Author
Yimin Guo
Bio: Yimin Guo is an academic researcher from the Chinese Academy of Sciences. The author has contributed to research in topics: Computer science & Authentication. The author has an h-index of 4 and has co-authored 6 publications receiving 51 citations.
Papers
TL;DR: By testing the strong and weak passwords selected by a state-of-the-art password-cracking algorithm, it is observed that the proposed LPSE algorithm is superior to the existing lightweight password-strength estimation algorithms in the accurate identification of strong passwords and weak passwords.
Abstract: User-created strong passwords are the key to guaranteeing the security of password authentication. In practice, users often choose passwords that feel safe and that they can remember easily. However, the user's perception of the strength of passwords is inconsistent with the actual strength of these passwords. To encourage users to create strong passwords, many websites use password meters to visualize the strengths of user-chosen passwords, whereas the existing password meters have limited accuracy. The state-of-the-art password-guessing approaches have high accuracy in testing the strengths of passwords, but these algorithms are not suitable for detecting user password strength directly on the client side, due to the long running time and the data storage problem. In this paper, we propose a lightweight password-strength estimation method (LPSE). By testing the strong and weak passwords selected by a state-of-the-art password-cracking algorithm, we observed that our LPSE algorithm is superior to the existing lightweight password-strength estimation algorithms in the accurate identification of strong passwords and weak passwords. Moreover, the LPSE algorithm requires notably little storage space and is sufficiently fast for client-side measurement of password strength.
39 citations
TL;DR: Optiwords is a new textual-password creation policy that is based on picture superiority effect, which provides users with a direct “drawing-to-text” method for creating user-friendly passwords.
Abstract: User-generated textual passwords suffer from the conflict between security and usability. System administrators usually adopt password composition policies to help users choose strong passwords. However, users often use predictable patterns to meet the strict password composition policies and to make passwords easy to remember, which in turn reduces the password strength, or write the password down, which may cause the password to be compromised. To overcome the user-generated password security and usability dilemma, we propose Optiwords, which is a new textual-password creation policy that is based on the picture superiority effect, which provides users with a direct “drawing-to-text” method for creating user-friendly passwords. Optiwords helps users design separate line drawings on the keyboard as a “password figure” and choose the characters on the lines of the drawings in a certain sequence as the final textual password. A two-part user study with 127 participants was conducted to compare the usability and security of Optiwords with three other popular password policies. The results showed that there was no statistically significant difference between Optiwords and Basic8 or 3class8 in memorability. The password strength of Optiwords outperformed Basic8 and 3class8. Compared with Random8, Optiwords had a great advantage in usability.
23 citations
TL;DR: This work proposes a dynamic personalized password policy (DPPP), which can personally recommend different password policies according to the user’s personality traits, and shows that DPPP is more effective than Basic8 and 3class8 in resisting online and offline guessing attacks.
Abstract: Password composition policies are used to prevent users from picking weak passwords. A website usually provides a unified password policy for each user but ignores the fact that people have a variety of preferences due to individual differences, which makes it difficult to achieve the expected strong password goals. In order to improve the effectiveness of password composition policies, we propose a dynamic personalized password policy (DPPP), which can personally recommend different password policies according to the user’s personality traits. We conduct an online study to evaluate the security and usability of DPPP and the two common password composition policies Basic8 and 3class8. The study results show that DPPP is more effective than Basic8 and 3class8 in resisting online and offline guessing attacks. DPPP is inferior to Basic8 and 3class8 only in creation time, and outperforms 3class8 in creation difficulty, with significant differences.
23 citations
TL;DR: This work proposes an authentication scheme suitable for fog computing environment, which implements mutual authentication between fog users and fog devices with the cooperation of incompletely trusted fog servers, and shows that the proposed scheme can resist known attacks.
Abstract: Fog computing can effectively provide a variety of application support for the fast-growing number of Internet of Things devices. However, the unique characteristics of fog computing also bring new security problems, especially the identity authentication in fog computing will face new challenges: Low latency (cloud servers should not be involved in authentication); fog servers are not completely trusted; robustness (no user reregistration is required when a fog server leaves fog) and lightweight (fog devices have constrained resources). In order to solve these problems faced by identity authentication in fog computing, we propose an authentication scheme suitable for fog computing environment, which implements mutual authentication between fog users and fog devices with the cooperation of incompletely trusted fog servers. Formal security analysis using the extended real-or-random (ROR) model shows that the proposed scheme is provably secure, and informal security analysis shows that the proposed scheme can resist known attacks. Compared with existing schemes, the proposed scheme supports more functionality features. In addition, a comparative analysis of the communication costs and calculation costs of various schemes shows that our scheme is more suitable for application in fog computing environment than the existing schemes.
22 citations
TL;DR: This paper designs a secure remote user authentication scheme, SecFHome, which supports secure communication at the edge of the network and remote authentication in fog-enabled smart home systems.
Abstract: Fog computing is the best solution for IoT applications with low latency and real-time interaction. Fog can endow smart homes with many smart functions and services. One of the most important services is that users can remotely access and control smart devices. Since remote users and smart homes communicate through insecure channels, it is necessary to design a secure and effective remote authentication scheme to guarantee secure communications. The existing authentication schemes designed for smart homes have some security issues and are not suitable for fog-enabled smart home environments. Therefore, this paper designs a secure remote user authentication scheme, SecFHome. It supports secure communication at the edge of the network and remote authentication in fog-enabled smart home systems. Specifically, we present an efficient authentication mode in the fog-enabled environment, which includes the edge negotiation phase and the authentication phase. SecFHome adds updated information to the authenticator, which can verify message synchronization simultaneously with the authentication, thus improving the authentication efficiency. In addition, SecFHome does not store sensitive information of users and smart devices in the memory of the smart gateway, which avoids various attacks caused by a compromised gateway. The formal security proof and informal security analysis show that SecFHome is secure and can resist known attacks. Compared with the related authentication schemes, SecFHome incurs lower communication and computation costs and achieves more security features.
21 citations
Cited by
15 Oct 2018
TL;DR: This work proposes a set of properties that a strength meter needs to fulfill to be considered to have high accuracy, and uses these properties to select a suitable measure that can determine the accuracy of strength meters.
Abstract: Password strength meters are an important tool to help users choose secure passwords. Strength meters can only provide reasonable guidance when they are accurate, i.e., their scores correctly reflect password strength. A strength meter with low accuracy may do more harm than good and guide the user to choose passwords with a high score but low actual security. While a substantial number of different strength meters have been proposed in the literature and deployed in practice, we lack a clear picture of which strength meters provide high accuracy, and thus are most helpful for guiding users. Furthermore, we lack a clear understanding of how to compare the accuracies of strength meters. In this work, (i) we propose a set of properties that a strength meter needs to fulfill to be considered to have high accuracy, (ii) we use these properties to select a suitable measure that can determine the accuracy of strength meters, and (iii) we use the selected measure to compare a wide range of strength meters proposed in the academic literature, provided by password managers, operating systems, and those used on websites. We expect our work to be helpful in the selection of good password strength meters by service operators, and to aid the further development of improved strength meters.
70 citations
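Both the LPSE abstract above (a lightweight meter validated against passwords that a cracking algorithm has labelled strong or weak) and this abstract (choosing a measure for how accurate a meter is) rest on the same evaluation step: take the cracker's guess number as ground truth and ask whether the meter agrees with it. The Python below is an added example of that step; it is not code from either paper or from any meter they evaluate. The guess numbers are constructed, `toy_meter` is a deliberately simple character-class heuristic standing in for a client-side estimator (it is not the LPSE algorithm), and the weak/strong cut-offs are assumptions. It reports, in the sense of the LPSE abstract, how many cracker-weak and cracker-strong passwords the meter identifies, the "more harm than good" case this abstract warns about (cracker-weak passwords the meter rates strong), and a rank correlation between meter score and guess number as one candidate accuracy measure.

```python
"""Scoring a lightweight password meter against a cracker's guess numbers.

Added example; not code from LPSE, from the strength-meter accuracy paper,
or from any other work listed on this page. Guess numbers are constructed,
the meter is a toy heuristic, and every threshold is an assumption.
"""
import math
import re

# Constructed: password -> number of guesses a hypothetical cracker needed.
# A real evaluation takes these from a trained guesser (PCFG, Markov, neural)
# run against a held-out set of leaked passwords.
GUESS_NUMBERS = {
    "123456": 1, "password": 2, "qwerty": 4, "letmein": 50,
    "P@ssw0rd": 1.5e3, "iloveyou1": 3e3, "monkey123": 2e4, "Summer2019": 4e4,
    "Chelsea#1!": 6e5, "blue7dragon": 5e7, "Tr0ub4dor&3": 2e9,
    "correcthorsebattery": 2e12, "gentle-river-9-trumpet": 3e13,
    "xK9#mQ2$vL7p": 1e14,
}

# Assumed cut-offs; the cracker's label is the ground truth the meter is judged against.
WEAK_MAX_GUESSES = 1e6      # falls within an online-attack budget
STRONG_MIN_GUESSES = 1e10   # survives a sizeable offline attack

COMMON_WORDS = {"123456", "password", "qwerty", "letmein", "iloveyou",
                "monkey", "summer"}
LEET = str.maketrans("@0341$", "aoeais")


def toy_meter(pw):
    """Toy client-side meter: character-class entropy plus a dictionary check.
    Stand-in only; not the LPSE algorithm."""
    # Cracker-style normalisation: drop trailing digits, undo leet-speak, lowercase.
    stem = re.sub(r"\d+$", "", pw).translate(LEET).lower()
    if pw.lower() in COMMON_WORDS or stem in COMMON_WORDS or pw.isdigit():
        return 10.0  # a guesser tries these within its first few thousand attempts
    space = 0
    if re.search(r"[a-z]", pw): space += 26
    if re.search(r"[A-Z]", pw): space += 26
    if re.search(r"[0-9]", pw): space += 10
    if re.search(r"[^A-Za-z0-9]", pw): space += 33
    return len(pw) * math.log2(space) if space else 0.0


def label(score, weak_max, strong_min):
    return "weak" if score <= weak_max else "strong" if score >= strong_min else "medium"


def _ranks(values):
    """1-based ranks; tied values share their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks


def spearman(xs, ys):
    """Spearman rank correlation: does the meter order passwords as the cracker does?"""
    rx, ry = _ranks(xs), _ranks(ys)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sx = math.sqrt(sum((a - mx) ** 2 for a in rx))
    sy = math.sqrt(sum((b - my) ** 2 for b in ry))
    return cov / (sx * sy)


def evaluate(meter, guesses, weak_max=28.0, strong_min=60.0):
    """Compare the meter's labels with the cracker's labels (thresholds assumed)."""
    pws = list(guesses)
    truth = [label(guesses[p], WEAK_MAX_GUESSES, STRONG_MIN_GUESSES) for p in pws]
    scores = [meter(p) for p in pws]
    pred = [label(s, weak_max, strong_min) for s in scores]
    agree = lambda cls: sum(1 for t, q in zip(truth, pred) if t == cls and q == cls)
    return {
        # share of cracker-weak passwords the meter also calls weak
        "weak_recall": agree("weak") / truth.count("weak"),
        # share of cracker-strong passwords the meter also calls strong
        "strong_recall": agree("strong") / truth.count("strong"),
        # share of meter-strong passwords that really are strong
        "strong_precision": agree("strong") / pred.count("strong"),
        # the harmful case: the meter rates strong what the cracker guesses quickly
        "overrated": [p for p, t, q in zip(pws, truth, pred) if t == "weak" and q == "strong"],
        "spearman": spearman(scores, [math.log10(g) for g in guesses.values()]),
    }


if __name__ == "__main__":
    for key, value in evaluate(toy_meter, GUESS_NUMBERS).items():
        print(f"{key}: {value}")
```

On the constructed set the toy meter recovers every cracker-strong password but rates `Chelsea#1!` strong although the cracker reaches it in well under a million guesses; that single overrated password is the kind of error a per-class accuracy figure or a rank correlation surfaces and a simple "percentage correct" hides. Swap in a real guesser's guess numbers and the meter under test, and the same three figures give a like-for-like comparison between meters.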
24 Oct 2016
TL;DR: This paper found that people do tend to re-use each password on 1.7-3.4 different websites, they reuse passwords that are more complex, and mostly they tend to use passwords that they have to enter frequently.
Abstract: From email to online banking, passwords are an essential component of modern internet use. Yet, users do not always have good password security practices, leaving their accounts vulnerable to attack. We conducted a study which combines self-report survey responses with measures of actual online behavior gathered from 134 participants over the course of six weeks. We find that people do tend to re-use each password on 1.7-3.4 different websites, they reuse passwords that are more complex, and mostly they tend to re-use passwords that they have to enter frequently. We also investigated whether self-report measures are accurate indicators of actual behavior, finding that though people understand password security, their self-reported intentions have only a weak correlation with reality. These findings suggest that users manage the challenge of having many passwords by choosing a complex password on a website where they have to enter it frequently in order to memorize that password, and then re-using that strong password across other websites.
30 citations
TL;DR: A privacy-preserving node and message authentication scheme, along with a trust model was developed, which met the VANETs' security requirements and had a lower communication and computation overhead, compared to the other related works.
Abstract: Security and privacy are the most important concerns related to vehicular ad hoc network (VANET), as it is an open-access and self-organized network. The presence of ‘selfish’ nodes distributed in the network are taken into account as an important challenge and as a security threat in VANET. A selfish node is a legitimate vehicle node which tries to achieve the most benefit from the network by broadcasting wrong information. An efficient and proper security model can be useful to tackle advances from attackers, as well as selfish nodes. In this study, a privacy-preserving node and message authentication scheme, along with a trust model was developed. The proposed node authentication ensures the legitimacy of the vehicle nodes, whereas the message authentication was developed to ensure the message's integrity. To deal with selfish nodes, an experience-based trust model was also designed. Additionally, to fulfill the privacy-preserving aspect, the mapping of each vehicle was performed using a different pseudo-identity. In this paper, fog nodes instead of road-side units (RSUs), were distributed along the roadside. This was mainly because of the fact that fog computing reduces latency, and results in increased throughput. Security analysis indicated that our scheme met the VANETs' security requirements. In addition, the performance analysis showed that the proposed scheme had a lower communication and computation overhead, compared to the other related works. Monte-Carlo simulation results were applied to estimate the false-positive rates (FPR), which also proved the validity of the proposed security scheme.
25 citations