isys20261 lecture 14
Computer Security Management (ISYS20261)
Lecture 14 – More on Passwords
Module Leader: Dr Xiaoqi Ma
School of Science and Technology
Last week …
• Passwords
• PINs
• Challenge-response
Today
• Captchas
• Graphical passwords
• How to recover a forgotten password
Captchas (1)
• Completely Automated Public Turing test to tell Computers and Humans Apart (von Ahn, Blum, Hopper and Langford, 2000)
• Challenge-response test to ensure that the user is a human
– E.g. to prevent automated account harvesting
• A captcha is a computer-generated puzzle, i.e. a distorted image of a number/character sequence
• The user has to type in the number/character sequence
• Most humans can read the image, but current software can't
• Examples: (captcha images not reproduced in the transcript)
Captchas (2)
• Sequence (diagram labels recovered from the slide):
– User → System: request
– System → User: captcha image showing "squestra"
– User → System: "squestra"
– System → User: authenticated
• Problems:
– Blind or visually impaired users?
– Mobile devices with limited hardware capabilities?
How to crack Captchas
• Human operators ("sweatshop")
• Forward the captcha from the original site onto the attacker's web site and let its users unwittingly solve the puzzle, in real time
• Sequence (diagram labels recovered from the slide):
– User → Attacker's web site: request to logon to the attacker's 'free' site
– Attacker's web site → System: request to logon to the 'protected' site
– System → Attacker's web site → User: captcha "squestra"
– User → Attacker's web site → System: "squestra"
– System → Attacker's web site: authenticated
– Attacker's web site → User: authenticated
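The sequence on the "Captchas (2)" slide, and the checks a server should apply before trusting a typed answer, as an added example (not code from the lecture). The service below is a constructed model: it issues a puzzle bound to one session, accepts each answer once, and rejects answers older than a TTL. The puzzle text is returned as a string only so the flow can be driven end to end; a real deployment would render it as a distorted image.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Added example, not part of the lecture slides. Models the captcha
# sequence as a small server-side service: issue a puzzle, accept the
# user's text once, check it within a time limit.

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # avoids look-alikes such as 0/O and 1/l


@dataclass
class Challenge:
    answer: str
    session_id: str
    issued_at: float


@dataclass
class CaptchaService:
    ttl_seconds: float = 120.0
    now: Callable[[], float] = time.time          # injectable clock, so the example can test expiry
    _pending: dict = field(default_factory=dict)  # challenge_id -> Challenge

    def issue(self, session_id: str, length: int = 8) -> tuple[str, str]:
        """Create a puzzle bound to one session; returns (challenge_id, answer)."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = Challenge(answer, session_id, self.now())
        return challenge_id, answer

    def verify(self, challenge_id: str, session_id: str, response: str) -> bool:
        """Accept a response once, only from the session it was issued to,
        and only within the TTL. Any attempt consumes the challenge."""
        ch = self._pending.pop(challenge_id, None)
        if ch is None:
            return False                      # unknown, or already consumed
        if ch.session_id != session_id:
            return False                      # submitted from a different session
        if self.now() - ch.issued_at > self.ttl_seconds:
            return False                      # stale: bounds how long a solved puzzle stays usable
        return hmac.compare_digest(ch.answer.encode(), response.strip().lower().encode())


def run_sequence() -> dict:
    """Walk the slide's sequence, then the cases a verifier must reject."""
    clock = [1_000.0]
    svc = CaptchaService(ttl_seconds=120.0, now=lambda: clock[0])

    cid, answer = svc.issue("session-A")                        # request -> puzzle
    out = {"correct": svc.verify(cid, "session-A", answer)}     # "squestra" -> authenticated
    out["replay"] = svc.verify(cid, "session-A", answer)        # same answer again: rejected

    cid, answer = svc.issue("session-A")
    out["wrong_session"] = svc.verify(cid, "session-B", answer)

    cid, answer = svc.issue("session-A")
    clock[0] += 300                                             # past the 120 s TTL
    out["expired"] = svc.verify(cid, "session-A", answer)

    cid, answer = svc.issue("session-A")
    out["wrong_answer"] = svc.verify(cid, "session-A", "nope")
    return out


if __name__ == "__main__":
    print(run_sequence())
```

Single use, session binding and a short TTL stop a solved puzzle from being replayed or kept for later. They do not on their own defeat the real-time relay on the next slide, because there the attacker's own session is the one that requested the puzzle and the human solves it inside the TTL; that is exactly why the slide singles that attack out, and why captcha deployments pair it with rate limiting and other signals rather than relying on the puzzle alone.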
Graphical authentication
• Human memory for images is better than for words
• New approach: graphical (image based) authentication
• Graphical passwords
– Recognition based
– User has to select a picture among a set of distractors
– Example: PassFaces
• Position-based passwords
– Click on the right region of an image (challenge)
– Choose the correct pattern
– Example: GrIDsure
Password recovery
• Passwords are often forgotten
– Infrequent use
– Forced change (due to password policy)
– etc.
• Password (credential) needs to be recovered
• Easy option: send me a new (or my old) password via email
• Not really secure!
• Need for authentication
• Better option: challenge-response based recovery
Credential recovery
• User-triggered process to reset forgotten passwords
• Uses knowledge-based authentication
• Two varieties
– Answering enrolled challenges
– Recovery without enrolment
Recovery with enrolment
• Users enrol a set of challenges and responses
• On reset they have to prove their identity by answering the challenges
• Issues
– Which challenge-responses should be used?
– Who chooses them?
Recovery without enrolment
• Probing knowledge shared between system and user:
– Probing recent interactions with the system, e.g. "what was your last transaction?"
– Personal history, e.g. calendar entries
– Recognition of items the user should be familiar with, e.g. their own photo from a set of mixed ones
Security aspects of challenge-response pairs
• Guessing difficulty
– Low expectation of a successful guess within a small number of attempts
– Answers should come from a uniform distribution – is this realistic?
• Observation difficulty
– It should be difficult for an attacker to retrieve or observe the answer
– Answers should not be available from public sources, e.g. social networking websites
– Observation difficulty will differ between individuals, e.g. family, friends, colleagues or strangers
• Capture difficulty
– Covert recording of answers
– How many recovery attempts does an attacker have to observe in order to launch a successful attack?
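The "guessing difficulty" bullet can be put into numbers. The added example below (not from the lecture) takes a distribution of answers to one recovery question and computes how often an attacker who tries the most common answers first succeeds within k attempts, alongside the expected number of guesses and the Shannon entropy. The answer counts are constructed samples, not survey data; the policy thresholds (3 attempts, 5% success) are illustrative assumptions.

```python
from math import log2

# Added example, not from the slides. Quantifies the guessing-difficulty
# bullet: how likely is an optimal guesser to succeed within k attempts,
# given how users' answers to a question are distributed?


def success_within_k(answer_counts: dict[str, int], k: int) -> float:
    """Fraction of users whose answer is among the k most common ones,
    i.e. an optimal attacker's success probability within k guesses."""
    total = sum(answer_counts.values())
    top_k = sorted(answer_counts.values(), reverse=True)[:k]
    return sum(top_k) / total


def guessing_entropy(answer_counts: dict[str, int]) -> float:
    """Expected number of guesses when answers are tried most-common first."""
    total = sum(answer_counts.values())
    ranked = sorted(answer_counts.values(), reverse=True)
    return sum(rank * count / total for rank, count in enumerate(ranked, start=1))


def shannon_entropy_bits(answer_counts: dict[str, int]) -> float:
    """Shannon entropy of the answer distribution; equals log2(n) only when uniform."""
    total = sum(answer_counts.values())
    return -sum(c / total * log2(c / total) for c in answer_counts.values())


def meets_policy(answer_counts: dict[str, int], max_attempts: int = 3,
                 max_success: float = 0.05) -> bool:
    """Policy check (assumed thresholds): with a lockout after max_attempts,
    an optimal guesser should have at most max_success chance of success."""
    return success_within_k(answer_counts, max_attempts) <= max_success


# Constructed: 1000 users answering "What is your favourite colour?"
FAVOURITE_COLOUR = {"blue": 380, "red": 190, "green": 150, "purple": 90, "black": 70,
                    "yellow": 40, "pink": 30, "orange": 20, "white": 15, "brown": 15}
# Constructed: the same 1000 users spread evenly over 10 answers ...
UNIFORM_10 = {f"answer{i}": 100 for i in range(10)}
# ... and over 1000 distinct answers (a genuinely personal, specific fact)
UNIFORM_1000 = {f"answer{i}": 1 for i in range(1000)}


if __name__ == "__main__":
    for name, dist in [("favourite colour", FAVOURITE_COLOUR),
                       ("uniform over 10", UNIFORM_10),
                       ("uniform over 1000", UNIFORM_1000)]:
        print(f"{name}: P(success in 3) = {success_within_k(dist, 3):.3f}, "
              f"expected guesses = {guessing_entropy(dist):.2f}, "
              f"entropy = {shannon_entropy_bits(dist):.2f} bits, "
              f"policy ok = {meets_policy(dist)}")
```

The comparison answers the slide's "is this realistic?" question from both directions: the skewed favourite-colour distribution gives a 72% chance of success in three guesses, and even a perfectly uniform spread over ten answers still gives 30%. A recovery question needs answers that are both evenly distributed and drawn from a large space, which is why administrator-chosen questions with small answer sets fail on guessing difficulty regardless of how memorable they are.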
Questions
• Fixed – administrator-chosen; prevents the choice of poor questions
• Open – user-chosen, personally memorable content
• Controlled – fixed set of questions, but the user can select and modify them
– Often combined with hints
Answers
• Fixed – user chooses one answer from a set
– Common answers need to be barred!
• Open – free-form text
• Controlled – user-modified answer
– Format of the answer is controlled
Challenge-response pairs
• Combinations (question type – answer type):
– Fixed-controlled
– Fixed-open
– Controlled-fixed
Comments
• Credential recovery systems need to be carefully planned and designed
• Infrequent usage – mechanism should be forgiving
– Users may remember cues but not details (e.g. the word but not upper/lower case)
• Consider cost of setting up and maintaining system
• Currently text-based, but could involve photos or music
• Can be combined with other techniques, e.g. captchas
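Two points from the "Answers" and "Comments" slides, barring common answers at enrolment and being forgiving about details such as case at verification, as an added example (not code from the lecture). The block normalises an answer to a canonical form (accents dropped, case-folded, only letters and digits kept), rejects answers that are too short or on a common-answer list, and stores a salted PBKDF2 hash so a stolen recovery table does not reveal the answers. The common-answer list, the minimum length and the iteration count are constructed choices, not values from the slides.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

# Added example, not from the slides. Enrolment bars weak answers; verification
# compares a normalised attempt against a salted, slow hash so that "Sao Paulo",
# "SAO PAULO!" and "São Paulo" all match the same enrolled answer.

COMMON_ANSWERS = {"password", "blue", "red", "london", "fluffy", "123456"}  # constructed sample list
MIN_ANSWER_CHARS = 3          # assumed policy value
PBKDF2_ITERATIONS = 200_000   # assumed work factor


def normalise(answer: str) -> str:
    """Canonical form used for both enrolment and verification:
    compatibility-decompose, drop accents, case-fold, keep only letters and digits."""
    decomposed = unicodedata.normalize("NFKD", answer)
    without_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c for c in without_accents.casefold() if c.isalnum())


def weak_answer_reason(answer: str) -> Optional[str]:
    """None if the answer is acceptable, otherwise why it is barred."""
    canon = normalise(answer)
    if len(canon) < MIN_ANSWER_CHARS:
        return "too short"
    if canon in COMMON_ANSWERS:
        return "too common"
    return None


def _digest(salt: bytes, canon: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", canon.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enrol(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) of the normalised answer for storage; reject weak answers."""
    reason = weak_answer_reason(answer)
    if reason is not None:
        raise ValueError(f"answer rejected: {reason}")
    salt = secrets.token_bytes(16)
    return salt, _digest(salt, normalise(answer))


def verify(stored: tuple[bytes, bytes], attempt: str) -> bool:
    """Constant-time comparison of the normalised attempt against the stored hash."""
    salt, expected = stored
    return hmac.compare_digest(expected, _digest(salt, normalise(attempt)))


if __name__ == "__main__":
    record = enrol("São Paulo")
    for attempt in ["sao paulo", "SAO  PAULO!", "Rio"]:
        print(f"{attempt!r}: {verify(record, attempt)}")
    print("BLUE ->", weak_answer_reason("BLUE"))
```

Normalising before hashing gives the forgiveness the slide asks for at the cost of a little guessing space (case and punctuation no longer distinguish answers), so the guessing-difficulty analysis should be done on the normalised form, and the recovery endpoint still needs an attempt limit. Keeping the check in one `normalise` function, applied identically at enrolment and verification, is what makes the comparison both forgiving and consistent.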