1
play

1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical - PDF document

Sep 26, 2023 •679 likes •1.55k views

11/17/09 1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm pretty sure it doesn't work. 3 3 11/17/09 - basic outline -problems with password usability and security -how various graphical

  1. 11/17/09 1 1

  2. 11/17/09 2 2

  3. 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm pretty sure it doesn't work. 3 3

  4. 11/17/09 - basic outline -problems with password usability and security -how various graphical password systems address them. Usability includes memorability – this will be a big chunk of my talk – and ease of entry Security includes issues of social engineering, cracking, and shoulder-surfing -The picture- password system I developed for my master’s thesis 4 4

  5. 11/17/09 5 5

  6. 11/17/09 It in our terminology this boils down to… 6 6

  7. 11/17/09 7 7

  8. 11/17/09 8 8

  9. 11/17/09 Rich covered this in our last student presentation, and I’ll be building on that a little bit. You can talk about the entropy of individual characters, but they have to be entered in the right order, so you end up needing to know the probabilities of entire passwords. When this concept is applied to passwords it is also called the “guessing entropy” 9 9

  10. 11/17/09 …which is well -explained in chapter 9 of our book. So, the more entropy in our passwords the harder they are to guess. Looking at this, if you are in charge of a password system, you’d want to 10 10

  11. 11/17/09 …increase the entropy of your passwords. Here are some ways to increase entropy… (discuss) One way to increase entropy (check if passwords match) 11 11

  12. 11/17/09 There is an assumption being made here, that the attacker has perfect strategy, but this assumes the above. Something I want you to think about: Is this a good assumption? And I want you to think about that as I talk about 12 12

  13. 11/17/09 13 13

  14. 11/17/09 Hashing is used in almost all standard password systems. 14 14

  15. 11/17/09 Hashing is used in almost all standard password systems. - System doesn’t even know your password. An admin looking at the password file doesn’t know your password… - But if an admin sees two hashes in the file that are the same… 15 15

  16. 11/17/09 So we add salt. This makes the hashes different between users and even across systems, so you can use the same password on multiple systems or two people could have the same password and no one will know, even if they know the salts (which are typically stored in the password file). 16 16

  17. 11/17/09 17 17

  18. 11/17/09 Given that we can hash passwords to hide this information, is entropy the right way to think about passwords? And remember what entropy analysis does 18 18

  19. 11/17/09 …it produces policies like this. (discuss) Given what you’ve learned so far, do policies like this make sense? -Does anything on this list seem unnecessary? -Does anything seem necessary? 19 19

  20. 11/17/09 Jeff Yan in chapter 7 and in other papers says that about 10% of a population will always be non- compliant… 20 20

  21. 11/17/09 21 21

  22. 11/17/09 22

  23. 11/17/09 23

  24. 11/17/09 Consolidation is a term from neuroscience that describes how memories can be strengthened over time... -graphical passwords often have training interfaces -holding all else equal, 10 minutes will always win This is straightforward. 24 24

  25. 11/17/09 Now lets talk about picture superiority. Most graphical-password systems use pictures because of this effect. 25 25

  26. 11/17/09 The PSE is a heavily studied and verified phenomenon in psychology which states that pictures are remembered better than words. -continuum (transitivity) -what makes items memorable? 26 26

  27. 11/17/09 There are many facets to the PSE that have been experimentally verified. I am going to run through them now because they all impact memory for pictures in different ways. 27 27

  28. 11/17/09 This can be seen in the paper assigned for today (Passpoints)… A picture of an apple is easier to remember than the word “apple” (but only if you try to remember the word “apple” and not the thing “apple”) 28 28

  29. 11/17/09 29

  30. 11/17/09 This was a popular theory during the 70s and 80s but has since been mostly refuted… … but there is evidence that multiple encodings encourage redintegration… - mnemonic passwords and muscle memory 30 30

  31. 11/17/09 31 31

  32. 11/17/09 Polysemy is a major problem with pictures and it has to do with similarity. It is hard to remember things that don’t stand out. Or, if you have to remember a subset of items in a larger set, the items can be confused on these three levels. 32 32

  33. 11/17/09 This is a major problem with pictures and it has to do with similarity. This is an example of schematic similarity 33 33

  34. 11/17/09 34 34

  35. 11/17/09 What is this a picture of? How many think it’s a crocodile? How many think it’s an alligator? How many are not sure?... 35 35

  36. 11/17/09 Even though pictures have all these features that can make them easy to remember, when you apply them to passwords you can run into a problem. If you want to remember pictures in a specific order you have to work with serial memory (native ASL-signers story). -impact on PassPoints -unordered passwords 36 36

  37. 11/17/09 37 37

  38. 11/17/09 A lot of graphical password systems rely on recognition, but pictures are actually better than text at both. In fact, the relative advantage of pictures in recall tasks is greater than their advantage for recognition tasks (though recognition always performs better than recall). 38 38

  39. 11/17/09 39 39

  40. 11/17/09 -Passwords and lack of feedback. -Repeated input problem 40 40

  41. 11/17/09 -inputs from study -best example -Why is this a problem? 41 41

  42. 11/17/09 -attacker inputs vs innocent user 42 42

  43. 11/17/09 In Chapter 7 of our book, the authors use the term passphrase to refer to something that I call a mnemonic password, but I don’t think that is typical. Here I’m referring to a password that is composed of several words strung together. -Passphrase length vs brute force -Passphrase and semantic units -Passphrases and entropy -Passphrases and typos (typographical error rate of 20% for 15-character passphrases) 43 43

  44. 11/17/09 Login time is time to a successful login. Login time is relevant to passphrases because more characters takes longer to input. It’s also relevant because typos mean the user has to try again and this increases login time. Graphical password systems often have novel input methods and several screens. 44 44

  45. 11/17/09 PassPoints has the user click five points in order on a single image. 45 45

  46. 11/17/09 The Déjà vu system has the user select 5 images from their portfolio (I’ll talk about that later) from a set of 25 that are presented. The other 20 are “decoys”. 46 46

  47. 11/17/09 Click 5 times. -password is 5 icons, systems shows 3-5 per round, 5 rounds to authenticate. -game-like system, animation 47 47

  48. 11/17/09 48 48

  49. 11/17/09 The déjà vu system uses “random art” (an algorithmic way to generate nonrepresentational art images) A benefit of using images like this is that, seemingly, they cannot be written down. (discuss) Can they be written down? (discuss) Does this solve the social engineering problem? 49 49

  50. 11/17/09 The contest. Dictionary word = 1 point Strong password = 2 points Passfaces password = 2 points Cristian’s password = 5 points - Paper found PassFaces extremely hard to surf but the current version of PassFaces required inclusion of my own pictures which should make it easier. 50 50

  51. 11/17/09 Pictures of PassFaces screens 51 51

  52. 11/17/09 52

  53. 11/17/09 53

  54. 11/17/09 54

  55. 11/17/09 55

  56. 11/17/09 This is the spy-resistant keyboard. -same principle as Passfaces -meant for Microsoft Surface and large touchscreen displays 56 56

  57. 11/17/09 So the spy-resistant keyboard is what I would call a shoulder-surfing resistant system. If you record the authentication, you can figure out the password. There are other systems which I would call shoulder-surfing immune. These are systems which, even if you record the authentication process, you won’t be able to figure out the password. 57 57

  58. 11/17/09 This is such a system. It's calledthe Convex Hull Click system. -passicons -5 screens 58

  59. 11/17/09 59

  60. 11/17/09 60

  61. 11/17/09 61

  62. 11/17/09 62

  63. 11/17/09 63

  64. 11/17/09 64

  65. 11/17/09 -because the system needs to know the password 65 65

  66. 11/17/09 …and you have systems like convex hull click which are not hashable and some, like PassPoints that don’t employ hashing. 66 66

  67. 11/17/09 And by “hashed” I mean stored as a hash and not storing the password explicitly. 67 67

  68. 11/17/09 Both PassFaces and PassPoints have been studied from a security perspective and in both cases, user-selected passwords were easily guessed. 68 68

  69. 11/17/09 69 69

  70. 11/17/09 70 70

  71. 11/17/09 This is the login screen for my picture password system. My goal was to try to design the best password system. 71 71

  72. 11/17/09 -emphasize random assignment 72 72

  73. 11/17/09 73

  74. 11/17/09 74

  75. 11/17/09 75 75

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stoned dj vu again Peter Kleissner, Michael Eisendle Agenda Introduction to bootkits

Stoned dj vu again Peter Kleissner, Michael Eisendle Agenda Introduction to bootkits

Stoned dj vu again Peter Kleissner, Michael Eisendle Agenda Introduction to bootkits The new features Remote Surveillance Software Live Demo TPMkit Who we are Peter Kleissner: - Independent Operating System Developer - 1 year at

843 views • 23 slides
Agenda VoLTE Overview Why VoLTE Why VoLTE Initial Questions Discussion Page 2

Agenda VoLTE Overview Why VoLTE Why VoLTE Initial Questions Discussion Page 2

Wireless dj vu Jason S. Chao, Ernst & Young LLP Panel: Implications for Valuation: Part 1 TFI Asset Valuation Conference and Seminar 2013 January 24, 2013 Agenda VoLTE Overview Why VoLTE Why VoLTE Initial Questions

177 views • 3 slides
DEJA-VU : DOUBLE FEATURE PRESENTATION AND ITERATED LOSS IN DEEP TRANSFORMER NETWORKS Andros

DEJA-VU : DOUBLE FEATURE PRESENTATION AND ITERATED LOSS IN DEEP TRANSFORMER NETWORKS Andros

DEJA-VU : DOUBLE FEATURE PRESENTATION AND ITERATED LOSS IN DEEP TRANSFORMER NETWORKS Andros Tjandra 1* , Chunxi Liu 2 , Frank Zhang 2 , Xiaohui Zhang 2 , Yongqiang Wang 2 , Gabriel Synnaeve 2 , Satoshi Nakamura 1 , Goeffrey Zweig 2 1) NAIST,

414 views • 17 slides
Ahmed Rami Melhem Alex Jones Abousamra University of Pittsburgh Dj Vu Switching for

Ahmed Rami Melhem Alex Jones Abousamra University of Pittsburgh Dj Vu Switching for

Ahmed Rami Melhem Alex Jones Abousamra University of Pittsburgh Dj Vu Switching for Multiplane NoCs NOCS12 Power efficiency has become a primary concern in the design of CMPs. The NoC of Intels TeraFLOPS processor consumes more than

515 views • 33 slides
Isolating Failure-Inducing Thread Schedules Andreas Zeller Jong-Deok Choi

Isolating Failure-Inducing Thread Schedules Andreas Zeller Jong-Deok Choi

0/12 International Symposium on Software Testing and Analysis (ISSTA), Rome, Italy, 2002 Isolating Failure-Inducing Thread Schedules Andreas Zeller Jong-Deok Choi Lehrstuhl f ur Softwaretechnik IBM T. J. Watson Research

384 views • 20 slides
CS70: Jean Walrand: Lecture 34. Conditional Expectation CS70: Jean Walrand: Lecture 34.

CS70: Jean Walrand: Lecture 34. Conditional Expectation CS70: Jean Walrand: Lecture 34.

CS70: Jean Walrand: Lecture 34. Conditional Expectation CS70: Jean Walrand: Lecture 34. Conditional Expectation 1. Review: joint distribution, LLSE 2. Definition of Conditional expectation 3. Properties of CE 4. Applications: Diluting,

2.19k views • 191 slides
3 Ways to Improve RFP Responses When Working Remotely Presented by David Blume RFPIO Sr.

3 Ways to Improve RFP Responses When Working Remotely Presented by David Blume RFPIO Sr.

L I V E W E B I N A R 3 Ways to Improve RFP Responses When Working Remotely Presented by David Blume RFPIO Sr. Director of Sales David Blume RFPIO Sr. Director of Sales Outside of RFPIO, David has over 30 years of international sales

239 views • 9 slides
CS70: Lecture 35. Regression (contd.): Linear and Beyond CS70: Lecture 35. Regression (contd.):

CS70: Lecture 35. Regression (contd.): Linear and Beyond CS70: Lecture 35. Regression (contd.):

CS70: Lecture 35. Regression (contd.): Linear and Beyond CS70: Lecture 35. Regression (contd.): Linear and Beyond 1. Review: Linear Regression (LR), LLSE 2. LR: Examples 3. Beyond LR: Quadratic Regression 4. Conditional Expectation (CE) and

2.12k views • 132 slides
Stat 5101 Lecture Slides Deck 3 Charles J. Geyer School of Statistics University of Minnesota

Stat 5101 Lecture Slides Deck 3 Charles J. Geyer School of Statistics University of Minnesota

Stat 5101 Lecture Slides Deck 3 Charles J. Geyer School of Statistics University of Minnesota 1 Deja Vu Now we go back to the beginning and do everything again. 2 Probability Mass Functions A probability mass function (PMF) is a function

1.77k views • 164 slides
SOLID SERVICES Ond ej Kraj ek @hedragon @ysoftdevs A Little Disclaimer Today, I am

SOLID SERVICES Ond ej Kraj ek @hedragon @ysoftdevs A Little Disclaimer Today, I am

SOLID SERVICES Ond ej Kraj ek @hedragon @ysoftdevs A Little Disclaimer Today, I am trying to give you a perspective or - say - a point of view. What I am presenting today are my own opinions. But I am not presenting a new

904 views • 43 slides
Does data security rule out high performance? Adam Huffman 2018-02-04 FOSDEM HPC & Big Data

Does data security rule out high performance? Adam Huffman 2018-02-04 FOSDEM HPC & Big Data

Does data security rule out high performance? Adam Huffman 2018-02-04 FOSDEM HPC & Big Data Dev Room Adam Huffman 04/02/2018 Agenda The background brains of HPC More ambitious science HPC meets the Real World Data security dj

376 views • 36 slides
Family Reunion Incognito Pit Stops In Life Joseph will God does not pay at experience

Family Reunion Incognito Pit Stops In Life Joseph will God does not pay at experience

Family Reunion Incognito Pit Stops In Life Joseph will God does not pay at experience a divinely appointed dj vu. the end of the day, The dust of 20 plus but at the end, He pays (Anonymous years of memories 16 th Century

405 views • 15 slides
More Mechanisms for Generating Optimization Power-Law Distributions Minimal Cost Mandelbrot vs.

More Mechanisms for Generating Optimization Power-Law Distributions Minimal Cost Mandelbrot vs.

More Power-Law Mechanisms More Mechanisms for Generating Optimization Power-Law Distributions Minimal Cost Mandelbrot vs. Simon Assumptions Principles of Complex Systems Model Analysis Course 300, Fall, 2008 Extra Robustness HOT theory

1.02k views • 56 slides
SCIENTIFIC WRITING IN LINGUISTICS: WRITING ABSTRACTS Prof. Dr. Shanley Allen University of

SCIENTIFIC WRITING IN LINGUISTICS: WRITING ABSTRACTS Prof. Dr. Shanley Allen University of

SCIENTIFIC WRITING IN LINGUISTICS: WRITING ABSTRACTS Prof. Dr. Shanley Allen University of Kaiserslautern PART 1: ABSTRACTS IN GENERAL WHAT IS AN ABSTRACT? Short summary of your work for: journal article book chapter thesis /

511 views • 31 slides
More $ (caches, yes) Trick or treat! Midterm

More $ (caches, yes) Trick or treat! Midterm

University of Washington More $ (caches, yes) Trick or treat! Midterm ques>ons? Note: prac+ce midterms posted HW 2 due today Lab

1.15k views • 70 slides
OSPF Traffic Engineering (TE) Express Path draft-giacalone-ospf-te-express-path-00.txt

OSPF Traffic Engineering (TE) Express Path draft-giacalone-ospf-te-express-path-00.txt

OSPF Traffic Engineering (TE) Express Path draft-giacalone-ospf-te-express-path-00.txt Spencer Giacalone, Alia Atlas, John Drake, Dave Ward Agenda Introduction to OSPF TE Express Path Background Problem Protocol overview

382 views • 14 slides
DMTCP Transparent Checkpointing for Cluster Computations and the Desktop Jason Ansel 1 Kapil Arya

DMTCP Transparent Checkpointing for Cluster Computations and the Desktop Jason Ansel 1 Kapil Arya

DMTCP Transparent Checkpointing for Cluster Computations and the Desktop Jason Ansel 1 Kapil Arya 2 Gene Cooperman 2 1 MIT 2 Northeastern University May 26, 2009 Jason Ansel (MIT) DMTCP May 26, 2009 1 / 39 Introduction Outline Introduction

1.49k views • 114 slides
Repeating Boom and Bust Cycles Characterize Oil Source: Medlock, K.B., Amy Jaffe, The price of

Repeating Boom and Bust Cycles Characterize Oil Source: Medlock, K.B., Amy Jaffe, The price of

H 2 Sustainable Transportation Energy Pathways (STEPS) Natural Gas in Transportation Webinar Amy Myers Jaffe, Executive Director, Energy and Sustainability Rosa Dominquez-Faus, Post Doctoral Fellow www.steps.ucdavis.edu Repeating Boom

177 views • 15 slides
Disclosures Clinical trials research funding support from: Bristol-Meyer Squibb Recent

Disclosures Clinical trials research funding support from: Bristol-Meyer Squibb Recent

2/15/2019 Disclosures Clinical trials research funding support from: Bristol-Meyer Squibb Recent Advances in Agios Neurology Abbvie Neuro-Oncology Case Presentation NEUROLOGY AND NEUROLOGICAL SURGERY Jennie W Taylor, MD, MPH

148 views • 11 slides
Interprocess Communication Primitives Message Passing: issues Communication

Interprocess Communication Primitives Message Passing: issues Communication

CPSC-662 Distributed Computing Interprocess Communication Interprocess Communication Primitives Message Passing: issues Communication Schemes Reading: Colouris, Chapter 4 Interprocess Communication (IPC) communicate by

372 views • 6 slides
Agency Technology Management Amal Khatri South African National Space Agency [SANSA] 11

Agency Technology Management Amal Khatri South African National Space Agency [SANSA] 11

South African National Space Agency Technology Management Amal Khatri South African National Space Agency [SANSA] 11 December 2017 Space Exploration: Unforgettable Dj Vu Earth, th, the Only y Habita itable le Planet.. net.. For

857 views • 26 slides
RPC in the modern world CS 414: Advanced Systems Oliver Kennedy RPC Overview Remote procedures

RPC in the modern world CS 414: Advanced Systems Oliver Kennedy RPC Overview Remote procedures

RPC in the modern world CS 414: Advanced Systems Oliver Kennedy RPC Overview Remote procedures can be called as if local. ... but they execute remotely The RPC system deals with the network so you dont have to. Can we do better? Object

377 views • 22 slides
CS654 Advanced Computer Architecture Lec 1 - Introduction Peter Kemper Adapted from the slides

CS654 Advanced Computer Architecture Lec 1 - Introduction Peter Kemper Adapted from the slides

CS654 Advanced Computer Architecture Lec 1 - Introduction Peter Kemper Adapted from the slides of EECS 252 by Prof. David Patterson Electrical Engineering and Computer Sciences University of California, Berkeley Outline Computer Science

388 views • 15 slides
Enrico Herrmann [Carrasco, Johansson: 1106.4711] [Bourjaily, Langer, EH, McLeod, [Bern,

Enrico Herrmann [Carrasco, Johansson: 1106.4711] [Bourjaily, Langer, EH, McLeod, [Bern,

Enrico Herrmann [Carrasco, Johansson: 1106.4711] [Bourjaily, Langer, EH, McLeod, [Bern, Rozowsky, Yan: 9702424] Trnka: arXiv:1909.09131] [Bern, EH, Litsey, Stankowicz, Trnka: 1512.08591] [Bern, EH, Litsey, Stankowicz, Trnka: 1412.858]

175 views • 16 slides

More recommend