Usable Security and Passwords, Cylab Corporate Partners Oct 2009

A brief overview of some of my group's work on improving the security and usability of authentication.

Published in: Technology

  • 1. Usable Security and Passwords (Jason Hong, Carnegie Mellon University)
  • 2. Passwords and Usable Security
    • People have difficulties remembering passwords
      – NYTimes site: 100k readers forget their password each week
        • 15% of “new” readers were old readers who had forgotten their passwords
      – Gartner reported one company had 30% of help desk calls related to passwords, at ~$17 per call
  • 3. Basic Coping Strategies
    • Choose simple passwords
      – password, letmein, qwerty; but easy to guess
    • Reuse passwords
      – But break one password, break them all
      – Phishers attacking Facebook, Twitter, other targets
    • Write down passwords
      – Depending on threat model, might not be bad
  • 4. WebTicket
    • Observation #1
      – People couldn’t remember their passwords, let alone what site to go to
    • Observation #2
      – People are already writing down passwords; can we help them do this more securely?
      – And have positive side effects:
        • Phish resistance
        • Stronger, unique passwords
        • Faster login times
  • 5. WebTicket
    • Idea: Print out passwords on a “business card”
      – QR Code has encrypted URL, username, password
      – Strong password is generated for you
      – Only requires printer and web cam
      – Encrypted to work with your computers only
  • 6. WebTicket Login Process (figure: three numbered steps; image not included in this transcript)
  • 7. WebTicket Pros and Cons
    • Advantages
      – Commodity devices (webcam, printer)
      – Don’t know own password, phish resistance
      – Compatible with today’s web sites
      – Stronger passwords
    • Disadvantages
      – Scale, number of tickets
      – Attackers with cameras
      – Weaker than other 2FA
    • Not claiming it solves all authentication problems, just that it’s better than many current practices today
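The ticket described on slides 5 and 7, as an added Python example that is not part of the presentation or of the WebTicket project: a site-unique password is generated for the user, the (URL, username, password) record is encrypted under a key held only by the paired computer, and the resulting bytes are what the QR code would carry. The ticket layout and the cipher (HMAC-SHA256 keystream with an encrypt-then-MAC tag) are assumptions standing in for a vetted AEAD such as AES-GCM; a ticket read on another machine, or an altered ticket, yields nothing.

```python
import hashlib
import hmac
import json
import secrets

# Assumed ticket layout (not the project's real format): nonce || ciphertext || tag.
# Cipher: HMAC-SHA256 as a PRF in counter mode, encrypt-then-MAC with a separate
# MAC subkey; a stand-in for a vetted AEAD such as AES-GCM.
NONCE_LEN, TAG_LEN = 16, 32
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"


def generate_password(length=20):
    """Strong, site-unique password the user never has to memorize."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _subkeys(device_key):
    """Derive independent encryption and MAC subkeys from the device's secret."""
    enc = hmac.new(device_key, b"webticket-enc", hashlib.sha256).digest()
    mac = hmac.new(device_key, b"webticket-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """PRF counter mode: block i = HMAC(enc_key, nonce || i)."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]


def make_ticket(device_key, url, username, password):
    """Encrypt the credential record so only the paired computer can read it."""
    enc, mac = _subkeys(device_key)
    record = json.dumps({"url": url, "user": username, "pw": password}).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(record, _keystream(enc, nonce, len(record))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # the bytes the printed QR code would carry


def read_ticket(device_key, ticket):
    """Return the credential dict, or None if the ticket is not for this device or
    was altered. The browser then goes to record["url"], not wherever the user is."""
    enc, mac = _subkeys(device_key)
    nonce, ct, tag = ticket[:NONCE_LEN], ticket[NONCE_LEN:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if len(ticket) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(expected, tag):
        return None
    record = bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))
    return json.loads(record)
```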
  • 8. Evaluation of WebTicket
    • 20 people
      – Age 21-57 (mean=32), 11M and 9F
      – Paid $10 + $3 per successful login
    • Method
      – Warmup task to understand WebTicket
      – Session 1: Go to site, create account, and login
        • Two different sites, password and WebTicket
        • Told that sites had credit card info, and login week later
      – Session 2: One week later, go back to site, login
        • Had 10 WebTickets in wallet / purse / bag
        • 2 minutes to login
  • 9. Account Creation Time
    • WebTicket is slower for creating new accounts
  • 10. Logins
    • Success rate in logging in
    • Time to login
      – Note that people tended to go to the website first to login for WebTicket
  • 11. Perceptions
    • Perceived ease of use and perceived time
      – Higher numbers better for both
      – WebTicket statistically significantly better in both cases
  • 12. Ongoing Work
    • Phone version of WebTicket to scale up passwords
  • 13. Use Your Illusion Authentication
    • Again, passwords hard to remember
    • Image based authentication
      – Rely on human recognition over recall
      – However, may be easy for attackers to recognize
    • Idea: blur images
      – People can recognize their tokens, but harder for attackers to guess
    • Demonstrate the claims made above
  • 14. Evaluation of Use Your Illusion
    • Individualized educated guesses
      – Recognize a specific person’s image tokens
      – Analogy: if you know a person’s birthday or spouse, can guess possible text passwords
      – Ex. Pictures of their spouse, pet, house, or car
    • Group educated guesses
      – Biases in general for specific kinds of image tokens
      – Analogy: people tend to choose words in dictionary for text passwords
      – Ex. Pictures of animals, buildings, etc.
  • 15. Use Your Illusion (Undistorted)
    • Choose your three tokens (unordered)
  • 16. Use Your Illusion (Distorted)
    • Choose your three tokens (unordered)
  • 17. Individualized Educated Guesses
    • Recruited pairs of friends
      – One of the pair tried to guess the friend’s image tokens; the other tried to guess a stranger’s image tokens
      – In both cases, guessed two sets, undistorted and distorted
      – Guess the 3 tokens out of 27
  • 18. Results
    • Original undistorted images were easy to guess
      – People tended to choose image tokens similar in some way, e.g. lighting, background, object, etc.
      – Despite being told about the study
    • Distorted images more resilient
      – One person got very lucky
      – * means statistically significantly better than chance
  • 19. Distortion Reduces Correct Guesses
  • 20. Summary
    • WebTicket
      – Helping people manage passwords
      – Login using webcam + tickets
      – Mobile phone version
    • Use Your Illusion
      – Recognize blurred images
      – Showed that blurred images more resilient to guesses
  • 21. Logging in with WebTicket