ZETA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology

Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context

Interpretable Probabilistic Password Strength Meters via Deep Learning

Probabilistic password strength meters have been proved to be the most accurate tools to measure password strength. Unfortunately, by construction, they are limited to solely produce an opaque security estimation that fails to fully support the user during the password composition. In the present work, we move the first steps towards cracking the intelligibility barrier of this compelling class of meters. We show that probabilistic password meters inherently own the capability of describing the latent relation occurring between password strength and password structure. In our approach, the security contribution of each character composing a password is disentangled and used to provide explicit fine-grained feedback for the user. Furthermore, unlike existing heuristic constructions, our method is free from any human bias, and, more importantly, its feedback has a clear probabilistic interpretation. In our contribution: (1) we formulate the theoretical foundations of interpretable probabilistic password strength meters; (2) we describe how they can be implemented via an efficient and lightweight deep learning framework suitable for client-side operability.Comment: An abridged version of this paper appears in the proceedings of the 25th European Symposium on Research in Computer Security (ESORICS) 202

A Survey on Password Guessing

Text password has served as the most popular method for user authentication so far, and is not likely to be totally replaced in foreseeable future. Password authentication offers several desirable properties (e.g., low-cost, highly available, easy-to-implement, reusable). However, it suffers from a critical security issue mainly caused by the inability to memorize complicated strings of humans. Users tend to choose easy-to-remember passwords which are not uniformly distributed in the key space. Thus, user-selected passwords are susceptible to guessing attacks. In order to encourage and support users to use strong passwords, it is necessary to simulate automated password guessing methods to determine the passwords' strength and identify weak passwords. A large number of password guessing models have been proposed in the literature. However, little attention was paid to the task of providing a systematic survey which is necessary to review the state-of-the-art approaches, identify gaps, and avoid duplicate studies. Motivated by that, we conduct a comprehensive survey on all password guessing studies presented in the literature from 1979 to 2022. We propose a generic methodology map to present an overview of existing methods. Then, we explain each representative approach in detail. The experimental procedures and available datasets used to evaluate password guessing models are summarized, and the reported performances of representative studies are compared. Finally, the current limitations and the open problems as future research directions are discussed. We believe that this survey is helpful to both experts and newcomers who are interested in password securityComment: 35 pages, 5 figures, 5 table

On Improving the Memorability of System-Assigned Recognition-Based Passwords

User-chosen passwords reflecting common strategies and patterns ease memorization but offer uncertain and often weak security, while system-assigned passwords provide higher security guarantee but suffer from poor memorability. We thus examine the technique to enhance password memorability that incorporates a scientific understanding of long-term memory. In particular, we examine the efficacy of providing users with verbal cues—real-life facts corresponding to system-assigned keywords. We also explore the usability gain of including images related to the keywords along with verbal cues. In our multi-session lab study with 52 participants, textual recognition-based scheme offering verbal cues had a significantly higher login success rate (94.23%) compared to the control condition, i.e., textual recognition without verbal cues (61.54%). We found that when users were provided with verbal cues, adding images contributed to faster recognition of the assigned keywords, and thus had an overall improvement in usability. So, we conducted a field study with 54 participants to further examine the usability of graphical recognition-based scheme offering verbal cues, which showed an average login success rate of 98% in a real-life setting and an overall improvement in login performance with more login sessions. These findings show a promising research direction to gain high memorability for system-assigned passwords

Kreiranje lozinki: između prototipne perpektive i konceptualnog prostora LJUBAVI

Aided by the instruments of prototype theory, the current study sets out to determine whether in password creation there is a common underlying cognitive pattern in the categorization of the elusive natural language concept of LOVE. Our framework combines free listing, a method providing critical information about the words that are more generally associated with a concept, and analysis of prototype rating surveys. The results obtained are compared to a dataset of randomly selected passwords to determine the semantic associations of the concept of LOVE and clarify the semantic processes involved in the structure of passwords. Results suggest that, in categorizing LOVE, password users have compatible representations that afford a meeting of minds. We conclude that LOVE acts as a fixpoint in the mental processing of this CONCEPTUAL SPACE and that it takes, with password users, idealized forms of representations rather than individual experience-based representations, as might be expected. Our investigation method has facilitated the collection of data on how LOVE prototypes specify more exhaustively the mode of synthesis and the cognitive mapping under which these may occur.Primjenjujući instrumente teorije prototipova, u ovoj se studiji nastoji utvrditi postoji li pri kreiranju lozinki zajednički kognitivni uzorak na temelju kojega se kategorizira pojam LJUBAVI. Analitičku okosnicu rada čini kombinacija metode slobodnog nabrajanja, kojom se izlučilo ključne informacije o riječima koje se općenito vezuju uz pojam i analize rezultata rangiranja prototipnosti. Dobiveni su rezultati uspoređeni s bazom nasumično odabranih lozinki kako bi se utvrdile semantičke asocijacije pojma LJUBAVI i razjasnili semantički procesi u strukturi lozinki. Rezultati ukazuju na to da u kategorizaciji LJUBAVI korisnici lozinki imaju sukladne konceptualne prikaze koji omogućuju susret umova. Zaključak je studije da LJUBAV djeluje kao svojevrsno sidršte u mentalnoj obradi dotičnog KONCEPTUALNOG PROSTORA te da ga u korisnika lozinki obilježava idealiziran oblik prikaza, a ne, protivno očekivanjima, prikazi temeljeni na pojedinačnim iskustvima. Naš je analitički pristup omogućio prikupljanje podataka o tome na koji način prototipovi LJUBAVI elaboriraju način sintetiziranja i kognitivnih preslikavanja unutar kojih se oni mogu pojaviti

International Conference on Computer Science and Communication Engineering

UBT Annual International Conference is the 8th international interdisciplinary peer reviewed conference which publishes works of the scientists as well as practitioners in the area where UBT is active in Education, Research and Development. The UBT aims to implement an integrated strategy to establish itself as an internationally competitive, research-intensive university, committed to the transfer of knowledge and the provision of a world-class education to the most talented students from all background. The main perspective of the conference is to connect the scientists and practitioners from different disciplines in the same place and make them be aware of the recent advancements in different research fields, and provide them with a unique forum to share their experiences. It is also the place to support the new academic staff for doing research and publish their work in international standard level. This conference consists of sub conferences in different fields like: – Computer Science and Communication Engineering– Management, Business and Economics– Mechatronics, System Engineering and Robotics– Energy Efficiency Engineering– Information Systems and Security– Architecture – Spatial Planning– Civil Engineering , Infrastructure and Environment– Law– Political Science– Journalism , Media and Communication– Food Science and Technology– Pharmaceutical and Natural Sciences– Design– Psychology– Education and Development– Fashion– Music– Art and Digital Media– Dentistry– Applied Medicine– Nursing This conference is the major scientific event of the UBT. It is organizing annually and always in cooperation with the partner universities from the region and Europe. We have to thank all Authors, partners, sponsors and also the conference organizing team making this event a real international scientific event. Edmond Hajrizi, President of UBTUBT – Higher Education Institutio

PassViz: A Visualisation System for Analysing Leaked Passwords

Passwords remain the most widely used form of user authentication, despite advancements in other methods. However, their limitations, such as susceptibility to attacks, especially weak passwords defined by human users, are well-documented. The existence of weak human-defined passwords has led to repeated password leaks from websites, many of which are of large scale. While such password leaks are unfortunate security incidents, they provide security researchers and practitioners with good opportunities to learn valuable insights from such leaked passwords, in order to identify ways to improve password policies and other security controls on passwords. Researchers have proposed different data visualisation techniques to help analyse leaked passwords. However, many approaches rely solely on frequency analysis, with limited exploration of distance-based graphs. This paper reports PassViz, a novel method that combines the edit distance with the t-SNE (t-distributed stochastic neighbour embedding) dimensionality reduction algorithm for visualising and analysing leaked passwords in a 2-D space. We implemented PassViz as an easy-to-use command-line tool for visualising large-scale password databases, and also as a graphical user interface (GUI) to support interactive visual analytics of small password databases. Using the "000webhost" leaked database as an example, we show how PassViz can be used to visually analyse different aspects of leaked passwords and to facilitate the discovery of previously unknown password patterns. Overall, our approach empowers researchers and practitioners to gain valuable insights and improve password security through effective data visualisation and analysis