Naturally Rehearsing Passwords
We introduce quantitative usability and security models to guide the design
of password management schemes --- systematic strategies to help users create
and remember multiple passwords. In the same way that security proofs in
cryptography are based on complexity-theoretic assumptions (e.g., hardness of
factoring and discrete logarithm), we quantify usability by introducing
usability assumptions. In particular, password management relies on assumptions
about human memory, e.g., that a user who follows a particular rehearsal
schedule will successfully maintain the corresponding memory. These assumptions
are informed by research in cognitive science and validated through empirical
studies. Given rehearsal requirements and a user's visitation schedule for each
account, we use the total number of extra rehearsals that the user would have
to do to remember all of his passwords as a measure of the usability of the
password scheme. Our usability model leads us to a key observation: password
reuse benefits users not only by reducing the number of passwords that the user
has to memorize, but more importantly by increasing the natural rehearsal rate
for each password. We also present a security model which accounts for the
complexity of password management with multiple accounts and associated
threats, including online, offline, and plaintext password leak attacks.
Observing that current password management schemes are either insecure or
unusable, we present Shared Cues --- a new scheme in which the underlying secret
is strategically shared across accounts to ensure that most rehearsal
requirements are satisfied naturally while simultaneously providing strong
security. The construction uses the Chinese Remainder Theorem to achieve these
competing goals.
The true cost of unusable password policies: password use in the wild
HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today. 32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use. We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation. We conclude that, rather than focussing password policies on maximizing password strength and enforcing frequency alone, policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use.
Passwords and the evolution of imperfect authentication
Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology. This is the author accepted manuscript. The final version is available from ACM via http://dx.doi.org/10.1145/269939
Costs and benefits of authentication advice
When it comes to passwords, conflicting advice can be found everywhere.
Different sources give different types of advice related to authentication. In
this paper such advice is studied. First, using a sample collection of
authentication advice, we observe that different organizations' advice is often
contradictory and at odds with current research. We highlight the difficulties
organizations and users have when determining which advice is worth following.
Consequently, we develop a model for identifying costs of advice. Our model
incorporates factors that affect organizations and users, including, for
example, usability aspects. Similarly, we model the security benefits brought
by such advice. We then apply these models to our taxonomy of advice to
indicate the potential effectiveness of the security recommendations. We find
that organizations experience fewer costs than users as a result of
authentication policies. Reassuringly, the advice our model has classified as
good or bad is in line with the NIST 2017 digital authentication guidelines.
Password Habits and Cracking Toolkit
Passwords comprise important pieces of information nowadays. They are the basis of many
access control systems and are often the first, something-you-know factor of authentication
mechanisms. They are keys to computer systems, confidential information or even physical
facilities, and their widespread adoption makes their discovery one of the main objectives
of the initial phase of computer attacks and an interesting research topic. On the one hand,
since passwords are sequences of characters against which user input has to be compared,
their representations have to be stored in computer systems; on the other, given their
sensitive nature, they have to be stored in a secure manner. Rather than the passwords themselves,
it is common and preferable to save transformations of these sequences of characters,
which should be obtained using functions with stringent properties such as those of cryptographically
secure hash or encryption functions. There are many known methods available and
documented nowadays for this task, scrutinized in the literature and considered secure, though
they are not always correctly employed. Obtaining a password from a representation is thus,
normally, a computationally infeasible task. Cracking a password often refers to the procedure
of submitting several known passwords (using dictionaries or compendiums) or patterns (using
brute force attacks) to the transformation procedure and comparing the result with a representation,
until a match is obtained, if ever. As such, the security of the mechanism used to obtain
the representations is also dependent on how guessable the passwords are.
This dissertation addresses the topics of habits for constructing passwords and tools for cracking
them. Several specialized cracking tools are available nowadays, most of them free or
open source and designed for command-line interaction only. One of the main contributions of
this work was the development of a Graphical User Interface (GUI) for several cracking
tools (namely Hashcat, John the Ripper and RainbowCrack), bringing together their most interesting
features in an integrated and meaningful manner. The developed toolkit, named PassCrackGUI,
was then used in an attempt to crack several Databases (DBs) of password representations
that leaked to the Internet in 2014 and 2015, with the intention of analyzing how vulnerable they
were to the procedure, and also the contemporary habits of people in constructing
passwords. To better study the latter topic, a questionnaire was prepared
and delivered to 64 participants. This analysis of password habits constitutes another
contribution of this work.
PassCrackGUI is a main output of this Master of Science (M.Sc.) program. It is fully functional,
easy to use and made freely available as an open-source project. It was written in Java and
tested on the Linux, Windows and Mac Operating Systems (OSs). When using it to crack the leaked
DBs, it was possible to recover 36% of the 4233 password representations using only dictionaries
and simple rules on a common laptop. Part of the problem lies in the mechanisms adopted for
obtaining the representations, which were outdated in most cases, while very weak
passwords also contributed to this number (e.g., a significant number of 4-digit passwords
was found in one of the DBs). The results from the survey corroborate other works in the
area, namely in terms of stereotypes. For example, the answers suggest that men use longer
and more diverse (in terms of character sets) passwords than women. Nonetheless, several
contradictory aspects lead to the conclusion that the participants may be claiming to construct
stronger passwords than they really use.

Passwords nowadays play an important role in information systems.
They are often at the base of access control mechanisms and frequently constitute
the first, something-you-know factor of authentication mechanisms. They are keys
to computers, software systems, confidential information and even buildings, and their
widespread adoption makes their discovery one of the main objectives of the initial phase of
computer attacks and a very interesting research area. On the one hand, since
passwords are sequences of characters against which values supplied by users
have to be compared, their representation has to be stored in computer systems;
on the other, given their sensitive nature, they have to be stored in a secure manner.
Instead of storing passwords in plaintext, it is common and preferable to store transformations
of these sequences of characters, obtained through functions with very specific
properties, such as cryptographic cipher or hash functions. Several known and
documented methods exist today for performing this task, described in the specialised
literature and considered secure, although they are not always correctly used.
Thus, obtaining a password from its representation normally constitutes a
computationally infeasible task. Password cracking is then attempted through the
repeated submission of several already-known words (using dictionaries or compendiums)
or patterns to the transformation function, comparing its result with the captured
representation, until a match is found or the possibilities are exhausted. Thus, the
security of the mechanisms used to obtain the representations depends on how
predictable the passwords are.
This dissertation addresses topics related to password construction habits and password
cracking tools. Many specialised cracking tools are available today, many of them
free or open source, designed only for command-line interaction. One of the main
contributions of this work was the development of a graphical interface for several
cracking tools (such as Hashcat, John the Ripper and RainbowCrack), bringing together
their most interesting features in a concise and intelligent manner. The developed tool,
named PassCrackGUI, was used with the aim of discovering passwords in several databases
containing representations that leaked to the Internet in 2014 and 2015. This study was
done with the intention of analysing how exposed the respective passwords are and also
of understanding users' habits in constructing these sequences of characters. For a better
study of this last topic, a questionnaire was prepared and delivered to 64 participants.
The analysis of the results of this questionnaire constitutes another contribution of
this work.
PassCrackGUI is the main result of this master's programme. It is fully functional, easy to use and freely available as an open-source project. It was developed in
Java and tested on the Linux, Windows and Mac OS operating systems. When used in the attempt
to crack the leaked databases, it was possible to recover 36% of 4233 password
representations using only dictionaries and simple rules on an ordinary laptop.
Part of the problem lies in the mechanisms adopted for obtaining the representations, outdated
in most cases, while the existence of weak passwords also contributed to this number
(e.g., a significant number of passwords consisted of only 4 digits). The results of the
questionnaire agree with other works in this area, namely in terms of stereotypes. For
example, the answers suggest that men use passwords with greater diversity and length than
women. Even so, several contradictory aspects in the answers lead to the conclusion that
the participants appear to be claiming to use stronger passwords than they really use.