The Human Element in Computer Security - Graphical Passcodes as a Means to Create Secure Authentication Systems (slide deck, Steffen Werner, University of Idaho)


  1. The Human Element in Computer Security - Graphical Passcodes as a Means to Create Secure Authentication systems Steffen Werner University of Idaho

  2. Why Research on User Authentication? • The applied appeal –Growing importance of stored assets • Shift to web-based services, cybersecurity –Increased need for computer security • Increase in attacks –Increasing rigor of authentication protocols

  3. Why Research on Passwords? • The theoretical appeal –Ideal scenario for human-technology optimization –Quantitative definition of engineering goals –Problem open to multiple solutions –Large body of relevant psychological literature • Different types of memory systems • Free recall vs. cued recall vs. recognition tests • Visual perception, visual attention, visual memory

  4. Overview of the Talk • Approaches to authentication • What makes a good password system? – Maximization of actual password entropy – Elimination of predictable user choices – Elimination of other unsafe user behavior • Overview of graphical approaches to password systems • 4 studies evaluating aspects of our new CSA graphical password system against alternative approaches

  5. Current Approaches to Authentication • Passwords • Token-based authentication • Biometric authentication • Behavioral analysis and combinations through ... • Two-factor (multi-factor) authentication

  6. Password Authentication is Cognitive Authentication • The user possesses unique knowledge • Relies on memory storage of information* • Problems: forgetting, phishing, guessing, theft (shoulder surfing) *unless written down

  7. Hardware Token-based Authentication • Token identifies user (passport) • One-time passwords (OTP) • Usually used in combination with a PIN or other password • Problems: theft, loss, failure, difficult to replace (time, cost)

  8. Biometric Authentication • Authentication through a physical characteristic of the user • Examples: fingerprint, retinal scan, iris scan, vascular patterns, voice recognition, DNA • Problems: cost, limited replaceability, user acceptance, stability of biometric parameters

  9. Authentication through Behavioral Analysis • Authentication through a unique behavioral pattern of the user • Keystroke, mouse, or signature dynamics, voice recognition, gait, posture, etc. • Problems: Changes (fatigue, illness), injury, aging

  10. What Makes a Good Password? • Increase effective password entropy • Decrease forgetting of passwords • Enable safe and fast entry of password • The current password problem: Inverse relation between safety of password and memorability

  11. Theoretical vs. Effective Entropy in Alphanumeric Passwords $H(X) = -\sum_{i=1}^{n} p(X_i) \log_2 p(X_i)$ • Theoretical password space = #chars ^ (password length) • Human users restrict their password choices to a small subset of possible passwords, reducing effective entropy – preference for short passwords (6-7 characters) – use of lower-case letters or digits only – use of dictionary words and personally relevant dates

  12. RockYou Password Leak: the top 20 passwords of 32 million (Imperva (2010). Consumer Password Worst Practices)

  Rank  Password    Count   | Rank  Password   Count
  1     123456      290731  | 11    Nicole     17168
  2     12345       79078   | 12    Daniel     16409
  3     123456789   76790   | 13    babygirl   16094
  4     Password    61958   | 14    monkey     15294
  5     iloveyou    51622   | 15    Jessica    15162
  6     princess    35231   | 16    Lovely     14950
  7     rockyou     22588   | 17    michael    14898
  8     1234567     21726   | 18    Ashley     14329
  9     12345678    20553   | 19    654321     13984
  10    abc123      17542   | 20    Qwerty     13856
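As an added worked example (not part of the talk), the following Python computes the quantities the two slides above contrast: the theoretical bits of a uniformly chosen password, Shannon entropy from the formula on slide 11, and two empirical measures taken from the slide 12 counts, the min-entropy implied by the most common password and the fraction of accounts the top-k passwords cover. The 32 million total is the figure quoted on the slide; the twenty counts are transcribed from it, and the long tail of the leak is not modelled.

```python
import math

# Counts transcribed from slide 12 (Imperva, 2010); the leak covered about 32 million accounts.
ROCKYOU_TOTAL = 32_000_000
ROCKYOU_TOP20 = {
    "123456": 290731, "12345": 79078, "123456789": 76790, "Password": 61958,
    "iloveyou": 51622, "princess": 35231, "rockyou": 22588, "1234567": 21726,
    "12345678": 20553, "abc123": 17542, "Nicole": 17168, "Daniel": 16409,
    "babygirl": 16094, "monkey": 15294, "Jessica": 15162, "Lovely": 14950,
    "michael": 14898, "Ashley": 14329, "654321": 13984, "Qwerty": 13856,
}


def theoretical_bits(alphabet_size, length):
    """log2 of the password space #chars ** length, i.e. the entropy if every
    password of that length were equally likely."""
    return length * math.log2(alphabet_size)


def shannon_entropy(probabilities):
    """H(X) = -sum_i p(X_i) log2 p(X_i) over a complete probability distribution."""
    if abs(sum(probabilities) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def min_entropy_bits(counts, total):
    """-log2 of the most frequent password's share: the security (in bits)
    against an attacker who is allowed exactly one, best-informed guess."""
    return -math.log2(max(counts.values()) / total)


def top_k_coverage(counts, total, k):
    """Fraction of all accounts opened by trying only the k most common
    passwords, one online guess each."""
    top = sorted(counts.values(), reverse=True)[:k]
    return sum(top) / total


if __name__ == "__main__":
    # Uniform choice reduces the Shannon formula to log2(N), the theoretical value.
    print("uniform 1 lowercase char:", shannon_entropy([1 / 26] * 26), "bits")
    print("6 lowercase chars, uniform:", round(theoretical_bits(26, 6), 2), "bits")
    print("8 printable ASCII chars, uniform:", round(theoretical_bits(95, 8), 2), "bits")
    # Real choices are far from uniform: one guess already has ~1% success.
    print("RockYou min-entropy:", round(min_entropy_bits(ROCKYOU_TOP20, ROCKYOU_TOTAL), 2), "bits")
    print("accounts covered by top 20:", round(100 * top_k_coverage(ROCKYOU_TOP20, ROCKYOU_TOTAL, 20), 2), "%")
```

The gap between the theoretical 28 bits of a six-letter password and the roughly 6.8 bits of min-entropy in the leaked data is the "effective entropy" problem the slide describes; for a lockout or rate-limiting policy the coverage figure (what fraction of accounts fall to a small fixed guess list) is the more actionable number.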

  13. Distribution of Password Lengths [bar chart: password length (5 to 16 characters) vs. share of users (0% to 30%), for 32 million passwords of RockYou users (2010) and 10,000 leaked Hotmail passwords (2009)]

  14. Distribution of Password Types [bar chart: share of users (0% to 100%) by password type (lower-case letters & digits, numeric only, strong), for 32 million passwords of RockYou users (2010), 10,000 leaked Hotmail passwords (2009), and 545,000 users in a Microsoft study (2006/7)]

  15. Theoretical bit-strength for different logins [histogram: bit-strength of password (20 to 90 bits) vs. share of logins (0% to 50%); Florencio & Herley, Microsoft, 2007]

  16. Where do Security Policies come from? Analysis of 75 different (large) websites Dinei Florencio and Cormac Herley, Microsoft, 2010 • greater security demands not a factor • size of site, number of users, value of assets protected and attack frequency show no correlation with policy strength • sites with the most restrictive password policies don't have greater security concerns, they are simply better insulated from the consequences of poor usability • median password policy strengths: .com sites = 19.9 bits, banks = 31.0 bits, .edu = 43.7 bits and .gov = 47.6 bits

  17. What about Password Forgetting? • Estimate of 4.3% of active Yahoo users forget their password within a three month period • Company statistics are not publicly available • User strategies to fight forgetting –Choice of meaningful passwords –Password reuse between multiple sites –Password reset as a common procedure –External storage of password

  18. Summary of Current Status • Inverse relation between security and memorability for alphanumeric passwords – Users choose easily predictable passwords – Users can’t remember secure (complex and random) passwords – Attempts to enforce secure password practice are often circumvented • Content requirements ➠ Passwords are written down • Change regimes ➠ Highly similar passwords • Allowing user selection decreases security

  19. The Promise of Graphical Passcodes • Visual material is easy to remember - Picture Superiority Effect – Shepard (1967). Recognition memory for words, sentences, and pictures showed superiority of pictures • Visual long-term memory has a vast capacity – Standing et al (1970): 2,560 pictures tested – Standing (1973): up to 10,000 pictures tested • Visual long-term memory shows little decay – Nickerson (1968): Retention tested up to 1 year

  20. Graphical Passcodes: The Pesky Details I Picture superiority requires a heterogeneous set of stimuli Goldstein & Chance (1970) testing memory for faces, snowflakes and crystals with poor memory performance http://www.its.caltech.edu/~atomic/snowcrystals

  21. Graphical Passcodes: The Pesky Details II Visual information is often not encoded at all Change blindness (Rensink et al., 1997; Simons and Levin, 1997)


  23. Graphical Passcodes: The Pesky Details III Human observers extract the gist of pictures rapidly and remember gist well Meaning of a scene can be identified within 0.1s (Potter, 1975)
  Graphical Passcodes: The Pesky Details IV Object interactions and consistency within a scene guide scene interpretation Coherent scenes are easier to interpret (Biederman et al., 1974)

  24. Main Types of Graphical Authentication • Visual recognition paradigm – Enrollment: User learns password image set – Authentication: User has to select the presented images • Spatial passcodes - cued recall – Enrollment: User learns sequence of locations within a visual scene / a set of images – Authentication: User has to replay the sequence • Gestural passcodes - cued or free recall – User has to reproduce a specific set of doodles/signature – Might use more procedural memory

  25. VIP (De Angeli et al., 2005) “select the images from your password set”

  26. Passfaces “select the face from your password set”

  27. Déjà Vu (Dhamija & Perrig, 2000) “select the images from your password set” Fig. 5. Déjà Vu [Dhamija and Perrig 2000].

  28. PassPoints (Wiedenbeck et al., 2005) “click on the points in the image that constitute your password”

  29. Draw-a-Secret: Gestural Authentication (Jermyn et al., 1999) “recreate the drawing that you use as a password” Fig. 1. Draw-A-Secret [Jermyn et al. 1999]

  30. Stubblefield & Simons Inkblot Creatures (2004) • Name each blob • Determine the first and last letter of each name • Concatenate the letters to form a password http://research.microsoft.com/en-us/news/features/inkblots.aspx

  31. Image-based Authentication through ImageShield™ (formerly myVidoop) • At registration the user selects categories of images • At authentication, the user – is presented with a grid of randomly generated images – chooses the images that match their categories – enters the corresponding letter or number • This creates a secure, one-time access code

  32. Category Selection at Registration

  33. Image Search for Authentication

  34. Composite Scene Authentication (CSA) Johnson and Werner (2006, 2007) • Composite Scenes as Passwords – A scene combines n scene-elements into one picture – Scene elements are randomly selected, one from each of n different categories – Each scene-element needs to be selected out of m choices during authentication – Strength of password (bits) = n * log2(m) • Authentication – Sequence of n challenge screens – Each challenge screen is organized by category – User has to select 1 scene-element per screen
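As an added example, not code from the talk or from Johnson and Werner's implementation, here is a minimal Python model of CSA enrollment and authentication as slide 34 describes it. The category pools and element names are constructed placeholders; the parameters n (number of categories) and m (choices per challenge screen) follow the slide, so the passcode strength is n * log2(m) and a single blind guess succeeds with probability m^-n.

```python
import hmac
import math
import random
import secrets

# Constructed toy category pools (hypothetical names, not the talk's stimulus set).
# In CSA exactly one element from each category ends up in the composite scene.
CATEGORIES = {
    "sky":      ["sun", "moon", "rainbow", "clouds", "stars", "lightning"],
    "animal":   ["dog", "cat", "horse", "cow", "rabbit", "deer"],
    "building": ["barn", "lighthouse", "castle", "windmill", "church", "tent"],
}


def _rng(seed):
    # A seed is only for reproducible demonstrations; production use keeps the CSPRNG.
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


def passcode_bits(n, m):
    """Strength of an n-element scene with m choices per element: n * log2(m)."""
    return n * math.log2(m)


def guess_success(n, m):
    """Probability that one random response to all n screens is accepted."""
    return m ** -n


def enroll(categories, seed=None):
    """System-side enrollment: draw one element per category at random.
    The user does not choose, which removes predictable user choices."""
    rng = _rng(seed)
    return {cat: rng.choice(elements) for cat, elements in categories.items()}


def build_challenges(categories, secret, m, seed=None):
    """One challenge screen per category: the secret element plus m-1 decoys
    from the same category, shuffled so position carries no information."""
    rng = _rng(seed)
    screens = []
    for cat, elements in categories.items():
        if not 2 <= m <= len(elements):
            raise ValueError(f"category {cat!r}: m must be between 2 and {len(elements)}")
        decoys = [e for e in elements if e != secret[cat]]
        options = rng.sample(decoys, m - 1) + [secret[cat]]
        rng.shuffle(options)
        screens.append((cat, options))
    return screens


def authenticate(secret, screens, responses):
    """Accept only if every screen's selection matches the secret scene.
    All screens are compared in one constant-time check, so a wrong answer on
    the first screen does not fail faster than a wrong answer on the last."""
    expected = "|".join(secret[cat] for cat, _ in screens)
    given = "|".join(str(responses.get(cat, "")) for cat, _ in screens)
    return hmac.compare_digest(expected.encode(), given.encode())


if __name__ == "__main__":
    n, m = len(CATEGORIES), 4
    print(f"n={n}, m={m}: {passcode_bits(n, m):.2f} bits, blind guess succeeds with p={guess_success(n, m)}")
    secret = enroll(CATEGORIES)                       # the user's composite scene
    screens = build_challenges(CATEGORIES, secret, m)  # a fresh login attempt
    for cat, options in screens:
        print(f"screen '{cat}': {options}")
    print("correct answers accepted:", authenticate(secret, screens, dict(secret)))
```

Each login gets a fresh decoy set and shuffle, so an observer who sees one session learns which element was chosen on each screen but not which of the m positions to pick next time; the strength figure on the slide assumes the attacker has not yet observed the secret elements at all.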
