2016 2010 this talk what it is about password composition
play

? ? 2016 2010 This talk What it is about Password Composition - PowerPoint PPT Presentation

Mar 08, 2023 •344 likes •637 views

A Second Look at Password Composition Policies in the Wild: Comparing Samples from 2010 and 2016 Peter Mayer, Jan Kirchner, Melanie Volkamer ? ? 2016 2010 This talk What it is about Password Composition Policies (PCP) Replication of

  1. A Second Look at Password Composition Policies in the Wild: Comparing Samples from 2010 and 2016 Peter Mayer, Jan Kirchner, Melanie Volkamer ? ? 2016 2010

  2. This talk What it is about § Password Composition Policies (PCP) § Replication of study by Florêncio & Herley (SOUPS‘10) Outline 1. Description of original study 2. Description of our replication study 3. Conclusions 2 | Peter Mayer | SOUPS 2017 | 13.07.2017

  3. Original study – Overview Motivation § Unknown what influences PCP strength Goal § Identify website features’ influence on PCP strength 3 | Peter Mayer | SOUPS 2017 | 13.07.2017

  4. Original study – Method Investigated Features Hypothesized Website feature Actual effect on PCP strength effect Observation and evidence Size of the service User name public Value of the resources ↑ protected ? Extractable value of the resources protected Who lives with the consequences of a breach Advertising accepted Site advertises ↓ User has choice 4 | Peter Mayer | SOUPS 2017 | 13.07.2017

  5. Original study – Method Investigated Features Hypothesized Website feature Actual effect on PCP strength effect Observation and evidence Size of the service User name public Value of the resources ↑ protected ? Extractable value of the resources protected Who lives with the consequences of a breach Advertising accepted Site advertises ↓ User has choice 5 | Peter Mayer | SOUPS 2017 | 13.07.2017

  6. Original study – Method Investigated Features Hypothesized Website feature Actual effect on PCP strength effect Observation and evidence Size of the service User name public Value of the resources ↑ protected ? Extractable value of the resources protected Who lives with the consequences of a breach Advertising accepted Site advertises ↓ User has choice 6 | Peter Mayer | SOUPS 2017 | 13.07.2017

  7. Original study – Method Website Sampling § Quantcast traffic rank § Top (rank 1 – 20) § High (rank 101 - 110) § Medium (rank 1001 - 1010) § Website type § Largest Banks § Biggest Universities § Top computer science departments § Government 7 | Peter Mayer | SOUPS 2017 | 13.07.2017

  8. Original study – Method Identification of PCPs § Searched websites for policy § Created account whenever possible § If no PCP could be found: Internet search § First PCP found used in study 8 | Peter Mayer | SOUPS 2017 | 13.07.2017

  9. Original study – Method Determining strength and features Measuring PCP strength 𝑂 "#$ ∗ 𝑚𝑝𝑕 ) 𝐷 "#$ ( 𝑂 "#$ : minimum length, 𝐷 "#$ : minimum character set ) Evaluation of website features § Some based on analyses § Some based on argumentation 9 | Peter Mayer | SOUPS 2017 | 13.07.2017

  10. Original study – Results Hypothesised Website feature Actual effect on PCP strength effect Observation and evidence - Size of the service - User name public - ↑ Value of the resources protected - Extractable value of the resources protected - Who lives with the consequences of a breach - Advertising accepted ↓ Site advertises ↓ ↓ User has choice ↓ 10 | Peter Mayer | SOUPS 2017 | 13.07.2017

  11. Replication study – Overview Motivation § Several years since original study § Only websites from the USA Goal § Replication of study Over time: à 2010 2016 Actual effect on PCP strength Hypothesized Website feature effect USA 2010 USA 2016 Germany 2016 Across country borders: à 11 | Peter Mayer | SOUPS 2017 | 13.07.2017

  12. Replication study – Method Website sampling § USA 2010 (original sample) § USA 2016 § Same websites as USA 2010 sample (minus 5 websites) § Updated PCP strength values § Germany 2016 § Sampled from the same categories § German traffic ranks, banks, universities 12 | Peter Mayer | SOUPS 2017 | 13.07.2017

  13. Replication study – Method Deviations § Use of Alexa ranks instead of Quantcast ranks § Manual check whether websites accept advertising 13 | Peter Mayer | SOUPS 2017 | 13.07.2017

  14. Replication study – Research Questions Over time: à 2010 2016 RQ1: Has the average PCP strength in the USA sample changed since the original study? RQ2: Do the effects of the website features on the PCP strength from the original study still apply to the USA 2016 sample? Across countries: à RQ3: How do the German and USA samples compare in terms of PCP strength? RQ4: Do the effects of the website features on the PCP strength from the original study translate to the German sample? 14 | Peter Mayer | SOUPS 2017 | 13.07.2017

  15. Replication study – Results RQ1: Strength over time 80 USA USA Category 2010 2016 70 Minimum Password Strength 2016 (bits) Top traffic 19.9 26.6 60 Traffic High traffic 19.9 41.5 50 Medium 36.2 46.5 traffic 40 Bank 31.0 35.7 Website type 30 Education 41.7 47.6 20 Government 47.6 52.7 10 Others 19.9 29.9 0 Overall 35.7 41.4 0 10 20 30 40 50 60 70 80 Minimum Password Strength 2010 (bits) 15 | Peter Mayer | SOUPS 2017 | 13.07.2017

  16. Replication study – Results RQ1: Strength over time 80 USA USA Category 2010 2016 70 Minimum Password Strength 2016 (bits) Top traffic 19.9 26.6 60 Traffic High traffic 19.9 41.5 50 Yes, the average PCP strength has increased Medium 36.2 46.5 traffic 40 significantly since the original study. Bank 31.0 35.7 Website type 30 Education 41.7 47.6 20 Government 47.6 52.7 10 Others 19.9 29.9 0 Overall 35.7 41.4 0 10 20 30 40 50 60 70 80 Minimum Password Strength 2010 (bits) 16 | Peter Mayer | SOUPS 2017 | 13.07.2017

  17. Replication study – Results RQ2: Features over time Actual effect on PCP strength Hypothesised Website feature effect USA 2010 USA 2016 Observation and evidence - - Size of the service - - User name public - - Value of the resources protected - - ↑ Extractable value of the resources - - protected Who lives with the consequences of a - - breach Advertising accepted ↓ ↓ Site advertises ↓ ↓ - User has choice ↓ ↓ 17 | Peter Mayer | SOUPS 2017 | 13.07.2017

  18. Replication study – Results RQ2: Features over time Actual effect on PCP strength Hypothesised Website feature effect USA 2010 USA 2016 Observation and evidence - - Size of the service - - User name public - - Only one website feature seems to have Value of the resources protected - - ↑ changed. Extractable value of the resources - - protected Who lives with the consequences of a - - breach Advertising accepted ↓ ↓ Site advertises ↓ ↓ - User has choice ↓ ↓ 18 | Peter Mayer | SOUPS 2017 | 13.07.2017

  19. Replication study – Results RQ3: Strength across countries USA USA Germany Category 2010 2016 2016 Top traffic 19.9 26.6 26.6 Traffic High traffic 19.9 41.5 26.6 Medium traffic 36.2 46.5 19.9 Bank 31.0 35.7 16.6 Website type Education 41.7 47.6 30.8 Government 47.6 52.7 47.6 Others 19.9 29.9 26.6 Overall 35.7 41.4 26.6 19 | Peter Mayer | SOUPS 2017 | 13.07.2017

  20. Replication study – Results RQ3: Strength across countries USA USA Germany Category 2010 2016 2016 Top traffic 19.9 26.6 26.6 Traffic High traffic 19.9 41.5 26.6 Medium traffic 36.2 46.5 19.9 Bank 31.0 35.7 16.6 Website type Education 41.7 47.6 30.8 Government 47.6 52.7 47.6 Others 19.9 29.9 26.6 Overall 35.7 41.4 26.6 20 | Peter Mayer | SOUPS 2017 | 13.07.2017

  21. Replication study – Results RQ3: Strength across countries ~2x 21 | Peter Mayer | SOUPS 2017 | 13.07.2017

  22. Replication study – Results RQ3: Strength across countries ~2x The German sample has generally weaker PCPs than the USA 2016 sample - in some instances even weaker than in the USA 2010 sample. 22 | Peter Mayer | SOUPS 2017 | 13.07.2017

  23. Replication study – Results RQ4: Features across countries Actual effect on PCP strength Hyp. Website feature USA USA Germany effect 2010 2016 2016 Observation and evidence - - - Size of the service - - - User name public - - - ↑ Value of the resources protected - - - Extractable value of the resources protected - - - Who lives with the consequences of a breach - - - Advertising accepted ↓ ↓ - Site advertises ↓ ↓ - - User has choice ↓ ↓ ↓ 23 | Peter Mayer | SOUPS 2017 | 13.07.2017

  24. Replication study – Results RQ4: Features across countries Actual effect on PCP strength Hyp. Website feature USA USA Germany effect 2010 2016 2016 Observation and evidence - - - Size of the service - - - User name public - - - Only one feature translates to the German sample. ↑ Value of the resources protected - - - Extractable value of the resources protected - - - Who lives with the consequences of a breach - - - Advertising accepted ↓ ↓ - Site advertises ↓ ↓ - - User has choice ↓ ↓ ↓ 24 | Peter Mayer | SOUPS 2017 | 13.07.2017

  25. Conclusions RQ1 & RQ2 - Over time: à 2010 2016 § PCP strength in the USA has risen § Not all features translate over time § No effect of features hyp. to increase PCP strength ➜ Open questions § Which features actually increase PCP strength? 25 | Peter Mayer | SOUPS 2017 | 13.07.2017

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Composition of Password-based Protocols ephanie Delaune 1 , Steve Kremer 1 and Mark Ryan 2 St 1

Composition of Password-based Protocols ephanie Delaune 1 , Steve Kremer 1 and Mark Ryan 2 St 1

Composition of Password-based Protocols ephanie Delaune 1 , Steve Kremer 1 and Mark Ryan 2 St 1 LSV, ENS de Cachan, CNRS & INRIA, France 2 School of Computer Science, University of Birmingham, UK CSF08, Pittsburgh June 2008

403 views • 27 slides
THE TANGLED WEB OF PASSWORD REUSE DAS, BONNEAU, CAESAR, BORISOV, AND WANG PRESENTED BY: CODY

THE TANGLED WEB OF PASSWORD REUSE DAS, BONNEAU, CAESAR, BORISOV, AND WANG PRESENTED BY: CODY

THE TANGLED WEB OF PASSWORD REUSE DAS, BONNEAU, CAESAR, BORISOV, AND WANG PRESENTED BY: CODY FRENZEL AND JP WHEELER INTRODUCTION Easy to guess passwords undermine security Many online services offer password composition policies and

331 views • 19 slides
Problems in Software Composition Stephen Kell Stephen.Kell@cl.cam.ac.uk Problems in Software

Problems in Software Composition Stephen Kell Stephen.Kell@cl.cam.ac.uk Problems in Software

Problems in Software Composition Stephen Kell Stephen.Kell@cl.cam.ac.uk Problems in Software Composition p.1/12 About this talk This talk is an introduction to some problem areas about questions, not answers supposed to be interesting to

396 views • 12 slides
In the talk: - Models of pulsars as sources of high energy photons. - Why the composition of pulsar

In the talk: - Models of pulsars as sources of high energy photons. - Why the composition of pulsar

Bronek Rudak CAMK and CA UMK, Toru Tango in Paris, May 4-6, 2009 In the talk: - Models of pulsars as sources of high energy photons. - Why the composition of pulsar winds (e content in the context of CR positrons) is connected to the pulsed

438 views • 29 slides
Talk from outcome of Coordination Group HL-LHC Coordination Group Composition Representative(s) of

Talk from outcome of Coordination Group HL-LHC Coordination Group Composition Representative(s) of

H. Burkhardt, 2nd Joint HiLumi-LHC-LARP Collaboration Meeting, Frascati 16/11/2012 Talk from outcome of Coordination Group HL-LHC Coordination Group Composition Representative(s) of HL-LHC, chair L. Rossi (chair), O. Brning Scientific

602 views • 12 slides
Key management Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Oct 4, 2016

Key management Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Oct 4, 2016

Key management Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Oct 4, 2016 Key management on whiteboard Password hashing in these slides Announcement Project 2 part 1 due today Passwords Tension between usability and

166 views • 16 slides
Marion County Waste Composition 2016 February 27, 2018 Peter Spendelow Oregon Department of

Marion County Waste Composition 2016 February 27, 2018 Peter Spendelow Oregon Department of

Oregon Waste Composition Study 2016 Marion County Waste Composition 2016 February 27, 2018 Peter Spendelow Oregon Department of Environmental Quality Materials Management Oregon Waste Composition Study 2016 Oregon Waste Composition Study

568 views • 42 slides
Code-Assisted Music Composition with Python and Logic Pro X Marcelo Cicconet, IMPA, Feb 2019

Code-Assisted Music Composition with Python and Logic Pro X Marcelo Cicconet, IMPA, Feb 2019

Code-Assisted Music Composition with Python and Logic Pro X Marcelo Cicconet, IMPA, Feb 2019 Background IMPA, 2007-2010 Background M. Cicconet, P .C. Carvalho IVAPP 2010 Background Georgia Tech, 2011 Background NYU, 2012-2016

168 views • 14 slides
Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com What is Team Password Manager - Password manager for groups and projects - Uses projects to group passwords - Secure, fine grained password sharing -

712 views • 9 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena, Maliheh Shirvanian (UA Birmingham)

750 views • 32 slides
On the Fixed-Parameter Tractability of Composition-Consistent Tournament Solutions Hans Georg

On the Fixed-Parameter Tractability of Composition-Consistent Tournament Solutions Hans Georg

On the Fixed-Parameter Tractability of Composition-Consistent Tournament Solutions Hans Georg Seedig COMSOC 2010 August 14, 2010 Joint work with Felix Brandt and Markus Brill Overview Tournaments Components and Decomposition

648 views • 27 slides
Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides
LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your Master Key When you forget a password, they send a reset link to your email. Anyone with access to your email has the power to reset your other

549 views • 31 slides
Automated Web Service Composition in Practice: from Composition Requirements Specification to

Automated Web Service Composition in Practice: from Composition Requirements Specification to

Outline Automated Web Service Composition The Amazon-MPS Case study Conclusions and Future Works Automated Web Service Composition in Practice: from Composition Requirements Specification to Process Run. Annapaola Marconi , Marco Pistore and

730 views • 59 slides
Composition osition of Fore restry stry staffs fs Data 2010-Ministry of Forestry Most of

Composition osition of Fore restry stry staffs fs Data 2010-Ministry of Forestry Most of

Women Empowerment and Green Initiative A Case Study, Indonesia Abidah Billah Setyowati, WOCAN Composition osition of Fore restry stry staffs fs Data 2010-Ministry of Forestry Most of woman is working as administration 29% women

475 views • 16 slides
The Ten Golden Rules of Internet Marketing by Jay Berkowitz What is TenGoldenRules.com?

The Ten Golden Rules of Internet Marketing by Jay Berkowitz What is TenGoldenRules.com?

The Ten Golden Rules of Internet Marketing by Jay Berkowitz What is TenGoldenRules.com? Marketing Consultants Drive more visits to your site Convert the visits to sales Strategy, Creative, Web 2.0, Landing Pages, Search,

1.18k views • 61 slides
Quick Guide Step 1: Purchasing an RSSeo! membership Step 2: Download RSSeo! Step 3: Installing

Quick Guide Step 1: Purchasing an RSSeo! membership Step 2: Download RSSeo! Step 3: Installing

Quick Guide Step 1: Purchasing an RSSeo! membership Step 2: Download RSSeo! Step 3: Installing RSSeo! 3.1 Installing the component 3.2 Minimum requirements Step 4: RSSeo! settings 4.1 Add the license code 4.2 Seo Performance settings

347 views • 22 slides
Since 1996, Italys number one football site. The best source for italian and international news

Since 1996, Italys number one football site. The best source for italian and international news

Since 1996, Italys number one football site. The best source for italian and international news About us CALCIOMERCATO.COM was made in 1996 by Carlo Pallavicino , football agent, as the first professional site entirely dedicated to

486 views • 20 slides
Riding the waves of change in teaching tertiary mathematics 2018 Ansie Harding The secret of

Riding the waves of change in teaching tertiary mathematics 2018 Ansie Harding The secret of

Riding the waves of change in teaching tertiary mathematics 2018 Ansie Harding The secret of change is to focus all of your energy, not on fighting the old but on building the new Socrates 1.Change towards diagnostic testing 2.Change to a

707 views • 69 slides
Latin American DNS Observatory Hugo Salgado, NIC Chile, hugo@nic.cl ICANN 53, Buenos Aires, june

Latin American DNS Observatory Hugo Salgado, NIC Chile, hugo@nic.cl ICANN 53, Buenos Aires, june

Latin American DNS Observatory Hugo Salgado, NIC Chile, hugo@nic.cl ICANN 53, Buenos Aires, june 2015 History LAC Strategic Plan 2013-2016 Experience on Observatorio de Resiliencia de .CL LObservatoire sur la rsilience

530 views • 10 slides
The Public Launch of JODI-Gas Meeting of the G20 Energy Sustainability Working Group 29 May 2014

The Public Launch of JODI-Gas Meeting of the G20 Energy Sustainability Working Group 29 May 2014

The Public Launch of JODI-Gas Meeting of the G20 Energy Sustainability Working Group 29 May 2014 Sydney, Australia Contents Support for the four pillars of energy data transparency and JODI-Gas

682 views • 29 slides
Calling all high street businesses ITS TIME TO UNITE 1 What is OFFiGO? OFFiGO is the UKs

Calling all high street businesses ITS TIME TO UNITE 1 What is OFFiGO? OFFiGO is the UKs

Calling all high street businesses ITS TIME TO UNITE 1 What is OFFiGO? OFFiGO is the UKs first digital platform designed to bring all high street businesses together in a bid to increase footfall and spend in our local towns. The popularity

499 views • 12 slides
Investor and Analyst Meet June 2014 Safe Harbor Certain statements in this document may be

Investor and Analyst Meet June 2014 Safe Harbor Certain statements in this document may be

Vaibhav Global Limited Global Retailer of Fashion and Lifestyle Accessories on Home TV and e-Commerce Platforms Investor and Analyst Meet June 2014 Safe Harbor Certain statements in this document may be forward-looking statements. Such

795 views • 38 slides

More recommend