Special Topics in Applied Security

IT’S NO SECRET
Measuring the security and reliability of authentication via secret questions

{Stuart Schechter, A.J. Bernheim Brush} @ Microsoft Research
Serge Egelman @ Carnegie Mellon University

2009 30th IEEE Symposium on Security and Privacy

Research Presentation
Nuno Loureiro
2009/11/26

1
Thursday, November 26, 2009

SUBJECT OF STUDY

    • AOL, Gmail, Hotmail and Yahoo! webmails...
    • rely on personal questions to reset account passwords
    • But is it safe?

SUMMARY

    • Why use secret questions?
    • Motivation
    • Study
    • Memorability
    • Statistical Guessing
    • Guessing by Acquaintance
    • Security of User-written Questions
    • Improving Questions
    • Alternatives

WHY USE SECRET QUESTIONS?

    • Most sites depend on email as a backup authenticator to reset passwords
    • Webmail services cannot assume their users have an alternative email address
      to use as a backup authenticator

MOTIVATION

    • Sarah Palin’s Yahoo! Mail account was hacked in Sep 2008 via her secret question
    • First secret question was... “what is your birthdate?”
    • Second question was... “where did you meet your spouse?”

MOTIVATION

    • Prior studies concluded:
        • 33-39% of their answers guessed by spouses, family and close friends
        • Participants forgot 20-22% of their own answers within 3 months

STUDY

    • Top four webmail providers: AOL, Google, Microsoft, Yahoo
    • Examined real-world questions in use in Mar 2008
    • Invited participants in pairs
    • Asked them personal questions and to guess their partners’ answers
    • Measured guessing by untrusted acquaintances
    • Statistical guessing attacks

POOL

    • 4 cohorts - 130 participants
    • First 3 cohorts (116 participants) were active Hotmail users
      (3+ logins per week, accounts 3+ months old)
    • Each participant invited a coworker, friend, or family member

MEMORABILITY: REMEMBER ANSWER TO OWN QUESTION?

    First challenge was:

    • Ask Hotmail users (3 cohorts) to reset their password using their personal question
    • 57% could not reset their password!

MEMORABILITY: REMEMBER ANSWER AFTER 6 MONTHS?

    Answer within 5 guesses

STATISTICAL GUESSING

    An answer counts as statistically guessed if it is among the 5 most popular
    answers given by the other participants (note that all participants were
    from the same metropolitan area)

GUESSING BY ACQUAINTANCE

    Answer within 5 guesses

GUESSING BY ACQUAINTANCE

    Curiosities:
      • 50% of spouses failed to guess: “Where did you meet your spouse?”
      • 28% of spouses failed to guess: “Where were you born?”
      • 50% of fiancés failed to guess: “Where were you born?”

SECURITY OF USER-WRITTEN QUESTIONS

    • 24% vulnerable to attacks that require no personal knowledge
    • 23% vulnerable to family members

IMPROVING QUESTIONS

    • Limit the user to a fixed budget of responses, with each response
      penalized in proportion to its popularity. A response identical to a
      previous one (e.g. ‘Brooklyn’ and ‘Brooklyn, NY’) should not be
      penalized again
    • Eliminate questions whose answers are statistically guessable more than
      10% of the time
    • After login, occasionally ask the user to answer their personal question

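As an added example (not code from the slides or from the paper), the Python block below makes the "Statistical Guessing" and "Improving Questions" rules concrete: it measures the 5-guess statistical guessing rate over a constructed population of answers, flags a question that exceeds the 10% threshold, and enforces a guess budget in which each distinct response costs its popularity while a response identical to a previous one (‘Brooklyn’ vs ‘Brooklyn, NY’) costs nothing. The sample answers, the normalization rule and the cost assigned to a never-seen answer are assumptions made for the example.

```python
"""Popularity-based guessability checks for secret-question answers.

Constructed example (not the study's data): a small population's answers to
"Where were you born?" is used to (1) measure the k-guess statistical
guessing rate, (2) flag questions above the 10% threshold, and (3) enforce a
guess budget in which each distinct answer costs its population share.
"""
from collections import Counter
import re
import string

# Constructed sample population (illustrative only).
SAMPLE_ANSWERS = [
    "Brooklyn", "Brooklyn, NY", "brooklyn", "Seattle", "Seattle, WA",
    "Bellevue", "Redmond", "Tacoma", "Spokane", "Olympia",
    "Portland", "Boise", "Denver", "Austin", "Chicago",
    "Boston", "Miami", "Dallas", "Phoenix", "Atlanta",
]


def normalize(answer: str) -> str:
    """Canonical form so that 'Brooklyn' and 'Brooklyn, NY' count as one answer
    (assumed rule: lowercase, drop a ', NY'-style qualifier, strip punctuation)."""
    a = answer.strip().lower().split(",")[0]
    a = a.translate(str.maketrans("", "", string.punctuation))
    return re.sub(r"\s+", " ", a).strip()


def popularity(answers) -> dict:
    """Share of the population that gave each normalized answer."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return {a: n / total for a, n in counts.items()}


def top_k_coverage(answers, k: int = 5) -> float:
    """Success rate of a statistical guesser with k tries: the share of the
    population whose answer is among the k most popular answers."""
    shares = sorted(popularity(answers).values(), reverse=True)
    return sum(shares[:k])


def is_statistically_guessable(answers, k: int = 5, threshold: float = 0.10) -> bool:
    """Slide rule: eliminate questions guessable more than 10% of the time."""
    return top_k_coverage(answers, k) > threshold


class PopularityBudget:
    """Guess limiter: instead of a fixed number of attempts, each distinct guess
    costs its population share, so the total share of accounts an attacker can
    reach is bounded by `budget` no matter how many rare guesses are made.
    A guess identical (after normalization) to an earlier one is free."""

    def __init__(self, answers, budget: float = 0.10, rare_cost: float = 0.01):
        self.pop = popularity(answers)
        self.budget = budget
        self.rare_cost = rare_cost     # assumed cost of an answer nobody gave
        self.spent = 0.0
        self.seen = set()

    def allow(self, guess: str) -> bool:
        """Return True if this guess may be checked against the stored answer."""
        key = normalize(guess)
        if key in self.seen:
            return True                 # same answer as before: no extra penalty
        cost = self.pop.get(key, self.rare_cost)
        if self.spent + cost > self.budget + 1e-9:
            return False                # budget exhausted: lock out further guesses
        self.seen.add(key)
        self.spent += cost
        return True


if __name__ == "__main__":
    print(f"top-5 coverage: {top_k_coverage(SAMPLE_ANSWERS):.2f}")
    print("guessable >10%:", is_statistically_guessable(SAMPLE_ANSWERS))
    b = PopularityBudget(SAMPLE_ANSWERS, budget=0.25)
    for g in ["Seattle, WA", "seattle", "Brooklyn", "Tacoma", "Brooklyn, NY"]:
        print(f"{g!r:16} allowed={b.allow(g)} spent={b.spent:.2f}")
```

With the constructed population the top-5 coverage is 0.40, so the question would be eliminated under the 10% rule; the budget walk-through shows a repeated ‘Brooklyn’ staying free after the budget is spent.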
ALTERNATIVES

    • Send token to alternate email address
    • SMS token to mobile phone
    • Personal question only if user does not provide any of the above

YAHOO!


GMAIL


SAPO

THANK YOU!

QUESTIONS?