PASSWORDS, CS682: Advanced Security Topics, Vasiliki Panteli (PowerPoint PPT Presentation)

  1. PASSWORDS
  CS682: Advanced Security Topics
  Vasiliki Panteli
  3/9/2020 Passwords 1

  2. Passwords
  • Passwords are a user authentication mechanism that has been widely adopted for many years
  • Methods for user authentication:
    • Something you know (password)
    • Something you have (mobile phone)
    • Something you are (biometrics)

  3. 1st Paper: The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
  Bonneau J., Herley C., Van Oorschot P. C., Stajano F.

  4. 1st Paper Overview
  • Introduction
    • Problem
    • Proposal
  • Framework Analysis
    • Properties
    • Weights
  • Schemes Evaluation
  • Conclusion

  5. Introduction – Problem
  • Passwords are plagued with security problems
  • Passwords have not been replaced by any of the numerous proposals from the research community

  6. Introduction – Proposal
  • The authors propose a framework that evaluates already proposed password-replacement schemes
  • It can be used as a benchmark for future password-replacement proposals
  • 25 different properties were tested against 35 password-replacement schemes (9 of them are analyzed in the paper)

  7. Framework Analysis – Benefits
  • Each scheme is rated as offering, almost offering ("Quasi-") or not offering each benefit
  • Example of "Quasi":
    • Memorywise-Effortless: users of the scheme do not have to remember any secrets at all
    • Quasi-Memorywise-Effortless: users have to remember one secret for everything
  • The framework analysis has 3 categories: Usability, Deployability, Security

  8. Properties – Usability
  1. Memorywise-Effortless
  2. Scalable-for-Users
  3. Nothing-to-Carry
  4. Physically-Effortless
  5. Easy-to-Learn
  6. Efficient-to-Use
  7. Infrequent-Errors
  8. Easy-Recovery-from-Loss

  9. Properties – Deployability
  1. Accessible
  2. Negligible-Cost-per-User
  3. Server-Compatible
  4. Browser-Compatible
  5. Mature
  6. Non-Proprietary

  10. Properties – Security
  1. Resilient-to-Physical-Observation
  2. Resilient-to-Targeted-Impersonation
  3. Resilient-to-Throttled-Guessing
  4. Resilient-to-Unthrottled-Guessing
  5. Resilient-to-Internal-Observation

  11. Properties – Security (continued)
  6. Resilient-to-Leaks-from-Other-Verifiers
  7. Resilient-to-Phishing
  8. Resilient-to-Theft
  9. No-Trusted-Third-Party
  10. Requiring-Explicit-Consent
  11. Unlinkable

  12. Weights
  • Some benefits are more important than others, depending on the specific goal for which the schemes are being compared
  • STEP 1: Examine and score each individual scheme on each benefit
  • STEP 2: Compare competing schemes to identify precisely which benefits each offers over the other
  • STEP 3: Determine a ranking with weights that take into account the relative importance of each benefit

  13. Weights (figure only)

  14. Evaluation – Legacy Passwords
  ARE:
  1. Nothing-to-Carry
  2. Easy-to-Learn
  3. Efficient-to-Use
  4. Easy-Recovery-from-Loss
  5. Accessible
  6. Negligible-Cost-per-User
  7. Server-Compatible
  8. Browser-Compatible
  9. Mature
  10. Non-Proprietary
  11. Resilient-to-Theft
  12. No-Trusted-Third-Party
  13. Unlinkable
  ARE NOT:
  1. Memorywise-Effortless
  2. Scalable-for-Users
  3. Physically-Effortless
  4. Resilient-to-Physical-Observation
  5. Resilient-to-Throttled-Guessing
  6. Resilient-to-Unthrottled-Guessing
  7. Resilient-to-Internal-Observation
  8. Resilient-to-Leaks-from-Other-Verifiers
  9. Resilient-to-Phishing

  15. Evaluation – Encrypted password managers: Mozilla Firefox
  [Figure: the user unlocks Mozilla Firefox with a master password; Firefox holds a separate stored password for Website 1, Website 2 and Website 3]

  16. Evaluation – Encrypted password managers: Mozilla Firefox
  IS:
  1. Scalable-for-Users
  2. Easy-to-Learn
  3. Efficient-to-Use
  4. Infrequent-Errors
  5. Resilient-to-Phishing
  6. Resilient-to-Theft
  7. No-Trusted-Third-Party
  8. Requiring-Explicit-Consent
  9. Unlinkable
  10. Negligible-Cost-per-User
  11. Mature
  12. Accessible
  13. Server-Compatible
  14. Non-Proprietary
  15. Quasi-Memorywise-Effortless
  16. Quasi-Nothing-to-Carry
  17. Quasi-Physically-Effortless
  18. Quasi-Resilient-to-Physical-Observation
  19. Quasi-Resilient-to-Targeted-Impersonation
  IS NOT:
  1. Easy-Recovery-from-Loss
  2. Resilient-to-Throttled-Guessing
  3. Resilient-to-Unthrottled-Guessing
  4. Resilient-to-Internal-Observation
  5. Resilient-to-Leaks-from-Other-Verifiers
  6. Browser-Compatible

  17. Evaluation – Federated Single Sign-On: OpenID
  [Figure: the user authenticates once to the Single Sign-On provider, which signs the user in to Website 1, Website 2 and Website 3]

  18. Evaluation – Federated Single Sign-On: OpenID
  IS:
  1. Scalable-for-Users
  2. Nothing-to-Carry
  3. Efficient-to-Use
  4. Infrequent-Errors
  5. Easy-Recovery-from-Loss
  6. Accessible
  7. Negligible-Cost-per-User
  8. Mature
  9. Non-Proprietary
  10. Browser-Compatible
  11. Quasi-Memorywise-Effortless
  12. Quasi-Physically-Effortless
  13. Quasi-Easy-to-Learn
  14. Resilient-to-Leaks-from-Other-Verifiers
  15. Quasi-Resilient-to-Throttled-Guessing
  16. Quasi-Resilient-to-Unthrottled-Guessing
  17. Quasi-Resilient-to-Targeted-Impersonation
  18. Quasi-Resilient-to-Physical-Observation
  IS NOT:
  1. Server-Compatible
  2. Resilient-to-Internal-Observation
  3. Resilient-to-Phishing
  4. Unlinkable
  5. No-Trusted-Third-Party

  19. Evaluation – Graphical Passwords: PCCP
  [Figure: user login with PCCP]

  20. Evaluation – Graphical Passwords: PCCP
  IS:
  1. Easy-to-Learn
  2. Negligible-Cost-per-User
  3. Browser-Compatible
  4. Non-Proprietary
  5. Resilient-to-Targeted-Impersonation
  6. Resilient-to-Leaks-from-Other-Verifiers
  7. Resilient-to-Phishing
  8. Unlinkable
  IS NOT:
  1. Memorywise-Effortless
  2. Scalable-for-Users
  3. Accessible
  4. Server-Compatible
  5. Mature
  6. Resilient-to-Physical-Observation
  7. Resilient-to-Unthrottled-Guessing
  8. Resilient-to-Internal-Observation

  21. Evaluation – Cognitive authentication: GrIDsure
  [Figure: grids of digits. Enrolment: the user chooses a pattern of cells on the grid. Login: a grid filled with fresh digits is shown and the user writes down the digits that fall on the chosen pattern]

  22. Evaluation – Cognitive authentication: GrIDsure
  IS:
  1. Nothing-to-Carry
  2. Easy-to-Learn
  3. Easy-Recovery-from-Loss
  4. Negligible-Cost-per-User
  5. Browser-Compatible
  6. Resilient-to-Targeted-Impersonation
  7. Resilient-to-Throttled-Guessing
  8. Resilient-to-Unthrottled-Guessing
  9. Quasi-Efficient-to-Use
  IS NOT:
  1. Memorywise-Effortless
  2. Scalable-for-Users
  3. Physically-Effortless
  4. Accessible
  5. Server-Compatible
  6. Mature
  7. Non-Proprietary
  8. Resilient-to-Physical-Observation
  9. Resilient-to-Internal-Observation
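The three steps on slide 12 (score each scheme on each benefit, compare pairs of schemes, rank with weights) can be carried out mechanically over the ratings on slides 14, 16 and 18. The following is an added example written for this page, not code from the paper or from the slides: the 25 property names and the per-scheme ratings are copied from the slides, while the weights, the half credit given to a "Quasi-" benefit, and all function names are this example's own assumptions. The three properties slide 14 does not rate for legacy passwords, and the two slide 18 does not rate for OpenID, are treated as not offered.

```python
"""Scoring web-authentication schemes with the benefit framework of
Bonneau et al. (slides 7-12). Ratings: slides 14, 16, 18. Weights and the
0.5 credit for "Quasi-" benefits are constructed for this example."""
from typing import Dict, FrozenSet, List, Optional, Tuple

USABILITY = (
    "Memorywise-Effortless", "Scalable-for-Users", "Nothing-to-Carry",
    "Physically-Effortless", "Easy-to-Learn", "Efficient-to-Use",
    "Infrequent-Errors", "Easy-Recovery-from-Loss",
)
DEPLOYABILITY = (
    "Accessible", "Negligible-Cost-per-User", "Server-Compatible",
    "Browser-Compatible", "Mature", "Non-Proprietary",
)
SECURITY = (
    "Resilient-to-Physical-Observation", "Resilient-to-Targeted-Impersonation",
    "Resilient-to-Throttled-Guessing", "Resilient-to-Unthrottled-Guessing",
    "Resilient-to-Internal-Observation", "Resilient-to-Leaks-from-Other-Verifiers",
    "Resilient-to-Phishing", "Resilient-to-Theft", "No-Trusted-Third-Party",
    "Requiring-Explicit-Consent", "Unlinkable",
)
ALL_BENEFITS = USABILITY + DEPLOYABILITY + SECURITY  # the 25 properties

# STEP 1 result per scheme: (benefits offered fully, benefits offered "Quasi-").
Rating = Tuple[FrozenSet[str], FrozenSet[str]]
SCHEMES: Dict[str, Rating] = {
    # Slide 14 (22 of 25 properties rated; the rest treated as not offered).
    "Legacy passwords": (frozenset({
        "Nothing-to-Carry", "Easy-to-Learn", "Efficient-to-Use",
        "Easy-Recovery-from-Loss", "Accessible", "Negligible-Cost-per-User",
        "Server-Compatible", "Browser-Compatible", "Mature", "Non-Proprietary",
        "Resilient-to-Theft", "No-Trusted-Third-Party", "Unlinkable"}),
        frozenset()),
    # Slide 16.
    "Firefox password manager": (frozenset({
        "Scalable-for-Users", "Easy-to-Learn", "Efficient-to-Use",
        "Infrequent-Errors", "Resilient-to-Phishing", "Resilient-to-Theft",
        "No-Trusted-Third-Party", "Requiring-Explicit-Consent", "Unlinkable",
        "Negligible-Cost-per-User", "Mature", "Accessible", "Server-Compatible",
        "Non-Proprietary"}),
        frozenset({"Memorywise-Effortless", "Nothing-to-Carry",
                   "Physically-Effortless", "Resilient-to-Physical-Observation",
                   "Resilient-to-Targeted-Impersonation"})),
    # Slide 18 (23 of 25 properties rated; the rest treated as not offered).
    "OpenID": (frozenset({
        "Scalable-for-Users", "Nothing-to-Carry", "Efficient-to-Use",
        "Infrequent-Errors", "Easy-Recovery-from-Loss", "Accessible",
        "Negligible-Cost-per-User", "Mature", "Non-Proprietary",
        "Browser-Compatible", "Resilient-to-Leaks-from-Other-Verifiers"}),
        frozenset({"Memorywise-Effortless", "Physically-Effortless",
                   "Easy-to-Learn", "Resilient-to-Throttled-Guessing",
                   "Resilient-to-Unthrottled-Guessing",
                   "Resilient-to-Targeted-Impersonation",
                   "Resilient-to-Physical-Observation"})),
}


def validate() -> None:
    """Reject typos in ratings: unknown benefit names, or a benefit rated both ways."""
    known = set(ALL_BENEFITS)
    for name, (full, quasi) in SCHEMES.items():
        unknown = (full | quasi) - known
        if unknown:
            raise ValueError(f"{name}: unknown benefits {sorted(unknown)}")
        if full & quasi:
            raise ValueError(f"{name}: rated both full and quasi: {sorted(full & quasi)}")


def compare(a: str, b: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """STEP 2: benefits (full or quasi) that a offers and b lacks, and vice versa."""
    offered_a = SCHEMES[a][0] | SCHEMES[a][1]
    offered_b = SCHEMES[b][0] | SCHEMES[b][1]
    return offered_a - offered_b, offered_b - offered_a


def score(scheme: str, weights: Optional[Dict[str, float]] = None,
          quasi_credit: float = 0.5) -> float:
    """STEP 3: weighted sum of benefits; an unweighted benefit counts 1.0 and a
    Quasi- benefit earns quasi_credit of its weight (both assumptions)."""
    full, quasi = SCHEMES[scheme]
    w = weights or {}
    return (sum(w.get(b, 1.0) for b in full)
            + quasi_credit * sum(w.get(b, 1.0) for b in quasi))


def rank(weights: Optional[Dict[str, float]] = None) -> List[Tuple[str, float]]:
    """Schemes ordered from highest to lowest weighted score."""
    return sorted(((s, score(s, weights)) for s in SCHEMES), key=lambda x: -x[1])


# Constructed weighting: security benefits count double, everything else once.
SECURITY_FIRST = {b: 2.0 for b in SECURITY}

if __name__ == "__main__":
    validate()
    for label, w in (("equal weights", None), ("security-first", SECURITY_FIRST)):
        print(label, rank(w))
    print(compare("Firefox password manager", "Legacy passwords"))
```

Running `compare("Firefox password manager", "Legacy passwords")` reproduces the slide 16 "IS NOT" entries that passwords do offer (Easy-Recovery-from-Loss and Browser-Compatible), which is the kind of pairwise difference STEP 2 is meant to surface before any weights are applied.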

  23. Evaluation – Other schemes
  1. Proxy-based: URRSA
  2. Paper tokens: OTPW
  3. Hardware tokens: RSA SecurID
  4. Mobile-phone-based: Phoolproof
  5. Biometrics: fingerprint recognition

  24. (figure only)

  25. Conclusions
  • Most schemes do better than passwords on security
  • Every scheme does worse than passwords on deployability
  • This paper can help the research community evaluate their user authentication proposals with this framework, adjusting it to their needs:
    • Add weights
    • Add more benefits

  26. 2nd Paper: The Tangled Web of Password Reuse
  Das, A., Bonneau, J., Caesar, M., Borisov, N., & Wang, X. (2014, February)

  27. 2nd Paper Overview
  • Introduction
  • Related Work
  • Measurement Study
  • Survey
  • Guessing Algorithm
  • Conclusions

  28. Introduction
  • In this paper the authors:
    • Estimate the rate of password reuse
    • Examine how reusing passwords can benefit attackers
    • Analyze the similarity of non-identical passwords
    • Develop a password-guessing algorithm

  29. Related Work
  • Zhang et al.
    • Drawback: their password analysis is based on a single source, so they examine only one password composition policy
  • Florencio et al.
    • Drawback: only considered identical passwords, not related ones (with modifications)
  • Weir et al.
    • Drawback: focus on cracking passwords in an offline scenario

  30.
  • A typical Internet user is estimated to have 25 distinct online accounts
  • Users often reuse passwords across accounts on different online services

  31. Measurement Study
  • Understand how often users reuse passwords across sites
  • Understand the specific approaches users take to vary their password at different sites
  • In the measurement study the authors take the password composition policies into consideration

  32. Password Composition Policies
  • To increase security on their websites, online services often use composition policies or metrics, as it has been shown that they help users choose stronger passwords.
  • Example:
    • Passwords must not contain the user's entire name/user ID
    • At least n characters
    • Passwords must contain characters from two or more of the following categories:
      • Uppercase characters
      • Lowercase characters
      • Base 10 digits
      • Non-alphanumeric ASCII characters
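The example policy on slide 32 is small enough to implement directly, which also makes its limits concrete: it measures character classes and a name/ID substring, not how guessable or how widely reused a password is. The following checker is an added example written for this page, not code from the paper; the value n = 8, the case-insensitive matching of name and user ID, the decision to count only printable punctuation as "non-alphanumeric ASCII", and the sample inputs are all this example's own assumptions.

```python
"""Checker for the slide 32 composition policy (added example, not from the
paper). Policy: no entire name/user ID in the password, at least n
characters, characters from two or more of four categories."""
import string
from typing import Dict, List, Set

MIN_LENGTH = 8  # the slide says "at least n characters"; n = 8 is an assumption

# The four categories of slide 32. Counting only printable punctuation as
# non-alphanumeric ASCII (excluding space and control characters) is an assumption.
CATEGORIES: Dict[str, Set[str]] = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "non-alphanumeric ASCII": set(string.punctuation),
}


def categories_present(password: str) -> Set[str]:
    """Names of the categories from which the password draws at least one character."""
    return {name for name, chars in CATEGORIES.items() if any(c in chars for c in password)}


def violations(password: str, user_name: str, user_id: str) -> List[str]:
    """Return one message per policy rule the password breaks (empty list: compliant).
    Name and user ID are matched case-insensitively (assumption)."""
    problems: List[str] = []
    lowered = password.lower()
    for label, value in (("name", user_name), ("user ID", user_id)):
        if value and value.lower() in lowered:
            problems.append(f"contains the user's entire {label}")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = categories_present(password)
    if len(present) < 2:
        problems.append(f"uses only {len(present)} of the 4 character categories")
    return problems


def is_compliant(password: str, user_name: str, user_id: str) -> bool:
    return not violations(password, user_name, user_id)


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    NAME, UID = "Jane Doe", "jdoe"
    for candidate in ("jdoe2020", "sunshine", "short1A", "Tr0ub4dor&3", "Password1"):
        result = violations(candidate, NAME, UID)
        print(f"{candidate!r}: {'compliant' if not result else '; '.join(result)}")
```

The last two sample inputs show the caveat the slide's wording invites: "Password1" satisfies every rule of the policy just as "Tr0ub4dor&3" does, so a composition policy alone says nothing about reuse across sites or about how high a password ranks in a guessing order, which is exactly what the paper's measurement study goes on to examine.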
