Usable Security and Passwords
Jason Hong
Carnegie Mellon University
Passwords and Usable Security
• People have difficulties remembering passwords
– NYTimes site: 100k readers forget their password each week
• 15% of “new” readers were old readers that had forgotten their passwords
– Gartner reported one company had 30% of help desk calls related to passwords, ~$17 / call
Basic Coping Strategies
• Choose simple passwords
– password, letmein, qwerty, but easy to guess
• Reuse passwords
– But break one password, break them all
– Phishers attacking Facebook, Twitter, other targets
• Write down passwords
– Depending on threat model, might not be bad
WebTicket
• Observation #1
– People who couldn’t remember their passwords, let alone what site to go to
• Observation #2
– People already writing down passwords, can we help them do this more securely?
– And have positive side effects:
• Phish resistance
• Stronger, unique passwords
• Faster login times
WebTicket
• Idea: Print out passwords on “business card”
– QR Code has encrypted URL, username, password
– Strong password is generated for you
– Only requires printer and web cam
– Encrypted to work with your computers only
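The card described on this slide, worked through as an added Go example (not the WebTicket project's own code): a crypto/rand-generated password, the URL, username and password sealed with AES-GCM under a per-machine key so the card only decrypts on the owner's own computers, and the decode that the scanning side would run. The Ticket layout, the 16/24/32-byte machine key and the base64 text standing in for the QR payload are assumptions; QR rendering itself is out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
)

// Ticket is the plaintext a WebTicket's QR code would carry (assumed layout).
type Ticket struct{ URL, Username, Password string }

const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"

// GeneratePassword draws n characters uniformly from alphabet with crypto/rand,
// so each site gets a strong, unique secret the user never has to invent.
func GeneratePassword(n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// newGCM builds AES-GCM from the per-machine key (16, 24 or 32 bytes).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the ticket under the owner's machine key; the returned text is
// what would be rendered as the QR code on the printed card.
func Seal(t Ticket, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	plain, _ := json.Marshal(t) // only string fields, cannot fail
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Fresh nonce is prepended so Open can recover it from the scanned bytes.
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// Open decrypts a scanned ticket. A card sealed for another machine's key fails
// GCM authentication, which limits what a lost or photographed card is worth.
func Open(encoded string, key []byte) (Ticket, error) {
	var t Ticket
	gcm, err := newGCM(key)
	if err != nil {
		return t, err
	}
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(ct) < gcm.NonceSize() {
		return t, errors.New("malformed ticket")
	}
	plain, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return t, err
	}
	return t, json.Unmarshal(plain, &t)
}
```

Because the user never sees the generated password, there is nothing for them to type into a look-alike login page, which is the phish-resistance property the slides claim.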
WebTicket Login Process
[Figure: the three numbered steps of the WebTicket login process]
WebTicket Pros and Cons
• Advantages
– Commodity devices (webcam, printer)
– Don’t know own password, phish resistance
– Compatible with today’s web sites
– Stronger passwords
• Disadvantages
– Scale, number of tickets
– Attackers with cameras
– Weaker than other 2FA
• Not claiming this solves all authentication problems, just that it’s better than many current practices today
Evaluation of WebTicket
• 20 people
– age 21-57 (mean=32), 11 men and 9 women
– Paid $10 + $3 per successful login
• Method
– Warmup task to understand WebTicket
– Session 1: Go to site, create account, and log in
• Two different sites: one with a password, one with WebTicket
• Told that the sites held credit card info, and that they would log in a week later
– Session 2: One week later, go back to site, log in
• Had 10 WebTickets in wallet / purse / bag
• 2 minutes to log in
Account Creation Time
• WebTicket is slower for creating new accounts
Logins
• Success rate in logging in
• Time to login
– Note that people tended to go to the website first to log in for WebTicket
Perceptions
• Perceived ease of use and perceived time
– Higher numbers better for both
– WebTicket statistically significantly better in both cases
Ongoing Work
• Phone version of WebTicket to scale up passwords
Use Your Illusion Authentication
• Again, passwords hard to remember
• Image based authentication
– Rely on human recognition over recall
– However, may be easy for attackers to recognize
• Idea: blur images
– People can recognize their tokens, but harder for attackers to guess
• Demonstrate the claims made above
Evaluation of Use Your Illusion
• Individualized educated guesses
– Recognize a specific person’s image tokens
– Analogy: if you know a person’s birthday or spouse, can guess possible text passwords
– Ex. Pictures of their spouse, pet, house, or car
• Group educated guesses
– Biases in general for specific kinds of image tokens
– Analogy: people tend to choose words in the dictionary for text passwords
– Ex. Pictures of animals, buildings, etc
Use Your Illusion (Undistorted)
Choose your three tokens (unordered)
Use Your Illusion (Distorted)
Choose your three tokens (unordered)
Individualized Educated Guesses
• Recruited pairs of friends
– One of the pair tried to guess the friend’s image tokens
– The other of the pair tried to guess a stranger’s image tokens
– In both cases, guessed two sets, undistorted and distorted
– Guess the 3 tokens out of 27
Results
• Original undistorted images were easy to guess
– People tended to choose image tokens similar in some way, e.g. lighting, background, object, etc
– Despite being told about the study
• Distorted images more resilient
– One person got very lucky
– * means statistically significantly better than chance
Distortion Reduces Correct Guesses
Summary
• WebTicket
– Helping people manage passwords
– Login using webcam + tickets
– Mobile phone version
• Use Your Illusion
– Recognize blurred images
– Showed that blurred images are more resilient to guesses
Logging in with WebTicket
Usable Security and Passwords, Cylab Corporate Partners Oct 2009