A research agenda acknowledging the persistence of passwords
IEEE Security & Privacy, 2012. Cited by 8 (2 self).
Despite countless attempts and near-universal desire to replace them, passwords are more widely used and firmly entrenched than ever. Our exploration of this leads us to argue that no silver bullet will meet all requirements, and not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use. Among broad authentication research directions to follow, we first suggest better means to concretely identify actual requirements (surprisingly overlooked to date) and weight their relative importance in target scenarios; this will support approaches aiming to identify best-fit mechanisms in light of requirements. Second, for scenarios where indeed passwords appear to be the best-fit solution, we suggest designing better means to support passwords themselves. We highlight the need for more systematic research, and how the premature conclusion that passwords are dead has led to the neglect of important research questions.
Certified lies: Detecting and defeating government interception attacks against SSL
2010.
"... Cryptography is typically bypassed, not ..."
Where Do Security Policies Come From?
Cited by 5 (2 self).
We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we find the reverse: some of the largest, most attacked sites with greatest assets allow relatively weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength. We conclude that the sites with the most restrictive password policies do not have greater security concerns; they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.
A billion keys, but few locks: the crisis of web single sign-on
NSPW, 2010. Cited by 4 (0 self).
OpenID and InfoCard are two mainstream Web single sign-on (SSO) solutions intended for Internet-scale adoption. While they are technically sound, the business model of these solutions does not provide content-hosting and service providers (CSPs) with sufficient incentives to become relying parties (RPs). In addition, the pressure from users and identity providers (IdPs) is not strong enough to drive CSPs toward adopting Web SSO. As a result, there are currently over one billion OpenID-enabled user accounts provided by major CSPs, but only a few relying parties. In this paper, we discuss the problem of Web SSO adoption for RPs and argue that solutions in this space must offer RPs sufficient business incentives and trustworthy identity services in order to succeed. We suggest future Web SSO development should investigate and fulfill RPs’ business needs, identify IdP business models, and build trust frameworks. Moreover, we propose that Web SSO technology should build identity support into browsers in order to facilitate RPs’ adoption.
Pico: No more passwords
In Proc. Sec. Protocols Workshop 2011, ser. LNCS. Cited by 2 (2 self).
From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different, regularly changed and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can’t abandon passwords until we come up with an alternative method of user authentication that is both usable and secure. We present an alternative design based on a hardware token called Pico that relieves the user from having to remember passwords and PINs. Unlike most alternatives, Pico doesn’t merely address the case of web passwords: it also applies to all the other contexts in which users must at present remember passwords, passphrases and PINs. Besides relieving the user from memorization efforts, the Pico solution scales to thousands of credentials, provides “continuous authentication” and is resistant to brute force guessing, dictionary attacks, phishing and keylogging.
1 Why users are right to be fed up
Remembering an unguessable and un-brute-force-able password was a manageable task twenty or thirty years ago, when each of us had to use only one or two. Since then, though, two trends in computing have made this endeavour much harder. First, computing power has grown by several orders of magnitude: once upon a time, eight characters were considered safe from brute force; nowadays, passwords that are truly safe from brute force and from advanced guessing attacks typically exceed the ability of ordinary users to remember them. Second, and most important, the number of computer-based services with which
The Plight of the Targeted Attacker in a World of Scale
Cited by 2 (2 self).
Despite neglecting even basic security measures, close to two billion people use the Internet, and only a small fraction appear to be victimized each year. This paper suggests that an explanation lies in the economics of attacks. We distinguish between scalable attacks, where costs are almost independent of the number of users attacked, and non-scalable (or targeted) attacks, which involve per-user effort. Scalable attacks reach orders of magnitude more users. To compensate for her disadvantage in terms of reach, the targeted attacker must target users with higher than average value. To accomplish this she needs that value be both visible and very concentrated, with few users having very high value while most have little. In this she is fortunate: power-law long-tail distributions that describe the distributions of wealth, fame and other phenomena are extremely concentrated. However, in these distributions only a tiny fraction of the population have above average value. For example, fewer than 2% of people have above average wealth in the US. Thus, when attacking assets where value is concentrated, the targeted attacker ignores the vast majority of users, since attacking them hurts rather than helps her requirement to extract greater than average value. This helps explain why many users escape harm, even when they neglect security precautions: most users never experience most attacks. Attacks that involve per-user effort will be seen by only a tiny fraction of users. No matter how clever the exploit, unless the expected value is high, there is little place for per-user effort in this world of mass-produced attacks.
This Is Your Data on Drugs: Lessons Computer Security Can Learn From The Drug War
Cited by 2 (1 self).
Researchers have recently begun to study the economics of the markets for illicit digital goods to better understand how to invest resources in the most effective mitigations. This line of work in security economics can greatly benefit from data gathering methodologies used for the study of another underground economy, which has been analyzed for the better part of a century: the illicit drug trade. We describe “promises” and “puzzles” in the use of observational data for computer security research that have been encountered previously in drug policy research, and highlight possible lessons we can learn from this different field. We then outline potential opportunities for security research to avoid pitfalls in data collection that drug policy studies have uncovered. Finally, we argue that failure to tackle problems with observational data runs the risk of creating incorrect “mythical numbers” that can have lasting effects on public policy surrounding computer security.
Where Do All The Attacks Go?
Cited by 1 (1 self).
The fact that a majority of Internet users appear unharmed each year is difficult to reconcile with a weakest-link analysis. We seek to explain this enormous gap between potential and actual harm. The answer, we find, lies in the fact that an Internet attacker, who attacks en masse, faces a sum-of-effort rather than a weakest-link defense. Large-scale attacks must be profitable in expectation, not merely in particular scenarios. For example, knowing the dog’s name may open an occasional bank account, but the cost of determining one million users’ dogs’ names is far greater than that information is worth. The strategy that appears simple in isolation leads to bankruptcy in expectation. Many attacks cannot be made profitable, even when many profitable targets exist. We give several examples of insecure practices which should be exploited by a weakest-link attacker but are extremely difficult to turn into profitable attacks.
Please Continue to Hold: An empirical study on user tolerance of security delays
We present the results of an experiment examining the extent to which individuals will tolerate delays when told that such delays are for security purposes. In our experiment, we asked 800 Amazon Mechanical Turk users to count the total number of times a certain term was repeated in a multipage document. The task was designed to be conducive to cheating. We assigned subjects to eight between-subjects conditions: one of these offered a concrete security reason (virus-scanning) for the delay, another offered only a vague security explanation, while the remaining conditions either offered non-security explanations for the delay or no delay at all—in the case of the control condition. We found that subjects were significantly more likely to cheat or abandon the task when provided with non-security explanations or a vague security explanation for the delay. However, when subjects were provided more explanation about the threat model and the protection ensured by the delay, they were not more likely to cheat than subjects in the control condition who faced no such delay. Our results thus contribute to the nascent literature on soft paternalistic solutions to security and privacy problems by suggesting that, when security mitigations cannot be made “free” for users, designers may incentivize compliant users’ behavior by intentionally drawing attention to the mitigation itself.
Exploration and Field Study of a Browser-based Password Manager using Icon-based Passwords
We carry out a hybrid lab and field study of a password manager program, and report on usability and security. Our study explores iPMAN, a browser-based password manager that in addition uses a graphical password scheme for the master password. We present our findings as a set of observations and insights expected to be of interest both to those exploring password managers and to those exploring graphical passwords. Motivated by our findings, but also of independent interest, we also present a new salt generation method using blind signatures, to protect against offline attacks, decreasing user inconvenience by generating salt significantly faster than earlier work (Halderman et al. 2005).

