safe passwords made easy to use
play

Safe passwords made easy to use Nicolas K. Blanchard 1 , Leila - PowerPoint PPT Presentation

Mar 02, 2024 •338 likes •747 views

Safe passwords made easy to use Nicolas K. Blanchard 1 , Leila Gabasova 2 , Clment Malaingre 3 , Ted Selker 4 , Eli Sennesh 5 1 IRIF, Universit Paris Diderot 2 Institut de Plantologie et dAstrophysique de Grenoble 3 Teads France 4

  1. Safe passwords made easy to use Nicolas K. Blanchard 1 , Leila Gabasova 2 , Clément Malaingre 3 , Ted Selker 4 , Eli Sennesh 5 1 IRIF, Université Paris Diderot 2 Institut de Planétologie et d’Astrophysique de Grenoble 3 Teads France 4 University of California, Berkeley 5 Northeastern University Stanford EE Computer Systems Colloquium November 28th, 2018

  2. Passwords are bad, m’kay ? Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 1/27

  3. Because of this: • High rate of re-use (75% of users) • Lots of sharing (40% of users) • Frequent loss of passwords (40% to 60% reinitialised every 3 months) Too many passwords State of password use: • Average user has ∼ 100 accounts • Creates 50 passwords per year on average • Often counterproductive constraints, avoided by users (e.g. 1@MyPassword) Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 2/27

  4. Too many passwords State of password use: • Average user has ∼ 100 accounts • Creates 50 passwords per year on average • Often counterproductive constraints, avoided by users (e.g. 1@MyPassword) Because of this: • High rate of re-use (75% of users) • Lots of sharing (40% of users) • Frequent loss of passwords (40% to 60% reinitialised every 3 months) Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 2/27

  5. Methods to make passwords better: • Salt + variable ending: soon vulnerable • Blum’s algorithm: costly • Passphrases: not compatible with constraints Authentication methods Multiple alternatives to secure access: • Biometrics: have been durably hackable • Defer to a service (Facebook connect): trust issues • Physical devices: introduce other vulnerabilities • Password managers: single point of failure • Passwords re-use: extremely vulnerable Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 3/27

  6. Authentication methods Multiple alternatives to secure access: • Biometrics: have been durably hackable • Defer to a service (Facebook connect): trust issues • Physical devices: introduce other vulnerabilities • Password managers: single point of failure • Passwords re-use: extremely vulnerable Methods to make passwords better: • Salt + variable ending: soon vulnerable • Blum’s algorithm: costly • Passphrases: not compatible with constraints Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 3/27

  7. Passwords vs Passphrases Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 4/27

  8. It seems we’re stuck with passwords! Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 4/27

  9. Constraints Constraints for a good password management algorithm: • High entropy for each password • High residual entropy against stolen clear-text passwords • Memorable even without frequent use (hence deterministic) • Easy to understand by non-Turing-award-winners • Compatible with frequent constraints Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 5/27

  10. Idea: mentally extract entropy from a large secret Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 5/27

  11. Cue-Pin-Select High level view : • Create one high-enropy passphrase and a 4-digit PIN • Create a 4-letter cue for each service • Deterministically extract 4 trigrams from the sentence using the PIN and the cue Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 6/27

  12. Example run Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 7/27

  13. Main Algorithm Data: Passphrase P of at least 6 random words PIN K of 4 random digits service name N Result: String S of 12 characters begin From N , create string M of four characters L ← − Length ( P ) , V ← − 0, S ← − “” for i = 0 ; i < 4 ; i + + do X ← − M [ i ] while X / ∈ P do X ← − letter following X in the alphabet V ← − index of next occurrence of X ∈ P after V V ← − V + K [ i ] + 3 mod ( L ) S ← → Concatenate ( S , P [ V − 2 ] , P [ V − 1 ] , P [ V ]) Print S Algorithm 1: Cue-Pin-Select Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 8/27

  14. Security analysis Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 8/27

  15. Bruteforcing Cue-Pin-Select Today’s standard for web services : 36-42 bits (30 years at 1000 tries/s). Brute-force against Cue-Pin-Select : • Naive against a password → 56 bits • Optimised dictionary against a password → 52 bits • Naive against passphrase → 210 bits • Dictionary against passphrase → 111 bits Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 9/27

  16. Clear-text attacks To simplify analysis, Very strong adversary model, who knows: • 1+ passwords • Length of the passphrase • Position of each revealed trigram in the sentence Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 10/27

  17. Residual entropy (empirical on 10 000 tries) 1000 800 Occurrences 600 400 200 0 40 50 60 70 80 Bits of entropy Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 11/27

  18. Residual entropy (empirical on 10 000 tries) Two plain-texts Three plain-texts 600 500 Occurrences 400 300 200 100 0 0 10 20 30 40 50 60 Bits of entropy Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 11/27

  19. User experiment After 4-day experiment: • High initial cost (82s on average), and multiple errors initially • Quick speed-up, down to 42s after two days, with pen and paper • Increase when shift to mental computation only (86s) • Speed-up over the last day (down to 57s), no errors • Large variability, 24s-71s Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 12/27

  20. Adaptability Algorithm can be extended to handle: • Number and special characters • Length constraints • Frequent changes Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 13/27

  21. Cue-Pin-Select Summary Cue-Pin-Select: • 52 bits security per password • Guaranteed resistance to single clear-text attack, probable resistance to 2-3 clear-text • Can create 500+ passwords without high risk of strong partial collision • Quick learning process to get under 1 min • According to models, strongly memorable • Natural extension to handle frequent constraints • Other extension to improve security Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 14/27

  22. How to choose a passphrase ? Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 14/27

  23. Second possibility: random generation Limits : • Small dictionary if we want to make sure people know all words • Harder to memorise Current methods to make passphrase First possibility: let people choose them Problems: • Sentences from literature (songs/poems) • Famous sentences (2 . 55 % of users chose the same sentence in a large experiment) • Low entropy sentences with common words Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 15/27

  24. Current methods to make passphrase First possibility: let people choose them Problems: • Sentences from literature (songs/poems) • Famous sentences (2 . 55 % of users chose the same sentence in a large experiment) • Low entropy sentences with common words Second possibility: random generation Limits : • Small dictionary if we want to make sure people know all words • Harder to memorise Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 15/27

  25. What if we take the best of both world ? Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 15/27

  26. Passphrase choice experiment We show 20 or 100 words to users, they have to pick – and remember – six. Questions : • What factors influence their choices ? • What is the effect on entropy ? • What are the most frequent mistakes ? • How is memorisation affected ? Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 16/27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Meal Planning Made Easy Meal Planning Made Easy Healthy Utah Meal Planning Made Easy

Meal Planning Made Easy Meal Planning Made Easy Healthy Utah Meal Planning Made Easy

Meal Planning Made Easy Meal Planning Made Easy Healthy Utah Meal Planning Made Easy Welcome! Welcome! Housekeeping Webinar polling Recording will be a ailable available http://www.healthyutah.org/ programs/seminars.php

387 views • 19 slides
- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking

- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking

- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking statements and are subject to numerous risks and uncertainties including but not limited to a lack of adequate capital to enable the Company to

531 views • 24 slides
- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking

- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking

- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking statements and are subject to numerous risks and uncertainties including but not limited to a lack of adequate capital to enable the Company to

519 views • 25 slides
User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

670 views • 28 slides
Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of Information Technology Uppsala University, Sweden 20. January 2020 Caveat Auditor Background Passwords this talk contains opinions Diceware

447 views • 43 slides
PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords Passwords is a user authentication mechanism that is widely adopted for many years Methods for user authentication: Something you know

901 views • 52 slides
Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

CSCE Intro to Computer Systems Security - Passwords Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not too long ago Hi, I forgot my password! Let me help you. What is your name? My Name is John

369 views • 5 slides
WD 290 IQ Intelligence Made Easy WD 290 IQ Intuitive, easy to use 10.4 touch screens

WD 290 IQ Intelligence Made Easy WD 290 IQ Intuitive, easy to use 10.4 touch screens

WD 290 IQ Intelligence Made Easy WD 290 IQ Intuitive, easy to use 10.4 touch screens Reduced water use Same footprint as our WD 290 Compatible with WD 290 racks and carts Compatible with WA 290 and SISO

303 views • 17 slides
Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco IOS stores passwords in clear text in network device configuration files for several features such as passwords for local and remote CLI sessions,

354 views • 13 slides
STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A S S W O R D F R O M H O M E ! Students: Update your password this summer from home! Student passwords were reset on 7/3/2019. Please follow the

525 views • 14 slides
Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random research, rants, etc. Nmap dev news Password database I post updates to Twitter https://twitter.com/iagox86 My job... Tenable Network Security

990 views • 88 slides
The Pulse monitors: Statistics Smartpods PULSE 1 - Improve Facility Efficiencies 2 - Increase

The Pulse monitors: Statistics Smartpods PULSE 1 - Improve Facility Efficiencies 2 - Increase

The Pulse monitors: Statistics Smartpods PULSE 1 - Improve Facility Efficiencies 2 - Increase ROI 3 - Provide DATA and Reports Statistics Analysis Statistics Made Easy Statistics Made Easy Statistics Made Easy Statistics Made Easy

335 views • 18 slides
iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure

iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure

iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure and easy to access. TOTAL RECALL BENEFITS Keychain &amp; Safari are integral to Apples operating systems. (IOS for iPad/iPhone and OS X for

442 views • 9 slides
Q2 ION Metals Analysis Made Easy Elemental 1 19/01/2012 Instrument Impressions Elemental 2

Q2 ION Metals Analysis Made Easy Elemental 1 19/01/2012 Instrument Impressions Elemental 2

Q2 ION Metals Analysis Made Easy Elemental 1 19/01/2012 Instrument Impressions Elemental 2 19/01/2012 Q2 ION Metals Analysis Made Easy System overview Properties &amp; Features Technology Ultra-compact design, patented

785 views • 19 slides
AUDIENCE INTERACTION MADE EASY Let your conference attendees join the conversation and gain

AUDIENCE INTERACTION MADE EASY Let your conference attendees join the conversation and gain

AUDIENCE INTERACTION MADE EASY Let your conference attendees join the conversation and gain valuable industry insight Robert Morris Chief Communications Officer Georgia Ports Authority BRIDGING THE GAP Slido is an easy-to-use Q&amp;A and

293 views • 4 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
Vector Semantics, Part 3 Re-cap: Skip-Gram Training Training sentence: ... lemon, a tablespoon of

Vector Semantics, Part 3 Re-cap: Skip-Gram Training Training sentence: ... lemon, a tablespoon of

Dan Jurafsky and James Martin Speech and Language Processing Chapter 6 Vector Semantics, Part 3 Re-cap: Skip-Gram Training Training sentence: ... lemon, a tablespoon of apricot jam a pinch ... c1 c2 t c3 c4 positive

508 views • 34 slides
Proving Probabilistic Proving Probabilistic Properties of the I tai I tai Rodeh Rodeh

Proving Probabilistic Proving Probabilistic Properties of the I tai I tai Rodeh Rodeh

Proving Probabilistic Proving Probabilistic Properties of the I tai I tai Rodeh Rodeh Properties of the leader election protocol for leader election protocol for any Number of Processes any Number of Processes Douglas Graham Douglas

597 views • 40 slides
Peculiar velocities with type Ia supernovae from the Nearby Supernova Factory XII th Rencontres du

Peculiar velocities with type Ia supernovae from the Nearby Supernova Factory XII th Rencontres du

Peculiar velocities with type Ia supernovae from the Nearby Supernova Factory XII th Rencontres du Vietnam - Large Scale Structure and Galaxy Flows Ulrich Feindt, Oskar Klein Centre, Stockholm July 4th 2016 on the behalf of SNfactory SNfactory

595 views • 22 slides
Partition Cast - Modelling and Optimizing the Distribution of Large Data Sets in PC Clusters

Partition Cast - Modelling and Optimizing the Distribution of Large Data Sets in PC Clusters

Partition Cast - Modelling and Optimizing the Distribution of Large Data Sets in PC Clusters Felix Rauch Christian Kurmann, Thomas M. Stricker Laboratory for Computer Systems, ETH Zrich CoPs project: http://www.cs.inf.ethz.ch/CoPs/

444 views • 32 slides
Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides
CS 337 Project 2 Human-To-Host Simulator Instructor: Plaxton Judah De Paula Greg Plaxton Due

CS 337 Project 2 Human-To-Host Simulator Instructor: Plaxton Judah De Paula Greg Plaxton Due

CS 337 Project 2 Human-To-Host Simulator Instructor: Plaxton Judah De Paula Greg Plaxton Due March 8 (Monday) at 8:00pm 1 Overview Your task is to simulate a system in which a dynamic collection of humans access a dynamic collection of

388 views • 6 slides
Section ?: More Wireshark, advanced SSH CSE 461 Computer Networks Wireshark (Not that) advanced

Section ?: More Wireshark, advanced SSH CSE 461 Computer Networks Wireshark (Not that) advanced

Section ?: More Wireshark, advanced SSH CSE 461 Computer Networks Wireshark (Not that) advanced SSH ssh user@server -p port SSH Keys SSH Encryption SSH uses symmetrical encryption The session key is negotiated securely under

530 views • 25 slides
Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted]

Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted]

Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted] [encrypted] Who uses it? https://freedom.press/securedrop/directory Threat Model Assets Sources identity Confidentiality &amp; integrity

782 views • 35 slides

More recommend