduce a deep generative model
representation learning approach for password guessing. We show that an
abstract password representation naturally offers compelling and versatile
properties that can be used to open new directions in the extensively studied,
and yet presently active, password guessing field. These properties can
establish novel password generation techniques that are neither feasible nor
practical with the existing probabilistic and non-probabilistic approaches.
Based on these properties, we introduce: (1) A general framework for conditional
password guessing that can generate passwords with arbitrary biases; and (2) an
Expectation Maximization-inspired framework that can dynamically adapt the
estimated password distribution to match the distribution of the attacked
password set.
Comment: This paper appears in the proceedings of the 42nd IEEE Symposium on
Security and Privacy (Oakland) S&P 202

Quantifying the Security of Recognition Passwords: Gestures and Signatures
Gesture and signature passwords are two-dimensional figures created by
drawing on the surface of a touchscreen with one or more fingers. Prior results
about their security have used resilience to either shoulder surfing, a human
observation attack, or dictionary attacks. These evaluations restrict
generalizability since the results are: non-comparable to other password
systems (e.g. PINs), harder to reproduce, and attacker-dependent. Strong
statements about the security of a password system use an analysis of the
statistical distribution of the password space, which models a best-case
attacker who guesses passwords in order of most likely to least likely.
Estimating the distribution of recognition passwords is challenging because
many different trials need to map to one password. In this paper, we solve this
difficult problem by: (1) representing a recognition password of continuous
data as a discrete alphabet set, and (2) estimating the password distribution
through modeling the unseen passwords. We use Symbolic Aggregate approXimation
(SAX) to represent time series data as symbols and develop Markov chains to
model recognition passwords. We use a partial guessing metric, which
demonstrates how many guesses an attacker needs to crack a percentage of the
entire space, to compare the security of the distributions for gestures,
signatures, and Android unlock patterns. We found the lower bounds of the
partial guessing metric of gestures and signatures are much higher than the
upper bound of the partial guessing metric of Android unlock patterns.

A Survey on Password Guessing
Text passwords have served as the most popular method for user authentication
so far, and are not likely to be totally replaced in the foreseeable future.
Password authentication offers several desirable properties (e.g., low-cost,
highly available, easy-to-implement, reusable). However, it suffers from a
critical security issue mainly caused by humans' inability to memorize
complicated strings. Users tend to choose easy-to-remember passwords which are
not uniformly distributed in the key space. Thus, user-selected passwords are
susceptible to guessing attacks. In order to encourage and support users to use
strong passwords, it is necessary to simulate automated password guessing
methods to determine the passwords' strength and identify weak passwords. A
large number of password guessing models have been proposed in the literature.
However, little attention was paid to the task of providing a systematic survey
which is necessary to review the state-of-the-art approaches, identify gaps,
and avoid duplicate studies. Motivated by that, we conduct a comprehensive
survey on all password guessing studies presented in the literature from 1979
to 2022. We propose a generic methodology map to present an overview of
existing methods. Then, we explain each representative approach in detail. The
experimental procedures and available datasets used to evaluate password
guessing models are summarized, and the reported performances of representative
studies are compared. Finally, the current limitations and the open problems as
future research directions are discussed. We believe that this survey is
helpful to both experts and newcomers who are interested in password security.
Comment: 35 pages, 5 figures, 5 tables

The Interplay between Humans, Technology and User Authentication: A Cognitive Processing Perspective
This paper investigates the interplay among human cognitive processing differences (field dependence vs. field independence), alternative interaction device types (desktop vs. touch) and user authentication schemes (textual vs. graphical) towards task completion efficiency and effectiveness. A four-month user study (N=164) was performed under the light of the field dependence-independence theory which underpins human cognitive differences in visual perceptiveness as well as differences in handling contextual information in a holistic or analytic manner. Quantitative and qualitative analysis of results revealed that field independent (FI) users outperformed field dependent users (FD) in graphical authentication, FIs authenticated similarly well on desktop computers as on touch devices, while touch devices negatively affected textual password entry performance of FDs. Users’ feedback from a post-study survey further showed that FD users had memorability issues with graphical authentication and perceived the added difficulty when interacting with textual passwords on touch devices, in contrast to FI users that did not have significant usability and memorability issues on both authentication and interaction device types. Findings highlight the necessity to improve current approaches of knowledge-based user authentication research by incorporating human cognitive factors in both design and run-time. Such an approach is also proposed in this paper.