On the Usability and Security of Password-Based User Authentication - PowerPoint PPT Presentation


  1. On the Usability and Security of Password-Based User Authentication
     Maximilian Golla. Thesis Defense, Bochum, Germany, May 29, 2019

  2. User Authentication
     Competing requirements of security and usability. [1]
     Common factors: Knowledge (Password, PIN); Biometrics (Fingerprint, Face); Possession (Security Key)
     Reinforced by: 2-Factor Authentication; Risk-based Authentication
     [Ref. 1] Joseph Bonneau et al.: The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. (SP '12)
     Bochum, May 29, 2019 | Thesis Defense ‘19

  3. Passwords Are Not Dead
     Primary means of authentication on the Web. [2]
     • Accounts: ~24
     • Passwords: 6-8
     Memorability issues lead to coping strategies: weak passwords and reused passwords.
     [Ref. 2] Sarah Pearman et al.: Let's Go in For a Closer Look: Observing Passwords in Their Natural Habitat. (CCS ‘17)

  4. Overview: Thesis
     Password Management: CCS 16
     Password Strength: CCS 18, SP 19
     Mobile Authentication: USEC 17, USEC 19, CCS 19*
     Password Recovery: PW 15, NDSS 17, USEC 19
     Password Reuse: CCS 18
     Access Control: USENIX Sec. 18
     Workshops: Rate-Limiting, Semantics of Passwords, Strength Meter
     [*] Under review

  5. Overview: Today
     Password Management: CCS 16
     Password Strength: CCS 18, SP 19
     Mobile Authentication: USEC 17, USEC 19, CCS 19*
     Password Recovery: PW 15, NDSS 17, USEC 19
     Password Reuse: CCS 18
     Access Control: USENIX Sec. 18
     Workshops: Rate-Limiting, Semantics of Passwords, Strength Meter
     [*] Under review

  6. Outline: Introduction; Strength Meter; Reuse Notifications

  7. How Users Choose Passwords
     • Well-defined process
     • Misconceptions in mental model: “Adding ‘!’ to the end instantly makes it secure.” [3]
     • Estimating strength not easy
     [Ref. 3] Ur et al.: “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab. (SOUPS ‘15)

  8. Estimating the Strength of a Password is Tough
     “Adding ‘!’ to the end instantly makes it secure.” [3]
     Password 1: iloveyou88   Password 2: ieatkale88
     Options: A. Password 1 is stronger; B. Password 2 is stronger; C. They are equally strong
     [Ref. 3] Ur et al.: “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab. (SOUPS ‘15)

  9. Estimating the Strength of a Password is Tough
     “Adding ‘!’ to the end instantly makes it secure.” [3]
     Password 1: iloveyou88, guess number 1.5 × 10^4
     Password 2: ieatkale88, guess number 3.1 × 10^9
     (The guess number is the number of attempts a guessing attack needs; the higher value marks the stronger password.)
     [Ref. 3] Ur et al.: “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab. (SOUPS ‘15)

  10. Support Users in Choosing Secure Passwords: Strength Meter

  11. But They Are Not Always Accurate

  12. How to Measure Accuracy?
      Rank the same passwords (e.g., 123456, …) once with a reference and once with the strength meter, then compare the two rankings.

  13. LUDS-based Meter: “Password1” rated Strong
      Character-class counts: L (lowercase): U (uppercase): D (digits): S (symbols):

  14. Password “Strength”
      Reference: guess number. Meter: ???
      Meter output   Example
      Text           Weak, Medium, Strong
      Colors         Red, Orange, Green
      Percentages    42%
      Scores         1-5
      Time           12 d, 9 h, 47 m
      Entropy        82 bits
      Guess number   1 018 291 guesses

  15. Simulation Dataset
      Count      Password
      1 044 164  123456
      176 120    password
      88 076     12345678
      78 720     111111
      …          …
      356        charlie22
      356        mickey7
      …          …
      1          ~!@#!?~!@

  16. Simulate Common Errors Observed in Real-World Meters
      Applied to the reference meter: monotonic transformations; quantization; disturbances; random sampling

  17. After: Quantized Output
      Reference (count): 63, 40, 19, 9, 3, 2, 1, …
      Meter (bin): 30 Weak, 20 Medium, 20 Good, 10 Strong, 10, …

  18. Result: Compare Ranking
      Recommendation:
      • Compare relative ranking only
      • Weight passwords by importance
      • Weighted and ranked metrics (e.g., weighted Spearman correlation)
      Large-Scale Comparison: 81 implementations (academia, websites, PW managers, operating systems, previous work)
      What can we do with this information? password-meter-comparison.org
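The ranking comparison of slides 12 to 18, as an added example that is not code from the thesis or from password-meter-comparison.org: a constructed toy LUDS meter is quantized into four bins, both it and a constructed reference (guess numbers) rank the same passwords, and the two rankings are compared with a weighted Spearman correlation that uses password frequency as the importance weight. The dataset, the meter rule, the bin thresholds and the guess numbers are all assumptions made for this example.

```python
import math

# Constructed sample: (password, count in a leaked corpus, reference guess number).
# Counts serve as importance weights: a common password matters more than a rare one.
SAMPLE = [
    ("123456", 1044164, 1), ("password", 176120, 2), ("12345678", 88076, 3),
    ("111111", 78720, 4), ("iloveyou88", 356, 1.5e4), ("mickey7", 356, 3.1e4),
    ("Password1", 90, 2.0e5), ("ieatkale88", 5, 3.1e9), ("~!@#!?~!@", 1, 1.0e12),
]

def luds_meter(pw):
    """Toy LUDS meter (constructed): a point per character class present, plus one per 4 chars."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) + len(pw) // 4

def quantize(score):
    """Quantize a raw score into the four ordered bins a deployed meter shows: 0=Weak, 1=Medium, 2=Good, 3=Strong."""
    return 0 if score <= 2 else 1 if score <= 4 else 2 if score <= 6 else 3

def average_ranks(values):
    """Ascending ranks from 1; tied values (all passwords in one bin) share their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks

def weighted_spearman(x, y, w=None):
    """Weighted Pearson correlation of the two rank vectors; w=None gives plain Spearman."""
    w = w or [1.0] * len(x)
    rx, ry = average_ranks(x), average_ranks(y)
    mx, my = sum(a * b for a, b in zip(w, rx)) / sum(w), sum(a * b for a, b in zip(w, ry)) / sum(w)
    cov = sum(wi * (a - mx) * (b - my) for wi, a, b in zip(w, rx, ry))
    vx = sum(wi * (a - mx) ** 2 for wi, a in zip(w, rx))
    vy = sum(wi * (b - my) ** 2 for wi, b in zip(w, ry))
    return cov / math.sqrt(vx * vy)

def evaluate(sample=SAMPLE, weighted=True):
    """Correlation between the reference ranking (guess number) and the quantized meter ranking."""
    meter = [quantize(luds_meter(p)) for p, _, _ in sample]
    weights = [c for _, c, _ in sample] if weighted else None
    return weighted_spearman([g for _, _, g in sample], meter, weights)
```

Running `evaluate()` on the constructed sample gives a correlation of roughly 0.5: the meter rates the symbol-only password only Medium although the reference needs 10^12 guesses for it, and the four bins tie most passwords, which is exactly the kind of quantization error the slides simulate.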

  19. Outline: Introduction; Strength Meter; Reuse Notifications

  21. Reuse Attacks?
      Email              Cracked SHA-1
      jenny@gmail.com    Hiking91
      joe@mail.com       R0cky!17
      john@hotmail.com   ILoveBananas!
      …                  …
      “I used ‘R0cky!17’ everywhere!”  1 guess can be enough!
      Email          Secure Argon2i Hash
      joe@mail.com   $argon2i$v=19$m=4096,…
      …              …

  23. “Stolen From Another Site”

  24. Study 1: Previously Sent Notifications
      Understanding: Feelings; Perceptions; Actions; Effectiveness; Delivery Method; Legitimacy
      MTurk, 15 min, 180 respondents, $2.50

  25. “You've got e-mail! ... shall I deal with it now?”
      Concerning and a priority (83% very high or high)

  26. “Should I worry?”

  27. “Something happened and you need to click ‘OK’ to get on with things.” [6]
      What may have caused you to receive this notification? [Multi select]
      60% Account hacked; 21% New device (false alarm); 21% Data breach; 19% Reuse
      [Ref. 6] Johnathan Nightingale, Firefox Software Engineer at Mozilla; [Img 1] Guy Fawkes by Carlotta Rosi, thecirqle.com

  28. Call a Spade a Spade!
      Don’t mention reuse: 0-4% of respondents listed reuse as a cause for receiving this notification.
      Allude to reuse: 48-56% of respondents listed reuse as a cause for receiving this notification.

  29. Incomplete Mental Models
      “The chances of someone guessing that I use the same password are still incredibly low.” (R171)
      Current password-reuse notifications: cause concern / explain the situation

  30. Study 2: Components of Notifications
      Delivery Medium: Push / In-App / Email
      Incident: Unrelated / Our / -
      Account Activity: No suspicious / Suspicious / -
      Remediation: Create new / Recommend
      Other Accounts: Change all / -
      Extra Actions: Enable 2FA + Manager / -
      MTurk, 588 respondents

  31. … Unhealthy Behavior
      What would you do about it? 90% Change it; 6% Keep it the same; 4% Don’t know
      What would your new password be? 68% Modified password; 13% Reused password; 11% Use manager/browser; 6% Other; 2% Completely new

  32. Incomplete Mental Models
      “The hack wasn't specific to this company so it doesn't worry me.” (R69)
      After seeing a reuse notification, users would change their password … but ineffectively, and they have incomplete mental models.

  33. Mockup

  34. Conclusion: Passwords; Strength Meter; Reuse Notifications
