4 research outputs found

    On Enhancing Security of Password-Based Authentication

    Password has been the dominant authentication scheme for more than 30 years, and it will not be easily replaced in the foreseeable future. However, password authentication has long been plagued by the dilemma between security and usability, mainly due to human memory limitations. For example, a user often chooses an easy-to-guess (weak) password because it is easier to remember. The ever-increasing number of online accounts per user exacerbates this problem further. In this dissertation, we present four research projects that focus on the security of password authentication and its ecosystem. First, we observe that personal information plays a very important role when a user creates a password. Motivated by this, we conduct a study on how users create their passwords using their personal information, based on a leaked password dataset. We create a new metric, Coverage, to quantify the personal information in passwords. Armed with this knowledge, we develop a novel password cracker named Personal-PCFG (Probabilistic Context-Free Grammars) that leverages personal information for targeted password guessing. Experiments show that Personal-PCFG is much more efficient than the original PCFG in cracking passwords. The second project aims to ease the password management burden for a user. Password managers are introduced so that users need only one password (the master password) to access all their other passwords. However, a password manager introduces a single point of failure and is potentially vulnerable to data breach. To address these issues, we propose BluePass, a decentralized password manager that features dual-possession security involving both a master password and a mobile device. In addition, BluePass enables a hands-free user experience by retrieving passwords from the mobile device through Bluetooth communication. In the third project, we investigate an overlooked aspect of the password lifecycle: the password recovery procedure.
    We study the password recovery protocols of the Alexa top 500 websites and report interesting findings on their de facto implementation. We observe that the backup email is the primary means of password recovery, and that the email account therefore becomes a single point of failure. We assess the likelihood of an account recovery attack, analyze the security policies of major email providers, and propose a security enhancement protocol that helps secure password recovery emails through two-factor authentication.
    Finally, we focus on a more fundamental level: user identity. Password-based authentication is only a one-time check that a user is legitimate; however, a user's identity could be hijacked at any later step. For example, an attacker can leverage a zero-day vulnerability to take over root privilege. Thus, tracking user behavior is essential for examining identity legitimacy. We develop a user tracking system based on OS-level logs inside an enterprise network, and apply a variety of techniques to generate a concise and salient user profile for identity examination.

    Exploring the Acceptability of Graphical Passwords for People with Dyslexia

    Alphanumeric passwords are still the most common form of user authentication despite well-known usability issues. These issues, including weak composition and poor memorability, have been well established across different user groups, yet users with dyslexia have not been studied despite making up approximately 10% of the population. In this paper, we focus on understanding the user authentication experiences of people with dyslexia (PwD) in order to better understand their attitudes towards a graphical password system that may provide a more inclusive experience. Through interactive interviews, participants were encouraged to try three different knowledge-based authentication systems (PIN, password, and graphical password) and then discuss the strategies behind their code composition. We found that PwD employed potentially dangerous workarounds when composing passwords, in particular an over-reliance on pattern-based composition. We report on how PwD do not immediately see the benefits of graphical passwords, but upon experiencing the mechanism we see opportunities for more inclusive authentication.

    Costs and benefits of authentication advice

    When it comes to passwords, conflicting advice can be found everywhere. Different sources give different types of advice related to authentication. In this paper, such advice is studied. First, using a sample collection of authentication advice, we observe that different organizations' advice is often contradictory and at odds with current research. We highlight the difficulties organizations and users have when determining which advice is worth following. Consequently, we develop a model for identifying the costs of advice. Our model incorporates factors that affect organizations and users, including, for example, usability aspects. Similarly, we model the security benefits brought by such advice. We then apply these models to our taxonomy of advice to indicate the potential effectiveness of the security recommendations. We find that organizations incur fewer costs than users as a result of authentication policies. Reassuringly, the advice our model classifies as good or bad is in line with the NIST 2017 digital authentication guidelines.

    Distributed and voluntary verification of password robustness through the WWW (original title: Verificação da robustez das palavras-passe de forma distribuída e voluntária através da WWW)

    Information security has become increasingly important in organizations, and this increase is mostly due to business processes and functions being supported by computerized information systems. One of the most commonly used access control mechanisms in the world of information security is password-based authentication. However, it is also one of the most problematic authentication mechanisms, because its security depends mostly on the robustness of the chosen password. Organizations should be concerned with the quality of passwords and should measure password robustness as a security control.
    This work applies Web-based distributed computing, using Web browsers and volunteer computing, to verify password robustness. It uses a Node.js web server and JavaScript logic to manage the tasks that are distributed to and executed by volunteer end users. The technical foundation is Web Workers running inside the Web browser. To validate the developed system, its results are compared with those obtained from other tools such as "John the Ripper" and "Hashcat". This way, it is possible to assess whether browser-based distributed computation can add value to information security by promoting more robust passwords.