usable and secure password management jeremiah blocki spring 2012 theory lunch
TRANSCRIPT
Usable and Secure Password Management
Jeremiah Blocki
Spring 2012
Theory Lunch
2
Password Management
Competing Goals:
Security
Usability
3
A Challenging Problem Traditional Security Advice
Not too short
Use mix of lower/upper case letters
Change your passwords every 90 days
Use numbers and letters
Don’t use words/names
Use special symbols
Don’t Write it Down
Don’t Reuse Passwords
4
Reevaluate Traditional Advice?
Source: http://www.xkcd.com/936/ [Munroe]
XKC
D
5
Experiment #0 Memorize a random 10 character
password Case Sensitive!
L[IbCGa_ND
6
Experiment #1
Chaplin, Newspapers (plural)Cedric, Scanner
7
Experiment #2
March (“Marching” – “ing”)Boats, BrieSwim (not Michael Phelps)
9
Experiment #3
Cue Action Object
Manuel Blum torturing lion
10
Experiment #4
Cue Action Object
Stephen Rudich destroying shark
13
Outline Introduction and Experiments
Memory and Usability Four Big Factors
Analyzing Security
Our Password Management Scheme
14
Factor 1: Chunking Memorize: nbccbsabc
Memorize: tkqizrlwp
3 Chunks vs. 9 Chunks!
Usability Goal: Minimize Number of Chunks in Password
Source: The magical number seven, plus or minus two [Miller, 56]
16
Human Memory is Associative
?
17
Factor 2: Cue Strength Cue: context when a memory is stored
Surrounding Environment Sounds Visual Surroundings Web Site ….
As time passes we forget some of this context…
18
Mathematical Model (Cues)
1
1
1
1
1
ic
1
ii
ii
i
w
cwc
i {music, desk, password, amazon,…}
19
Mathematical Model (Associative Memory)
Add the cue-association pair to memory (M)
1
1
1
1
1
v
TvcMMvcLink
:),(
k
kk
kk
Tk
kk
nvnc
vc
vcM
][][
]1[]1[
MccFind T)(
Find the memory associated with the given cue in M
),(),,(),( 22112211 vcwLinkvcwLinkvcwcwLink
20
Retrieval from Partial Cue
rwcwc inextext
'' rwcwc inextext
Original Cue
Retrieval Cue
),( vcLink
MrwcwcFind Tinextext )'()'(
Cue Strength
21
Retrieval from Partial Cue
Tk
kk
TT
Tinextext
vccvcc
MrwcwcFind
''
)'()'(
Noisevnw
Noisevccw
ext
extTextext
2
2
22
Retrieval from Partial CuePro
babili
ty o
f R
eca
ll
Source: Simple memory: a theory for archicortex [Marr]
Partial Cue Fraction
23
Factor 3: Interference
Cue
jblocki, l3tm3in
jblocki, unbr3akabl3
jblocki, Tr0ub4dor&3
jblocki, horsebatterystaplecorrect
…
24
Interference (Example)
Impossible to identify which memory is associated with the cue!
If the contexts are only “slightly different” there will still be significant interference!
),( 1vcLink
),( 2vcLink
NoisevvncFind )()( 21
26
Factor 4: Rehearsal
Strengthens Associations
Goal: minimize the number of rehearsals necessary to remember passwords
Password may be linkedto different contexts (cues)
27
Rehearsal
It helps if part of the context is consistent across all rehearsals/retrieval
1,...,1 kirwcwc iinextexti
kivcLink i ,...,1),(
NoisevnkwcFind extk 2)(
28
Usability Desiderata Minimize #chunks per password
Ensure that a large part of the original cue is always available at retrieval time
Minimize Interference
Minimize the required number of rehearsals
29
How Do People Pick Passwords?
Source: Science of Password Selection (Hunt, 2011)
Pers
on N
ame
Plac
e Nam
e
Dictio
nary
Wor
d
Numbe
r
Double
Wor
d
E-Mail A
ddre
ssTo
tal
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
Fraction of Passwords
30
Password Management
Competing Goals:
Security
Usability
31
Competing Goals Usability – “easy” for user to create and
remember his passwords
Security – “hard” for adversary to learn passwords. After many guesses Even after seeing other passwords
Security
Usability
32
Outline Introduction and Experiments
Memory and Usability
Analyzing Security
Our Password Management Scheme
33
Security (what could go wrong?)
Online Offline Phishing
Danger
Three Types of Attacks
34
Online Attack
1234
Limit Guesses: Three Strike Policy
35
Offline Dictionary Attack
Source: CERT Incident Note IN-98.03: Password Cracking Activity
MD5(“UnBr3akabl3”)
+
“UnBr3akabl3”
“UnBr3akabl3”
“UnBr3akabl3”
36
Malicious Sites/Phishing
Source: CERT Incident Note IN-98.03: Password Cracking Activity
PayPaul.com
+
pwd
pwd
37
Measuring Security Past Measurements and Their Weaknesses
Password Strength Meters Entropy Min Entropy
Our Definition of Security
38
Password Strength Meters
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
Impossible to know what background knowledge the adversary will have!
Source: https://www.microsoft.com/security/pc-security/password-checker.aspx
Our Approach: Measure the security of the password generator instead
39
Password Generator (G)
40
Entropy
)(2 ]Pr[
1log]Pr[)(
GRangex xxGH
Source: The mathematical theory of communication (Shannon, 1959)
Intuition:
30 bits of entropy => Average # Guesses ~ 230
# Bits to encode password x
Average # Bits to encode password x
41
Entropy
Example:
nn pwxRG 2.}1,0{)(
n
xxGH
n
n
x
nn
x
}1,0{
}1,0{
2log2
]Pr[
1log]Pr[
43
Entropy (Weaknesses)
1222
21
1 2.}1,0{
.)(
nn pwx
pwmmmmRG
nn pwxRG 2.}1,0{)(2
Both password generators have same entropy!
One guess breaks scheme one half of the time!)(
)12(2
1
2
1
)12(22
1
]|Pr[
1log]|Pr[2log
2
1)(
2
}1,0{
12
}1,0{ 111
22
12
GH
n
n
n
GxGxGH
n
n
x
n
x
44
Entropy (Weaknesses)
mmmm
mmmm
mmmm
1222
21
1 2.}1,0{
.)(
nn pwx
pwmmmmRG
G1 has high entropy, but is insecure!
45
Entropy (Weaknesses) High Entropy Does Not Guarantee Safety!
Online Offline Phishing
46
Min-Entropy
]Pr[
1logmin)( 2)(
min xGH
GRangex
nGHGH )(1)( 2min1min
# Bits to encode most likely password x
# Bits to encode password x
47
Min Entropy (Strengths)
+
“horsebatterystaplecorrect”
MD5(pwd)
48
Min Entropy (Strengths) High Minimum Entropy
Online Offline Phishing
50
Min-Entropy (Weaknesses)
Hmin(G1) = 2n = Hmin(G2)
nnn pwzyRG 22 2.}1,0{}1,0{),()(
nnn pwxxRG 2221 2.}1,0{}1,0{),()(
Min-Entropy ignores correlations between passwords
51
Min-Entropy (Weaknesses)
nnn pwxxRG 2221 2.}1,0{}1,0{),()(
PayPaul.com
x
x
x
52
Our Security Approach Dangerous World Assumption
Not enough to defend against existing adversaries Adversary can adapt after learning the user’s new
password management strategy
Provide guarantees even when things go wrong Offline attacks should fail with high probability Limit damage of a successful phishing attack
53
The Adversary’s Game Adversary can compromise at most k sites
(phishing).
Adversary can execute offline attacks against at most t additional sites Resource Constraints => at most M guesses
Adversary wins if he can compromise any new sites.
pwd
MD5(pwd)
54
(k,t,M,)-Security
],,|Pr[ tkMAdvWins
We say that a password management scheme is (k,t,M,)-Secure if for any adversary Adv
k = #t = #Offline Attacks Phishing Attacks
M = # Guesses
55
Example: (1,1,M,)-Security
PayPaul.com
+M guessesk=1
t=1
56
Outline Introduction and Experiments
Memory and Usability
Analyzing Security
Our Password Management Scheme
57
Review Usability Desiderata Minimize #chunks per password
Ensure that a large part of the original cue is always available at retrieval time
Minimize Interference
What mnemonic techniques do the memory experts use?
58
Memory Palace
Memory champions like Dominic O'Brien regularly use memory palaces
59
Memory Palace Idea: Humans have excellent visual/spatial
memory
Memorize a list of words Memorize: Mentally walk through your house and
“store” one word in each location Recall: Mentally walk past each location to
recover each word
Key Point: By associating each word with a familiar location we can always recover part of the original cue Source: Rhetorica ad Herennium [Cicero?]
60
Memory Palace Interference? Don’t reuse the same memory palace very
often!
Memory Champions have hundreds of memory palaces! Spend time mentally “clearing” each palace
before a competition
Usability: A typical user doesn’t have time to prepare hundreds of memory palaces!
Source: Moonwalking with Einstein [Foer, 2010]
61
Our Approach Idea: Use pictures as cues instead
Don’t have to remember the cue! Store it externally!
Liquor, Wounded, Sunk
62
Secure Password Management SchemePublic Knowledge Private (Password)
Am
azo
neB
ay
……
Random Words (Independently Selected)
Random Words (Independently Selected)
……
63
Usability Four chunks per password
Independent Cues Reduces Interference
Partial Cue (picture) is stored externally and is always available
64
Security Password Strength
Strong Password: 4 random words from common dictionary
Stronger than a truly random ten character password
Password Independence Independent of Cues Independent of Other Passwords
(t,k,M,)-security for large t,k!
65
Experiment #0 Can anybody remember the 10 character
password?
L[IbCGa_ND
66
Experiment #1
67
Experiment #2
69
Experiment #3
Cue Action Object
Manuel Blum
70
Experiment #4
Cue Action Object
Stephen Rudich
72
Personal Experience I have created 25+ unique (strong) passwords
using this technique
Tricks to overcome common restrictions Substitute 3 for e, etc… Use first 4 letters of each word
Difficulties Word Order Confuse verb tense Plural vs. Singular Semantically Similar Words
73
Future Work Can we quantify and measure the
usability of a password management scheme?
Share cues across sites (security/usability tradeoff)
Accepting close passwords
User Studies
75
Questions?