Theory Lunch: Usable and Secure Password Management
Jeremiah Blocki, Spring 2012
Password Management Competing Goals:
A Challenging Problem
Traditional Security Advice:
• Use numbers and letters
• Use special symbols
• Don’t reuse passwords
• Don’t use words/names
• Not too short
• Don’t write it down
• Use a mix of lower/upper case letters
• Change your passwords every 90 days
Reevaluate Traditional Advice? XKCD Source: http://www.xkcd.com/936/ [Munroe]
Experiment #0
• Memorize a random 10-character password (case sensitive!): L[IbCGa_ND
Experiment #1 Chaplin, Newspapers (plural) Cedric, Scanner
Experiment #2 Boats, Brie March (“Marching” – “ing”) Swim (not Michael Phelps)
Outline
• Introduction and Experiments
• Memory and Usability
• Four Big Factors
• Analyzing Security
• Our Password Management Scheme
Factor 1: Chunking
• Memorize: nbccbsabc
• Memorize: tkqizrlwp
• 3 chunks vs. 9 chunks!
• Usability goal: minimize the number of chunks in a password
Source: The magical number seven, plus or minus two [Miller, 1956]
Chunking Source: http://www.xkcd.com/936/ [Munroe]
Factor 2: Cue Strength
• Cue: the context present when a memory is stored
• Surrounding environment
• Sounds
• Visual surroundings
• Web site
• …
• As time passes we forget some of this context…
Mathematical Model (Cues): i ∈ {music, desk, password, amazon, …}
Mathematical Model (Associative Memory)
• Add: add the cue-association pair to memory (M)
• Find: find the memory associated with the given cue in M
Retrieval from Partial Cue (figure: Original Cue vs. Retrieval Cue; Cue Strength)
Retrieval from Partial Cue (plot: Probability of Recall against Partial Cue Fraction) Source: Simple memory: a theory for archicortex [Marr]
Factor 3: Interference
The same cue “jblocki” stored with several different passwords:
• jblocki, l3tm3in
• jblocki, unbr3akabl3
• jblocki, Tr0ub4dor&3
• …
• jblocki, horsebatterystaplecorrect
Interference (Example)
• It is impossible to identify which memory is associated with the cue!
• If the contexts are only “slightly different” there will still be significant interference!
Factor 4: Rehearsal
• Rehearsal strengthens associations
• A password may be linked to different contexts (cues)
• Goal: minimize the number of rehearsals necessary to remember passwords
Rehearsal • It helps if part of the context is consistent across all rehearsals/retrieval
Usability Desiderata
• Minimize #chunks per password
• Ensure that a large part of the original cue is always available at retrieval time
• Minimize interference
• Minimize the required number of rehearsals
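The associative-memory model and the four factors above can be made concrete in a few lines. The following is an added example, not code from the talk: a toy memory whose Find operation scores every stored cue by the fraction of it still present at retrieval time, reports nothing when that fraction is too small (the forgotten context of Factor 2), reports nothing when two equally strong memories disagree (the interference of Factor 3), and lets rehearsal (Factor 4) break such a tie. The cue words, passwords and the 0.5 recall threshold are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Association:
    cue: FrozenSet[str]   # context present when the memory was stored
    value: str            # the password stored under that context
    strength: int = 1     # grows with every rehearsal


@dataclass
class AssociativeMemory:
    """Toy associative memory (constructed model, not the talk's code).
    add() stores a (cue, value) pair; find() scores each stored cue by the
    fraction of it present in the partial cue offered at retrieval time."""
    entries: List[Association] = field(default_factory=list)

    def add(self, cue: FrozenSet[str], value: str) -> None:
        """Store the pair; storing the same pair again counts as a rehearsal."""
        for a in self.entries:
            if a.cue == cue and a.value == value:
                a.strength += 1
                return
        self.entries.append(Association(cue, value))

    def find(self, partial: FrozenSet[str], threshold: float = 0.5) -> Optional[str]:
        """Return the value whose cue best matches the partial cue, or None
        when too little context survives or several different values tie
        (interference). The threshold is an assumed model parameter."""
        if not self.entries:
            return None
        scored = [(len(a.cue & partial) / len(a.cue), a) for a in self.entries]
        best_score = max(s for s, _ in scored)
        if best_score < threshold:
            return None                          # context has faded too far
        candidates = [a for s, a in scored if s == best_score]
        top = max(a.strength for a in candidates)
        strongest = [a for a in candidates if a.strength == top]
        values = {a.value for a in strongest}
        if len(values) > 1:
            return None                          # interference: ambiguous cue
        return values.pop()


def demo() -> dict:
    """Walk through the factors with constructed cues and passwords."""
    mem = AssociativeMemory()
    amazon = frozenset({"jblocki", "amazon", "desk", "music"})
    paypal = frozenset({"jblocki", "paypal", "desk", "coffee"})
    mem.add(amazon, "l3tm3in")
    mem.add(paypal, "unbr3akabl3")
    out = {}
    # Strong cue: 3 of 4 context items survive, recall succeeds.
    out["strong_cue"] = mem.find(frozenset({"jblocki", "amazon", "desk"}))
    # Weak cue: only 1 of 4 items survives, the password is forgotten.
    out["weak_cue"] = mem.find(frozenset({"amazon"}))
    # Only the shared context remains: both memories match equally, interference.
    out["interference"] = mem.find(frozenset({"jblocki", "desk"}))
    # Two rehearsals of the amazon password let it dominate the shared cue.
    mem.add(amazon, "l3tm3in")
    mem.add(amazon, "l3tm3in")
    out["after_rehearsal"] = mem.find(frozenset({"jblocki", "desk"}))
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the rehearsal tie-break only helps the password that was rehearsed; the other one becomes harder to recall from the shared context, which is exactly why the desiderata ask both for a large surviving cue and for little interference.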
How Do People Pick Passwords? Source: Science of Password Selection (Hunt, 2011)
Password Management Competing Goals:
Competing Goals
• Usability – “easy” for the user to create and remember his passwords
• Security – “hard” for the adversary to learn passwords
• After many guesses
• Even after seeing other passwords
Outline
• Introduction and Experiments
• Memory and Usability
• Analyzing Security
• Our Password Management Scheme
Security (what could go wrong?)
• Three types of attacks
Online Attack (figure: guessing “1234”)
• Limit guesses: three-strike policy
Offline Dictionary Attack (figure: the password “UnBr3akabl3” and its stored hash MD5(“UnBr3akabl3”); the adversary tests guesses against the hash) Source: CERT Incident Note IN-98.03: Password Cracking Activity
Malicious Sites/Phishing (figure: the user enters pwd at the look-alike site PayPaul.com) Source: CERT Incident Note IN-98.03: Password Cracking Activity
Measuring Security
• Past measurements and their weaknesses
• Password strength meters
• Entropy
• Min-entropy
• Our definition of security
Password Strength Meters (example input: “mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm”)
• Impossible to know what background knowledge the adversary will have!
• Our approach: measure the security of the password generator instead
Source: https://www.microsoft.com/security/pc-security/password-checker.aspx
Entropy
• Average # bits to encode password x
• Intuition: 30 bits of entropy => average # guesses ~ 2^30
Source: The mathematical theory of communication (Shannon, 1948)
Entropy • Example:
Entropy (Weaknesses)
• Both password generators have the same entropy!
• One guess breaks scheme one (G1) half of the time!
Entropy (Weaknesses) (figure: G1 output “mmmm mmmm mmmm”)
• G1 has high entropy, but is insecure!
Entropy (Weaknesses)
• High entropy does not guarantee safety!
Min-Entropy
• # bits to encode the most likely password x (versus entropy: average # bits to encode password x)
Min-Entropy (Strengths) (figure: the password “horsebatterystaplecorrect” and its stored hash MD5(pwd))
Min-Entropy (Strengths)
• High minimum entropy
Min-Entropy (Weaknesses)
• H_min(G1) = 2n = H_min(G2)
• Min-entropy ignores correlations between passwords
Min-Entropy (Weaknesses) (figure: the same password x reused across sites, including the phishing site PayPaul.com)
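The two weaknesses above are easy to reproduce numerically. The following is an added example, not from the talk: it builds two constructed generators, G1 (a fixed password half of the time, otherwise one of 2^(2n) passwords uniformly) and G2 (uniform over 2^(n+1) passwords), which have the same Shannon entropy n+1 although one guess breaks G1 half of the time; and it builds two constructed two-site schemes with the same per-site min-entropy, one reusing a single n-bit password and one choosing two independent ones, to show that the conditional min-entropy of the second password given the first drops to zero under reuse. The definitions used (Shannon entropy, min-entropy, and a worst-case conditional min-entropy over the known password) are the standard ones; the generators and n are this example's assumptions.

```python
import math
from typing import Dict, Hashable

Dist = Dict[Hashable, float]   # password -> probability


def shannon_entropy(dist: Dist) -> float:
    """Average number of bits needed to encode a sample from dist."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy(dist: Dist) -> float:
    """Bits needed to encode the single most likely sample."""
    return -math.log2(max(dist.values()))


def success_probability(dist: Dist, guesses: int) -> float:
    """Probability that an optimal guesser (most likely first) succeeds
    within the given number of guesses."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:guesses])


def expected_guesses(dist: Dist) -> float:
    """Average number of guesses an optimal guesser needs."""
    probs = sorted(dist.values(), reverse=True)
    return sum(i * p for i, p in enumerate(probs, start=1))


def generator_g1(n: int) -> Dist:
    """Constructed G1: with probability 1/2 emit the fixed password 'x0',
    otherwise one of 2^(2n) other passwords uniformly (entropy n+1)."""
    dist: Dist = {"x0": 0.5}
    others = 2 ** (2 * n)
    for i in range(others):
        dist[f"g1_{i}"] = 0.5 / others
    return dist


def generator_g2(n: int) -> Dist:
    """Constructed G2: uniform over 2^(n+1) passwords (entropy n+1 too)."""
    size = 2 ** (n + 1)
    return {f"g2_{i}": 1 / size for i in range(size)}


def joint_two_sites(n: int, reuse: bool) -> Dist:
    """Joint distribution of (password at site 1, password at site 2) for a
    scheme that reuses one n-bit password (reuse=True) or picks two
    independent n-bit passwords (reuse=False). Constructed schemes."""
    space = [format(i, f"0{n}b") for i in range(2 ** n)]
    if reuse:
        return {(x, x): 1 / 2 ** n for x in space}
    return {(x, y): 1 / 4 ** n for x in space for y in space}


def marginal(joint: Dist, index: int) -> Dist:
    """Distribution of one site's password on its own."""
    out: Dist = {}
    for pair, p in joint.items():
        out[pair[index]] = out.get(pair[index], 0.0) + p
    return out


def conditional_min_entropy(joint: Dist) -> float:
    """Bits needed to guess site 2's password once site 1's is known,
    worst case over what site 1 revealed: -log2 max Pr[pwd2 | pwd1]."""
    m1 = marginal(joint, 0)
    best = max(p / m1[pair[0]] for pair, p in joint.items())
    return -math.log2(best)


def report(n: int = 3) -> Dict[str, float]:
    """Collect every number the slides argue about for one small n."""
    g1, g2 = generator_g1(n), generator_g2(n)
    reuse, indep = joint_two_sites(n, True), joint_two_sites(n, False)
    return {
        "H(G1)": shannon_entropy(g1), "H(G2)": shannon_entropy(g2),
        "Hmin(G1)": min_entropy(g1), "Hmin(G2)": min_entropy(g2),
        "P[G1 broken in 1 guess]": success_probability(g1, 1),
        "P[G2 broken in 1 guess]": success_probability(g2, 1),
        "E[guesses G1]": expected_guesses(g1), "E[guesses G2]": expected_guesses(g2),
        "Hmin(site2) reuse": min_entropy(marginal(reuse, 1)),
        "Hmin(site2) independent": min_entropy(marginal(indep, 1)),
        "Hmin(site2 | site1) reuse": conditional_min_entropy(reuse),
        "Hmin(site2 | site1) independent": conditional_min_entropy(indep),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:32s} {value:.4f}")
```

For n = 3 the report shows H(G1) = H(G2) = 4 bits while a single guess succeeds against G1 with probability 1/2 and against G2 with probability 1/16; G1 even needs more guesses on average (17.25 versus 8.5), which is why "entropy measures average guesses" says nothing about the chance of being broken quickly. The two-site part shows both schemes with 3 bits of min-entropy per site, but 0 bits left for the second site under reuse once the first is phished.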
Our Security Approach
• Dangerous world assumption
• Not enough to defend against existing adversaries
• The adversary can adapt after learning the user’s new password management strategy
• Provide guarantees even when things go wrong
• Offline attacks should fail with high probability
• Limit the damage of a successful phishing attack
The Adversary’s Game
• The adversary can compromise at most k sites (phishing)
• The adversary can execute offline attacks against at most t additional sites
• Resource constraints => at most M guesses
• The adversary wins if he can compromise any new sites
(figure: a phished pwd and a leaked MD5(pwd))
(k,t,M,)-Security
We say that a password management scheme is (k,t,M,)-secure if for any adversary Adv, with
• k = # phishing attacks
• t = # offline attacks
• M = # guesses
Example: (1,1,M,)-Security
• k = 1: one phished site (PayPaul.com)
• t = 1: one offline attack with M guesses
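The game can be played out in code. The following is an added example, not the talk's own construction: a small simulator for the (k, t, M) adversary's game with three constructed password management schemes (one reused password, a base password with a per-site suffix, and independent random passwords) and an adaptive adversary who knows which scheme the user follows. The site list, the dictionary, the passwords, the guess budget and the use of an unsalted SHA-256 in place of the slides' MD5 as the leaked hash are all this example's assumptions.

```python
import hashlib
import secrets
from typing import Callable, Dict, List, Set

# Constructed site list; the adversary phishes the first k sites and mounts
# offline attacks against the next t.
SITES = ["amazon", "paypal", "gmail", "bank", "work"]

# Constructed tiny dictionary of popular passwords.
COMMON_PASSWORDS = ["123456", "password", "l3tm3in", "qwerty"]

Scheme = Callable[[], Dict[str, str]]                       # site -> password
Strategy = Callable[[Dict[str, str], List[str], int], Dict[str, List[str]]]


def scheme_reuse() -> Dict[str, str]:
    """One memorised password used everywhere (constructed)."""
    return {site: "Tr0ub4dor&3" for site in SITES}


def scheme_site_suffix() -> Dict[str, str]:
    """'Slightly different' passwords: base password + first two site letters."""
    return {site: "Tr0ub4dor&3" + site[:2] for site in SITES}


def scheme_independent() -> Dict[str, str]:
    """Independent 128-bit random passwords per site."""
    return {site: secrets.token_hex(16) for site in SITES}


def pwd_hash(pwd: str) -> str:
    # Stand-in for the site's stored hash (the slides show MD5).
    return hashlib.sha256(pwd.encode()).hexdigest()


def adaptive_strategy(phished: Dict[str, str], targets: List[str], m: int) -> Dict[str, List[str]]:
    """Adversary who knows the user's strategy: tries the phished passwords
    and per-site variants of them before a generic dictionary, never more
    than m guesses per target."""
    guesses: Dict[str, List[str]] = {}
    for site in targets:
        cands: List[str] = []
        for known_site, pwd in phished.items():
            cands.append(pwd)                                   # plain reuse
            suffix = known_site[:2]
            if pwd.endswith(suffix):                            # swap the suffix
                cands.append(pwd[:-len(suffix)] + site[:2])
        cands += COMMON_PASSWORDS
        seen: Set[str] = set()
        unique = [c for c in cands if not (c in seen or seen.add(c))]
        guesses[site] = unique[:m]
    return guesses


def run_game(passwords: Dict[str, str], k: int, t: int, m: int, strategy: Strategy) -> Set[str]:
    """Play the adversary's game once and return the newly compromised
    sites; the adversary wins if the set is non-empty."""
    phished = {site: passwords[site] for site in SITES[:k]}     # k phishing attacks
    targets = SITES[k:k + t]                                    # t offline attacks
    leaked = {site: pwd_hash(passwords[site]) for site in targets}
    guesses = strategy(phished, targets, m)
    compromised: Set[str] = set()
    for site in targets:
        assert len(guesses[site]) <= m, "adversary exceeded the guess budget"
        if any(pwd_hash(g) == leaked[site] for g in guesses[site]):
            compromised.add(site)
    return compromised


def adversary_wins(scheme: Scheme, k: int = 1, t: int = 1, m: int = 10) -> bool:
    """(1,1,M) example from the slides: one phished site, one offline attack."""
    return bool(run_game(scheme(), k, t, m, adaptive_strategy))


if __name__ == "__main__":
    for name, scheme in [("reuse", scheme_reuse), ("site suffix", scheme_site_suffix),
                         ("independent", scheme_independent)]:
        print(f"{name:12s} adversary wins: {adversary_wins(scheme)}")
```

Against the reuse and suffix schemes the adversary wins with a single guess per target, so neither is (1,1,M,·)-secure for any M; against independent random passwords the M-guess offline attack only succeeds with probability on the order of t·M/2^128, which is what the "offline attacks should fail with high probability" goal asks for.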
Outline
• Introduction and Experiments
• Memory and Usability
• Analyzing Security
• Our Password Management Scheme