The password thicket: technical and market failures in human authentication on the web (PowerPoint PPT presentation)

Joseph Bonneau, Sören Preibusch, {jcb82,sdp36}@cl.cam.ac.uk, Computer Laboratory, University of Cambridge
WEIS 2010, The Ninth Workshop on the Economics of Information Security


  1. The password thicket: technical and market failures in human authentication on the web. Joseph Bonneau, Sören Preibusch, {jcb82,sdp36}@cl.cam.ac.uk, Computer Laboratory. WEIS 2010, The Ninth Workshop on the Economics of Information Security, Boston, MA, USA, June 7, 2010.
    Slide footer (repeated on every slide): J. Bonneau, S. Preibusch (U. of Cambridge), The password thicket, June 7, 2010, 1 / 28

  2-5. Password authentication is losing viability
    - Twitter hack, July 2009
    - RockYou SQL injection hack, January 2010
    - Zuckerberg e-mail hacking, 2005
    - Twitter mass reset, February 2010

  6. A thicket 30 years in the making
    "We’ve conducted experiments to try to determine typical users’ habits in the choice of passwords . . . The results were disappointing, except to the bad guy." (Morris and Thompson, 1979)

  7-10. Conventional wisdom is gloomy
    1. Users can’t manage: re-use, weak passwords, post-it notes, sharing
    2. Free alternatives hard: graphical (e.g. Passfaces), cognitive
    3. 2-factor too expensive: hardware tokens, client certs, smartphone (e.g. Cronto)
    4. Single sign-on limited: OpenID/OAuth stack

  11. Password collection remains ubiquitous
    [Figure 1 (from the paper): prevention of password sharing amongst top US sites. Proportion of sites collecting passwords and, amongst these, of sites blocking password sharing. Ratios given for top US sites with rank up to 900. Bumps are artefacts of the increasing window size for the arithmetic mean. Y-axis: proportion, 0% to 100%; x-axis: site rank, 0 to 900; series: sites collecting passwords, sites blocking password sharing.]

  12. Supply side of the market remains poorly understood
    1. How does the user experience vary from site to site?
    2. What implementation weaknesses exist?
    3. Which circumstantial factors affect sites’ implementation choices?
    4. How do sites’ security requirements affect their choices?
    5. Why do websites choose to collect passwords?

  13-15. Coarse classification of password deployment cases: Identity, E-commerce, Content

  16. Random study sample designed for depth, breadth

  17. Site classification allows for feature overlap (I = Identity, E = E-commerce, C = Content)
    Feature                       I    E    C   Tot.
    News displayed               15    0   49    64
    Products for sale             4   50    1    55
    Payment details stored        7   30    2    39
    Social networking            28    1    2    31
    Premium accounts available   17    3    8    28
    Email accounts provided      17    0    2    19
    Discussion forums            16    1    2    19

  18-22. Complete evaluation of visible password security (IKEA shown as the running example at each stage)
    1. Enrolment: password advice, data collected
    2. Login: data transmission
    3. Update: re-authentication, password requirements
    4. Recovery: backup authentication, replacement
    5. Attacks: user probing, password guessing

  23. Semi-automated human-in-the-loop evaluation
    Mozilla Firefox v3.5.8 with: Autofill Forms 0.9.5.2, CipherFox 2.3.0, Cookie Monster 0.98.0, DOM Inspector 2.0.4, Greasemonkey 0.8.20100211.5, Screengrab 0.96.2, Tamper Data 11.0.1

  24. Findings (research questions 1-5, as listed on slide 12)

  25-26. User experience varies considerably (WSJ 1996 vs. WSJ 2010)
    Bare-bones password entry is universal; advice rare and inconsistent.
    Advice                        I    E    C   Tot.
    Use digits                    9    6    3    18
    Use symbols                   9    2    3    14
    Graphical strength indicator  9    0    2    11
    Difficult to guess            5    2    2     9
    Not a dictionary word         6    0    2     8
    Change regularly              4    0    1     5
    Any                          18    8    7    33

  27. Findings (research questions 1-5, as listed on slide 12)

  28-29. TLS deployment sparse and inconsistent (example: Facebook)
    TLS deployment   I    E    C   Tot.
    Full            10   39   10    59
    Full/POST        3    1    1     5
    Inconsistent    14    6    5    25
    None            23    4   34    61

  30. No standard for password length
    [Figure: proportion of sites accepting passwords of length n, for n = 1 to 8, plotted per site group: Identity sites, E-commerce sites, Content sites, Payment sites, Premium sites, All sites. Y-axis: proportion, 0.0 to 1.0; x-axis: password length n.]
