Password Reminder Systems


Presentation Transcript


  1. Password Reminder Systems
     Group 8: Dave Rubens, Jermaine McDonald, Jon Axisa, Ryan Persaud

  2. The Cast
     • Ronald
       • Well-endowed (with money) good guy
       • Uses online banking
     • Jeremy
       • Less than well-endowed (ethically) bad guy
       • Works in Ronald’s office

  3. Introduction
     • Password Protected Services
       • Finances
       • Retail
       • Personal Communications (email, chat)
       • Entertainment

  4. Existing Work
     • Little research on password reminder schemes
     • Vulnerabilities arise from
       • Information requested (who knows it)
       • Method of delivery

  5. Things to come!
     • Evaluation of forgotten password schemes
       • A good forgotten password scheme
       • An insufficient forgotten password scheme
     • Challenge: Dave’s Bank Account
     • The ultimate forgotten password scheme:
       • Information Concealing Universal Protocol

  6. Evaluating Password Schemes
     • Split sites into categories
       • Financial
       • Consumer Retail
       • Personal Communication, etc.
     • Strength of security provided varies for each site category

  7. Prominent Security Measures
     • Server displays or e-mails password if user correctly answers information queries
     • User chooses new password after correctly answering information queries
     • User receives password after speaking with a customer service rep and verifying identity

  8. Requested Information
     • Low Security
       • Name, address, email, date of birth
     • Medium Security
       • Mother’s maiden name, recent purchases, SSN
     • High Security
       • PIN/account number, answer to private question

  9. Password Reminder Example 1
     • Amazon.com
       • Must identify easily discovered information
       • Must identify one of last 5 purchases
       • Create new password
     • Only a stalker could know so much about you
     • Quality scheme

  10. Password Reminder Example 2
     • AOL Instant Messenger
       • Requires screen name
       • Password e-mailed to owner
     • Is AOL worthy of more security?

  11. Bank Account Locking
     • Reasons for servers to lock account
       • Successive failed attempts to access account
       • Assumes malicious intent (fails safely)
     • Problems created by account lock
       • Unlocking process irritating to users
       • Malicious harassment by 3rd party
       • User must open new bank account

  12. Challenge: Dave’s Account
     • Break into Dave’s online account using
       • A voided check (supplied by Dave)
       • Our own Madskillz
     • The Challenge
       • Transfer all money to offshore account
       • Go to Tahiti and drink!

  13. Dave’s Account
     • What we have
       • Name and address
       • Account and routing number
     • What we don’t have
       • Date of birth
       • SSN
       • Mother’s maiden name

  14. End Result
     • We are sober and penniless.

  15. Got Privacy?
     Information Concealing Universal Protocol

  16. E-mail and Security
     • Make e-mail the strength of the protocol, not the weakness.
     • Use e-mail to confirm the user’s identity, but avoid e-mailing the password.

  17. Strengths of the Protocol
     • If a user forgets their password, they have to:
       • Provide personal information
       • Receive e-mail (must know e-mail password)
       • Reply to e-mail (an imposter cannot just snoop incoming e-mail packets)

  18. ICUP Protocol (sequence diagram; lanes labelled User, Server, F/T; message labels recovered from the figure)
     1. User requests new password
     2. Server requests information to verify identity
     3. User provides information
     4. Server sends key K1 to user through browser
     5. Server sends e-mail to the address in the profile, containing key K2
     6. User replies to e-mail
     7. User sends username, K1, K2 through browser
     8. User submits new password
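The ICUP exchange on slide 18, as an added example that is not part of the presentation: a Python model of the server side, showing why both keys plus the e-mail reply are needed before a new password is accepted. The class name, the 15-minute window, the exact-match check on profile answers, the in-memory outbox standing in for the mail system and the PBKDF2 password storage are assumptions; the slides specify none of them.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60  # assumed validity window for a reset, in seconds


class ICUPServer:
    """Server side of the slide-18 flow. users: username -> dict(email, profile, password)."""

    def __init__(self, users, now=time.time):
        self.users, self.now = users, now
        self.pending = {}   # username -> state of an in-progress reset
        self.outbox = []    # stand-in for the mail system; K2 only ever goes here, never to the browser

    def request_reset(self, username, answers):
        """Steps 1-4: user asks for a reset and answers the profile questions;
        server hands K1 back over the browser and mails K2 to the profile address."""
        user = self.users.get(username)
        if user is None or answers != user["profile"]:
            return None   # same answer for an unknown user and for wrong answers
        k1, k2 = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[username] = {"k1": k1, "k2": k2, "t": self.now(), "replied": False}
        self.outbox.append({"to": user["email"], "k2": k2})
        return k1

    def receive_email_reply(self, from_addr, k2):
        """Step 6: a reply carrying K2 must come from the profile address. Replying needs
        send access to the mailbox, which merely reading incoming mail does not give; a real
        server would also verify the reply (SPF/DKIM), since the From: header alone is forgeable."""
        for username, st in self.pending.items():
            if self.users[username]["email"] == from_addr and hmac.compare_digest(st["k2"], k2):
                st["replied"] = True
                return True
        return False

    def submit_new_password(self, username, k1, k2, new_password):
        """Steps 7-8: the browser that received K1 must present K1 and K2 together, after
        the reply has arrived and before the window closes; a reset is single use."""
        st = self.pending.get(username)
        if st is None or not st["replied"] or self.now() - st["t"] > RESET_TTL:
            return False
        if not (hmac.compare_digest(st["k1"], k1) and hmac.compare_digest(st["k2"], k2)):
            return False   # constant-time comparison of both keys
        del self.pending[username]
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.users[username]["password"] = (salt, digest)   # store a salted hash, never the plaintext
        return True
```

A browser-only party holds K1 but never sees K2, and a mailbox-only party holds K2 but never received K1, so neither can complete the reset alone.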

  19. In Conclusion
     • Your online passwords are not safe – we already know them
     • Current schemes vary in degree of security, oftentimes conflicting with psychological acceptability
     • In most cases, your passwords are only as safe as your email