the human element in computer security graphical
play

The Human Element in Computer Security - Graphical Passcodes as a - PowerPoint PPT Presentation

Jan 11, 2023 •161 likes •1.11k views

The Human Element in Computer Security - Graphical Passcodes as a Means to Create Secure Authentication systems Steffen Werner University of Idaho Why Research on User Authentication? The applied appeal Growing importance of stored

  2. The Human Element in Computer Security - Graphical Passcodes as a Means to Create Secure Authentication systems Steffen Werner University of Idaho

  3. Why Research on User Authentication? • The applied appeal –Growing importance of stored assets • Shift to web-based services, cybersecurity –Increased need for computer security • Increase in attacks –Increasing rigor of authentication protocols

  4. Why Research on Passwords? • The theoretical appeal –Ideal scenario for human-technology optimization –Quantitative definition of engineering goals –Problem open to multiple solutions –Large body of relevant psychological literature • Different types of memory systems • Free recall vs. cued recall vs. recognition tests • Visual perception, visual attention, visual memory

  5. Overview of the Talk • Approaches to authentication • What makes a good password system? – Maximization of actual password entropy – Elimination of predictable user choices – Elimination of other unsafe user behavior • Overview of graphical approaches to password systems • 4 studies evaluating aspects of our new CSA graphical password system against alternative approaches

  6. Current Approaches to Authentication • Passwords • Token-based authentication • Biometric authentication • Behavioral analysis and combinations through ... • Two-factor (multi-factor) authentication

  7. Password Authentication is Cognitive Authentication • The user possesses unique knowledge • Relies on memory storage of information* • Problems: forgetting, phishing, guessing, theft (shoulder surfing) *unless written down

  8. Hardware Token-based Authentication • Token identifies user (passport) • One-time passwords (OTP) • Usually used in combination with pin or other password • Problems: theft, loss, failure, difficult to replace (time, cost)

  9. Biometric Authentication • Authentication through a physical characteristic of the user • Examples: fingerprint, retinal scan, iris scan, vascular patterns, voice recognition, DNA • Problems: cost, limited replaceability, user acceptance, stability of biometric parameters

  10. Authentication through Behavioral Analysis • Authentication through a unique behavioral patter of the user • Keystroke, mouse, or signature dynamics, voice recognition, gate, posture, etc. • Problems: Changes (fatigue, illness), injury, aging

  11. What Makes a Good Password? • Increase effective password entropy • Decrease forgetting of passwords • Enable safe and fast entry of password • The current password problem: Inverse relation between safety of password and memorability

  12. Theoretical vs. Effective Entropy in Alphanumeric Passwords n ! H ( X ) = − p ( X i ) log 2 p ( X i ) i = 1 • Theoretical password space = #chars password length • Human users restrict their password choices to a small subset of possible passwords, reducing effective entropy – preference for short passwords (6-7 characters) – use of lower-case letters or digits only – use of dictionary words and personally relevant dates

  13. RockYou Password Leak The top 20 passwords of 32 million Rank password total Rank password total 1 123456 290731 11 Nicole 17168 2 12345 79078 12 Daniel 16409 3 123456789 76790 13 babygirl 16094 4 Password 61958 14 monkey 15294 5 iloveyou 51622 15 Jessica 15162 16 Lovely 14950 6 princess 35231 17 michael 14898 7 rockyou 22588 18 Ashley 14329 8 1234567 21726 9 12345678 20553 19 654321 13984 10 abc123 17542 20 Qwerty 13856 Imperva (2010). Consumer Password Worst Practices

  14. Distribution of Password Lengths 5 6 7 8 9 10 11 12 32 Million passwords of RockYou users, 2010 13 14 10,000 leaked Hotmail Passwords, 2009 15 16 0% 10% 20% 30%

  15. Distribution of Password Types 100% 32 Million passwords of RockYou users, 2010 32 Million passwords of RockYou users, 2010 10,000 leaked Hotmail Passwords, 2009 75% 545,000 users, Microsoft study, 2006/7 50% 25% 0% lower case letters & digits numeric only strong

  16. Theoretical bit-strength for different logins 50% Florencio & Herley, Microsoft, 2007 40% 30% 20% 10% 0% 20 30 40 50 60 70 80 90 bit-strength of password

  17. Where do Security Policies come from? Analysis of 75 different (large) websites Dinei Florencio and Cormac Herley, Microsoft, 2010 • greater security demands not a factor • size of site, num of users, value of assets protected and attack frequency show no correl with strength • sites with most restrictive password policies don’t have greater security concerns, they are simply better insulated from the consequences of poor usability • median password policy strengths: .com sites = 19.9 bits banks = 31.0 bits .edu = 43.7 bits and .gov = 47.6 bits

  18. What about Password Forgetting? • Estimate of 4.3% of active Yahoo users forget their password within a three month period • Company statistics are not publicly available • User strategies to fight forgetting –Choice of meaningful passwords –Password reuse between multiple sites –Password reset as a common procedure –External storage of password

  19. Summary of Current Status • Inverse relation between security and memorability for alphanumeric passwords – Users choose easily predictable passwords – Users can’t remember secure (complex and random) passwords – Attempts to enforce secure password practice are often circumvented • Content requirements ➠ Passwords are written down • Change regimes ➠ Highly similar passwords • Allowing user selection decreases security

  20. The Promise of Graphical Passcodes • Visual material is easy to remember - Picture Superiority Effect – Shepard (1967). Recognition memory for words, sentences, and pictures showed superiority of pictures • Visual long-term memory has a vast capacity – Standing et al (1970): 2,560 pictures tested – Standing (1973): up to 10,000 pictures tested • Visual long-term memory shows little decay – Nickerson (1968): Retention tested up to 1 year

  21. Graphical Passcodes: The Pesky Details 1 Picture superiority requires heterogeneous set of stimuli Goldstein & Chance (1970) testing memory for faces, snowflakes and crystals with poor memory performance http://www.its.caltech.edu/~atomic/snowcrystals

  22. Graphical Passcodes: The Pesky Details 1I Visual information is often not encoded at all Change blindness (Rensink et al., 1997; Simons and Levin, 1997)

  23. Graphical Passcodes: The Pesky Details 1I Visual information is often not encoded at all Change blindness (Rensink et al., 1997; Simons and Levin, 1997)

  24. Graphical Passcodes: The Pesky Details III Human observers extract gist of pictures rapidly and remember gist well Meaning of a scene can be identified within 0.1s (Potter, 1975) Graphical Passcodes: The Pesky Details IV Object interactions and consistency within a scene guide scene interpretation Coherent scenes are easier to interpret (Biederman et al.,1974)

  25. Main Types of Graphical Authentication • Visual recognition paradigm – Enrollment: User learns password image set – Authentication: User has to select the presented images • Spatial passcodes - cued recall – Enrollment: User learns sequence of locations within a visual scene / a set of images – Authentication: User has to replay the sequence • Gestural passcodes - cued or free recall – User has to reproduce a specific set of doodles/signature – Might use more procedural memory

  26. VIP (De Angeli et al., 2005) “select the images from your password set”

  27. Passfaces “select the face from your password set”

  28. Deja Vu (Dhamija & Perrig, 2000) “select the images from your password set” Fig. 5. D´ ej` a Vu [Dhamija and Perrig 2000].

  29. PassPoints (Wiedenbeck et al., 2005) “click on the points in the image that constitute your password” ·

  30. Draw-a-Secret: Gestural Authentication (Jermyn et at., 1999) “recreate the drawing that you use as a password” Fig. 1. Draw-A-Secret [Jermyn et al. 1999]

  31. Stubblefield & Simons Inkblot Creatures (2004) • Name each blob • Determine the first and last letter of each name • Concatenate the letters to form a password http://research.microsoft.com/en-us/news/features/inkblots.aspx

  32. Image-based Authentication through ImageShield™ (formerly myVidoop) • At registration the user selects categories of images • At authentication , the user – is presented with a grid of randomly generated images – chooses the images that match their categories – enters the corresponding letter or number • This creates a secure, one-time access code

  33. Category Selection at Registration

  34. Image Search for Authentication

  35. Composite Scene Authentication (CSA) Johnson and Werner (2006, 2007) • Composite Scenes as Passwords – A scene combines n scene-elements into one picture – Scene elements are randomly selected, one from n different categories – Each scene-element needs to be selected out of m choices during authentication – Strength of password (bits) = n * log 2 (m) • Authentication – Sequence of n challenge screens – Each challenge screen is organized by category – User has to select 1 scene-element per screen

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M. Martin Aaron G. Cass March 3, 2018 Introduction 01 Human Computer Interface Security (HCIsec) 02 Password Problem 03 Graphical User

633 views • 31 slides
CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human

CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human

Overview CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human Security 3.Program Security Security Computer security threats Unintentional: - Coding faults - Operational faults -

238 views • 8 slides
Fundamentals of Human-Computer Interaction Introduction History Psychology 101 Graphical

Fundamentals of Human-Computer Interaction Introduction History Psychology 101 Graphical

Master Informatique - Universit Paris-Sud Outline Fundamentals of Human-Computer Interaction Introduction History Psychology 101 Graphical interaction Post-WIMP interaction Photos/collage by Jack L. Moffet in Dan R. Olsen, Interacting in

373 views • 4 slides
Human Element update on HEiSC Luciana Maccarrone dAmico Societ di Navigazione HEiSC Chairman

Human Element update on HEiSC Luciana Maccarrone dAmico Societ di Navigazione HEiSC Chairman

Human Element update on HEiSC Luciana Maccarrone dAmico Societ di Navigazione HEiSC Chairman Leading the way; Making a difference Human Element Committee (HEiSC) Formed in 2007 25 seats with members from 14 countries Plus

374 views • 25 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
GUIs A graphical user interface (GUI) in Java is created with at least three kinds of objects

GUIs A graphical user interface (GUI) in Java is created with at least three kinds of objects

9/8/10 GUIs A graphical user interface (GUI) in Java is created with at least three kinds of objects components, events, listeners A component is a graphical screen element label, button, text field, check box, etc. Some

488 views • 4 slides
Security and Social Context or Why Facebook is Worth Fixing Security and Human Behavior Jun 12,

Security and Social Context or Why Facebook is Worth Fixing Security and Human Behavior Jun 12,

Security and Social Context or Why Facebook is Worth Fixing Security and Human Behavior Jun 12, 2009 Joseph Bonneau, Computer Laboratory Today I) Culture gap on social networks is hurting security II) The future of the internet is social

762 views • 17 slides
Advanced Programming Graphical User Interface (GUI) Human-Machine Interfaces The ways in which a

Advanced Programming Graphical User Interface (GUI) Human-Machine Interfaces The ways in which a

Advanced Programming Graphical User Interface (GUI) Human-Machine Interfaces The ways in which a software system interacts with its users . Command Line Graphical User Interface - GUI Touch User Interface - TUI Multimedia (voice, animation,

690 views • 49 slides
A database of reference values of trace element levels in a population of provinces for

A database of reference values of trace element levels in a population of provinces for

A database of reference values of trace element levels in a population of provinces for forecasting of human health and environmental pollution Human biomonitoring can be defined as the method for assessing human exposure to chemicals or their

104 views • 8 slides
1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN

1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN

1.IMPLEMENTING THE HUMAN SECURITY CONCEPT 2. PROGRAM PROGRESS 1. IMPLEMENTING THE HUMAN SECURITY CONCEPT According to the human security principles PROTECTION OBJECTIVE TOP-DOWN Support the formulation of public policies (gender,

1.15k views • 14 slides
1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

11/17/09 1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm pretty sure it doesn't work. 3 3 11/17/09 - basic outline -problems with password usability and security -how various graphical

1.55k views • 86 slides
Graphical > Tangible? What are their limitations? 93 94 Graphical > Tangible? Graphical

Graphical > Tangible? What are their limitations? 93 94 Graphical > Tangible? Graphical

Tangible User Interfaces Graphical > Tangible? What are their limitations? 93 94 Graphical > Tangible? Graphical > Tangible? Dynamicity, Flexibility Reality based interaction Price Compromise with software when it

623 views • 12 slides
Computer Science Let me be provocative Probabilistic graphical models is how we do probabilistic

Computer Science Let me be provocative Probabilistic graphical models is how we do probabilistic

Computer Science Let me be provocative Probabilistic graphical models is how we do probabilistic AI! Graphical models of variable-level (in)dependence are a broken abstraction. [VdB KRR15] Let me be provocative Probabilistic graphical models

782 views • 63 slides
ON THE EQUIVALENCE BETWEEN GRAPHICAL AND TABULAR REPRESENTATIONS FOR SECURITY RISK ASSESSMENT

ON THE EQUIVALENCE BETWEEN GRAPHICAL AND TABULAR REPRESENTATIONS FOR SECURITY RISK ASSESSMENT

REFSQ17, Essen, Germany March 2nd, 2017 ON THE EQUIVALENCE BETWEEN GRAPHICAL AND TABULAR REPRESENTATIONS FOR SECURITY RISK ASSESSMENT Katsiaryna Labunets 1 , Fabio Massacci 1 , Federica Paci 2 1 University of Trento, Italy

482 views • 13 slides
Quick Intro to Computer Security What is computer security? Securing communication

Quick Intro to Computer Security What is computer security? Securing communication

Carnegie Mellon Quick Intro to Computer Security What is computer security? Securing communication Cryptographic tools Access control User authentication Computer security and usability Thanks to Mike Reiter for the

412 views • 38 slides
Cyber Cybersecurity security Wher here do w e do we stand? e stand? HUMAN HUMAN FACT

Cyber Cybersecurity security Wher here do w e do we stand? e stand? HUMAN HUMAN FACT

Cyber Cybersecurity security Wher here do w e do we stand? e stand? HUMAN HUMAN FACT CTOR OR Hussein Hassanali Chief Information Security Officer, Bank AL Habib Limited & President, ISACA Karachi Chapter UBL Funds Culture

376 views • 19 slides
memory Stroke Services Education December 2018 Toni Heinemann Testing your skills. Session

memory Stroke Services Education December 2018 Toni Heinemann Testing your skills. Session

Cognition it is more than just memory Stroke Services Education December 2018 Toni Heinemann Testing your skills. Session contents General overview of cognition Why cognition is so important What it might look like OT

539 views • 25 slides
The Effect of Age on False Memory Recall and Recognition Amy Palinski Lorain County Community

The Effect of Age on False Memory Recall and Recognition Amy Palinski Lorain County Community

The Effect of Age on False Memory Recall and Recognition Amy Palinski Lorain County Community College Elyria, OH False Memory False memory has been defined by the Oxford Dictionary (n.d.) as a distorted recollection of an event which

701 views • 21 slides
ATCC 4356 Probiotic with Modified Citrus Pectin Alginate on Faecal Lactobacilli in Balb/C Mice

ATCC 4356 Probiotic with Modified Citrus Pectin Alginate on Faecal Lactobacilli in Balb/C Mice

The Effect of Lactobacillus acidophilus ATCC 4356 Probiotic with Modified Citrus Pectin Alginate on Faecal Lactobacilli in Balb/C Mice Frederick Odun-Ayo , PhD tel: +27 11 4621363 email:

243 views • 9 slides
17 th October 2017 1 TISTR organization Divided into 4 groups 1) Research and Development for

17 th October 2017 1 TISTR organization Divided into 4 groups 1) Research and Development for

Narin Chansawang 17 th October 2017 1 TISTR organization Divided into 4 groups 1) Research and Development for Bio-industries Group 2) Research and Development for Sustainable Development Group 3) Industrial Services Group 4) Administration

880 views • 25 slides
Name of material: Care of self, others and the environment Image(s): Photo(s) courtesy of

Name of material: Care of self, others and the environment Image(s): Photo(s) courtesy of

Name of material: Care of self, others and the environment Image(s): Photo(s) courtesy of Montessori Child. Visit www.montessorichild.com.au to purchase this material. Video : Point(s) of interest: The appeal of using high quality, smaller

481 views • 7 slides
ITSR Road/Rail Vehicle Workshop V/Line Hi-Rail Project Allen Fleckner October 2012

ITSR Road/Rail Vehicle Workshop V/Line Hi-Rail Project Allen Fleckner October 2012

ITSR Road/Rail Vehicle Workshop V/Line Hi-Rail Project Allen Fleckner October 2012 Introduction Overview of RRV usage in V/Line Experiences Recent RRV incident - Kyneton August 2012 Explore weakness Look at strengths to

595 views • 20 slides
Procedural Generation of Infinite 3D Worlds for Games Lus Miguel Coelho e Magalhes Mestrado

Procedural Generation of Infinite 3D Worlds for Games Lus Miguel Coelho e Magalhes Mestrado

F ACULDADE DE E NGENHARIA DA U NIVERSIDADE DO P ORTO Procedural Generation of Infinite 3D Worlds for Games Lus Miguel Coelho e Magalhes Mestrado Integrado em Engenharia Informtica e Computao Supervisor: Joo Tiago Pinheiro Neto Jacob

1.1k views • 94 slides
Content Curation What do I do with all this information? KRISTY BURROUGH ELEARNING MANAGER

Content Curation What do I do with all this information? KRISTY BURROUGH ELEARNING MANAGER

Content Curation What do I do with all this information? KRISTY BURROUGH ELEARNING MANAGER P.J. SIHARATH INSTRUCTIONAL TECHNOLOGIST Define Curation Objectives Explain current information trends Discuss curation for

583 views • 29 slides

More recommend