2. Passwords and Usable Security
• People have difficulties remembering passwords
– NYTimes site 100k readers forget password each week
• 15% of “new” readers were old readers that had forgotten their passwords
– Gartner reported one company had 30% of help desk
calls related to passwords, ~$17 / call
3. Basic Coping Strategies
• Choose simple passwords
– password, letmein, qwerty, but easy to guess
• Reuse passwords
– But break one password, break them all
– Phishers attacking Facebook, Twitter, other targets
• Write down passwords
– Depending on threat model, might not be bad
4. WebTicket
• Observation #1
– People who couldn’t remember their passwords, let alone what site to go to
• Observation #2
– People already writing down passwords; can we help them do this more securely?
– And have positive side effects:
• Phish resistance
• Stronger, unique passwords
• Faster login times
5. WebTicket
• Idea: Print out passwords on “business card”
– QR Code has encrypted URL, username, password
– Strong password is generated for you
– Only requires printer and web cam
– Encrypted to work with your computers only
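The ticket layout described on this slide, as an added example that is not the WebTicket project’s own code: the URL, username and password record is sealed with AES-256-GCM under a key that exists only on the user’s computer, and the base64 output stands in for the QR payload. The field names, the JSON encoding, the fixed 32-byte key and the omitted QR rendering are assumptions; the generated strong password is assumed to be filled in (e.g. from crypto/rand) before sealing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Ticket is what the QR code carries (constructed layout, not the project's own).
type Ticket struct{ URL, Username, Password string }

// ComputerKey wraps the per-computer 32-byte secret as AES-256-GCM: a ticket
// sealed under one computer's key is useless on another.
func ComputerKey(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTicket encrypts the record and returns the base64 text rendered into the
// QR code; the random nonce is prepended so the scanner can recover it.
func SealTicket(k cipher.AEAD, t Ticket) (string, error) {
	plain, _ := json.Marshal(t) // a struct of plain strings cannot fail here
	nonce := make([]byte, k.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(k.Seal(nonce, nonce, plain, nil)), nil
}

// OpenTicket decodes a scanned payload. A ticket printed for another computer,
// or a tampered QR, fails the GCM tag check instead of yielding garbage.
func OpenTicket(k cipher.AEAD, qr string) (t Ticket, err error) {
	data, err := base64.StdEncoding.DecodeString(qr)
	ns := k.NonceSize()
	if err != nil || len(data) < ns {
		return t, errors.New("malformed ticket")
	}
	plain, err := k.Open(nil, data[:ns], data[ns:], nil)
	if err != nil {
		return t, err
	}
	return t, json.Unmarshal(plain, &t)
}
```

A phisher who photographs the card gets only ciphertext bound to the victim’s computer, which is the “encrypted to work with your computers only” property the slide names.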
7. WebTicket Pros and Cons
• Advantages
– Commodity devices (webcam, printer)
– Don’t know own password, phish resistance
– Compatible with today’s web sites
– Stronger passwords
• Disadvantages
– Scale, number of tickets
– Attackers with cameras
– Weaker than other 2FA
• Not claiming it solves all authentication problems, just that it’s better than many current practices today
8. Evaluation of WebTicket
• 20 people
– age 21-57 (mean=32), 11M and 9F
– Paid $10 + $3 per successful login
• Method
– Warmup task to understand WebTicket
– Session 1: Go to site, create account, and login
• Two different sites, password and WebTicket
• Told that sites had credit card info, and login week later
– Session 2: One week later, go back to site, login
• Had 10 WebTickets in wallet / purse / bag
• 2 minutes to login
10. Logins
• Success rate in logging in
• Time to login
– Note that people tended to go to the website first to login for WebTicket
11. Perceptions
• Perceived ease of use and perceived time
– Higher numbers better for both
– WebTicket statistically significantly better in both cases
13. Use Your Illusion Authentication
• Again, passwords hard to remember
• Image based authentication
– Rely on human recognition over recall
– However, may be easy for attackers to recognize
• Idea: blur images
– People can recognize their tokens, but harder for attackers to guess
• Demonstrate the claims made above
14. Evaluation of Use Your Illusion
• Individualized educated guesses
– Recognize a specific person’s image tokens
– Analogy: if you know a person’s birthday or spouse, can guess possible text passwords
– Ex. Pictures of their spouse, pet, house, or car
• Group educated guesses
– Biases in general for specific kinds of image tokens
– Analogy: people tend to choose words in dictionary for text passwords
– Ex. Pictures of animals, buildings, etc.
15. Use Your Illusion (Undistorted)
Choose your three tokens (unordered)
17. Individualized Educated Guesses
• Recruited pairs of friends
– One of the pair tried to guess friend’s image tokens
– Other of the pair tried to guess stranger’s image tokens
– In both cases, guessed two sets, undistorted and distorted
– Guess the 3 tokens out of 27
18. Results
• Original undistorted images were easy to guess
– People tended to choose image tokens similar in some way, e.g. lighting, background, object, etc.
– Despite being told about the study
• Distorted images more resilient
– One person got very lucky
– * means statistically significantly better than chance
20. Summary
• WebTicket
– Helping people manage passwords
– Login using webcam + tickets
– Mobile phone version
• Use Your Illusion
– Recognize blurred images
– Showed that blurred images more resilient to guesses