Usable Security and Passwords, Cylab Corporate Partners Oct 2009

A brief overview of some of my group's work on improving the security and usability of authentication.

Published in: Technology

  • 1. Usable Security and Passwords
      Jason Hong, Carnegie Mellon University
  • 2. Passwords and Usable Security
      • People have difficulties remembering passwords
          – NYTimes site: 100k readers forget their password each week
              • 15% of “new” readers were old readers who had forgotten their passwords
          – Gartner reported one company had 30% of help desk calls related to passwords, ~$17 / call
  • 3. Basic Coping Strategies
      • Choose simple passwords
          – password, letmein, qwerty; easy to remember, but easy to guess
      • Reuse passwords
          – Break one password, break them all
          – Phishers attacking Facebook, Twitter, other targets
      • Write down passwords
          – Depending on threat model, might not be bad
  • 4. WebTicket
      • Observation #1
          – People could not remember their passwords, and sometimes not even which site to go to
      • Observation #2
          – People are already writing down passwords; can we help them do this more securely?
          – And have positive side effects:
              • Phish resistance
              • Stronger, unique passwords
              • Faster login times
  • 5. WebTicket
      • Idea: Print out passwords on a “business card”
          – QR code holds the encrypted URL, username, and password
          – A strong password is generated for you
          – Only requires a printer and a web cam
          – Encrypted so that it works with your computers only
  • 6. WebTicket Login Process (figure: steps 1, 2, 3)
  • 7. WebTicket Pros and Cons
      • Advantages
          – Commodity devices (webcam, printer)
          – You don’t know your own password, which gives phish resistance
          – Compatible with today’s web sites
          – Stronger passwords
      • Disadvantages
          – Scale: number of tickets
          – Attackers with cameras
          – Weaker than other 2FA
      • Not claiming it solves all authentication problems, just that it’s better than many current practices today
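Slides 4 to 7 describe what a WebTicket carries and why it only works on the owner's machines. The following is an added example, not the CMU WebTicket code or anything shown in the talk: it generates a strong password, seals the URL/username/password triple under a per-computer key with authenticated encryption, and shows that a different computer's key cannot open the ticket. The construction (HMAC-SHA256 in counter mode with a separate HMAC tag, two keys derived under the labels `webticket-enc` and `webticket-mac`, the JSON payload layout, and all sample values) is assumed for illustration and stays inside Python's standard library; the QR encoding and webcam step are omitted, and the returned string is what would be placed in the QR code.

```python
"""Toy WebTicket-style ticket issuer and reader.

Added example, not the CMU WebTicket code.  The cipher construction
(HMAC-SHA256 in counter mode, encrypt-then-MAC with separately derived
keys) is an assumption chosen to stay in the standard library.  The QR
step is omitted; the `ticket` string is what would be encoded in it.
"""
import base64
import hashlib
import hmac
import json
import secrets
import string
from typing import Tuple

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@^_"  # 72 symbols
NONCE_LEN = 16   # fresh per ticket, so two tickets never share a keystream
TAG_LEN = 32     # HMAC-SHA256 output


def generate_password(length: int = 16) -> str:
    """Site password from a CSPRNG; 72 symbols give ~6.2 bits per character."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def _subkey(computer_key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the per-computer key."""
    return hmac.new(computer_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: block i = HMAC-SHA256(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt_ticket(computer_key: bytes, url: str, username: str, password: str) -> str:
    """Seal the login triple; returns the text that would go into the QR code."""
    enc_key = _subkey(computer_key, b"webticket-enc")
    mac_key = _subkey(computer_key, b"webticket-mac")
    plaintext = json.dumps({"url": url, "username": username, "password": password}).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # tag covers the nonce too
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def decrypt_ticket(computer_key: bytes, ticket: str) -> dict:
    """Open a scanned ticket; ValueError if it was not issued for this key or was altered."""
    enc_key = _subkey(computer_key, b"webticket-enc")
    mac_key = _subkey(computer_key, b"webticket-mac")
    try:
        blob = base64.urlsafe_b64decode(ticket)
    except (ValueError, TypeError) as exc:   # binascii.Error is a ValueError subclass
        raise ValueError("ticket is not valid base64") from exc
    if len(blob) < NONCE_LEN + TAG_LEN + 1:
        raise ValueError("ticket too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time check, done before decrypting
        raise ValueError("ticket was not issued for this computer or has been altered")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def issue_ticket(computer_key: bytes, url: str, username: str) -> Tuple[str, str]:
    """Account-creation step: pick a strong password and seal it into a ticket.
    The user never has to learn the password, which is where the phish
    resistance on slide 7 comes from."""
    password = generate_password()
    return encrypt_ticket(computer_key, url, username, password), password


def opens_with(computer_key: bytes, ticket: str) -> bool:
    """True if this computer's key can open the ticket."""
    try:
        decrypt_ticket(computer_key, ticket)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo values: two 32-byte per-computer keys and a made-up site.
    home_pc_key = secrets.token_bytes(32)
    other_pc_key = secrets.token_bytes(32)
    ticket, password = issue_ticket(home_pc_key, "https://example.com/login", "alice")
    print("QR payload:", ticket)
    print("opens on home PC:", decrypt_ticket(home_pc_key, ticket)["username"] == "alice")
    print("opens on a stranger's PC:", opens_with(other_pc_key, ticket))
```

The tag is verified before any decryption, and a wrong key and a modified ticket are reported identically, so a machine that scans a ticket it was not issued for learns nothing beyond "this does not open here". A real deployment would use a standard AEAD (AES-GCM or ChaCha20-Poly1305) in place of the HMAC counter-mode construction; the surrounding flow is the same.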
  • 8. Evaluation of WebTicket
      • 20 people
          – Age 21-57 (mean=32), 11M and 9F
          – Paid $10 + $3 per successful login
      • Method
          – Warmup task to understand WebTicket
          – Session 1: Go to site, create account, and login
              • Two different sites, password and WebTicket
              • Told that sites had credit card info, and that they would login a week later
          – Session 2: One week later, go back to site, login
              • Had 10 WebTickets in wallet / purse / bag
              • 2 minutes to login
  • 9. Account Creation Time
      • WebTicket is slower for creating new accounts
  • 10. Logins
      • Success rate in logging in
      • Time to login
          – Note that people tended to go to the website first to login for WebTicket
  • 11. Perceptions
      • Perceived ease of use and perceived time
          – Higher numbers better for both
          – WebTicket statistically significantly better in both cases
  • 12. Ongoing Work
      • Phone version of WebTicket to scale up the number of passwords
  • 13. Use Your Illusion Authentication
      • Again, passwords are hard to remember
      • Image based authentication
          – Rely on human recognition over recall
          – However, may be easy for attackers to recognize
      • Idea: blur images
          – People can recognize their own tokens, but they are harder for attackers to guess
      • Demonstrate the claims made above
  • 14. Evaluation of Use Your Illusion
      • Individualized educated guesses
          – Recognize a specific person’s image tokens
          – Analogy: if you know a person’s birthday or spouse, you can guess possible text passwords
          – Ex. Pictures of their spouse, pet, house, or car
      • Group educated guesses
          – Biases in general for specific kinds of image tokens
          – Analogy: people tend to choose dictionary words for text passwords
          – Ex. Pictures of animals, buildings, etc.
  • 15. Use Your Illusion (Undistorted)
      • Choose your three tokens (unordered)
  • 16. Use Your Illusion (Distorted)
      • Choose your three tokens (unordered)
  • 17. Individualized Educated Guesses
      • Recruited pairs of friends
          – One of the pair tried to guess the friend’s image tokens; the other tried to guess a stranger’s image tokens
          – In both cases, guessed two sets, undistorted and distorted
          – Guess the 3 tokens out of 27
  • 18. Results
      • Original undistorted images were easy to guess
          – People tended to choose image tokens similar in some way, e.g. lighting, background, object, etc.
          – Despite being told about the study
      • Distorted images more resilient
          – One person got very lucky
          – * means statistically significantly better than chance
  • 19. Distortion Reduces Correct Guesses
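Slides 14 to 18 frame the attack as guessing 3 tokens out of 27 and mark results that are statistically significantly better than chance. The following added example (not the study's own analysis code) works those numbers out: the blind-guess baseline, the distribution of partial hits on one guess, how much an educated guess that narrows the grid to a small candidate pool raises the odds, and a one-sided binomial test for whether a hit count is above chance. The pool size and hit counts in the demo are constructed values, not the study's data.

```python
"""Guessing odds for a Use Your Illusion-style portfolio and the
significance test behind the slides' "better than chance" asterisk.

Added example, not the CMU study's analysis code.  Assumes the setup on
the slides: 3 user tokens in a 27-image grid, one unordered guess of 3.
Counts used in the demo are constructed, not the study's data.
"""
from math import comb
from typing import Dict, Optional

N_TOKENS = 27
N_CHOSEN = 3


def chance_guess_probability(n_tokens: int = N_TOKENS, n_chosen: int = N_CHOSEN) -> float:
    """P(one blind unordered guess is fully correct) = 1 / C(n_tokens, n_chosen)."""
    return 1 / comb(n_tokens, n_chosen)


def partial_match_distribution(n_tokens: int = N_TOKENS, n_chosen: int = N_CHOSEN) -> Dict[int, float]:
    """Hypergeometric: P(exactly k of the attacker's n_chosen picks are real tokens).
    Useful for schemes that leak how many picks were right, since k=1 or k=2
    are far more likely than a full hit and would let the attacker home in."""
    total = comb(n_tokens, n_chosen)
    return {k: comb(n_chosen, k) * comb(n_tokens - n_chosen, n_chosen - k) / total
            for k in range(n_chosen + 1)}


def educated_guess_probability(pool_size: int, n_chosen: int = N_CHOSEN) -> float:
    """If cues (similar lighting, background, subject) let the attacker narrow the
    grid to `pool_size` images that contain all the real tokens, a full hit has
    probability 1 / C(pool_size, n_chosen).  This is why undistorted portfolios
    fall even though the nominal space is C(27, 3)."""
    if pool_size < n_chosen:
        raise ValueError("pool must hold at least the chosen tokens")
    return 1 / comb(pool_size, n_chosen)


def binomial_tail(successes: int, trials: int, p: float) -> float:
    """One-sided p-value: P(X >= successes) for X ~ Binomial(trials, p)."""
    return sum(comb(trials, i) * p ** i * (1 - p) ** (trials - i)
               for i in range(successes, trials + 1))


def better_than_chance(successes: int, trials: int,
                       p: Optional[float] = None, alpha: float = 0.05) -> bool:
    """True if the observed hit rate is significantly above blind guessing."""
    if p is None:
        p = chance_guess_probability()
    return binomial_tail(successes, trials, p) < alpha


if __name__ == "__main__":
    base = chance_guess_probability()
    print(f"blind guess, 3 of 27 unordered: 1 in {round(1 / base)}")          # 1 in 2925
    for k, prob in partial_match_distribution().items():
        print(f"  exactly {k} correct on one guess: {prob:.4f}")
    # Constructed: attacker can narrow the grid to 8 look-alike images.
    print(f"educated guess from a pool of 8: 1 in {round(1 / educated_guess_probability(8))}")
    # Constructed counts: 1 full hit in 20 guessing sessions vs 1 in 200.
    for hits, sessions in ((1, 20), (1, 200)):
        pval = binomial_tail(hits, sessions, base)
        print(f"{hits}/{sessions} hits: p = {pval:.4f}, "
              f"{'above' if better_than_chance(hits, sessions) else 'not above'} chance at 0.05")
```

The one-sided binomial test is a reasonable stand-in for the asterisk on slide 18; the original analysis may have used a different test, and with the tiny baseline rate a single lucky hit in a small sample is already significant, which is exactly the "one person got very lucky" caveat on that slide.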
  • 20. Summary
      • WebTicket
          – Helping people manage passwords
          – Login using webcam + tickets
          – Mobile phone version
      • Use Your Illusion
          – Recognize blurred images
          – Showed that blurred images are more resilient to guesses
  • 21. Logging in with WebTicket