SLIDE 1

HUMAN-GENERATED SECRET DATA

Joseph Bonneau jcb82@cl.cam.ac.uk

Computer Laboratory
Security and Human Behaviour, Cambridge, UK
June 29, 2010

Joseph Bonneau (University of Cambridge) Human secrets June 29, 2010 1 / 15

SLIDE 2

The Simple English guide to human-generated secrets

1. Computers try to tell humans apart by asking for secret memories. They can ask for other things, but those are very expensive.

SLIDE 3

Two-factor authentication remains far too expensive

SLIDE 4

The Simple English guide to human-generated secrets

1. Computers try to tell humans apart by asking for secret data. They can ask for other things, but these are very expensive.

2. Many computer scientists use something called “entropy” to measure security for this secret data, but there are a lot of mathematical equations which say this is a bad idea.

SLIDE 5

Measuring Security Against Guessing

Which is “harder” to guess:
- Surname of randomly chosen Internet user
- Randomly chosen 4-digit PIN

SLIDE 6

Measuring Security Against Guessing

Which is “harder” to guess:
- Surname of randomly chosen Internet user: H1(surname) = 16.2 bits
- Randomly chosen 4-digit PIN: H1(PIN) = 13.3 bits

SLIDE 7

Shannon Entropy

$H_1(X) = -\sum_{i=1}^{N} p_i \lg p_i$

H1(surname) = 16.2 bits
H1(PIN) = 13.3 bits

Meaning: expected number of queries “Is X ∈ S?”, for arbitrary subsets S ⊆ X, needed to guess X. (Source-Coding Theorem)

SLIDE 8

Guessing Entropy

$G(X) = \mathbb{E}\left[\#\text{guesses}\left(x \xleftarrow{R} X\right)\right] = \sum_{i=1}^{N} p_i \cdot i$

G(surname) ≈ 137000 guesses
G(PIN) ≈ 5000 guesses

Meaning: expected number of queries “Is X = x_i?” for i = 1, 2, ..., N (optimal sequential guessing, most likely value first)

SLIDE 9

Alternate attack models not captured

What if we only want a 50% chance of breaking a given account?
- PIN: ≈ 5000 guesses
- Surname: ≈ 8000 guesses

SLIDE 10

Alternate attack models not captured

What if we only want a 10% chance of breaking a given account?
- PIN: ≈ 1000 guesses
- Surname: ≈ 89 guesses

SLIDE 11

Need specific metrics for attackers who may give up

Marginal Guesswork

Give up after reaching probability α of success:

$\mu_\alpha(X) = \min\left\{ j \in [1, N] \;\middle|\; \sum_{i=1}^{j} p_i \ge \alpha \right\}$

Can convert to bitstrength:

$\tilde{\mu}_\alpha(X) = \lg \frac{\mu_\alpha(X)}{\alpha}$

SLIDE 12

Example

            U16     X65
H1          4       4
G̃           4       5.1
µ̃_{1/2}     4       1
µ̃_{3/4}     4       5.46
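The example table's numbers, reproduced by computing each metric from the slides' definitions. This is an added example, not code from the slides; it assumes X65 is the distribution with one value of probability 1/2 and 64 values of probability 1/128 each (the slide does not define it, but this choice reproduces every entry), and that guesswork converts to bits as G̃ = lg(2G − 1), which the slide does not state.

```python
import math

# Constructed distributions (assumption: X65 is one value with probability 1/2
# plus 64 values with probability 1/128 each; the slide does not define it, but
# this choice reproduces every entry in its table). U16 is uniform on 16 values.
U16 = [1 / 16] * 16
X65 = [1 / 2] + [1 / 128] * 64

def shannon_entropy(p):
    """H1(X) = -sum_i p_i lg p_i, in bits (slide 7)."""
    return -sum(pi * math.log2(pi) for pi in p if pi > 0)

def guesswork(p):
    """G(X) = sum_i p_i * i, with probabilities sorted most likely first (slide 8)."""
    return sum(pi * i for i, pi in enumerate(sorted(p, reverse=True), start=1))

def guesswork_bits(p):
    """Guesswork in bits, assumed here as lg(2G - 1): gives n bits for a uniform 2^n."""
    return math.log2(2 * guesswork(p) - 1)

def marginal_guesswork(p, alpha):
    """mu_alpha(X): smallest j whose j most likely values cover probability >= alpha (slide 11)."""
    cumulative = 0.0
    for j, pi in enumerate(sorted(p, reverse=True), start=1):
        cumulative += pi
        if cumulative >= alpha - 1e-12:  # tolerance for floating-point rounding
            return j
    raise ValueError("alpha exceeds the total probability mass")

def marginal_guesswork_bits(p, alpha):
    """mu~_alpha(X) = lg(mu_alpha(X) / alpha): the slide's bit-strength conversion."""
    return math.log2(marginal_guesswork(p, alpha) / alpha)

def metric_table(p):
    """The four rows of the slide's example table for one distribution."""
    return {
        "H1": shannon_entropy(p),
        "G~": guesswork_bits(p),
        "mu~_1/2": marginal_guesswork_bits(p, 0.5),
        "mu~_3/4": marginal_guesswork_bits(p, 0.75),
    }

if __name__ == "__main__":
    # Both distributions have H1 = 4 bits, yet X65 falls to the first guess half the time.
    for name, dist in (("U16", U16), ("X65", X65)):
        print(name, {k: round(v, 2) for k, v in metric_table(dist).items()})
```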

SLIDE 13

The complete picture

[Plot: marginal guesswork µ̃α in bits (vertical axis, 1 to 8) against success rate α (horizontal axis, 0.0 to 1.0), one curve each for X65 and U16]

SLIDE 14

The complete picture

[Plot: marginal guesswork µ̃α in bits (vertical axis, 5 to 25) against success rate α (horizontal axis, 0.0 to 1.0), one curve each for PIN and Surname]

SLIDE 15

Some theorems to wake you up in the morning

Theorem (adapted from Pliam)

Given any m > 0, β > 0 and 0 < α < 1, there exists a distribution X such that $\tilde{\mu}_\alpha(X) < H_1(X) - m$ and $\tilde{\lambda}_\beta(X) < H_1(X) - m$.

Theorem (adapted from Boztaş)

Given any m > 0, β > 0 and 0 < α < 1, there exists a distribution X such that $\tilde{\mu}_\alpha(X) < \tilde{G}(X) - m$ and $\tilde{\lambda}_\beta(X) < \tilde{G}(X) - m$.

Theorem (from [BJM] FC 2010 paper)

Given any m > 0, α1 > 0 and α2 > 0 with 0 < α1 < α2 < 1, there exists a distribution X such that $\tilde{\mu}_{\alpha_1}(X) < \tilde{\mu}_{\alpha_2}(X) - m$.

SLIDE 16

The Simple English guide to human-generated secrets

1. Computers try to tell humans apart by asking for secret data. They can ask for other things, but these are very expensive.

2. Many computer scientists use something called “entropy” to measure security for this secret data, but there are a lot of mathematical equations which say this is a bad idea.

3. Things that good people can remember aren’t unpredictable enough to prevent bad people from guessing them.

SLIDE 17

Comparing human-memorable secrets

SLIDE 18

Comparing human-memorable secrets

[Plot: marginal guesswork µ̃α in bits (vertical axis, 5 to 40) against success rate α (horizontal axis, 0.0 to 1.0); series: Password [Klein], Password [Spafford], Password [Schneier], Mnemonic [Kuo], Pass-Go, PassPoints, Passfaces]

SLIDE 19

Comparing human-memorable secrets

[Plot: marginal guesswork µ̃α in bits (vertical axis, 5 to 40) against success rate α (horizontal axis, 0.0 to 1.0); series: Password [Klein], Password [Spafford], Password [Schneier], Mnemonic [Kuo], Pass-Go, PassPoints, Passfaces, Surname, Forename]

SLIDE 20

The Simple English guide to human-generated secrets

1. Computers try to tell humans apart by asking for secret data. They can ask for other things, but these are very expensive.

2. Many computer scientists use something called “entropy” to measure security for this secret data, but there are a lot of mathematical equations which say this is a bad idea.

3. Things that good people can remember aren’t unpredictable enough to prevent bad people from guessing them.

4. People at a gaming website called RockYou got pwned. Researchers now have many passwords to study.

SLIDE 21

RockYou loses a list of 32 M passwords

SLIDE 22

RockYou loses a list of 32 M passwords

count    password
290729   123456
79076    12345
76789    123456789
59462    password
49952    iloveyou
33291    princess
21725    1234567
20901    rockyou
20553    12345678
16648    abc123
16227    nicole
15308    daniel
15163    babygirl
14726    monkey
14331    lovely

SLIDE 23

RockYou loses a list of 32 M passwords

count    password
49952    iloveyou
13134    iloveu
5589     iloveme
3998     iloveyou2
3700     iloveyou1
2042     iloveu2
2007     ilovehim
1510     ilovejesus
1441     ilovegod
1358     iloveyou!
1096     iloveu1
1061     iloveme1
922      ilovemyself
908      iloveboys
894      ilovechris

SLIDE 24

RockYou loses a list of 32 M passwords

count    password
830      lovesucks
680      lifesucks
166      schoolsucks
101      thissucks
71       luvsucks
58       sucks
43       mylifesucks
33       aolsucks
30       emosucks
23       bebosucks
19       l0vesucks
18       skoolsucks
16       love sucks
16       worksucks
15       lov3sucks

SLIDE 25

RockYou loses a list of 32 M passwords

count    password
28       joeishot
11       joeismine
10       joeisfit
9        joeissexy
8        joeiscool
6        joeisgay
6        joeishot1
4        joeis#1
3        joeis1
3        joeisa
3        joeisastud
3        joeiscool1
3        joeissexy1
3        joeissohot
3        joeisthebest

SLIDE 26

RockYou loses a list of 32 M passwords

count    password
1023     fresita
1023     mookie
1022     leelee
1021     tequieromucho
1020     giovanni
1020     harry
1018     celticfc
1018     ranger
1017     austin1
1017     newcastle
1017     preston
1017     snuggles
1017     tagged
1016     erica
1016     sniper

SLIDE 27

RockYou loses a list of 32 M passwords

[Plot: marginal guesswork µ̃α in bits (vertical axis, 5 to 40) against success rate α (horizontal axis, 0.0 to 1.0); series: Password [Klein], Password [Spafford], Password [Schneier], Mnemonic [Kuo], Pass-Go, PassPoints, Passfaces, Surname, Forename, Password [RockYou]]

SLIDE 28

The Simple English guide to human-generated secrets

1. Computers try to tell humans apart by asking for secret data. They can ask for other things, but these are very expensive.

2. Many computer scientists use something called “entropy” to measure security for this secret data, but there are a lot of mathematical equations which say this is a bad idea.

3. Things that good people can remember aren’t unpredictable enough to prevent bad people from guessing them.

4. People at a gaming website called RockYou got pwned. Researchers now have many passwords to study.

5. Computer scientists have never studied how people pick banking PINs, but people are very bad at picking 4-digit numbers for other things, and so they might be bad at picking banking PINs too.

SLIDE 29

How bad might user-chosen PINs be?

grep -E "([^0-9]|^)[0-9]{4}([^0-9]|$)" < rockyou.txt
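A Python equivalent of the grep above, added here as an example and not taken from the slides: it applies the same pattern to a constructed password list (made-up lines in rockyou.txt style; the real file is not read) and computes −log2 p(PIN), the quantity plotted on the following slides. Note that the pattern deliberately skips longer digit runs such as 123456.

```python
import math
import re
from collections import Counter

# The slide's grep pattern: exactly four digits bounded by non-digits or line edges,
# so longer digit runs such as 123456 are deliberately not counted as PINs.
PIN_RE = re.compile(r"(?:[^0-9]|^)([0-9]{4})(?:[^0-9]|$)")

# Constructed sample in rockyou.txt style (one password per line); not real data.
SAMPLE = """\
joe1234
1234
password
2007rocks
123456
abc1111
love2007
7777
1234
12345678
"""

def extract_pins(text):
    """Return the first 4-digit run from each line that the grep would select."""
    pins = []
    for line in text.splitlines():
        match = PIN_RE.search(line)
        if match:
            pins.append(match.group(1))
    return pins

def pin_surprisal(pins):
    """-log2 p(PIN) per distinct PIN from its empirical frequency (the y-axis of slide 30)."""
    counts = Counter(pins)
    total = sum(counts.values())
    return {pin: -math.log2(count / total) for pin, count in counts.items()}

if __name__ == "__main__":
    pins = extract_pins(SAMPLE)
    # Most popular PIN first: fewest bits means easiest to guess.
    for pin, bits in sorted(pin_surprisal(pins).items(), key=lambda kv: kv[1]):
        print(f"{pin}  {bits:5.2f} bits")
```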

SLIDE 30

How bad might user-chosen PINs be?

[Plot: − log2 p(PIN) in bits (vertical axis, 5 to 20) against PIN value (horizontal axis, 0000 to 9999, ticks at 2000, 4000, 6000, 8000, 10000); individual points are labelled with their PIN strings]

SLIDE 31

How bad might user-chosen PINs be?

[Heat map: first two PIN digits (horizontal axis, 00 to 95 in steps of 5) against second two PIN digits (vertical axis, 00 to 95 in steps of 5), coloured by − log2 p(PIN) on a scale from 4 to 18 bits]

SLIDE 32

How bad might user-chosen PINs be?

[Plot: marginal guesswork µ̃α in bits (vertical axis, 5 to 40) against success rate α (horizontal axis, 0.0 to 1.0); series: Password [Klein], Password [Spafford], Password [Schneier], Mnemonic [Kuo], Pass-Go, PassPoints, Passfaces, Surname, Forename, Password [RockYou], PIN [raw]]

SLIDE 33

How bad might user-chosen PINs be?

[Plot: marginal guesswork µ̃α in bits (vertical axis, 5 to 40) against success rate α (horizontal axis, 0.0 to 1.0); series: Password [Klein], Password [Spafford], Password [Schneier], Mnemonic [Kuo], Pass-Go, PassPoints, Passfaces, Surname, Forename, Password [RockYou], PIN [raw], PIN [refined]]

SLIDE 34

How bad might user-chosen PINs be?

[Plot: marginal guesswork µ̃α in bits (vertical axis, 5 to 40) against success rate α (horizontal axis, 0.0 to 1.0); series: Password [Klein], Password [Spafford], Password [Schneier], Mnemonic [Kuo], Pass-Go, PassPoints, Passfaces, Surname, Forename, Password [RockYou], PIN [raw], PIN [refined], PIN [uniform]]

SLIDE 35

Steering users away from the easiest choices

SLIDE 36

Steering users away from the easiest choices

SLIDE 37

Steering users away from the easiest choices
