SLIDE 1 Passpet
Convenient Password Management and Phishing Protection
Ka-Ping Yee <ping@zesty.ca>
Kragen Sitaker <kragen@pobox.com>
SLIDE 2
problems:
design:
solutions:
practical matters:
evaluation:
SLIDE 3
problems: the big 5
SLIDE 4
problems: the big 5
1 many passwords
SLIDE 5
problems: the big 5
1 many passwords 2 dictionary attack
SLIDE 6
problems: the big 5
1 many passwords 2 dictionary attack 3 password entry in webpages
SLIDE 7
SLIDE 8
problems: the big 5
1 many passwords 2 dictionary attack 3 password entry in webpages 4 site impersonation
SLIDE 9
SLIDE 10
SLIDE 11
SLIDE 12
problems: the big 5
1 many passwords 2 dictionary attack 3 password entry in webpages 4 site impersonation 5 UI spoofing
SLIDE 13
SLIDE 14
problems: the big 5
1 many passwords 2 dictionary attack 3 password entry in webpages 4 site impersonation 5 UI spoofing
SLIDE 15
design:
SLIDE 16
design:
logging in
setting up a new password
setting up Passpet
SLIDE 17
solutions:
SLIDE 18
solutions:
1 many passwords
SLIDE 19
master secret ⊕ site name → site-specific password
SLIDE 20
master secret ⊕ site name → site-specific password
SLIDE 21
master secret ⊕ site name → site-specific password
SLIDE 22
solutions:
1 many passwords 2 dictionary attack
SLIDE 23
master secret ⊕ site name → site-specific password
SLIDE 24
? ⊕ site name → site-specific password
SLIDE 25
? + site name → site-specific password
SLIDE 26
master secret + site name → site-specific password
SLIDE 27
master secret + site name → site-specific password
+
SLIDE 28
master secret + user name → [result] + site name → site-specific password
Password Multiplier (Halderman, 2005)
SLIDE 29
Passpet: variable-strength password hash
SLIDE 30 Give responsive feedback
SLIDE 31
solutions:
1 many passwords 2 dictionary attack 3 password entry in webpages
SLIDE 32
SLIDE 33
solutions:
1 many passwords 2 dictionary attack 3 password entry in webpages 4 site impersonation
SLIDE 34
Petname Tool (Close, 2005)
SLIDE 35
Passpet: use site label for hashing
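The two ideas on slides 29 and 35, variable-strength hashing and hashing over the user's own label for the site, as an added Python example (this is illustration code, not Passpet's implementation). Assumptions not on the slides: PBKDF2-HMAC-SHA256 stands in for the unspecified hash, "strength" is the base-2 logarithm of the iteration count, the output password is 12 base64 characters, and the label is whitespace- and case-normalised before hashing.

```python
import base64
import hashlib

# Added illustration of the Passpet hashing idea (not the project's code):
# site password = slow_hash(master secret, user-assigned site label),
# where the slowness ("strength") is a user-adjustable parameter.

PASSWORD_LEN = 12  # assumed output length, not from the slides


def iterations_for(strength: int) -> int:
    """Strength s means 2**s hash iterations: each +1 doubles the attacker's cost."""
    if strength < 0:
        raise ValueError("strength must be >= 0")
    return 1 << strength


def normalise_label(label: str) -> str:
    """'My Bank' and ' my  bank ' are the same petname to the user, so hash them alike."""
    return " ".join(label.lower().split())


def derive_site_password(master_secret: str, label: str, strength: int) -> str:
    """Deterministic site-specific password from (master secret, label, strength).

    The label is the petname the *user* assigned to the site, never a string
    supplied by the site itself, so a look-alike site the user has never
    labelled cannot make Passpet reproduce the real site's password.
    PBKDF2-HMAC-SHA256 is an assumed stand-in for the slides' hash function.
    """
    salt = b"passpet-example|" + normalise_label(label).encode("utf-8")
    raw = hashlib.pbkdf2_hmac(
        "sha256",
        master_secret.encode("utf-8"),
        salt,
        iterations_for(strength),
        dklen=32,
    )
    # Unpadded base64 gives letters, digits, '+' and '/'; trim to the chosen length.
    return base64.b64encode(raw).decode("ascii").rstrip("=")[:PASSWORD_LEN]


def attacker_work_factor(strength: int, guesses: int) -> int:
    """Hash invocations an offline dictionary attack needs to test `guesses`
    candidate master secrets against one leaked site password."""
    return guesses * iterations_for(strength)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample secret
    # Responsive feedback (slide 30): show the cost of each strength setting.
    for strength in (8, 12, 16):
        pw = derive_site_password(master, "My Bank", strength)
        print(f"strength {strength:2d}: {iterations_for(strength):>6d} iterations -> {pw}")
    # A phishing site has no label of its own; any new label the user types
    # for it yields a password that is useless at the real bank.
    real = derive_site_password(master, "My Bank", 12)
    fake = derive_site_password(master, "my bank?", 12)
    print("look-alike gets a different password:", real != fake)
    print("dictionary attack of 10^6 guesses at strength 12 costs",
          attacker_work_factor(12, 10**6), "hash calls")
```

The label is used as the salt, so the same master secret produces unrelated passwords for differently labelled sites, and the iteration count is chosen by the user rather than fixed by the site.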
SLIDE 36
Help users rely on information from the user, not an attacker.
SLIDE 37
solutions:
1 many passwords 2 dictionary attack 3 password entry in webpages 4 site impersonation 5 UI spoofing
SLIDE 38
Dynamic Security Skins (Dhamija, 2005)
SLIDE 39
Passpet: interact directly with custom icon
SLIDE 40
Passpet: interact directly with custom icon
SLIDE 41
Get the user to interact with something personalized.
SLIDE 42
contributions:
1 variable-strength hashing
2 password strength feedback
3 use user-assigned labels for hashing
4 personalized security agent
5 direct interaction with customized UI
SLIDE 43
practical matters:
SLIDE 44
practical matters:
What if you want to use another computer?
SLIDE 45
practical matters:
What if someone gets your password file?
SLIDE 46
practical matters:
What if you want to use another computer?
Firefox Passpet → encrypted site labels → Passpet Server
Passpet Server → encrypted site labels → Firefox Passpet
SLIDE 47
practical matters:
What if you want to use existing websites?
SLIDE 48
practical matters:
What if you need to change a password?
SLIDE 49
evaluation:
SLIDE 50
evaluation:
Passpet for Internet Explorer: tested at HP Labs with 15 users
main complaint: want to use other computers
Passpet for Firefox: not yet usability-tested
SLIDE 51 thanks:
Tyler Close (Petname Tool)
Alan Karp (Passpet user study)
David Wagner (design and cryptography)
J. Alex Halderman (Password Multiplier)
Rachna Dhamija (Dynamic Security Skins)
http://passpet.org/