
Page 1: Usable and Secure Password Management Jeremiah Blocki Spring 2012 Theory Lunch

Usable and Secure Password Management

Jeremiah Blocki

Spring 2012

Theory Lunch

Page 2:

Password Management

Competing Goals:

Security

Usability

Page 3:

A Challenging Problem: Traditional Security Advice

Not too short

Use mix of lower/upper case letters

Change your passwords every 90 days

Use numbers and letters

Don’t use words/names

Use special symbols

Don’t Write it Down

Don’t Reuse Passwords

Page 4:

Reevaluate Traditional Advice?

Source: http://www.xkcd.com/936/ [Munroe]

Page 5:

Experiment #0: Memorize a random 10 character password (case sensitive!)

L[IbCGa_ND

Page 6:

Experiment #1

Chaplin, Newspapers (plural), Cedric, Scanner

Page 7:

Experiment #2

March (“Marching” – “ing”), Boats, Brie, Swim (not Michael Phelps)

Page 8:

Experiment #3

Cue | Action | Object
Manuel Blum | torturing | lion

Page 9:

Experiment #4

Cue | Action | Object
Stephen Rudich | destroying | shark

Page 10:

Outline

Introduction and Experiments

Memory and Usability: Four Big Factors

Analyzing Security

Our Password Management Scheme

Page 11:

Factor 1: Chunking

Memorize: nbccbsabc

Memorize: tkqizrlwp

3 Chunks vs. 9 Chunks!

Usability Goal: Minimize Number of Chunks in Password

Source: The magical number seven, plus or minus two [Miller, 1956]

Page 12:

Chunking

Source: http://www.xkcd.com/936/ [Munroe]

Page 13:

Human Memory is Associative

Page 14:

Factor 2: Cue Strength

Cue: the context present when a memory is stored

Surrounding environment, sounds, visual surroundings, web site, …

As time passes we forget some of this context…

Page 15:

Mathematical Model (Cues)

A cue is a weighted sum of feature vectors: $c = \sum_i w_i c_i$, where $i$ ranges over features such as {music, desk, password, amazon, …} and each $c_i$ is a 0/1 vector marking the presence of feature $i$.

Page 16:

Mathematical Model (Associative Memory)

Add the cue-association pair to memory (M):

$\mathrm{Link}(c, v):\; M \leftarrow M + c\,v^{T}$, so after linking the pairs $(c_k, v_k)$ we have $M = \sum_k c_k v_k^{T}$ (entry $[i][j]$ of $c\,v^{T}$ is $c[i]\,v[j]$).

Find the memory associated with the given cue in M:

$\mathrm{Find}(c) = c^{T} M$

Link is linear in the cue: $\mathrm{Link}(w_1 c_1 + w_2 c_2, v) = \mathrm{Link}(w_1 c_1, v) + \mathrm{Link}(w_2 c_2, v)$

Page 17:

Retrieval from Partial Cue

Original cue: $c = w_{ext} c_{ext} + w_{in} c_{in} + r$

Retrieval cue: $c' = w_{ext} c_{ext} + w_{in} c'_{in} + r'$

Stored: $\mathrm{Link}(c, v)$

Retrieved: $\mathrm{Find}(c') = (w_{ext} c_{ext} + w_{in} c'_{in} + r')^{T} M$

Cue strength: how much of the original cue ($c_{ext}$, weighted $w_{ext}$) is still present at retrieval

Page 18:

Retrieval from Partial Cue

$\mathrm{Find}(c') = (w_{ext} c_{ext} + w_{in} c'_{in} + r')^{T} M$ with $M = c\,v^{T}$

$= (c'^{T} c)\, v = w_{ext}^{2}\,(c_{ext}^{T} c_{ext})\, v + \text{Noise} = w_{ext}^{2}\, n\, v + \text{Noise}$

where $n = c_{ext}^{T} c_{ext}$ is the number of features in the external cue and the cross terms involving $c'_{in}$ and $r'$ make up the noise.

Page 19:

Retrieval from Partial Cue

[Figure: Probability of Recall vs. Partial Cue Fraction]

Source: Simple memory: a theory for archicortex [Marr]

Page 20:

Factor 3: Interference

Cue

jblocki, l3tm3in

jblocki, unbr3akabl3

jblocki, Tr0ub4dor&3

jblocki, horsebatterystaplecorrect

Page 21:

Interference (Example)

$\mathrm{Link}(c, v_1)$ and $\mathrm{Link}(c, v_2)$ with the same cue $c$:

$\mathrm{Find}(c) = n\,(v_1 + v_2) + \text{Noise}$

Impossible to identify which memory is associated with the cue!

If the contexts are only “slightly different” there will still be significant interference!

Page 22:

Factor 4: Rehearsal

Strengthens Associations

Goal: minimize the number of rehearsals necessary to remember passwords

Password may be linked to different contexts (cues)

Page 23:

Rehearsal

It helps if part of the context is consistent across all rehearsals/retrievals

Rehearsal $i$ uses the cue $c_i = w_{ext} c_{ext} + w_{in} c_{in}^{i} + r_i$, $i = 1, \ldots, k$

$\mathrm{Link}(c_i, v)$ for $i = 1, \ldots, k$

$\mathrm{Find}(c_k) = k\, w_{ext}^{2}\, n\, v + \text{Noise}$: every rehearsal that shares $c_{ext}$ adds another copy of the signal
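The Link/Find model of Pages 16 to 23 in runnable form, as an added example that is not part of the talk: cues are 0/1 feature vectors split into an external part (the web site or picture) and an internal part (everything else about the moment), memories are ±1 vectors, and the dimensions, weights and random contexts are assumptions chosen for this example. The three functions at the end reproduce the slides' three claims: retrieval from a partial cue gives $w_{ext}^2 n\,v$ plus a noise term, two memories under one cue interfere, and rehearsal multiplies the signal by $k$.

```python
"""Toy implementation of the associative-memory model of Pages 16-23.

Cues are 0/1 feature vectors, memories are +-1 vectors, M = sum of c v^T,
Find(c) = c^T M. Dimensions, weights and the random contexts are assumptions
made for this example, not values from the talk."""
import random


def random_binary(dim, ones, rng):
    """0/1 vector with exactly `ones` ones: a cue present in `ones` features."""
    v = [0] * dim
    for i in rng.sample(range(dim), ones):
        v[i] = 1
    return v


def random_sign(dim, rng):
    """+-1 vector standing for a stored memory (e.g. a password chunk)."""
    return [rng.choice((-1, 1)) for _ in range(dim)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def cue(c_ext, c_in, w_ext=1, w_in=1):
    """c = w_ext*c_ext + w_in*c_in, with the external (web site / picture) and
    internal (mood, surroundings) parts in disjoint coordinates; the random
    context r of the slides is folded into c_in here."""
    return [w_ext * x for x in c_ext] + [w_in * x for x in c_in]


def link(M, c, v):
    """Link(c, v): M <- M + c v^T (in place)."""
    for i, ci in enumerate(c):
        if ci:
            for j, vj in enumerate(v):
                M[i][j] += ci * vj


def find(M, c):
    """Find(c) = c^T M: the (noisy) memory retrieved by cue c."""
    return [sum(ci * M[i][j] for i, ci in enumerate(c) if ci)
            for j in range(len(M[0]))]


def partial_cue(n=20, d_ext=64, d_in=64, m=32, seed=1):
    """Store v under (site, context), retrieve with (site, new context).
    Returns (measured strength, n + c_in.c'_in): with weights 1 the slides'
    Find(c') = (w_ext^2 n + noise) v holds exactly, the noise being the
    chance overlap of the two internal contexts."""
    rng = random.Random(seed)
    site = random_binary(d_ext, n, rng)       # c_ext: available at retrieval
    ctx_then = random_binary(d_in, n, rng)    # c_in when the memory was stored
    ctx_now = random_binary(d_in, n, rng)     # c'_in at retrieval time
    v = random_sign(m, rng)
    M = [[0] * m for _ in range(d_ext + d_in)]
    link(M, cue(site, ctx_then), v)
    strength = dot(find(M, cue(site, ctx_now)), v) // m   # (c'.c)(v.v)/m = c'.c
    return strength, n + dot(ctx_then, ctx_now)


def interference(n=20, d=64, m=32, seed=2):
    """Two memories linked to the same cue (Page 21): Find(c) = (c.c)(v1 + v2),
    which scores v1 and v2 identically, so neither can be picked out."""
    rng = random.Random(seed)
    c = cue(random_binary(d, n, rng), random_binary(d, n, rng))
    v1, v2 = random_sign(m, rng), random_sign(m, rng)
    M = [[0] * m for _ in range(2 * d)]
    link(M, c, v1)
    link(M, c, v2)
    out = find(M, c)
    return dot(out, v1), dot(out, v2)


def rehearsal(k, n=20, d=64, m=32, seed=3):
    """k rehearsals sharing the external cue but with fresh internal context
    each time (Page 23): Find(c_k) = (k w_ext^2 n + noise) v, so the signal
    returned here is at least k*n and grows with every rehearsal."""
    rng = random.Random(seed)
    site = random_binary(d, n, rng)
    v = random_sign(m, rng)
    M = [[0] * m for _ in range(2 * d)]
    for _ in range(k):
        link(M, cue(site, random_binary(d, n, rng)), v)
    return dot(find(M, cue(site, random_binary(d, n, rng))), v) // m


if __name__ == "__main__":
    print("partial cue: strength, n + overlap =", partial_cue())
    print("interference: score(v1), score(v2) =", interference())
    print("rehearsal: k=1 ->", rehearsal(1), " k=3 ->", rehearsal(3))
```

Because the internal contexts are binary with $n$ ones each, their overlap is between 0 and $n$, so a single rehearsal can never score above $2n$ while three rehearsals always score at least $3n$: the rehearsal effect is visible without any averaging over runs.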

Page 24:

Usability Desiderata

Minimize #chunks per password

Ensure that a large part of the original cue is always available at retrieval time

Minimize Interference

Minimize the required number of rehearsals

Page 25:

How Do People Pick Passwords?

Source: Science of Password Selection (Hunt, 2011)

[Bar chart: Fraction of Passwords (0 to 0.7) by category: Person Name, Place Name, Dictionary Word, Number, Double Word, E-Mail Address, Total]

Page 26:

Password Management

Competing Goals:

Security

Usability

Page 27:

Competing Goals

Usability – “easy” for the user to create and remember his passwords

Security – “hard” for the adversary to learn passwords, even after many guesses and even after seeing the user's other passwords

Page 28:

Outline

Introduction and Experiments

Memory and Usability

Analyzing Security

Our Password Management Scheme

Page 29:

Security (what could go wrong?)

Three Types of Attacks: Online, Offline, Phishing

Page 30:

Online Attack

1234

Limit Guesses: Three Strike Policy

Page 31:

Offline Dictionary Attack

Source: CERT Incident Note IN-98.03: Password Cracking Activity

Stolen hash: MD5(“UnBr3akabl3”)

Recovered password: “UnBr3akabl3”
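What the offline attack on this slide looks like in practice, as an added example that is not from the talk: the leak, the wordlist and the mangling rules are constructed here, and the rules include the “substitute 3 for e” trick that appears later in the talk as a way around site restrictions, which shows why such substitutions do not add to a password's guessing resistance.

```python
"""Offline dictionary attack on unsalted MD5 hashes, with mangling rules."""
import hashlib
import itertools

# Constructed leak for this example. In a real incident only the hashes are
# known; the plaintexts are kept here so the result can be checked.
_DEMO_PLAINTEXTS = {
    "alice": "UnBr3akabl3",
    "bob": "l3tm3in",
    "carol": "Tr0ub4dor&3",
    "dave": "correcthorsebatterystaple",
}
LEAKED_HASHES = {user: hashlib.md5(pw.encode()).hexdigest()
                 for user, pw in _DEMO_PLAINTEXTS.items()}

# Tiny constructed wordlist; real attacks use millions of leaked passwords.
WORDLIST = ["letmein", "unbreakable", "password", "troubador", "staple", "monkey"]

# Character substitutions of the "3 for e" kind; each is optional per position.
LEET = {"e": "3", "a": "4", "o": "0", "i": "1", "s": "5"}
SUFFIXES = ("", "1", "123", "&3")


def leet_variants(word):
    """Every way of applying (or not applying) a LEET substitution per letter."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*choices)}


def case_variants(word):
    """Every upper/lower-case toggle of the letters (digits are left alone)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*choices)}


def candidates(word):
    """Mangled guesses derived from one dictionary word."""
    for leet in leet_variants(word):
        for cased in case_variants(leet):
            for suffix in SUFFIXES:
                yield cased + suffix


def crack(leaked, wordlist, max_guesses=None):
    """Try mangled dictionary words against every leaked hash at once.

    Returns ({user: recovered password}, number of guesses spent). Unsalted
    hashes mean one MD5 per guess covers all users; max_guesses plays the role
    of the adversary's resource bound M on the later slides."""
    by_hash = {h: user for user, h in leaked.items()}
    found, guesses = {}, 0
    for word in wordlist:
        for guess in candidates(word):
            if max_guesses is not None and guesses >= max_guesses:
                return found, guesses
            guesses += 1
            digest = hashlib.md5(guess.encode()).hexdigest()
            if digest in by_hash:
                found[by_hash[digest]] = guess
    return found, guesses


if __name__ == "__main__":
    recovered, spent = crack(LEAKED_HASHES, WORDLIST)
    print(f"{spent} guesses, recovered: {recovered}")
    print("not recovered:", sorted(set(LEAKED_HASHES) - set(recovered)))
```

Everything here is fast precisely because the hashes are unsalted and MD5 is cheap: one hash per guess is compared against every user at once, and max_guesses is the adversary's M from the later slides. The four-word passphrase survives only because no rule in this small set builds it from the wordlist.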

Page 32:

Malicious Sites/Phishing

Source: CERT Incident Note IN-98.03: Password Cracking Activity

[Figure: the user types pwd into the look-alike site PayPaul.com, handing pwd to the attacker]

Page 33:

Measuring Security

Past measurements and their weaknesses: password strength meters, entropy, min-entropy

Our definition of security

Page 34:

Password Strength Meters

mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm

Impossible to know what background knowledge the adversary will have!

Source: https://www.microsoft.com/security/pc-security/password-checker.aspx

Our Approach: Measure the security of the password generator instead

Page 35:

Password Generator (G)

Page 36:

Entropy

$H(G) = \sum_{x \in \mathrm{Range}(G)} \Pr[x] \log_2 \frac{1}{\Pr[x]}$

$\log_2 \frac{1}{\Pr[x]}$ is the # bits to encode password $x$; $H(G)$ is the average # bits to encode a password drawn from $G$

Source: The mathematical theory of communication (Shannon, 1949)

Intuition: 30 bits of entropy => average # guesses ~ $2^{30}$

Page 37:

Entropy

Example: $G(R) = pw_x$ for $x \in \{0,1\}^n$ chosen uniformly from the randomness $R$, i.e. $2^n$ equally likely passwords.

$H(G) = \sum_{x \in \{0,1\}^n} \Pr[x] \log_2 \frac{1}{\Pr[x]} = \sum_{x \in \{0,1\}^n} 2^{-n} \log_2 2^{n} = n$

Page 38:

Entropy (Weaknesses)

$G_1(R) =$ “mmmm” with probability $\tfrac{1}{2}$; otherwise $pw_x$ with probability $\frac{1}{2 \cdot 2^{2n-1}}$ for each $x \in \{0,1\}^{2n-1}$.

$G_2(R) = pw_x$ with $x \in \{0,1\}^n$ uniform ($2^n$ passwords).

$H(G_1) = \tfrac{1}{2} \log_2 2 + \sum_{x \in \{0,1\}^{2n-1}} \Pr[x \mid G_1] \log_2 \frac{1}{\Pr[x \mid G_1]} = \tfrac{1}{2} + 2^{2n-1} \cdot \frac{1}{2 \cdot 2^{2n-1}} \cdot \log_2 (2 \cdot 2^{2n-1}) = \tfrac{1}{2} + n$

Both password generators have essentially the same entropy ($H(G_1) = n + \tfrac{1}{2} \ge n = H(G_2)$), yet one guess breaks $G_1$ one half of the time!

Page 39:

Entropy (Weaknesses)

[Figure: the adversary guesses “mmmm”]

$G_1(R) =$ “mmmm” with probability $\tfrac{1}{2}$; otherwise $pw_x$ with probability $\frac{1}{2 \cdot 2^{2n-1}}$, $x \in \{0,1\}^{2n-1}$.

G1 has high entropy, but is insecure!

Page 40:

Entropy (Weaknesses)

High Entropy Does Not Guarantee Safety!

Online, Offline, Phishing

Page 41:

Min-Entropy

$H_{min}(G) = \min_{x \in \mathrm{Range}(G)} \log_2 \frac{1}{\Pr[x]}$, the # bits to encode the most likely password $x$ (compare $H(G)$, the average # bits to encode password $x$)

$H_{min}(G_1) = 1 \le H_{min}(G_2) = n$

Page 42:

Min Entropy (Strengths)

[Figure: offline attacker holding the stored hash MD5(pwd); password “horsebatterystaplecorrect”]

Page 43:

Min Entropy (Strengths)

High Minimum Entropy

Online, Offline, Phishing

Page 44:

Min-Entropy (Weaknesses)

$G_1(R) = (pw_x, pw_x)$ with $x \in \{0,1\}^{2n}$ uniform: the same password at both sites ($2^{2n}$ possibilities)

$G_2(R) = (pw_y, pw_z)$ with $y, z \in \{0,1\}^n$ independent and uniform ($2^{2n}$ possibilities)

$H_{min}(G_1) = 2n = H_{min}(G_2)$

Min-Entropy ignores correlations between passwords
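The entropy and min-entropy calculations of Pages 37, 38, 41 and 44, checked numerically; an added example with constructed generators, not code from the talk. It also computes one quantity the slides do not: the min-entropy of the second site's password after the first has been phished, which is where the reused-password generator $G_1$ of Page 44 and the independent one $G_2$ differ even though their plain min-entropy is the same.

```python
"""Entropy, min-entropy and guessing success for the generators on Pages 37-44.

Added example; distributions are built exactly (Fractions) so the numbers can
be checked against the slides' formulas. Small n keeps the ranges enumerable."""
import math
from fractions import Fraction
from itertools import product


def bitstrings(length):
    """All x in {0,1}^length."""
    return ["".join(bits) for bits in product("01", repeat=length)]


def shannon_entropy(dist):
    """H(G) = sum_x Pr[x] log2(1/Pr[x])  (Page 36). dist: outcome -> Pr."""
    return sum(float(p) * math.log2(1 / float(p)) for p in dist.values() if p)


def min_entropy(dist):
    """H_min(G) = min_x log2(1/Pr[x]) = log2(1 / max_x Pr[x])  (Page 41)."""
    return math.log2(1 / float(max(dist.values())))


def guess_success(dist, m):
    """Best success probability of an adversary limited to m guesses (Page 47):
    guess the m most likely outputs."""
    return float(sum(sorted(dist.values(), reverse=True)[:m]))


def g1_weak(n):
    """G_1 of Page 38: 'mmmm' w.p. 1/2, else pw_x uniform over x in {0,1}^(2n-1)."""
    dist = {"mmmm": Fraction(1, 2)}
    for x in bitstrings(2 * n - 1):
        dist["pw_" + x] = Fraction(1, 2 * 2 ** (2 * n - 1))
    return dist


def g2_uniform(n):
    """G_2 of Page 38: pw_x uniform over x in {0,1}^n."""
    return {"pw_" + x: Fraction(1, 2 ** n) for x in bitstrings(n)}


def pair_reuse(n):
    """G_1 of Page 44: one 2n-bit password used at both sites, (pw_x, pw_x)."""
    return {(x, x): Fraction(1, 2 ** (2 * n)) for x in bitstrings(2 * n)}


def pair_independent(n):
    """G_2 of Page 44: independent n-bit passwords (pw_y, pw_z)."""
    return {(y, z): Fraction(1, 2 ** (2 * n))
            for y in bitstrings(n) for z in bitstrings(n)}


def bits_left_after_phishing(pair_dist):
    """Min-entropy of the site-2 password conditioned on the site-1 password,
    in the worst case over what phishing site 1 revealed. This conditional
    quantity is not on the slides; it is what exposes the correlation that
    plain min-entropy misses."""
    firsts = {a for a, _ in pair_dist}
    worst = None
    for a in firsts:
        joint = {b: p for (first, b), p in pair_dist.items() if first == a}
        total = sum(joint.values())
        conditional = {b: p / total for b, p in joint.items()}
        h = min_entropy(conditional)
        worst = h if worst is None else min(worst, h)
    return worst


if __name__ == "__main__":
    n = 4
    for name, g in (("G1 (mmmm w.p. 1/2)", g1_weak(n)), ("G2 (uniform)", g2_uniform(n))):
        print(f"{name}: H={shannon_entropy(g):.2f} Hmin={min_entropy(g):.2f} "
              f"Pr[1 guess wins]={guess_success(g, 1):.4f}")
    for name, g in (("reused", pair_reuse(n)), ("independent", pair_independent(n))):
        print(f"{name} pair: Hmin={min_entropy(g):.0f} "
              f"bits left at site 2 after phishing site 1={bits_left_after_phishing(g):.0f}")
```

For n = 4 the weak generator has 4.5 bits of Shannon entropy against 4 for the uniform one, yet its min-entropy is 1 bit and a single guess wins half the time; the two pair generators both have 8 bits of min-entropy, but after one phished site the reused password has 0 bits left and the independent one still has 4.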

Page 45:

Min-Entropy (Weaknesses)

$G_1(R) = (pw_x, pw_x)$, $x \in \{0,1\}^{2n}$

[Figure: PayPaul.com phishes $x$, which is also the password at the user's other sites]

Page 46:

Our Security Approach: Dangerous World Assumption

Not enough to defend against existing adversaries: the adversary can adapt after learning the user's new password management strategy

Provide guarantees even when things go wrong: offline attacks should fail with high probability; limit the damage of a successful phishing attack

Page 47:

The Adversary's Game

Adversary can compromise at most k sites (phishing).

Adversary can execute offline attacks against at most t additional sites; resource constraints => at most M guesses

Adversary wins if he can compromise any new sites.

[Figure: phished pwd and stored hash MD5(pwd)]

Page 48:

(k,t,M,ε)-Security

We say that a password management scheme is (k,t,M,ε)-secure if for any adversary Adv

$\Pr[\mathrm{Adv\ Wins} \mid k, t, M] \le \varepsilon$

k = # phishing attacks, t = # offline attacks, M = # guesses

Page 49:

Example: (1,1,M,ε)-Security

k = 1: one phished site (PayPaul.com)

t = 1: one offline attack with at most M guesses

Page 50:

Outline

Introduction and Experiments

Memory and Usability

Analyzing Security

Our Password Management Scheme

Page 51:

Review: Usability Desiderata

Minimize #chunks per password

Ensure that a large part of the original cue is always available at retrieval time

Minimize Interference

What mnemonic techniques do the memory experts use?

Page 52:

Memory Palace

Memory champions like Dominic O'Brien regularly use memory palaces

Page 53:

Memory Palace

Idea: Humans have excellent visual/spatial memory

Memorize a list of words: mentally walk through your house and “store” one word in each location. Recall: mentally walk past each location to recover each word.

Key Point: By associating each word with a familiar location we can always recover part of the original cue

Source: Rhetorica ad Herennium [Cicero?]

Page 54:

Memory Palace Interference?

Don't reuse the same memory palace very often!

Memory champions have hundreds of memory palaces, and spend time mentally “clearing” each palace before a competition

Usability: A typical user doesn't have time to prepare hundreds of memory palaces!

Source: Moonwalking with Einstein [Foer, 2011]

Page 55:

Our Approach

Idea: Use pictures as cues instead. You don't have to remember the cue; store it externally!

Liquor, Wounded, Sunk

Page 56:

Secure Password Management Scheme

Public Knowledge: the sites (Amazon, eBay, …) and their picture cues

Private (Password): Random Words (Independently Selected), one per cue

Page 57:

Usability

Four chunks per password

Independent cues reduce interference

Partial Cue (picture) is stored externally and is always available

Page 58:

Security

Password strength: a strong password is 4 random words from a common dictionary (a dictionary of $d$ words gives $4 \log_2 d$ bits), stronger than a truly random ten character password

Password independence: independent of cues, independent of other passwords

(k,t,M,ε)-security for large k, t!
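A minimal version of the scheme on Pages 56 to 58, added as an example rather than taken from the talk: per-site passwords of four independently drawn words, the two tricks the speaker mentions later for restrictive sites, and the strength comparison behind the claim above. The word list and the dictionary size of 5000 are assumptions.

```python
"""Per-site passwords of four independently chosen dictionary words (Pages 56-58).

Added example, not the speaker's code. The word list is a constructed toy;
the strength figures are computed for the dictionary size you pass in."""
import math
import secrets

# Constructed toy dictionary (words from the talk's examples). The real scheme
# draws from a common dictionary of thousands of words.
WORDS = ["liquor", "wounded", "sunk", "chaplin", "newspaper", "cedric", "scanner",
         "march", "boats", "brie", "swim", "lion", "shark", "horse", "battery", "staple"]


def generate(words, k=4, choose=secrets.choice):
    """k words, each an independent uniform draw (with replacement).
    Independence across words, cues and sites is what the security argument
    rests on, so the draw uses the OS CSPRNG rather than random.choice."""
    return [choose(words) for _ in range(k)]


def bits_for_words(dict_size, k=4):
    """k independent uniform words from a dictionary of dict_size words."""
    return k * math.log2(dict_size)


def bits_for_random_chars(alphabet_size, length=10):
    """A truly random length-character password over the given alphabet."""
    return length * math.log2(alphabet_size)


def to_password(words, first_letters=None, three_for_e=False):
    """Join the words into the string typed at the site, with the slide's
    tricks for restrictive sites. Both tricks are deterministic functions of
    the words, so they never add entropy; truncation can only remove it by
    making distinct words collide."""
    parts = [w[:first_letters] if first_letters else w for w in words]
    pw = "".join(parts)
    return pw.replace("e", "3") if three_for_e else pw


def comparison(dict_size=5000):
    """Bits of the 4-word password vs. random 10-character passwords over
    lowercase letters and over all 95 printable ASCII characters."""
    return {
        "four_words": bits_for_words(dict_size),
        "ten_lowercase": bits_for_random_chars(26),
        "ten_printable": bits_for_random_chars(95),
    }


if __name__ == "__main__":
    words = generate(WORDS)
    print(words, "->", to_password(words), "/",
          to_password(words, first_letters=4, three_for_e=True))
    for name, bits in comparison().items():
        print(f"{name}: {bits:.1f} bits")
```

With a 5000-word dictionary the four-word password (about 49 bits) beats a random ten-letter lowercase password (47 bits) but not ten random printable ASCII characters (about 66 bits); matching the latter needs a dictionary of roughly 88,000 words. Truncating to four letters can only lower the figure, since distinct words may collide.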

Page 59:

Experiment #0: Can anybody remember the 10 character password?

L[IbCGa_ND

Page 60:

Experiment #1

Page 61:

Experiment #2

Page 62:

Experiment #3

Cue | Action | Object
Manuel Blum | ? | ?

Page 63:

Experiment #4

Cue | Action | Object
Stephen Rudich | ? | ?

Page 64:

Personal Experience

I have created 25+ unique (strong) passwords using this technique

Tricks to overcome common restrictions: substitute 3 for e, etc.; use the first 4 letters of each word

Difficulties: word order; confusing verb tense; plural vs. singular; semantically similar words

Page 65:

Future Work

Can we quantify and measure the usability of a password management scheme?

Share cues across sites (security/usability tradeoff)

Accepting close passwords

User Studies

Page 66:

Questions?