Results 1 - 5 of 5
Reducing Shoulder-surfing by Using Gaze-based Password Entry
Abstract - Cited by 18 (0 self)
Shoulder-surfing – using direct observation techniques, such as looking over someone's shoulder, to get passwords, PINs and other sensitive personal information – is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user’s password credentials. We present EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input. With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional methods.
Robust Techniques for Evaluating Biometric Cryptographic Key Generators
2008
Abstract - Cited by 1 (1 self)
Humans are unable to generate and remember strong secrets, and thus have difficulty managing cryptographic keys. To address this problem, numerous proposals have been suggested to enable people to reliably generate high-entropy cryptographic keys from measurements of their physiology or behavior. Typically, evaluators argue that these Biometric Cryptographic Key Generators (BKGs) achieve some notion of security, for example, that the biometric input resists forgery, or that the keys have high entropy. Unfortunately, despite these arguments, many BKGs succumb to attacks in practice. The goal of this work is to understand why typical security arguments fail to identify practical attacks. We revisit the security requirements of BKGs and show that common arguments overlook practical subtleties. We provide examples of such oversights by examining three general classes of adversaries. First, we study the impact of humans who can replicate other users' biometrics with high accuracy, and demonstrate why typical evaluation techniques fail to identify these forgers. Second, we explore Generative techniques that combine information about a target user with population statistics to create forgeries. We show that these forgeries can subvert BKGs with high likelihood. Third, we propose an
Information Security Applications of Natural Language Processing Techniques
2007
Abstract
In this thesis we investigate applications of natural language processing (NLP) techniques to information security problems. We present our results in this direction for two important areas: password authentication, and information hiding in natural language text. We have limited this thesis to the realm of language engineering, i.e., our emphasis is on adapting the existing NLP techniques for our purposes, rather than in developing new NLP techniques. Our password mnemonics system helps users to remember random passwords, hence making it possible to implement organizational policies that mandate strong password choices by users. Moreover, in our system password changes do not necessitate a new mnemonic, thereby further easing the users’ task of memorizing their respective mnemonics. Our robust natural language text watermarking system can avoid the removal of the watermark text by an automated adversary, in the same way used by authentication systems to avoid an automated adversary’s compromise of the password string hidden within the password mnemonic. We have also laid the groundwork for followup research in this area.
Media Informatics Group
Abstract
Authentication systems for public terminals – and thus public spaces – have to be fast, easy and secure. Security is of utmost importance since the public setting allows manifold attacks from simple shoulder surfing to advanced manipulations of the terminals. In this work, we present EyePassShapes, an eye tracking authentication method that has been designed to meet these requirements. Instead of using standard eye tracking input methods that require precise and expensive eye trackers, EyePassShapes uses eye gestures. This input method works well with data about the relative eye movement, which is much easier to detect than the precise position of the user’s gaze and works with cheaper hardware. Different evaluations on technical aspects, usability, security and memorability show that EyePassShapes can significantly increase security while being easy to use and fast at the same time.
Security of Biometric Authentication Systems – Extended Version
2010
Abstract
is permitted for educational or research use on condition that this copyright notice is included in any copy. Publications in the FI MU Report Series are in general accessible via WWW:

