Usable Security and Passwords
Jason Hong
Carnegie Mellon University
Usable Security and Passwords, Cylab Corporate Partners Oct 2009
A brief overview of some of my group's work on improving the security and usability of authentication.
2. Passwords and Usable Security
• People have difficulties remembering passwords
  – NYTimes site: 100k readers forget password each week
    • 15% of “new” readers were old readers that had forgotten their passwords
  – Gartner reported one company had 30% of help desk calls related to passwords, ~$17 / call

3. Basic Coping Strategies
• Choose simple passwords
  – password, letmein, qwerty, but easy to guess
• Reuse passwords
  – But break one password, break them all
  – Phishers attacking Facebook, Twitter, other targets
• Write down passwords
  – Depending on threat model, might not be bad

4. WebTicket
• Observation #1
  – People who couldn’t remember their passwords, let alone what site to go to
• Observation #2
  – People already writing down passwords, can we help them do this more securely?
  – And have positive side effects:
    • Phish resistance
    • Stronger, unique passwords
    • Faster login times

5. WebTicket
• Idea: Print out passwords on “business card”
  – QR Code has encrypted URL, username, password
  – Strong password is generated for you
  – Only requires printer and web cam
  – Encrypted to work with your computers only

6. WebTicket Login Process
[Figure: login steps 1, 2, 3]

7. WebTicket Pros and Cons
• Advantages
  – Commodity devices (webcam, printer)
  – Don’t know own password, phish resistance
  – Compatible with today’s web sites
  – Stronger passwords
• Disadvantages
  – Scale, number of tickets
  – Attackers with cameras
  – Weaker than other 2FA
• Not claiming it solves all authentication problems, just that it’s better than many current practices today
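As an added illustration (not WebTicket's own code, which the slides do not show), the following stdlib-only Python sketch mirrors the ticket design from slides 5 and 7: a generated strong password, the URL/username/password triple encrypted and authenticated under a per-computer key so the ticket only works on that computer, and a login step that releases the credentials only when the browser is on the site named inside the ticket. All function names are my own, the origin check is my assumption about how the phish resistance works, and HMAC-SHA256 in counter mode stands in for a proper AEAD cipher.

```python
import base64, hashlib, hmac, json, os, secrets, string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
NONCE_LEN, TAG_LEN = 16, 32

def new_device_key():
    """Per-computer secret (hypothetical); tickets are unreadable on any machine without it."""
    return os.urandom(32)

def generate_password(length=16):
    """Strong random password the user never needs to memorise; the ticket carries it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _subkey(device_key, label):
    return hmac.new(device_key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, n):
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD cipher."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def make_ticket(device_key, url, username, password):
    """Encrypt-then-MAC the (url, username, password) triple; the result is the QR payload."""
    plain = json.dumps({"url": url, "user": username, "pw": password}).encode()
    nonce = os.urandom(NONCE_LEN)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(_subkey(device_key, b"enc"), nonce, len(plain))))
    tag = hmac.new(_subkey(device_key, b"mac"), nonce + cipher, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + cipher + tag).decode()

def read_ticket(device_key, ticket):
    """Return the decrypted fields, or None if the ticket was not issued for this computer."""
    raw = base64.urlsafe_b64decode(ticket)
    nonce, cipher, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(device_key, b"mac"), nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(_subkey(device_key, b"enc"), nonce, len(cipher))))
    return json.loads(plain)

def login_with_ticket(device_key, ticket, current_page_url):
    """Release credentials only when the browser is on the ticket's own site (phish resistance)."""
    fields = read_ticket(device_key, ticket)
    if fields is None:
        return None
    want, have = urlsplit(fields["url"]), urlsplit(current_page_url)
    if (have.scheme, have.hostname) != (want.scheme, want.hostname):
        return None  # look-alike site: the password inside the ticket is never revealed here
    return fields["user"], fields["pw"]
```

The URLs and the user name in the checks below are constructed sample values; in the real system the base64 string would be rendered as the QR code on the printed card and read back by the webcam.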
8. Evaluation of WebTicket
• 20 people
  – age 21-57 (mean=32), 11M and 9F
  – Paid $10 + $3 per successful login
• Method
  – Warmup task to understand WebTicket
  – Session 1: Go to site, create account, and login
    • Two different sites, password and WebTicket
    • Told that sites had credit card info, and login week later
  – Session 2: One week later, go back to site, login
    • Had 10 WebTickets in wallet / purse / bag
    • 2 minutes to login

9. Account Creation Time
• WebTicket is slower for creating new accounts

10. Logins
• Success rate in logging in
• Time to login
  – Note that people tended to go to website first to login for WebTicket

11. Perceptions
• Perceived ease of use and perceived time
  – Higher numbers better for both
  – WebTicket statistically significantly better in both cases

12. Ongoing Work
• Phone version of WebTicket to scale up passwords

13. Use Your Illusion Authentication
• Again, passwords hard to remember
• Image based authentication
  – Rely on human recognition over recall
  – However, may be easy for attackers to recognize
• Idea: blur images
  – People can recognize their tokens, but harder for attackers to guess
• Demonstrate the claims made above

14. Evaluation of Use Your Illusion
• Individualized educated guesses
  – Recognize a specific person’s image tokens
  – Analogy: if you know a person’s birthday or spouse, can guess possible text passwords
  – Ex. Pictures of their spouse, pet, house, or car
• Group educated guesses
  – Biases in general for specific kinds of image tokens
  – Analogy: people tend to choose words in dictionary for text passwords
  – Ex. Pictures of animals, buildings, etc

15. Use Your Illusion (Undistorted)
Choose your three tokens (unordered)

16. Use Your Illusion (Distorted)
Choose your three tokens (unordered)

17. Individualized Educated Guesses
• Recruited pairs of friends
  – One of the pair tried to guess friend’s image tokens
  – Other of the pair tried to guess stranger’s image tokens
  – In both cases, guessed two sets, undistorted and distorted
  – Guess the 3 tokens out of 27

18. Results
• Original undistorted images were easy to guess
  – People tended to choose image tokens similar in some way, e.g. lighting, background, object, etc
  – Despite being told about the study
• Distorted images more resilient
  – One person got very lucky
  – * means statistically significantly better than chance

19. Distortion Reduces Correct Guesses
[Figure: guessing results, undistorted vs. distorted]

20. Summary
• WebTicket
  – Helping people manage passwords
  – Login using webcam + tickets
  – Mobile phone version
• Use Your Illusion
  – Recognize blurred images
  – Showed that blurred images more resilient to guesses

21. Logging in with WebTicket
[Figure: WebTicket login]