safe passwords made easy to use
play

Safe passwords made easy to use Nicolas K. Blanchard 1 , Leila - PowerPoint PPT Presentation

Mar 02, 2024 •338 likes •747 views

Safe passwords made easy to use Nicolas K. Blanchard 1 , Leila Gabasova 2 , Clment Malaingre 3 , Ted Selker 4 , Eli Sennesh 5 1 IRIF, Universit Paris Diderot 2 Institut de Plantologie et dAstrophysique de Grenoble 3 Teads France 4

  1. Safe passwords made easy to use Nicolas K. Blanchard 1 , Leila Gabasova 2 , Clément Malaingre 3 , Ted Selker 4 , Eli Sennesh 5 1 IRIF, Université Paris Diderot 2 Institut de Planétologie et d’Astrophysique de Grenoble 3 Teads France 4 University of California, Berkeley 5 Northeastern University Stanford EE Computer Systems Colloquium November 28th, 2018

  2. Passwords are bad, m’kay ? Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 1/27

  3. Because of this: • High rate of re-use (75% of users) • Lots of sharing (40% of users) • Frequent loss of passwords (40% to 60% reinitialised every 3 months) Too many passwords State of password use: • Average user has ∼ 100 accounts • Creates 50 passwords per year on average • Often counterproductive constraints, avoided by users (e.g. 1@MyPassword) Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 2/27

  4. Too many passwords State of password use: • Average user has ∼ 100 accounts • Creates 50 passwords per year on average • Often counterproductive constraints, avoided by users (e.g. 1@MyPassword) Because of this: • High rate of re-use (75% of users) • Lots of sharing (40% of users) • Frequent loss of passwords (40% to 60% reinitialised every 3 months) Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 2/27

  5. Methods to make passwords better: • Salt + variable ending: soon vulnerable • Blum’s algorithm: costly • Passphrases: not compatible with constraints Authentication methods Multiple alternatives to secure access: • Biometrics: have been durably hackable • Defer to a service (Facebook connect): trust issues • Physical devices: introduce other vulnerabilities • Password managers: single point of failure • Passwords re-use: extremely vulnerable Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 3/27

  6. Authentication methods Multiple alternatives to secure access: • Biometrics: have been durably hackable • Defer to a service (Facebook connect): trust issues • Physical devices: introduce other vulnerabilities • Password managers: single point of failure • Passwords re-use: extremely vulnerable Methods to make passwords better: • Salt + variable ending: soon vulnerable • Blum’s algorithm: costly • Passphrases: not compatible with constraints Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 3/27

  7. Passwords vs Passphrases Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 4/27

  8. It seems we’re stuck with passwords! Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 4/27

  9. Constraints Constraints for a good password management algorithm: • High entropy for each password • High residual entropy against stolen clear-text passwords • Memorable even without frequent use (hence deterministic) • Easy to understand by non-Turing-award-winners • Compatible with frequent constraints Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 5/27

  10. Idea: mentally extract entropy from a large secret Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 5/27

  11. Cue-Pin-Select High level view : • Create one high-enropy passphrase and a 4-digit PIN • Create a 4-letter cue for each service • Deterministically extract 4 trigrams from the sentence using the PIN and the cue Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 6/27

  12. Example run Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 7/27

  13. Main Algorithm Data: Passphrase P of at least 6 random words PIN K of 4 random digits service name N Result: String S of 12 characters begin From N , create string M of four characters L ← − Length ( P ) , V ← − 0, S ← − “” for i = 0 ; i < 4 ; i + + do X ← − M [ i ] while X / ∈ P do X ← − letter following X in the alphabet V ← − index of next occurrence of X ∈ P after V V ← − V + K [ i ] + 3 mod ( L ) S ← → Concatenate ( S , P [ V − 2 ] , P [ V − 1 ] , P [ V ]) Print S Algorithm 1: Cue-Pin-Select Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 8/27

  14. Security analysis Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 8/27

  15. Bruteforcing Cue-Pin-Select Today’s standard for web services : 36-42 bits (30 years at 1000 tries/s). Brute-force against Cue-Pin-Select : • Naive against a password → 56 bits • Optimised dictionary against a password → 52 bits • Naive against passphrase → 210 bits • Dictionary against passphrase → 111 bits Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 9/27

  16. Clear-text attacks To simplify analysis, Very strong adversary model, who knows: • 1+ passwords • Length of the passphrase • Position of each revealed trigram in the sentence Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 10/27

  17. Residual entropy (empirical on 10 000 tries) 1000 800 Occurrences 600 400 200 0 40 50 60 70 80 Bits of entropy Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 11/27

  18. Residual entropy (empirical on 10 000 tries) Two plain-texts Three plain-texts 600 500 Occurrences 400 300 200 100 0 0 10 20 30 40 50 60 Bits of entropy Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 11/27

  19. User experiment After 4-day experiment: • High initial cost (82s on average), and multiple errors initially • Quick speed-up, down to 42s after two days, with pen and paper • Increase when shift to mental computation only (86s) • Speed-up over the last day (down to 57s), no errors • Large variability, 24s-71s Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 12/27

  20. Adaptability Algorithm can be extended to handle: • Number and special characters • Length constraints • Frequent changes Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 13/27

  21. Cue-Pin-Select Summary Cue-Pin-Select: • 52 bits security per password • Guaranteed resistance to single clear-text attack, probable resistance to 2-3 clear-text • Can create 500+ passwords without high risk of strong partial collision • Quick learning process to get under 1 min • According to models, strongly memorable • Natural extension to handle frequent constraints • Other extension to improve security Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 14/27

  22. How to choose a passphrase ? Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 14/27

  23. Second possibility: random generation Limits : • Small dictionary if we want to make sure people know all words • Harder to memorise Current methods to make passphrase First possibility: let people choose them Problems: • Sentences from literature (songs/poems) • Famous sentences (2 . 55 % of users chose the same sentence in a large experiment) • Low entropy sentences with common words Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 15/27

  24. Current methods to make passphrase First possibility: let people choose them Problems: • Sentences from literature (songs/poems) • Famous sentences (2 . 55 % of users chose the same sentence in a large experiment) • Low entropy sentences with common words Second possibility: random generation Limits : • Small dictionary if we want to make sure people know all words • Harder to memorise Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 15/27

  25. What if we take the best of both world ? Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 15/27

  26. Passphrase choice experiment We show 20 or 100 words to users, they have to pick – and remember – six. Questions : • What factors influence their choices ? • What is the effect on entropy ? • What are the most frequent mistakes ? • How is memorisation affected ? Introduction Cue-Pin-Select Security and usability Passphrase choice Empirical results Entropy Conclusion 16/27

Recommend

Meal Planning Made Easy Meal Planning Made Easy Healthy Utah Meal Planning Made Easy

Meal Planning Made Easy Meal Planning Made Easy Healthy Utah Meal Planning Made Easy

Meal Planning Made Easy Meal Planning Made Easy Healthy Utah Meal Planning Made Easy Welcome! Welcome! Housekeeping Webinar polling Recording will be a ailable available http://www.healthyutah.org/ programs/seminars.php

387 views • 19 slides
- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking

- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking

- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking statements and are subject to numerous risks and uncertainties including but not limited to a lack of adequate capital to enable the Company to

531 views • 24 slides
- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking

- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking

- Travel Made Easy - SAFE HARBOR: Statements in this presentation may constitute forward looking statements and are subject to numerous risks and uncertainties including but not limited to a lack of adequate capital to enable the Company to

519 views • 25 slides
User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

670 views • 28 slides
Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of

Good Passwords, Bad Passwords, and How to See the Difference David Klaftenegger Department of Information Technology Uppsala University, Sweden 20. January 2020 Caveat Auditor Background Passwords this talk contains opinions Diceware

447 views • 43 slides
PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords Passwords is a user authentication mechanism that is widely adopted for many years Methods for user authentication: Something you know

901 views • 52 slides
Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

CSCE Intro to Computer Systems Security - Passwords Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not too long ago Hi, I forgot my password! Let me help you. What is your name? My Name is John

369 views • 5 slides
WD 290 IQ Intelligence Made Easy WD 290 IQ Intuitive, easy to use 10.4 touch screens

WD 290 IQ Intelligence Made Easy WD 290 IQ Intuitive, easy to use 10.4 touch screens

WD 290 IQ Intelligence Made Easy WD 290 IQ Intuitive, easy to use 10.4 touch screens Reduced water use Same footprint as our WD 290 Compatible with WD 290 racks and carts Compatible with WA 290 and SISO

303 views • 17 slides
Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco IOS stores passwords in clear text in network device configuration files for several features such as passwords for local and remote CLI sessions,

354 views • 13 slides
STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A S S W O R D F R O M H O M E ! Students: Update your password this summer from home! Student passwords were reset on 7/3/2019. Please follow the

525 views • 14 slides
Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random research, rants, etc. Nmap dev news Password database I post updates to Twitter https://twitter.com/iagox86 My job... Tenable Network Security

990 views • 88 slides
The Pulse monitors: Statistics Smartpods PULSE 1 - Improve Facility Efficiencies 2 - Increase

The Pulse monitors: Statistics Smartpods PULSE 1 - Improve Facility Efficiencies 2 - Increase

The Pulse monitors: Statistics Smartpods PULSE 1 - Improve Facility Efficiencies 2 - Increase ROI 3 - Provide DATA and Reports Statistics Analysis Statistics Made Easy Statistics Made Easy Statistics Made Easy Statistics Made Easy

335 views • 18 slides
iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure

iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure

iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure and easy to access. TOTAL RECALL BENEFITS Keychain &amp; Safari are integral to Apples operating systems. (IOS for iPad/iPhone and OS X for

442 views • 9 slides
Q2 ION Metals Analysis Made Easy Elemental 1 19/01/2012 Instrument Impressions Elemental 2

Q2 ION Metals Analysis Made Easy Elemental 1 19/01/2012 Instrument Impressions Elemental 2

Q2 ION Metals Analysis Made Easy Elemental 1 19/01/2012 Instrument Impressions Elemental 2 19/01/2012 Q2 ION Metals Analysis Made Easy System overview Properties &amp; Features Technology Ultra-compact design, patented

785 views • 19 slides
AUDIENCE INTERACTION MADE EASY Let your conference attendees join the conversation and gain

AUDIENCE INTERACTION MADE EASY Let your conference attendees join the conversation and gain

AUDIENCE INTERACTION MADE EASY Let your conference attendees join the conversation and gain valuable industry insight Robert Morris Chief Communications Officer Georgia Ports Authority BRIDGING THE GAP Slido is an easy-to-use Q&amp;A and

293 views • 4 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret Typical goal: client authenticating to server, without being tied to a device holding a cryptographic key. On authentication, a session key should be

344 views • 11 slides
CYBER - SECURITY PART 2 Keeping you safe in an electronic age David Gibb, Cyber Protect Officer,

CYBER - SECURITY PART 2 Keeping you safe in an electronic age David Gibb, Cyber Protect Officer,

CYBER - SECURITY PART 2 Keeping you safe in an electronic age David Gibb, Cyber Protect Officer, Essex Police Barry Linton, Thorpe Bay U3A Thorpe Bay U3A HOW DO I PROTECT MYSELF 2 ALL ABOUT PASSWORDS Change your passwords regularly.

425 views • 27 slides
The Long and Short of Passwords Rich Shay November 5, 2009 1 / 34 The Long and Short of

The Long and Short of Passwords Rich Shay November 5, 2009 1 / 34 The Long and Short of

The Long and Short of Passwords The Long and Short of Passwords Rich Shay November 5, 2009 1 / 34 The Long and Short of Passwords Motivation for Studying Passwords Outline Motivation for Studying Passwords 1 2 Overview of Password Failure

373 views • 36 slides
Logic It s so easy even Through the computers can Looking Glass do it! 0 SAFE test Can

Logic It s so easy even Through the computers can Looking Glass do it! 0 SAFE test Can

Logic It s so easy even Through the computers can Looking Glass do it! 0 SAFE test Can you see the Welcome quiz on SAFE? A. Yes :-) B. No :-/ Story So Far x Winged(x) Flies(x) Pink(x) Alice FALSE FALSE FALSE

511 views • 24 slides
Easy-to-Use Easy-to-Install Easy on the Budget orecx.com Easy-to-Use

Easy-to-Use Easy-to-Install Easy on the Budget orecx.com Easy-to-Use

Easy-to-Use Easy-to-Install Easy on the Budget orecx.com Easy-to-Use Easy-to-Install Easy on the Budget OrecX Call Recording The issue is simple: You want to comply with regulatory requirements and improve customer service by

204 views • 9 slides
Outdoors NV Made Easy First question Why? Customer Service Deliver value

Outdoors NV Made Easy First question Why? Customer Service Deliver value

Outdoors NV Made Easy First question Why? Customer Service Deliver value Ease confusion Reduce mistakes Make it easier for our customers to engage What about the money? Revenue neutral Difficult to model

532 views • 22 slides
IoT solution made easy with NFC Session 1 : NFC commissioning solution with the NTAG I 2 C plus kit

IoT solution made easy with NFC Session 1 : NFC commissioning solution with the NTAG I 2 C plus kit

IoT solution made easy with NFC Session 1 : NFC commissioning solution with the NTAG I 2 C plus kit for Arduino pinout JORDI JOFRE NFC READERS NFC EVERYWHERE 11/07/2017 PUBLIC IoT and smart home adoption today 1 The Internet of Things in

590 views • 29 slides
FIRST AID KIT MADE EASY with things You Already Have In The Kitchen OATMEAL Amazing for your

FIRST AID KIT MADE EASY with things You Already Have In The Kitchen OATMEAL Amazing for your

FIRST AID KIT MADE EASY with things You Already Have In The Kitchen OATMEAL Amazing for your skin! Relieves rashes, simple sun burn and eczema HONEY Honey, did I tell you I Love You! TEA BAGS They spell relief or make tea CLING

355 views • 32 slides

More recommend