Slide 1: Usable and Secure Human Authentication
Jeremiah Blocki
Intel Tech Talk
9/27/2016
Slide 2: Memory Experiment 1
Person: Bill Clinton
Action: Tickling
Object: Peach

Slide 3: Memory Experiment 3
Person: Albert Einstein
Action: Kissing
Object: Piranha
Slide 4: Password Management
Competing Goals: …

Slide 5: Security (what could go wrong?)
Danger
Three Types of Attacks

Slide 6: Online Attack
Guesses: password, 123456, 123456
Guess Limit: k-strikes policy
Slide 7: Offline Dictionary Attack
Username: jblocki
Password: Unbr3akabl3
Salt: 89d978034a3f6
SHA1(Unbr3akabl3 || 89d978034a3f6) = 75fe9ccf4a568f31e66b8597b8eb97c2e915e6b1
Stored record: jblocki, 75fe9ccf4a568f31e66b8597b8eb97c2e915e6b1 (hash), 89d978034a3f6 (salt)
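The record format on slide 7 (username, SHA1(password || salt), salt) in working code, as an added example that is not part of the talk: the first pair of functions builds and verifies exactly that record shape; the second pair keeps the same shape but swaps SHA1 for a deliberately slow key-derivation function, which is the defender's lever against the offline dictionary attack the slide describes (every guess then costs the attacker the full iteration count). The username, password and salt are the slide's values; the digest is recomputed rather than copied, and the PBKDF2 parameters are this example's own choice.

```python
import hashlib
import hmac
import os

# Values taken from slide 7 (constructed illustration, not a real account).
SLIDE_USERNAME = "jblocki"
SLIDE_PASSWORD = "Unbr3akabl3"
SLIDE_SALT = "89d978034a3f6"


def legacy_record(username, password, salt):
    """Record in the form shown on the slide: (username, SHA1(password || salt), salt)."""
    digest = hashlib.sha1((password + salt).encode()).hexdigest()
    return (username, digest, salt)


def legacy_verify(record, password):
    """Recompute SHA1(candidate || salt) and compare in constant time."""
    _username, digest, salt = record
    candidate = hashlib.sha1((password + salt).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def stretched_record(username, password, salt=None, iterations=600_000):
    """Same record shape, but the hash is PBKDF2-HMAC-SHA256 with a large iteration
    count (parameters chosen for this example), so each offline guess costs the
    attacker `iterations` HMAC evaluations instead of one SHA1."""
    if salt is None:
        salt = os.urandom(16).hex()  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), iterations
    ).hex()
    return (username, digest, salt, iterations)


def stretched_verify(record, password):
    """Verify against a stretched record; the iteration count travels with the record."""
    _username, digest, salt, iterations = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), iterations
    ).hex()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    rec = legacy_record(SLIDE_USERNAME, SLIDE_PASSWORD, SLIDE_SALT)
    print("legacy record:", rec)
    print("legacy verify:", legacy_verify(rec, SLIDE_PASSWORD))
    # Same password, different salt: the stored hash differs, so one
    # precomputed table cannot serve two records.
    print("salt changes hash:",
          legacy_record("x", SLIDE_PASSWORD, "salt-A")[1]
          != legacy_record("x", SLIDE_PASSWORD, "salt-B")[1])
    print("stretched verify:", stretched_verify(
        stretched_record(SLIDE_USERNAME, SLIDE_PASSWORD), SLIDE_PASSWORD))
```

The salt is what stops one precomputed table from covering every user; the iteration count is what makes each guess against a single record expensive. Both are independent of how strong the password itself is, which is why the talk's later interest in memory-hard functions complements, rather than replaces, the usability work.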
Slide 8: A Common Problem
Password breaches at major companies have affected millions of users.

Slides 9–10: Security Problem
Password breaches at major companies have affected millions of users.

Slide 11: Why Should Intel Care?
Source: CERT Incident Note IN-98.03: Password Cracking Activity
SHA1("UnBr3akabl3") + "UnBr3akabl3", "UnBr3akabl3", "UnBr3akabl3"

Slide 12: Plaintext Recovery Attack
PayPaul.com
pwd → pwd
Slide 13: A Challenging Problem
Traditional Security Advice:
- Not too short
- Use mix of lower/upper case letters
- Change your passwords every 90 days
- Use numbers and letters
- Don't use words/names
- Use special symbols
- Don't write it down
- Don't reuse passwords

Slide 14: User Frustration

Slide 15: Can We Do Better?
My Answer: Yes, we can.
Slide 16: Human memory is not a hard disk
(hard disk diagram: Platters, Read/Write Head)
Slide Credit [BS14]

Slide 17: Human Memory is Vast but Lossy
Rehearse or Forget!
Does a typical user get sufficient natural rehearsal to remember all of his passwords?
p_amazon, p_google, ????

Slide 18: Memory Capability
Source: Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords [BKCD15]
[Chart: Succeeded(i)/Returned(i) plotted against Day (0 to 150)]
Slide 19: Rehearsal Requirement
Expanding Rehearsal Assumption: the user maintains a cue-association pair by rehearsing during each interval [s_i, s_{i+1}].
Day: 1 2 4 5 8
Visit Amazon: Natural Rehearsal
Google
Source: Optimization of Repetition Spacing in the Practice of Learning [WG, 94]

Slide 20: Rehearsal Requirement
Day: 1 2 4 5 8
Sufficient Rehearsal?
Reuse Password: Yes
Independent Passwords: No

Slide 21: Usability Results
E[X]: Extra rehearsals to maintain all passwords over lifetime. m = 75 accounts, s = 1.5
User type | Reuse Password | Strong Random Independent
Active | 0.002 | 2,938
Typical | 0.023 | 2,974
Occasional | 0.109 | 3,135
Infrequent | 3.239 | 4,024
(Reuse Password: usable; Strong Random Independent: unusable)
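The rehearsal model behind slides 19 to 21, as an added example that is not code from the talk or from [BBD13]: the expanding rehearsal assumption is taken literally as intervals [s_i, s_{i+1}] with s_i = s^i days, a cue is naturally rehearsed whenever the user visits an account that uses it, and the extra rehearsals X for a cue are the intervals that contain no such visit. The talk's table uses m = 75 accounts, s = 1.5 and a probabilistic visit model; this example instead feeds constructed, deterministic visit days so the counts can be checked by hand, and it goes one step beyond the slide by comparing independent secrets (each rehearsed only by its own account) against one secret shared across the same accounts (rehearsed by any visit), which is the usability argument of the "Sharing Cues" slides.

```python
def rehearsal_intervals(sigma, horizon_days):
    """Expanding rehearsal schedule: intervals [s_i, s_{i+1}] with s_i = sigma**i,
    generated while the interval start lies within the horizon (assumption of this
    example; the talk only states the interval form)."""
    intervals = []
    i = 0
    while sigma ** i < horizon_days:
        intervals.append((sigma ** i, sigma ** (i + 1)))
        i += 1
    return intervals


def extra_rehearsals(visit_days, sigma, horizon_days):
    """X for one cue: the number of rehearsal intervals in which the user visited
    no account using the cue, so the secret must be rehearsed deliberately."""
    visits = sorted(visit_days)
    extra = 0
    for lo, hi in rehearsal_intervals(sigma, horizon_days):
        if not any(lo <= day <= hi for day in visits):
            extra += 1
    return extra


def independent_vs_shared(account_visits, sigma, horizon_days):
    """account_visits maps an account name to the days it was visited (constructed).
    Independent: each account has its own secret, rehearsed only by that account.
    Shared: one secret used by every account is rehearsed by a visit to any of them.
    Returns (total extra rehearsals independent, extra rehearsals shared)."""
    independent = sum(
        extra_rehearsals(days, sigma, horizon_days) for days in account_visits.values()
    )
    union = set().union(*account_visits.values())
    shared = extra_rehearsals(union, sigma, horizon_days)
    return independent, shared


if __name__ == "__main__":
    # Constructed visit days for two accounts over a 100-day horizon, sigma = 2.
    visits = {"amazon": [3, 10, 50], "google": [1, 20, 70]}
    print("intervals:", rehearsal_intervals(2, 100))
    print("extra rehearsals (amazon secret alone):", extra_rehearsals(visits["amazon"], 2, 100))
    print("independent vs shared:", independent_vs_shared(visits, 2, 100))
```

With sigma = 2 the schedule up to day 100 has seven intervals; a secret visited on days 3, 10 and 50 misses four of them, while a secret shared by both accounts is missed in only one, which is the effect the talk's "More Natural Rehearsals!" bullet refers to. Running the same functions with sigma = 1.5 and 75 accounts reproduces the shape, though not the exact numbers, of the slide 21 table, since those come from a probabilistic visit model.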
Slide 22: Our Approach
Object: bike
Public Cue
Private
Action: kicking
Object: penguin

Slide 23: Login

Slide 24: Login

Slide 25: Sharing Cues
Usability Advantages:
- Fewer stories to remember!
- More Natural Rehearsals!
Security?
Day: 1 2 4 5 8
Slide 26: Sharing Cues
Combinatorial Design: each pair of accounts has at most γ secret stories in common.
Source: Naturally Rehearsing Passwords [BBD13]

Slide 27: (n, l, γ)-Sharing Set Family
m – number of passwords {S_1, …, S_m}
n – total # secrets the user memorizes
l – # secrets per password
γ – max intersection
S_i – secrets for account i
Slide 28: How Many Passwords?
PAO Stories | # Passwords | Security
(Security column values as extracted: 4 1 4)

Slide 29: How Many Passwords?
Adversary with one password is unlikely to guess any other password.

Slide 30: How Many Passwords?
PAO Stories | # Passwords
7 | 75+
15 | 75+
43 | 75+
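The (n, l, γ)-sharing set family of slide 27 and the security claim of slide 29, made concrete in code added here (not code from the talk or from [BBD13]): one function checks that a family S_1, …, S_m over n secrets has exactly l secrets per password and pairwise intersections of at most γ; a second counts, for each remaining account, how many of its secrets an adversary who has learned every secret behind some compromised accounts still has to guess. The sample family is constructed for this example: the 12 lines of the affine plane over Z_3 give n = 9 secrets, m = 12 passwords, l = 3 and γ = 1, so a single compromised password leaves at least l − γ = 2 unknown secrets in every other password. The SC-0 and SC-1 parameters from the slides are not reproduced here.

```python
from itertools import combinations


def is_sharing_set_family(family, n, l, gamma):
    """True iff every S_i has exactly l secrets drawn from {0, ..., n-1} and any two
    distinct S_i, S_j share at most gamma secrets (the (n, l, gamma)-sharing property)."""
    universe = set(range(n))
    for s in family:
        if len(s) != l or not set(s) <= universe:
            return False
    return all(len(set(a) & set(b)) <= gamma for a, b in combinations(family, 2))


def secrets_left_to_guess(family, compromised):
    """Assume the adversary learns every secret of the accounts in `compromised`
    (indices into family). For each other account, return how many of its secrets
    remain unknown. With one compromised account this is at least l - gamma."""
    known = set().union(*(set(family[i]) for i in compromised))
    return [len(set(s) - known) for i, s in enumerate(family) if i not in compromised]


def affine_plane_lines():
    """Constructed sample family: the 12 lines of AG(2,3). Point (x, y) in Z_3 x Z_3
    is secret number 3*x + y. Any two lines meet in at most one point, so this is a
    (9, 3, 1)-sharing set family with m = 12."""
    lines = []
    for c in range(3):
        lines.append(frozenset(3 * x + c for x in range(3)))          # y = c
        lines.append(frozenset(3 * c + y for y in range(3)))          # x = c
        lines.append(frozenset(3 * x + (x + c) % 3 for x in range(3)))      # y = x + c
        lines.append(frozenset(3 * x + (2 * x + c) % 3 for x in range(3)))  # y = 2x + c
    return lines


if __name__ == "__main__":
    fam = affine_plane_lines()
    print("m =", len(fam), "(9, 3, 1)-sharing:", is_sharing_set_family(fam, 9, 3, 1))
    left = secrets_left_to_guess(fam, [0])
    print("unknown secrets per other account after one compromise:", left)
    print("worst case:", min(left), "= l - gamma")
```

The checker is what a scheme designer runs on a candidate design before trusting the security argument: `is_sharing_set_family` fails as soon as γ is set lower than the design actually achieves, and `secrets_left_to_guess` shows the adversary's remaining work dropping only as more accounts are compromised, which is the quantitative form of "an adversary with one password is unlikely to guess any other password".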
Slide 31: Usability Results
E[X]: Extra rehearsals to maintain all passwords over lifetime.
User type | Reuse | Strong Random Independent | [SC-1] 15 PAO Stories | [SC-0] 7 PAO Stories
Active | 0 | 2,938 | 9.8 | 4.0
Typical | 0 | 2,974 | 11.8 | 4.5
Occasional | 0 | 3,135 | 15.2 | 5.5
Infrequent | 3.2 | 4,024 | 93.2 | 25.7
Slide 32: Future Directions
- Shared Cues as Browser Extension
- Gradual Password Strengthening
- Recovering Forgotten Secrets
- Intrusion Detection

Slide 33: Other Research Interests
- Making hashed passwords as hard as possible to crack
- Memory Hard Functions
- Security Games
- Human Computable Challenge-Response Style Authentication

Slide 34: Thanks for Listening!