The password thicket: technical and market failures in human authentication on the web (2010)

by J Bonneau, S Preibusch
Venue: In proceedings of WEIS

Citing documents, sorted by citation count: results 1 - 10 of 37

The quest to replace passwords: A framework for comparative evaluation of web authentication schemes

by Joseph Bonneau, Cormac Herley, Paul C. Van Oorschot, Frank Stajano
Cited by 88 (13 self)

Abstract—We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.

Keywords: authentication; computer security; human computer interaction; security and usability; deployability; economics; software engineering.

Citation Context

...scheme, with respect to the corresponding problem. When rating password-related schemes we assume that implementers use best practice such as salting and hashing (even though we know they often don’t [13]), because we assess what the scheme’s design can potentially offer: a poor implementation could otherwise kill any scheme. On the other hand, we assume that ordinary users won’t necessarily follow th...

The science of guessing: analyzing an anonymized corpus of 70 million passwords

by Joseph Bonneau - IEEE Symp. Security and Privacy , 2012
Cited by 86 (9 self)

Abstract—We report on the largest corpus of user-chosen passwords ever studied, consisting of anonymized password histograms representing almost 70 million Yahoo! users, mitigating privacy concerns while enabling analysis of dozens of subpopulations based on demographic factors and site usage characteristics. This large data set motivates a thorough statistical treatment of estimating guessing difficulty by sampling from a secret distribution. In place of previously used metrics such as Shannon entropy and guessing entropy, which cannot be estimated with any realistically sized sample, we develop partial guessing metrics including a new variant of guesswork parameterized by an attacker’s desired success rate. Our new metric is comparatively easy to approximate and directly relevant for security engineering. By comparing password distributions with a uniform distribution which would provide equivalent security against different forms of guessing attack, we estimate that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack. We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution. Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to population-specific lists.

Keywords: computer security; authentication; statistics; information theory; data mining.

Citation Context

...guessing limits imposed by the system. There is no standard for β, with 10 guesses recommended by usability studies [35], 3 by FIPS guidelines [20], and a variety of values (often ∞) seen in practice [36]. Sophisticated rate-limiting schemes may allow a probabilistic number of guesses [37]. We consider λ̃₁₀ a reasonable benchmark for resistance to online guessing, though λ̃₁ = H∞ is a conservative c...

A research agenda acknowledging the persistence of passwords

by Cormac Herley, Paul C. Van Oorschot - IEEE Security & Privacy , 2012
Cited by 47 (7 self)

Despite countless attempts and near-universal desire to replace them, passwords are more widely used and firmly entrenched than ever. Our exploration of this leads us to argue that no silver bullet will meet all requirements, and not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use. Among broad authentication research directions to follow, we first suggest better means to concretely identify actual requirements (surprisingly overlooked to date) and weight their relative importance in target scenarios; this will support approaches aiming to identify best-fit mechanisms in light of requirements. Second, for scenarios where indeed passwords appear to be the best-fit solution, we suggest designing better means to support passwords themselves. We highlight the need for more systematic research, and how the premature conclusion that passwords are dead has led to the neglect of important research questions.

Citation Context

...ng more than a simple browser. Sophisticated users can protect themselves from many of the threats. Deploying a functioning password system is relatively simple (although deployment errors are common [2]). Arguably, the Internet could not have grown to its current size and influence without them. Some nonprofit sites, such as Wikipedia and Craigslist, have tens of millions of users. Facebook grew fro...

Pico: No more passwords

by Frank Stajano - in Proc. Sec. Protocols Workshop 2011, ser. LNCS
Cited by 19 (6 self)

Abstract. From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different, regularly changed and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can’t abandon passwords until we come up with an alternative method of user authentication that is both usable and secure. We present an alternative design based on a hardware token called Pico that relieves the user from having to remember passwords and PINs. Unlike most alternatives, Pico doesn’t merely address the case of web passwords: it also applies to all the other contexts in which users must at present remember passwords, passphrases and PINs. Besides relieving the user from memorization efforts, the Pico solution scales to thousands of credentials, provides “continuous authentication” and is resistant to brute force guessing, dictionary attacks, phishing and keylogging.

1 Why users are right to be fed up

Remembering an unguessable and un-brute-force-able password was a manageable task twenty or thirty years ago, when each of us had to use only one or two. Since then, though, two trends in computing have made this endeavour much harder. First, computing power has grown by several orders of magnitude: once upon a time, eight characters were considered safe from brute force [1]; nowadays, passwords that are truly safe from brute force and from advanced guessing attacks [2] typically exceed the ability of ordinary users to remember them [3][4]. Second, and most important, the number of computer-based services with which

(Footnote:) It’s OK to skip all these gazillions of footnotes.

Citation Context

...d counterproductive excuse for not adequately protecting the hashed password file. [5] There is no connection between our “apps” and smartphone applications. [6] As also observed by Bonneau and Preibusch [4], this situation is what economists call a tragedy of the commons: “What harm could my site cause by requesting a password, since everyone else’s also does?” And yet, since everyone does, the burden c...

The tangled web of password reuse

by Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, Xiaofeng Wang - Symposium on Network and Distributed System Security (NDSS), 2014

Cited by 19 (1 self)

Abstract. Today's Internet services rely heavily on text-based passwords for user authentication. The pervasiveness of these services coupled with the difficulty of remembering large numbers of secure passwords tempts users to reuse passwords at multiple sites. In this paper, we investigate for the first time how an attacker can leverage a known password from one site to more easily guess that user's password at other sites. We study several hundred thousand leaked passwords from eleven web sites and conduct a user survey on password reuse; we estimate that 43-51% of users reuse the same password across multiple sites. We further identify a few simple tricks users often employ to transform a basic password between sites which can be used by an attacker to make password guessing vastly easier. We develop the first cross-site password-guessing algorithm, which is able to guess 30% of transformed passwords within 100 attempts compared to just 14% for a standard password-guessing algorithm without cross-site password knowledge.

Citation Context

..., [41], [44]. These studies have shown that users do tend to create stronger passwords in the presence of password composition policies accompanied with password meters. Interestingly, Bonneau et al. [24] showed that most websites do have some password policy, but provide no strength meter. There have also been studies that analyze password attack strategies beyond brute force and dictionary attacks. ...

Honeywords: Making Password-Cracking Detectable

by Ari Juels, Ronald L. Rivest , 2013
Cited by 18 (1 self)

Version 2.0

We suggest a simple method for improving the security of hashed passwords: the maintenance of additional “honeywords” (false passwords) associated with each user’s account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the “honeychecker”) can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.

Citation Context

...make use of salt [29]. While the reason for this lapse is unclear, we emphasize that honeywords may be used with or without salt (and even in principle with or without hashing). Bonneau and Preibusch [9] offer an excellent survey of current password management practices on popular web sites, including password composition requirements and advice to users, account lockout policies, and update and reco...

The Benefits of Understanding Passwords

by Markus Jakobsson, Mayank Dhiman
Cited by 8 (0 self)

We study passwords from the perspective of how they are generated, with the goal of better understanding how to distinguish good passwords from bad ones. Based on reviews of large quantities of passwords, we argue that users produce passwords using a small set of rules and types of components, both of which we describe herein. We build a parser of passwords, and show how this can be used to gain a better understanding of passwords, as well as to block weak passwords.

Citation Context

...ngent new password requirements for user accounts [18]. While users were initially annoyed by the new requirements, most felt remembering more complicated passwords was worthwhile to improve security [3]. One of the important reasons for understanding how passwords are generated is to produce better password strength checkers, allowing these to block or flag passwords that are insufficiently secure. ...

Linguistic properties of multi-word passphrases

by Joseph Bonneau, Ekaterina Shutova - Workshop on Usable Security (USEC), 2012

Cited by 8 (2 self)

We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon’s registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases for which we see rapidly diminishing returns.

Citation Context

...rity and extremely low implementation costs are believed to be key reasons for their persistence [9], particularly given failures in the market for web authentication which discourage radical changes [4]. Given these constraints, multi-word passphrases may be a promising improvement, as they require few implementation changes and offer a similar user experience. Requiring multiple words in a password...

An administrator’s guide to internet password research

by Dinei Florêncio, Cormac Herley, Paul C Van Oorschot - 28th USENIX conference on Large Installation System Administration (LISA’14)

Cited by 7 (3 self)

Abstract. The research literature on passwords is rich but little of it directly aids those charged with securing web-facing services or setting policies. With a view to improving this situation we examine questions of implementation choices, policy and administration using a combination of literature survey and first-principles reasoning to identify what works, what does not work, and what remains unknown. Some of our results are surprising. We find that offline attacks, the justification for great demands of user effort, occur in much more limited circumstances than is generally believed (and in only a minority of recently-reported breaches). We find that an enormous gap exists between the effort needed to withstand online and offline attacks, with probable safety occurring when a password can survive 10^6 and 10^14 guesses respectively. In this gap, eight orders of magnitude wide, there is little return on user effort: exceeding the online threshold but falling short of the offline one represents wasted effort. We find that guessing resistance above the online threshold is also wasted at sites that store passwords in plaintext or reversibly encrypted: there is no attack scenario where the extra effort protects the account.

Citation Context

...address usernames to later contact users for marketing-related purposes. Thus views on account and password importance may differ between users and systems administrators or site operators (e.g., see [10]).[1] Criteria for categorizing accounts: A first attempt to [Footnote 1: Realistic systems administrators might self-categorize their site, asking: Do users see me as a “bugmenot.com” site? (cf. Table 1)] categoriz...

Password portfolios and the finite-effort user: Sustainably managing large numbers of accounts

by Cormac Herley, Paul C. Van Oorschot - In Proc. USENIX Security , 2014
Cited by 6 (2 self)

Abstract. We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that approaches justified by loss-minimization alone, and those that ignore important attack vectors (e.g., vectors exploiting re-use), are amenable to analysis but unrealistic. In contrast, we propose, model and analyze portfolio management under a realistic attack suite, with an objective function costing both loss and user effort. Our findings directly challenge accepted wisdom and conventional advice. We find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal. We give an optimal solution for how to group accounts for re-use, and model-based principles for portfolio management.

Citation Context

... et al. [25]). The need for re-use is exacerbated by large numbers of passwords consuming user’s memory capacity [3]. In scarce empirical work on implications of password reuse, Bonneau and Preibusch [9] analyze password implementations across 150 free websites, explaining technical means by which password re-use allows low-security sites—often unmotivated to spend effort or user experience securing ...

Developed at and hosted by The College of Information Sciences and Technology

© 2007-2019 The Pennsylvania State University