On the Usability and Security of Password-Based User Authentication (PowerPoint PPT Presentation)


SLIDE 1

On the Usability and Security of Password-Based User Authentication

Maximilian Golla

Thesis Defense, Bochum, Germany, May 29, 2019

SLIDE 2

Bochum, May 29, 2019 | Thesis Defense ‘19

User Authentication

Competing requirements of security and usability. [1]

Common factors:
  • Knowledge (Password, PIN)
  • Biometrics (Fingerprint, Face)
  • Possession (Security Key)

Reinforced by:
  • 2-Factor Authentication
  • Risk-based Authentication

[Ref. 1] Joseph Bonneau et al.: The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. (SP '12)

SLIDE 3

Passwords Are Not Dead

Primary means of authentication on the Web. [2]

  • Accounts per user: ~24
  • Distinct passwords per user: 6-8

Weak passwords and reused passwords are how users cope with memorability issues.

[Ref. 2] Sarah Pearman et al.: Let's Go in For a Closer Look: Observing Passwords in Their Natural Habitat. (CCS ‘17)

SLIDE 4

Thesis Overview

Areas: Password Recovery, Password Strength, Password Reuse, Password Management; Mobile Authentication, Access Control

Publications (as laid out on the slide): PW 15, NDSS 17, USEC 19; CCS 16; CCS 18, SP 19; CCS 18; USENIX Sec. 18

Workshops: Rate-Limiting, Semantics of Passwords, Strength Meter (USEC 17, USEC 19, CCS 19*)

[*] Under review

SLIDE 5

Today: the same overview as on SLIDE 4, with the parts covered in this talk highlighted.

SLIDE 6

Outline

  • Introduction
  • Strength Meter
  • Reuse Notifications

SLIDE 7

How Users Choose Passwords


  • Well-defined process
  • Misconceptions in mental model
  • Estimating strength not easy

“Adding ‘!’ to the end instantly makes it secure.” [3]

[Ref. 3] Ur et al.: “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab. (SOUPS ‘15)

SLIDE 8

Estimating the Strength of a Password is Tough

Password 1: iloveyou88
Password 2: ieatkale88

Options:
  • A. Password 1 is stronger
  • B. Password 2 is stronger
  • C. They are equally strong

SLIDE 9

Estimating the Strength of a Password is Tough

Password 1: iloveyou88, guess number 1.5 × 10^4
Password 2: ieatkale88, guess number 3.1 × 10^9

The guess number is the position at which a password guesser reaches the password, so Password 2 survives about five orders of magnitude more guesses: B is the right answer, even though the two look alike. [3]

SLIDE 10

Support Users in Choosing Secure Passwords

Strength Meter

SLIDE 11

But They Are Not Always Accurate


SLIDE 12

How to Measure Accuracy?

Feed the same passwords (e.g., 123456) to a reference and to the strength meter under test, then compare the two rankings they produce.

SLIDE 13

LUDS-based meter: scores a password only by its counts of Lowercase, Uppercase, Digits and Symbols.

Example input: Strong Password1

SLIDE 14

Password “Strength”

Reference: guess number. Meter: ???

Meter output form   Example
Text                Weak, Medium, Strong
Colors              Red, Orange, Green
Percentages         42%
Scores              1-5
Time                12 d, 9 h, 47 m
Entropy             82 bits
Guess number        1 018 291 guesses

SLIDE 15

Simulation Dataset

Count       Password
1 044 164   123456
176 120     password
88 076      12345678
78 720      111111
…           …
356         charlie22
356         mickey7
…           …
1           ~!@#!?~!@

SLIDE 16

Simulate Common Errors Observed in Real-World Meters

Starting from the reference meter's output, apply:
  • Monotonic transformations
  • Quantization
  • Disturbances (random sampling)

SLIDE 17

After: Quantized Output

Reference (Count)   Meter (Bin)
63                  40
19                  30
9                   20
3                   20
2                   10
1                   10
…                   …

Bins: Weak, Medium, Good, Strong

SLIDE 18

Result: Compare Ranking


Large-Scale Comparison: 81 implementations
  • Academia
  • Websites
  • Password managers
  • Operating systems
  • Previous work

password-meter-comparison.org

Recommendation:
  • Compare relative ranking only
  • Weight passwords by importance

Use weighted and ranked metrics (e.g., weighted Spearman correlation).

What can we do with this information?
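The following is an added example that ties SLIDES 12 to 18 together; it is not code from the thesis or from password-meter-comparison.org. It uses a constructed sample in the shape of the count/password table above (the counts for iloveyou88, Strong Password1 and ieatkale88 are invented), a frequency-ordered guesser as the reference, a naive LUDS meter as the meter under test, the quantization step from SLIDE 17, and a weighted Spearman correlation in which each password is weighted by how many users chose it. All function names are the example's own.

```python
"""Added example: rank-compare a LUDS-style meter against a frequency reference."""
from math import sqrt
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed sample modelled on the slide's leaked-list table; the three
# counts marked below are invented so the list contains a LUDS-pleasing
# password and the two passwords from the earlier quiz.
SAMPLE_COUNTS: List[Tuple[int, str]] = [
    (1_044_164, "123456"),
    (176_120, "password"),
    (88_076, "12345678"),
    (78_720, "111111"),
    (12_000, "iloveyou88"),        # constructed count
    (900, "Strong Password1"),     # constructed count
    (356, "charlie22"),
    (356, "mickey7"),
    (40, "ieatkale88"),            # constructed count
    (1, "~!@#!?~!@"),
]


def reference_guess_numbers(dataset: Sequence[Tuple[int, str]]) -> Dict[str, int]:
    """Reference meter: an attacker guessing in order of popularity. A password's
    guess number is 1 + the number of strictly more common passwords, so equally
    common passwords (charlie22, mickey7) share a guess number."""
    counts = [c for c, _ in dataset]
    return {pw: 1 + sum(1 for c in counts if c > count) for count, pw in dataset}


def luds_score(pw: str) -> int:
    """Meter under test: points for length plus each character class present
    (Lower, Upper, Digit, Symbol). Popularity is ignored entirely."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # space and punctuation count as symbols
    ])
    return 4 * len(pw) + 10 * classes


def quantize(score: float, cutoffs: Sequence[float] = (40, 60, 80)) -> int:
    """Collapse a score into a bin (0 Weak, 1 Medium, 2 Good, 3 Strong), the
    coarse output real meters show as words or colours."""
    return sum(1 for c in cutoffs if score >= c)


def average_ranks(values: Sequence[float]) -> List[float]:
    """1-based ascending ranks; tied values receive the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def weighted_spearman(x: Sequence[float], y: Sequence[float], w: Sequence[float]) -> float:
    """Spearman correlation between the rankings of x and y, with each item
    weighted by w. Only the ordering matters, so a monotonic rescaling of a
    meter's output (bits, percent, seconds) leaves the result unchanged."""
    rx, ry = average_ranks(x), average_ranks(y)
    sw = sum(w)
    mx = sum(wi * a for wi, a in zip(w, rx)) / sw
    my = sum(wi * b for wi, b in zip(w, ry)) / sw
    cov = sum(wi * (a - mx) * (b - my) for wi, a, b in zip(w, rx, ry))
    vx = sum(wi * (a - mx) ** 2 for wi, a in zip(w, rx))
    vy = sum(wi * (b - my) ** 2 for wi, b in zip(w, ry))
    return cov / sqrt(vx * vy)


def evaluate_meter(dataset: Sequence[Tuple[int, str]], meter: Callable[[str], float],
                   weighted: bool = True) -> float:
    """Correlation between the meter's ordering and the reference guess numbers.
    Weighted by count, misranking 123456 costs far more than misranking '~!@#!?~!@'."""
    ref = reference_guess_numbers(dataset)
    passwords = [pw for _, pw in dataset]
    weights = [float(c) for c, _ in dataset] if weighted else [1.0] * len(dataset)
    return weighted_spearman([ref[pw] for pw in passwords],
                             [meter(pw) for pw in passwords], weights)


if __name__ == "__main__":
    for name, meter in [("LUDS", luds_score),
                        ("LUDS quantized", lambda pw: quantize(luds_score(pw)))]:
        print(f"{name:15s} weighted {evaluate_meter(SAMPLE_COUNTS, meter):+.3f}"
              f"  unweighted {evaluate_meter(SAMPLE_COUNTS, meter, weighted=False):+.3f}")
```

The LUDS meter rates "Strong Password1" above every other entry while the reference places it among the common ones, which is exactly the kind of disagreement a weighted rank correlation exposes; feeding the reference back in as the meter gives a correlation of 1.0, the best any meter can score.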

SLIDE 19


Outline

  • Introduction
  • Strength Meter
  • Reuse Notifications

SLIDE 20

SLIDE 21

Reuse Attacks?

Site A (leaked, SHA-1 hashes, cracked):
  Email               Password
  jenny@gmail.com     Hiking91
  joe@mail.com        R0cky!17
  john@hotmail.com    ILoveBananas!
  ...                 ...

Site B (secure Argon2i hashes):
  Email               Hash
  joe@mail.com        $argon2i$v=19$m=4096,…
  …                   …

1 guess can be enough!

I used “R0cky!17” everywhere!
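An added example of the attack on this slide, written for this page rather than taken from the thesis: the attacker holds Site A's cracked plaintexts and needs exactly one login attempt per overlapping account at Site B. Site B's store is constructed here with PBKDF2 as a stand-in for the Argon2i hash shown above (Argon2 is not in Python's standard library); the slow hash is irrelevant to the outcome, because a correct guess verifies on the first try. The e-mail addresses and passwords are the slide's; jenny's Site B password is invented.

```python
"""Added example: one guess per account is enough when passwords are reused."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Site A leaked unsalted SHA-1 hashes; the attacker has already cracked them.
LEAKED_SITE_A: Dict[str, str] = {
    "jenny@gmail.com": "Hiking91",
    "joe@mail.com": "R0cky!17",
    "john@hotmail.com": "ILoveBananas!",
}

ITERATIONS = 50_000   # PBKDF2 work factor; stand-in for the slide's Argon2i


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Site B's storage format: per-user random salt plus a slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(record: Tuple[bytes, bytes], candidate: str) -> bool:
    """Constant-time comparison against the stored hash."""
    salt, digest = record
    return hmac.compare_digest(hash_password(candidate, salt)[1], digest)


# Site B's user store (constructed): joe reused his Site A password, jenny
# chose a different one, john has no account here.
SITE_B_USERS: Dict[str, Tuple[bytes, bytes]] = {
    "joe@mail.com": hash_password("R0cky!17"),
    "jenny@gmail.com": hash_password("Mountains2019"),
}


def credential_stuffing(leak: Dict[str, str],
                        target: Dict[str, Tuple[bytes, bytes]]) -> Tuple[Dict[str, bool], int]:
    """Try exactly one candidate per account: the password the same e-mail
    address used on the breached site. Returns which accounts fell and how
    many login attempts were spent in total."""
    results: Dict[str, bool] = {}
    attempts = 0
    for email, leaked_password in leak.items():
        if email not in target:
            continue
        attempts += 1
        results[email] = verify_password(target[email], leaked_password)
    return results, attempts


def max_attempts_per_account(leak: Dict[str, str],
                             target: Dict[str, Tuple[bytes, bytes]]) -> int:
    """Per-account lockout counts failures per account. This attack spends one
    attempt per account, so even a threshold of two failed logins never trips."""
    return max((1 for email in leak if email in target), default=0)


if __name__ == "__main__":
    fell, attempts = credential_stuffing(LEAKED_SITE_A, SITE_B_USERS)
    print(f"{attempts} login attempts, compromised: {[e for e, ok in fell.items() if ok]}")
    print("max attempts against any one account:",
          max_attempts_per_account(LEAKED_SITE_A, SITE_B_USERS))
```

Site B did everything right on the storage side; what it cannot control is that joe's password is verifiable with a single attempt, which is why the rest of the talk is about getting users to stop reusing rather than about hashing.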

SLIDE 22

SLIDE 23

“Stolen From Another Site”


SLIDE 24

Study 1: Previously Sent Notifications

Goal: understand feelings, actions, perceptions, effectiveness, delivery method, and legitimacy of notifications users had already received.

MTurk, 15 min, 180 respondents, $2.50

SLIDE 25

Concerning and a priority (83% very high or high)


“You've got e-mail! ... shall I deal with it now?”

SLIDE 26

“Should I worry?”

SLIDE 27

“Something happened and you need to click ‘OK’ to get on with things.” [6]


What may have caused you to receive this notification? [multi-select]
  • 60% Account hacked
  • 21% New device (false alarm)
  • 21% Data breach
  • 19% Reuse

[Ref. 6] Johnathan Nightingale, Firefox software engineer at Mozilla; [Img 1.] Guy Fawkes by Carlotta Rosi, thecirqle.com

SLIDE 28

Call a Spade a Spade!

Notifications that allude to reuse: 48 - 56% of respondents listed reuse as a cause for receiving the notification.
Notifications that don't mention reuse: 0 - 4% of respondents did.

SLIDE 29

Incomplete Mental Models


“The chances of someone guessing that I use the same password are still incredibly low.” (R171)

Current password-reuse notifications do cause concern, but they do not explain the situation: respondents who were not told about reuse rarely recognized it as the cause.

SLIDE 30

Study 2: Components of Notifications

Factors varied in the notification (levels separated by "/", "-" = absent):
  • Delivery medium: Push / In-app / Email
  • Incident: Unrelated / Our / -
  • Account activity: No suspicious / Suspicious / -
  • Remediation: Create new / Recommend
  • Other accounts: Change all / -
  • Extra actions: Enable 2FA + manager / -

MTurk, 588 respondents

SLIDE 31

… Unhealthy Behavior

What would you do about it?
  • 90% Change it
  • 6% Keep it the same
  • 4% Don't know

What would your new password be?
  • 68% Modified password
  • 13% Reused password
  • 11% Use manager/browser
  • 6% Other
  • 2% Completely new

slide-32
SLIDE 32

Bochum, May 29, 2019 | Thesis Defense ‘19

Incomplete Mental Models


“The hack wasn't specific to this company so it doesn't worry me.” (R69)

After seeing a reuse notification, users would change their password, but ineffectively (most would only modify or reuse it), and they have incomplete mental models of the threat.
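The "modified password" answer above is the failure mode a site can actually catch at change time, since the form asks for the current password alongside the new one. The following added example is not from the thesis; it is a server-side check that rejects a new password that is only a cosmetic edit of the current one. The transformation list (trailing digit or symbol bumps, leetspeak, reversal, small edit distance, embedding) is this example's own assumption about what "modified" usually means, and the sample passwords are the ones from SLIDE 21 plus invented variants.

```python
"""Added example: reject a new password that is a trivial edit of the old one."""
import re
from typing import Optional

# Substitutions users apply when "modifying" a password (assumed list).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def core(pw: str) -> str:
    """Strip leading/trailing digits and symbols (where a bumped year or an
    added '!' usually lives), undo leetspeak, lower-case what remains."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    base = stripped if stripped else pw       # all-digit/symbol passwords keep everything
    return base.lower().translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; cheap for password-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def trivial_modification(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return the reason the new password is a trivial variant of the old one,
    or None if it is genuinely different. Both plaintexts are available here
    because the change form asks for the current password."""
    if new == old:
        return "identical to current password"
    if new.lower() == old.lower()[::-1]:
        return "current password reversed"
    if core(new) == core(old):
        return "same core after removing digits/symbols and leetspeak"
    if levenshtein(old.lower(), new.lower()) <= max_edits:
        return f"within {max_edits} edits of current password"
    if len(core(old)) >= 4 and core(old) in core(new):
        return "current password embedded in new one"
    return None


if __name__ == "__main__":
    for candidate in ["R0cky!18", "Rocky!17!", "71!ykc0R", "R0ckyMountains!",
                      "tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate:30s} -> {trivial_modification('R0cky!17', candidate)}")
```

The check only compares against the password the site itself holds; it cannot see the password leaked from another site, which is why the notification still has to tell the user plainly to change the password everywhere it was reused.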

SLIDE 33


Mockup

SLIDE 34


Conclusion

  • Passwords
  • Strength Meter
  • Reuse Notifications