
    Naturally Rehearsing Passwords

    We introduce quantitative usability and security models to guide the design of password management schemes --- systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing usability assumptions. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and validated through empirical studies. Given rehearsal requirements and a user's visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of his passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues --- a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals.

    The true cost of unusable password policies: password use in the wild

    HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today. 32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password in its context of use. We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation. We conclude that, rather than focussing password policies on maximizing password strength and enforcing change frequency alone, policies should be designed using HCI principles to help the user set an appropriately strong password in a specific context of use.

    Passwords and the evolution of imperfect authentication

    Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology. This is the author accepted manuscript. The final version is available from ACM via http://dx.doi.org/10.1145/269939

    Costs and benefits of authentication advice

    When it comes to passwords, conflicting advice can be found everywhere. Different sources give different types of advice related to authentication. In this paper such advice is studied. First, using a sample collection of authentication advice, we observe that different organizations' advice is often contradictory and at odds with current research. We highlight the difficulties organizations and users have when determining which advice is worth following. Consequently, we develop a model for identifying the costs of advice. Our model incorporates factors that affect organizations and users, including, for example, usability aspects. Similarly, we model the security benefits brought by such advice. We then apply these models to our taxonomy of advice to indicate the potential effectiveness of the security recommendations. We find that organizations experience fewer costs than users as a result of authentication policies. Reassuringly, the advice our model has classified as good or bad is in line with the NIST 2017 digital authentication guidelines.

    Password Habits and Cracking Toolkit

    Passwords comprise important pieces of information nowadays. They are the basis of many access control systems and are often the first, something-you-know factor of authentication mechanisms. They are keys to computer systems, confidential information or even physical facilities, and their widespread adoption makes their discovery one of the main objectives of the initial phase of computer attacks and an interesting research topic. On the one hand, since passwords are sequences of characters against which user input has to be compared, their representations have to be stored in computer systems; on the other, given their sensitive nature, they have to be stored in a secure manner. Rather than the passwords themselves, it is common and preferable to save transformations of these sequences of characters, which should be obtained using functions with stringent properties such as those of cryptographically secure hash or encryption functions. There are many known and documented methods available nowadays for such a task, scrutinized in the literature and considered secure, though they are not always correctly employed. Obtaining a password from a representation is thus, normally, a computationally infeasible task. Cracking a password often refers to the procedure of submitting several known passwords (using dictionaries or compendiums) or patterns (using brute force attacks) to the transformation procedure and comparing the result with a representation, until a match is obtained, if ever. As such, the security of the mechanism used to obtain the representations also depends on how guessable the passwords are. This dissertation addresses the topics of habits for the construction of passwords and tools for cracking them. Several specialized cracking tools are available nowadays, most of them free or open source, designed for command-line interaction only.

    One of the main contributions of this work was the development of a Graphical User Interface (GUI) for several cracking tools (namely Hashcat, John the Ripper and RainbowCrack), bringing their most interesting features together in an integrated and meaningful manner. The developed toolkit, named PassCrackGUI, was then used in an attempt to crack several databases (DBs) of password representations that leaked to the Internet in 2014 and 2015, with the intention of analyzing how vulnerable they were to the procedure and also the contemporary habits of people in terms of password construction. To better study the latter topic, a questionnaire was also prepared and delivered to 64 participants. This analysis of password habits constitutes another contribution of this work. PassCrackGUI is a main output of this Master of Science (M.Sc.) program. It is fully functional, easy to use and made freely available as an open-source project. It was written in Java and tested on Linux, Windows and Mac Operating Systems (OSs). When using it to crack the leaked DBs, it was possible to recover 36% of the 4233 password representations using only dictionaries and simple rules on a common laptop. Part of the problem lies in the mechanisms adopted for obtaining the representations, which were outdated in most cases, while very weak passwords also contributed to this number (e.g., a significant number of 4-digit passwords was found in one of the DBs). The results of the survey corroborate other works in the area, namely in terms of stereotypes. For example, the answers suggest that men use longer and more diverse (in terms of character sets) passwords than women. Nonetheless, several contradictory aspects lead to the conclusion that the participants may be claiming to construct stronger passwords than they really use.

    Passwords play an important role in information systems today. They are often the basis of access control mechanisms and frequently constitute the first, something-you-know factor of authentication mechanisms. They are keys to computers, software systems, confidential information and even buildings, and their widespread adoption makes their discovery one of the main objectives of the initial phase of computer attacks and a very interesting research area. On the one hand, since passwords are sequences of characters against which values supplied by users have to be compared, their representation has to be stored in computer systems; on the other, given their sensitive nature, they have to be stored in a secure manner. Instead of storing passwords in plaintext, it is common and preferable to store transformations of these sequences of characters, obtained through functions with very specific properties, such as cryptographic cipher or hash functions. Several known and documented methods exist today for performing this task, described in the specialist literature and considered secure, although they are not always used correctly. Thus, obtaining a password from its representation is normally a computationally infeasible task. Password cracking is then attempted by repeatedly submitting various known words (using dictionaries or compendiums) or patterns to the transformation function, comparing its result with the captured representation, until a match is found or the possibilities are exhausted. Thus, the security of the mechanisms used to obtain the representations depends on how predictable the passwords are. This dissertation addresses topics related to password construction habits and password cracking tools.

    Many specialized cracking tools are available today, many of them free or open source, designed only for command-line interaction. One of the main contributions of this work was the development of a graphical interface for several cracking tools (such as Hashcat, John the Ripper and RainbowCrack), bringing their most interesting features together in a concise and intelligent manner. The developed tool, named PassCrackGUI, was used with the aim of discovering passwords in several databases containing representations that leaked to the Internet in 2014 and 2015. This study was carried out with the intention of analyzing how exposed the respective passwords are and also of understanding users' habits in constructing these sequences of characters. To better study this last topic, a questionnaire was prepared and delivered to 64 participants. The analysis of the results of this questionnaire constitutes another contribution of this work. PassCrackGUI is the main result of this master's program. It is fully functional, easy to use and freely available as an open-source project. It was developed in Java and tested on the Linux, Windows and Mac OS operating systems. When used in the attempt to crack the leaked databases, it was possible to recover 36% of 4233 password representations using only dictionaries and simple rules on an ordinary laptop. Part of the problem lies in the mechanisms adopted for obtaining the representations, already outdated in most cases, while the existence of weak passwords also contributed to this number (e.g., a significant number of passwords consisted of only 4 digits). The results of the questionnaire are consistent with other works in this area, namely in terms of stereotypes. For example, the answers suggest that men use passwords with greater diversity and length than women. Even so, several contradictory aspects in the answers lead to the conclusion that the participants appear to be claiming to use stronger passwords than they really use.