the password thicket technical and market failures in
play

The password thicket: technical and market failures in human - PowerPoint PPT Presentation

Mar 26, 2023 •505 likes •1.23k views

The password thicket: technical and market failures in human authentication on the web Joseph Bonneau S oren Preibusch {jcb82,sdp36}@cl.cam.ac.uk Computer Laboratory WEIS 2010 The Ninth Workshop on the Economics of Information Security

  1. The password thicket: technical and market failures in human authentication on the web Joseph Bonneau S¨ oren Preibusch {jcb82,sdp36}@cl.cam.ac.uk Computer Laboratory WEIS 2010 The Ninth Workshop on the Economics of Information Security Boston, MA, USA June 7, 2010 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 1 / 28

  2. Password authentication is losing viability Twitter hack July 2009 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 2 / 28

  3. Password authentication is losing viability RockYou SQL injection hack January 2010 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 2 / 28

  4. Password authentication is losing viability Zuckerberg e-mail hacking 2005 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 2 / 28

  5. Password authentication is losing viability Twitter mass reset February 2010 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 2 / 28

  6. A thicket 30 years in the making We’ve conducted experiments to try to determine typical users’ habits in the choice of passwords . . . The results were disappointing, except to the bad guy. —Morris and Thompson, 1979 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 3 / 28

  7. Conventional wisdom is gloomy Users can’t manage 1 re-use weak passwords post-it notes sharing Free alternatives hard 2 graphical cognitive 2-factor too expensive 3 hardware tokens client certs smartphone Single sign-on limited 4 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 4 / 28

  8. Conventional wisdom is gloomy Users can’t manage 1 re-use weak passwords post-it notes sharing Free alternatives hard 2 graphical cognitive 2-factor too expensive 3 hardware tokens client certs smartphone Single sign-on limited 4 Passfaces J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 4 / 28

  9. Conventional wisdom is gloomy Users can’t manage 1 re-use weak passwords post-it notes sharing Free alternatives hard 2 graphical cognitive 2-factor too expensive 3 hardware tokens client certs smartphone Cronto Single sign-on limited 4 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 4 / 28

  10. Conventional wisdom is gloomy Users can’t manage 1 re-use weak passwords post-it notes sharing Free alternatives hard 2 graphical cognitive 2-factor too expensive 3 OpenID/OAuth stack hardware tokens client certs smartphone Single sign-on limited 4 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 4 / 28

  11. ✽ Pr❡✐❜✉s❝❤✱ ❇♦♥♥❡❛✉ Password collection remains ubiquitous 100% prevention of password sharing amongst top US sites 80% 60% sites collecting passwords sites blocking password sharing 40% 20% 0% 0 100 200 300 400 500 600 700 800 900 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 5 / 28 ❋✐❣✉r❡ ✶✳ Pr♦♣♦rt✐♦♥ ♦❢ s✐t❡s ❝♦❧❧❡❝t✐♥❣ ♣❛ss✇♦r❞s ❛♥❞ ❛♠♦♥❣st t❤❡s❡ ♦❢ s✐t❡s ❜❧♦❝❦✐♥❣ ♣❛ss✇♦r❞ s❤❛r✐♥❣✳ ❘❛t✐♦s ❣✐✈❡♥ ❢♦r t♦♣ ❯❙ s✐t❡s ✇✐t❤ ✉♣ t♦ ✾✵✵✳ ❇✉♠♣s ❛r❡ ❛rt❡❢❛❝ts ♦❢ t❤❡ ✐♥❝r❡❛s✐♥❣ ✇✐♥❞♦✇ s✐③❡ ❢♦r t❤❡ ❛r✐t❤♠❡t✐❝ ♠❡❛♥✳

  12. Supply side of the market remains poorly understood How does the user experience vary from site to site? 1 What implementation weaknesses exist? 2 Which circumstantial factors affect sites’ implementation choices? 3 How do sites’ security requirements affect their choices? 4 Why do websites choose to collect passwords? 5 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 6 / 28

  13. Coarse classification of password deployment cases Identity J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 7 / 28

  14. Coarse classification of password deployment cases E-commerce J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 7 / 28

  15. Coarse classification of password deployment cases Content J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 7 / 28

  16. Random study sample designed for depth, breadth J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 8 / 28

  17. Site classification allows for feature overlap Feature I E C Tot. News displayed 15 0 49 64 Products for sale 4 50 1 55 Payment details stored 7 30 2 39 Social networking 28 1 2 31 Premium accounts available 17 3 8 28 Email accounts provided 17 0 2 19 Discussion forums 16 1 2 19 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 9 / 28

  18. Complete evaluation of visible password security enrolment 1 p. advice data collected login 2 data transmission update 3 re-authentication p. requirements recovery 4 backup auth. replacement attacks 5 user probing p. guessing IKEA J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 10 / 28

  19. Complete evaluation of visible password security enrolment 1 p. advice data collected login 2 data transmission update 3 re-authentication IKEA p. requirements recovery 4 backup auth. replacement attacks 5 user probing p. guessing J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 10 / 28

  20. Complete evaluation of visible password security enrolment 1 p. advice data collected login 2 data transmission update 3 re-authentication p. requirements recovery 4 IKEA backup auth. replacement attacks 5 user probing p. guessing J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 10 / 28

  21. Complete evaluation of visible password security enrolment 1 p. advice data collected login 2 data transmission update 3 re-authentication p. requirements recovery 4 backup auth. IKEA replacement attacks 5 user probing p. guessing J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 10 / 28

  22. Complete evaluation of visible password security enrolment 1 p. advice data collected login 2 data transmission update 3 re-authentication p. requirements IKEA recovery 4 backup auth. replacement attacks 5 user probing p. guessing J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 10 / 28

  23. Semi-automated human-in-the-loop evaluation Mozilla Firefox v 3.5.8 with: Autofill Forms 0.9.5.2 CipherFox 2.3.0 Cookie Monster 0.98.0 DOM Inspector 2.0.4 Greasemonkey 0.8.20100211.5 Screengrab 0.96.2 Tamper Data 11.0.1 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 11 / 28

  24. Findings How does the user experience vary from site to site? 1 What implementation weaknesses exist? 2 Which circumstantial factors affect sites’ implementation choices? 3 How do sites’ security requirements affect their choices? 4 Why do websites choose to collect passwords? 5 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 11 / 28

  25. User experience varies considerably WSJ 1996 WSJ 2010 Bare-bones password entry is universal Advice rare and inconsistent J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 12 / 28

  26. User experience varies considerably Advice I E C Tot. Use digits 9 6 3 18 Use symbols 9 2 3 14 Graphical strength indicator 9 0 2 11 Difficult to guess 5 2 2 9 Not a dictionary word 6 0 2 8 Change regularly 4 0 1 5 Any 18 8 7 33 Bare-bones password entry is universal Advice rare and inconsistent J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 12 / 28

  27. Findings How does the user experience vary from site to site? 1 What implementation weaknesses exist? 2 Which circumstantial factors affect sites’ implementation choices? 3 How do sites’ security requirements affect their choices? 4 Why do websites choose to collect passwords? 5 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 12 / 28

  28. TLS deployment sparse and inconsistent Facebook J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 12 / 28

  29. TLS deployment sparse and inconsistent TLS Deployment I E C Tot. Full 10 39 10 59 Full/POST 3 1 1 5 Inconsistent 14 6 5 25 None 23 4 34 61 J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 13 / 28

  30. No standard for password length 1 . 0 Identity sites E-commerce sites Proportion of sites accepting passwords of length n Content sites 0 . 8 Payment sites Premium sites All sites 0 . 6 0 . 4 0 . 2 0 . 0 7 1 2 3 4 5 6 8 Password length n J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 14 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

s rsrt Market failures Tyler Moore

s rsrt Market failures Tyler Moore

s rsrt Market failures Tyler Moore When markets fail Market failures occur when the free-market outcome is inefficient Monopolies/oligopolies Public goods Information

301 views • 15 slides
Political Market Failures and Corruption November 2008 () Political Market Failures and

Political Market Failures and Corruption November 2008 () Political Market Failures and

Political Market Failures and Corruption November 2008 () Political Market Failures and Corruption November 2008 1 / 9 When Does Political Competition Lead to Optimal Provision of Public Goods? Political economy models predict that policy in

103 views • 9 slides
Market Failures Capitalism University of Virginia Matthias Brinkmann Contents 1. Game Results

Market Failures Capitalism University of Virginia Matthias Brinkmann Contents 1. Game Results

Market Failures Capitalism University of Virginia Matthias Brinkmann Contents 1. Game Results 2. Discussion Market Failures 2 03/10/2019 Games 1 to 3 Game 1 Game 2 Game 3 Avg. consumer valuation 77.5 145 232.5 Avg. producer cost

588 views • 10 slides
Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator shall establish procedures for analyzing accidents and failures, including the selection of samples of the failed facility or equipment for

948 views • 55 slides
MARKET FAILURES AND PUBLIC POLICY Jean Tirole, December 8, 2014 Nobel Lecture in Economic

MARKET FAILURES AND PUBLIC POLICY Jean Tirole, December 8, 2014 Nobel Lecture in Economic

MARKET FAILURES AND PUBLIC POLICY Jean Tirole, December 8, 2014 Nobel Lecture in Economic Sciences Dedicated to the memory of Jean-Jacques Laffont 1 I. INTRODUCTION II. RESTRAINING MARKET POWER III. TWO-SIDED MARKETS IV. INTELLECTUAL

718 views • 37 slides
Identifying Resilience Market Failures and Services Sue Tierney Workshop on Economic Approaches

Identifying Resilience Market Failures and Services Sue Tierney Workshop on Economic Approaches

Identifying Resilience Market Failures and Services Sue Tierney Workshop on Economic Approaches to Understanding and Addressing Resilience in the Bulk Power System Resources for the Future & R Street Institute May 30, 2018 Resilience

386 views • 11 slides
Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction Technical analysis is the attempt to forecast stock prices on the basis of market-derived data. Technicians (also known as quantitative analysts or

853 views • 73 slides
Protection and Restoration Introduction Fact: Networks fail. Types of failures: Path

Protection and Restoration Introduction Fact: Networks fail. Types of failures: Path

SYSC 5801 Protection and Restoration Introduction Fact: Networks fail. Types of failures: Path failures Link failures Node failures Results: packet losses, waste of resources, and higher delay. What IGP does in the event

721 views • 35 slides
Main cases of market failures 1. Incomplete markets 2. Externalities 3. Non-exclusion 4.

Main cases of market failures 1. Incomplete markets 2. Externalities 3. Non-exclusion 4.

Main cases of market failures 1. Incomplete markets 2. Externalities 3. Non-exclusion 4. Non-rival consumption 5. Asymmetric information Characteristics Rival Non-rival of goods/bads Excludable Private Non-excludable Public

77 views • 3 slides
Learning from failures Kripa Krishnan Technical Program Director Sep.3.2014 Google Confidential

Learning from failures Kripa Krishnan Technical Program Director Sep.3.2014 Google Confidential

Learning from failures Kripa Krishnan Technical Program Director Sep.3.2014 Google Confidential and Proprietary Topics DiRT: Disaster simulation exercise at Google What we learned Applying these lessons Google Confidential

431 views • 17 slides
Adjoint Folds and Unfolds Or: Scything Through the Thicket of Morphisms Ralf Hinze Computing

Adjoint Folds and Unfolds Or: Scything Through the Thicket of Morphisms Ralf Hinze Computing

Adjoint Folds and Unfolds Prologue MPC 2010 Adjoint Folds and Unfolds Or: Scything Through the Thicket of Morphisms Ralf Hinze Computing Laboratory, University of Oxford Wolfson Building, Parks Road, Oxford, OX1 3QD, England

736 views • 48 slides
Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com What is Team Password Manager - Password manager for groups and projects - Uses projects to group passwords - Secure, fine grained password sharing -

712 views • 9 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
Failures and Consensus Failures and Consensus Coordination Coordination If the solution to

Failures and Consensus Failures and Consensus Coordination Coordination If the solution to

Failures and Consensus Failures and Consensus Coordination Coordination If the solution to availability and scalability is to decentralize and replicate functions and data, how do we coordinate the nodes? data consistency update

712 views • 36 slides
Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena, Maliheh Shirvanian (UA Birmingham)

750 views • 32 slides
Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides
Pumps, Maps and Pea Soup: Spatio-temporal methods in environmental epidemiology Gavin Shaddick

Pumps, Maps and Pea Soup: Spatio-temporal methods in environmental epidemiology Gavin Shaddick

Pumps, Maps and Pea Soup: Spatio-temporal methods in environmental epidemiology Gavin Shaddick Department of Mathematical Sciences University of Bath 2012-13 van Eeden lecture Thanks Constance van Eeden Fund Department of Statistics,

940 views • 39 slides
Filtering EECS 442 Prof. David Fouhey Winter 2019, University of Michigan

Filtering EECS 442 Prof. David Fouhey Winter 2019, University of Michigan

Filtering EECS 442 Prof. David Fouhey Winter 2019, University of Michigan http://web.eecs.umich.edu/~fouhey/teaching/EECS442_W19/ Note: Ill ask the front row on the right to participate in a demo. All you have to do is say a number that

1.06k views • 72 slides
Joint FERC NRC Meeting Robert Snow , PE Office of Energy Policy and Innovation Federal

Joint FERC NRC Meeting Robert Snow , PE Office of Energy Policy and Innovation Federal

Joint FERC NRC Meeting Robert Snow , PE Office of Energy Policy and Innovation Federal Energy Regulatory Commission June 15, 2012 Slide 1 Generator Bids Slide 2 Nuclear Resources and Significant Contingencies Slide 3 Wind Resources

314 views • 10 slides
Scripting with R in high-performance computing: An Example using littler UseR! 2008 conference

Scripting with R in high-performance computing: An Example using littler UseR! 2008 conference

Introduction Scripting MPI Scripting with R in high-performance computing: An Example using littler UseR! 2008 conference Dirk Eddelbuettel TU Dortmund August 13, 2008 Dirk Eddelbuettel R and high-performancs computing scripting / UseR!

602 views • 16 slides
Uncertainty AIMA Chapter 13 Outline Uncertainty Uncertainty Probability Syntax and

Uncertainty AIMA Chapter 13 Outline Uncertainty Uncertainty Probability Syntax and

Uncertainty Uncertainty AIMA Chapter 13 Outline Uncertainty Uncertainty Probability Syntax and Semantics Inference Independence and Bayes Rule Uncertainty Uncertainty Let action A t = leave for airport t minutes before

999 views • 46 slides
HyADS : A tool for estimating nationwide exposures to emissions from large numbers of sources

HyADS : A tool for estimating nationwide exposures to emissions from large numbers of sources

HyAD HyADS : A tool for estimating nationwide exposures to emissions from large numbers of sources Lucas Henneman (and many others) Department of Environmental Health, Harvard School of Public Health CMAS 21 October, 2019 The Team Project 4

423 views • 20 slides
Pennsylvania House of Representatives Environmental Resources & Energy Committee Public

Pennsylvania House of Representatives Environmental Resources & Energy Committee Public

Pennsylvania House of Representatives Environmental Resources & Energy Committee Public Hearing August 24, 2020 Testimony of Roger Caiazza Retired Air Pollution Meteorologist Roger Caiazza Background Air pollution meteorologist in

433 views • 11 slides
Looking at the farmers market data IMP R OVIN G YOU R DATA VISU AL IZATION S IN P YTH ON Nick

Looking at the farmers market data IMP R OVIN G YOU R DATA VISU AL IZATION S IN P YTH ON Nick

Looking at the farmers market data IMP R OVIN G YOU R DATA VISU AL IZATION S IN P YTH ON Nick Stra y er Instr u ctor First e x plorations of a dataset Take a broad v ie w Sho w as m u ch info as possible Don ' t f u ss o v er appearances

880 views • 45 slides

More recommend