usable security and passwords, cylab corporate partners oct 2009

Posted on 27-Jan-2015


DESCRIPTION

A brief overview of some of my group's work on improving the security and usability of authentication.

TRANSCRIPT

Usable Security and Passwords

Jason Hong, Carnegie Mellon University

Passwords and Usable Security

• People have difficulties remembering passwords

  – NYTimes site: 100k readers forget password each week

    • 15% of “new” readers were old readers that had forgotten their passwords

  – Gartner reported one company had 30% of help desk calls related to passwords, ~$17 / call

Basic Coping Strategies

• Choose simple passwords

  – password, letmein, qwerty, but easy to guess

• Reuse passwords

  – But break one password, break them all

  – Phishers attacking Facebook, Twitter, other targets

• Write down passwords

  – Depending on threat model, might not be bad

WebTicket

• Observation #1

  – People who couldn’t remember their passwords, let alone what site to go to

• Observation #2

  – People already writing down passwords; can we help them do this more securely?

  – And have positive side effects:

    • Phish resistance

    • Stronger, unique passwords

    • Faster login times

WebTicket

• Idea: Print out passwords on “business card”

  – QR Code has encrypted URL, username, password

  – Strong password is generated for you

  – Only requires printer and web cam

  – Encrypted to work with your computers only
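As an added illustration of the ticket idea on this slide (not code from WebTicket or from Jason Hong’s group; the deck does not describe the real scheme or formats), the following Python sketch generates a strong random password, wraps URL, username and password in a ticket that is encrypted and authenticated under a key that exists only on the user’s own computer, and rejects a ticket made for a different key. The HMAC-based cipher, the JSON layout and the device-key handling are all assumptions, and the QR encoding step is left out.

```python
import base64, hmac, json, os, secrets, string
from hashlib import sha256
from typing import Optional

# Assumed "device key": a random secret that lives only on the user's own
# computer(s), so a ticket is unreadable on any machine that lacks it.
def new_device_key() -> bytes:
    return secrets.token_bytes(32)

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

def generate_password(length: int = 16) -> str:
    # Strong random password; the user never has to remember or type it.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib only; a real
    # deployment would use an AEAD such as AES-GCM from a crypto library).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), sha256).digest()
    return out[:n]

def _subkeys(device_key: bytes):
    # Separate encryption and MAC keys derived from the device key.
    return (hmac.new(device_key, b"enc", sha256).digest(),
            hmac.new(device_key, b"mac", sha256).digest())

def make_ticket(device_key: bytes, url: str, username: str, password: str) -> str:
    # Ticket = nonce || ciphertext || MAC (encrypt-then-MAC), base64 so it
    # can be printed as a QR code on the "business card".
    enc_key, mac_key = _subkeys(device_key)
    plain = json.dumps({"url": url, "user": username, "pass": password}).encode()
    nonce = os.urandom(16)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, sha256).digest()
    return base64.urlsafe_b64encode(nonce + cipher + tag).decode()

def read_ticket(device_key: bytes, ticket: str) -> Optional[dict]:
    # Returns the credentials, or None when the ticket was not made for this
    # device key (or was altered): the MAC check fails before any decryption.
    raw = base64.urlsafe_b64decode(ticket)
    nonce, cipher, tag = raw[:16], raw[16:-32], raw[-32:]
    enc_key, mac_key = _subkeys(device_key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + cipher, sha256).digest()):
        return None
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    return json.loads(plain)
```

Calling `make_ticket` with one device key and `read_ticket` with another returns None, which is the "works with your computers only" property; a webcam scan of the printed QR code would simply feed the base64 string into `read_ticket`.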

WebTicket Login Process


WebTicket Pros and Cons

• Advantages

  – Commodity devices (webcam, printer)

  – Don’t know own password, phish resistance

  – Compatible with today’s web sites

  – Stronger passwords

• Disadvantages

  – Scale, number of tickets

  – Attackers with cameras

  – Weaker than other 2FA

• Not claiming it solves all authentication problems, just that it’s better than many current practices today

Evaluation of WebTicket

• 20 people

  – Age 21-57 (mean=32), 11M and 9F

  – Paid $10 + $3 per successful login

• Method

  – Warmup task to understand WebTicket

  – Session 1: Go to site, create account, and login

    • Two different sites, password and WebTicket

    • Told that sites had credit card info, and login week later

  – Session 2: One week later, go back to site, login

    • Had 10 WebTickets in wallet / purse / bag

    • 2 minutes to login

Account Creation Time

• WebTicket is slower for creating new accounts

Logins

• Success rate in logging in

• Time to login

  – Note that people tended to go to website first to login for WebTicket

Perceptions

• Perceived ease of use and perceived time

– Higher numbers better for both

– WebTicket statistically significantly better in both cases

Ongoing Work

• Phone version of WebTicket to scale up passwords

Use Your Illusion Authentication

• Again, passwords hard to remember

• Image based authentication

  – Rely on human recognition over recall

  – However, may be easy for attackers to recognize

• Idea: blur images

  – People can recognize their tokens, but harder for attackers to guess

• Demonstrate the claims made above

Evaluation of Use Your Illusion

• Individualized educated guesses

  – Recognize a specific person’s image tokens

  – Analogy: if you know a person’s birthday or spouse, can guess possible text passwords

  – Ex. Pictures of their spouse, pet, house, or car

• Group educated guesses

  – Biases in general for specific kinds of image tokens

  – Analogy: people tend to choose words in dictionary for text passwords

  – Ex. Pictures of animals, buildings, etc.

Use Your Illusion (Undistorted)

Choose your three tokens (unordered)

Use Your Illusion (Distorted)

Choose your three tokens (unordered)

Individualized Educated Guesses

• Recruited pairs of friends

  – One of the pair tried to guess friend’s image tokens

  – Other of the pair tried to guess stranger’s image tokens

  – In both cases, guessed two sets, undistorted and distorted

  – Guess the 3 tokens out of 27

Results

• Original undistorted images were easy to guess

  – People tended to choose image tokens similar in some way, e.g. lighting, background, object, etc.

  – Despite being told about the study

• Distorted images more resilient

  – One person got very lucky

  – * means statistically significantly better than chance

Distortion Reduces Correct Guesses

Summary

• WebTicket

  – Helping people manage passwords

  – Login using webcam + tickets

  – Mobile phone version

• Use Your Illusion

  – Recognize blurred images

  – Showed that blurred images more resilient to guesses

Logging in with WebTicket
