
Showing papers on "Password" published in 2010


09 Aug 2010
TL;DR: This paper examines the feasibility of smudge attacks on touch screens for smartphones, focuses on the Android password pattern, and provides a preliminary analysis of applying the information learned in a smudge attack to guessing an Android password pattern.
Abstract: Touch screens are an increasingly common feature on personal computing devices, especially smartphones, where size and user interface advantages accrue from consolidating multiple hardware components (keyboard, number pad, etc.) into a single software definable user interface. Oily residues, or smudges, on the touch screen surface, are one side effect of touches from which frequently used patterns such as a graphical password might be inferred. In this paper we examine the feasibility of such smudge attacks on touch screens for smartphones, and focus our analysis on the Android password pattern. We first investigate the conditions (e.g., lighting and camera orientation) under which smudges are easily extracted. In the vast majority of settings, partial or complete patterns are easily retrieved. We also emulate usage situations that interfere with pattern identification, and show that pattern smudges continue to be recognizable. Finally, we provide a preliminary analysis of applying the information learned in a smudge attack to guessing an Android password pattern.

674 citations


Journal ArticleDOI
TL;DR: An efficient biometric-based remote user authentication scheme using smart cards, in which the computation cost is relatively low compared with other related schemes and the security is based on the one-way hash function, biometrics verification and smart card.

493 citations


Proceedings ArticleDOI
04 Oct 2010
TL;DR: This paper attempts to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies, by modeling the success rate of current password cracking techniques against real user passwords.
Abstract: In this paper we attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition we examine what these results mean for standard password creation policies, such as minimum password length, and character set requirements.

423 citations


Proceedings ArticleDOI
10 Apr 2010
TL;DR: A study which re-examined password policies and password practice in the workplace today finds that users are in general concerned to maintain security, but existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate.
Abstract: HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today. 32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use. We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation. We conclude that, rather than focussing password policies on maximizing password strength and enforcing frequency alone, policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use.

366 citations


Proceedings ArticleDOI
14 Jul 2010
TL;DR: An entropy analysis is performed and it is shown that, although most of the users were annoyed by the need to create a complex password, they believe that they are now more secure and can be helpful in designing better password policies.
Abstract: Text-based passwords are still the most commonly used authentication mechanism in information systems. We took advantage of a unique opportunity presented by a significant change in the Carnegie Mellon University (CMU) computing services password policy that required users to change their passwords. Through our survey of 470 CMU computer users, we collected data about behaviors and practices related to the use and creation of passwords. We also captured users' opinions about the new, stronger policy requirements. Our analysis shows that, although most of the users were annoyed by the need to create a complex password, they believe that they are now more secure. Furthermore, we perform an entropy analysis and discuss how our findings relate to NIST recommendations for creating a password policy. We also examine how users answer specific questions related to their passwords. Our results can be helpful in designing better password policies that consider not only technical aspects of specific policy rules, but also users' behavior in response to those rules.

355 citations


01 Apr 2010
TL;DR: OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user) and a process for end-users to authorize third-party access to their server resources without sharing their credentials, using user-agent redirections.
Abstract: OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections. This document is not an Internet Standards Track specification; it is published for informational purposes.

285 citations


Proceedings ArticleDOI
14 Mar 2010
TL;DR: It is found that a "diminishing returns" principle applies: in the absence of an enforced password strength policy, weak passwords are common; on the other hand, as the attack goes on, the probability that a guess will succeed decreases by orders of magnitude.
Abstract: It is a well known fact that user-chosen passwords are somewhat predictable: by using tools such as dictionaries or probabilistic models, attackers and password recovery tools can drastically reduce the number of attempts needed to guess a password. Quite surprisingly, however, existing literature does not provide a satisfying answer to the following question: given a number of guesses, what is the probability that a state-of-the-art attacker will be able to break a password? To answer the former question, we compare and evaluate the effectiveness of currently known attacks using various datasets of known passwords. We find that a "diminishing returns" principle applies: in the absence of an enforced password strength policy, weak passwords are common; on the other hand, as the attack goes on, the probability that a guess will succeed decreases by orders of magnitude. Even extremely powerful attackers won't be able to guess a substantial percentage of the passwords. The result of this work will help in evaluating the security of authentication means based on user-chosen passwords, and our methodology for estimating password strength can be used as a basis for creating more effective proactive password checkers for users and security auditing tools for administrators.

283 citations


Book ChapterDOI
25 Oct 2010
TL;DR: This work presents implicit authentication - authenticating users based on behavior patterns - describes the model for performing implicit authentication, and assesses the techniques using more than two weeks of collected data from over 50 subjects.
Abstract: Users are increasingly dependent on mobile devices. However, current authentication methods like password entry are significantly more frustrating and difficult to perform on these devices, leading users to create and reuse shorter passwords and pins, or no authentication at all. We present implicit authentication - authenticating users based on behavior patterns. We describe our model for performing implicit authentication and assess our techniques using more than two weeks of collected data from over 50 subjects.

265 citations


Journal ArticleDOI
TL;DR: A new framework for continuous user authentication that primarily uses soft biometric traits (e.g., color of user's clothing and facial skin) is proposed; it automatically registers (enrolls) soft biometric traits every time the user logs in and fuses soft biometric matching with the conventional authentication schemes, namely password and face biometric.
Abstract: Most existing computer and network systems authenticate a user only at the initial login session. This could be a critical security weakness, especially for high-security systems because it enables an impostor to access the system resources until the initial user logs out. This situation is encountered when the logged in user takes a short break without logging out or an impostor coerces the valid user to allow access to the system. To address this security flaw, we propose a continuous authentication scheme that continuously monitors and authenticates the logged in user. Previous methods for continuous authentication primarily used hard biometric traits, specifically fingerprint and face to continuously authenticate the initial logged in user. However, the use of these biometric traits is not only inconvenient to the user, but is also not always feasible due to the user's posture in front of the sensor. To mitigate this problem, we propose a new framework for continuous user authentication that primarily uses soft biometric traits (e.g., color of user's clothing and facial skin). The proposed framework automatically registers (enrolls) soft biometric traits every time the user logs in and fuses soft biometric matching with the conventional authentication schemes, namely password and face biometric. The proposed scheme has high tolerance to the user's posture in front of the computer system. Experimental results show the effectiveness of the proposed method for continuous user authentication.

229 citations


Patent
08 Mar 2010
TL;DR: In this article, the authors present an authorization and authentication system utilizing a mobile communication device, which enables a trusted server, in conjunction with a user controlled mobile device (which has been registered with the trusted site), to authorize a transaction carried out at a transaction management system.
Abstract: An authorization and authentication system utilizing a mobile communication device. The authentication and authorization system enables a trusted server, in conjunction with a user controlled mobile communication device (which has been registered with the trusted site), to authorize a transaction carried out at a transaction management system. An identity of the user is authenticated by a verification that the user is in possession of the mobile communication device. In this way, the transaction management system is able to effectuate an authorized transaction with confidence that the authorization was from the user and not a third party. In variations, the authentication is a multi-factor authentication, i.e., the user must both possess the mobile communication device and information, e.g., a password.

221 citations


01 Jan 2010
TL;DR: The first large-scale empirical analysis of password implementations deployed on the Internet, including 150 websites which offer free user accounts for a variety of purposes, finds a surprising number of inconsistent choices within individual sites, suggesting that the lack of a standard is harming security.
Abstract: We report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Our study included 150 websites which offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although all sites evaluated relied on user-chosen textual passwords for authentication, we found many subtle but important technical variations in implementation with important security implications. Many poor practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks. While a spectrum of implementation quality exists with a general correlation between implementation choices within more-secure and less-secure websites, we find a surprising number of inconsistent choices within individual sites, suggesting that the lack of a standard is harming security. We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established tendency of users to re-use passwords. Our data confirms that the worst security practices are indeed found at sites with few security incentives, such as newspaper websites, while sites storing more sensitive information such as payment details or user communication implement more password security. From an economic viewpoint, password insecurity is a negative externality that the market has been unable to correct, undermining the viability of password-based authentication. We also speculate that some sites deploying passwords do so primarily for psychological reasons, both as a justification for collecting marketing data and as a way to build trusted relationships with customers. This theory suggests that efforts to replace passwords with more secure protocols or federated identity systems may fail because they don't recreate the entrenched ritual of password authentication.
WEIS 2010 The Ninth Workshop on the Economics of Information Security

Proceedings ArticleDOI
04 Oct 2010
TL;DR: This paper develops a framework by which an attacker can search for a user's new password from an old one, and designs an efficient algorithm to build an approximately optimal search strategy, which is used to measure the difficulty of breaking newly chosen passwords from old ones.
Abstract: This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account's password. Using a dataset of over 7700 accounts, we assess the extent to which passwords that users choose to replace expired ones pose an obstacle to the attacker's continued access. We develop a framework by which an attacker can search for a user's new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy. We then use this strategy to measure the difficulty of breaking newly chosen passwords from old ones. We believe our study calls into question the merit of continuing the practice of password expiration.

Proceedings ArticleDOI
10 Apr 2010
TL;DR: This paper introduces and evaluates a number of novel tabletop authentication schemes that exploit the features of multi-touch interaction in order to inhibit shoulder surfing, and stands out as significantly enhancing shoulder surfing resistance when participants used it to enter both PINs and graphical passwords.
Abstract: The introduction of tabletop interfaces has given rise to the need for the development of secure and usable authentication techniques that are appropriate for the co-located collaborative settings for which they have been designed. Most commonly, user authentication is based on something you know, but this is a particular problem for tabletop interfaces, as they are particularly vulnerable to shoulder surfing given their remit to foster co-located collaboration. In other words, tabletop users would typically authenticate in full view of a number of observers. In this paper, we introduce and evaluate a number of novel tabletop authentication schemes that exploit the features of multi-touch interaction in order to inhibit shoulder surfing. In our pilot work with users, and in our formal user-evaluation, one authentication scheme - Pressure-Grid - stood out, significantly enhancing shoulder surfing resistance when participants used it to enter both PINs and graphical passwords.

Proceedings ArticleDOI
10 Apr 2010
TL;DR: Cued Gaze-Points is presented as a shoulder-surfing resistant cued-recall graphical password scheme where users gaze instead of mouse-click, and its usability is potentially acceptable, warranting further refinement and study.
Abstract: We present Cued Gaze-Points (CGP) as a shoulder-surfing resistant cued-recall graphical password scheme where users gaze instead of mouse-click. This approach has several advantages over similar eye-gaze systems, including a larger password space and its cued-recall nature that can help users remember multiple distinct passwords. Our 45-participant lab study is the first evaluation of gaze-based password entry via user-selected points on images. CGP's usability is potentially acceptable, warranting further refinement and study.

Proceedings Article
10 Aug 2010
TL;DR: This work creates an oracle to identify undesirably popular passwords using an existing data structure known as a count-min sketch, which is populated with existing users' passwords and updated with each new user password.
Abstract: We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want--so long as it's not already too popular with other users. We create an oracle to identify undesirably popular passwords using an existing data structure known as a count-min sketch, which we populate with existing users' passwords and update with each new user password. Unlike most applications of probabilistic data structures, which seek to achieve only a maximum acceptable rate of false positives, we set a minimum acceptable false-positive rate to confound attackers who might query the oracle or even obtain a copy of it.

Journal ArticleDOI
TL;DR: This study examined five password-management behaviours to answer questions about user knowledge of password quality, motivation behind password selection and the effect of account type to find a time frame effect only for more important (online banking) accounts.
Abstract: Despite technological advances, humans remain the weakest link in Internet security. In this study, we examined five password-management behaviours to answer questions about user knowledge of password quality, motivation behind password selection and the effect of account type on password-management behaviour. First, we found that users know what constitutes a good/bad password and know which common password-management practices are (in)appropriate. Second, users are motivated to engage in these bad password-management behaviours because they do not see any immediate negative consequences to themselves (negative externalities) and because of the convenience-security tradeoff. Applying Construal Level Theory, we found that this tradeoff can be positively influenced by imposing a time frame factor, i.e. whether the password change will take place immediately (which results in weaker passwords) or in the future (which results in stronger passwords). Third, we found a time frame effect only for more important (online banking) accounts.

Proceedings ArticleDOI
14 Jul 2010
TL;DR: A novel yet simple solution to the intersection attack that permits greater variability in login challenges; detailed analysis of the shoulder surfing threat that considers both simulated and human testing; and a first look at image processing techniques to contribute towards automated photograph filtering are produced.
Abstract: Graphical password systems based on the recognition of photographs are candidates to alleviate current over-reliance on alphanumeric passwords and PINs. However, despite being based on a simple concept -- and user evaluations consistently reporting impressive memory retention -- only one commercial example exists and overall take-up is low. Barriers to uptake include a perceived vulnerability to observation attacks; issues regarding deployability; and the impact of innocuous design decisions on security not being formalized. Our contribution is to dissect each of these issues in the context of mobile devices -- a particularly suitable application domain due to their increasing significance, and high potential to attract unauthorized access. This produces: 1) A novel yet simple solution to the intersection attack that permits greater variability in login challenges; 2) Detailed analysis of the shoulder surfing threat that considers both simulated and human testing; 3) A first look at image processing techniques to contribute towards automated photograph filtering. We operationalize our observations and gather data in a field context where decentralized mechanisms of varying entropy were installed on the personal devices of participants. Across two working weeks success rates collected from users of a high entropy version were similar to those of a low entropy version at 77%, and login durations decreased significantly across the study.

Proceedings ArticleDOI
22 Jan 2010
TL;DR: The design, implementation and evaluation of a PIN entry system based on audio or haptic cues that is suitable for integration into physical systems, ultimately incorporating mobile, ubiquitous or tangible interfaces are described.
Abstract: Tangible user interfaces are portals to digital information. In the future, securing access to such material will be an important concern. This paper describes the design, implementation and evaluation of a PIN entry system based on audio or haptic cues that is suitable for integration into such physical systems. The current implementation links movements on a mobile phone touch screen with the display of non-visual cues; selection of a sequence of these cues composes a password. Studies reveal the validity of this approach in terms of task times and error rates that improve over prior art. In sum, this paper demonstrates the potential of non-visual PINs as a mechanism for securing access to a range of systems, ultimately incorporating mobile, ubiquitous or tangible interfaces.

Book ChapterDOI
20 Sep 2010
TL;DR: Kamouflage as discussed by the authors is a new architecture for building theft-resistant password managers, which is well suited to become a standard architecture for password managers on mobile devices and is implemented as a replacement for the built-in Firefox password manager.
Abstract: We introduce Kamouflage: a new architecture for building theft-resistant password managers. An attacker who steals a laptop or cell phone with a Kamouflage-based password manager is forced to carry out a considerable amount of online work before obtaining any user credentials. We implemented our proposal as a replacement for the built-in Firefox password manager, and provide performance measurements and the results from experiments with large real-world password sets to evaluate the feasibility and effectiveness of our approach. Kamouflage is well suited to become a standard architecture for password managers on mobile devices.

Journal ArticleDOI
TL;DR: The results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, require serious consideration when deploying basic PassPoints-style graphical passwords.
Abstract: We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., five points all along a line). Some of our methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention, yielding significantly better automated attacks than previous work. One resulting automated attack finds 7%-16% of passwords for two representative images using dictionaries of approximately 2^26 entries (where the full password space is 2^43). Relaxing click-order patterns substantially increased the attack efficacy albeit with larger dictionaries of approximately 2^35 entries, allowing attacks that guessed 48%-54% of passwords (compared to previous results of 1% and 9% on the same dataset for two images with 2^35 guesses). These latter attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, require serious consideration when deploying basic PassPoints-style graphical passwords.

Patent
15 Jul 2010
TL;DR: In this article, a financial transaction system consisting of a server and at least one automated teller machine (ATM) is described, in which the ATM receives an OTP from the user and sends the received OTP to the server for verification.
Abstract: A financial transaction system is provided. The financial transaction system includes a server and at least one automated teller machine (ATM). In response to a request from a user, the server issues a one-time password (OTP) to the user's mobile device. The ATM receives an OTP from the user and sends the received OTP to the server for verification, in order to perform a financial transaction operation.

Proceedings ArticleDOI
29 Nov 2010
TL;DR: An improved two-factor user authentication that is resilient to stolen smart card attacks as well as other common types of attacks is proposed that is proven more robust and provides better security.
Abstract: Wireless sensor networks (WSNs) are considered due to their ubiquitous nature, ease of deployment, and wide range of possible applications. WSNs can be deployed in unattended environments, where a registered user can log in to the network and access data collected by the linked sensors. Authenticating users in resource constrained environments is one of the major security concerns. Since sensor nodes have limited resources and computation power, it is desirable that the authentication protocol is simple and efficient. In 2009, M. L. Das proposed a two-factor authentication for WSNs, where a user has to prove possession of both a password and a smart card. Since his scheme utilizes only a cryptographic one-way hash function and the exclusive-OR operation, it is well-suited for resource constrained environments. However, Khan and Algahathbar pointed out that Das's scheme has some flaws and is vulnerable to various attacks and proposed an alternative solution. In this paper, we show that both Das's and Khan-Algahathbar's schemes have flaws and remain vulnerable to various attacks including stolen smart card attacks. To overcome the security weaknesses of both schemes, we propose an improved two-factor user authentication that is resilient to stolen smart card attacks as well as other common types of attacks. We provide a security evaluation of the proposed protocol showing its robustness to various attacks and analyze the scheme's performance to determine its efficiency. Compared to the previous schemes, it is proven more robust and provides better security.

Proceedings ArticleDOI
06 Dec 2010
TL;DR: A technique which makes it possible to decide if a program conforms to a quantitative policy which scales to large state-spaces with the help of bounded model checking is introduced, and is the first demonstration of quantitative information flow addressing security concerns of real-world industrial programs.
Abstract: Leakage of confidential information represents a serious security risk. Despite a number of novel, theoretical advances, it has been unclear if and how quantitative approaches to measuring leakage of confidential information could be applied to substantial, real-world programs. This is mostly due to the high complexity of computing precise leakage quantities. In this paper, we introduce a technique which makes it possible to decide if a program conforms to a quantitative policy which scales to large state-spaces with the help of bounded model checking. Our technique is applied to a number of officially reported information leak vulnerabilities in the Linux Kernel. Additionally, we also analysed authentication routines in the Secure Remote Password suite and of an Internet Message Support Protocol implementation. Our technique shows when there is unacceptable leakage; the same technique is also used to verify, for the first time, that the applied software patches indeed plug the information leaks. This is the first demonstration of quantitative information flow addressing security concerns of real-world industrial programs.

Journal ArticleDOI
TL;DR: This research compared three different eBanking authentication processes, a two-layer password (1-factor) method and two alternative 2-factor solutions to offer insight into customer attitudes important in their selection of authentication options: convenience, personal ownership and habitual experience of processes.

Patent
Zhibang Zhang, Dianbin Lian
25 Nov 2010
TL;DR: In this paper, a method for remote payment based on a mobile terminal was proposed, which includes an authentication server asking a mobile terminal for a digital certificate, the mobile terminal transmitting a certificate reading instruction to the built-in smart card, and, after the smart card exports the stored digital certificate, the mobile terminal reporting the signature result to the authentication server.
Abstract: The present invention discloses a method for remote payment based on a mobile terminal. The method includes: an authentication server asking a mobile terminal for a digital certificate, the mobile terminal transmitting a certificate reading instruction to the built-in smart card, and after the smart card exports the stored digital certificate, the mobile terminal transmitting it to the authentication server for certificate registration, and the authentication server sending a signature instruction to the mobile terminal, the mobile terminal transmitting a private key signature instruction to the built-in smart card, the smart card sending out the signature result and the mobile terminal reporting the signature result to the authentication server. The present invention also discloses a system for remote payment based on a mobile terminal, a mobile terminal and a smart card. The present invention not only breaks through the short-distance limitation of mobile phone payment, but also has more security and privacy than the manner of transmitting the personal ID and password by using short message and WAP.

Journal ArticleDOI
TL;DR: The QR-code technique can be introduced into the one-time password authentication protocol; the resulting scheme not only eliminates the usage of the password verification table, but is also a cost effective solution since most internet users already have mobile phones.
Abstract: User authentication is one of the fundamental procedures to ensure secure communications and share system resources over an insecure public network channel. Thus, a simple and efficient authentication mechanism is required for securing the network system in the real environment. In general, the password-based authentication mechanism provides the basic capability to prevent unauthorized access. Especially, the purpose of the one-time password is to make it more difficult to gain unauthorized access to restricted resources. Instead of using the password file as conventional authentication systems do, many researchers have devoted themselves to implementing various one-time password schemes using smart cards, time-synchronized tokens or short message service in order to reduce the risk of tampering and maintenance cost. However, these schemes are impractical because of the far from ubiquitous hardware devices or the infrastructure requirements. To remedy these weaknesses, the attraction of the QR-code technique can be introduced into our one-time password authentication protocol. Unlike previous schemes, the proposed scheme based on QR code not only eliminates the usage of the password verification table, but is also a cost effective solution since most internet users already have mobile phones. For this reason, instead of carrying around a separate hardware token for each security domain, the handiness of the mobile phone makes our approach more practical and convenient.

Proceedings ArticleDOI
22 Mar 2010
TL;DR: This work uses short-term eye gaze direction to construct feature vectors which are modeled using Gaussian mixtures and suggests that there are person-specific features in the eye movements that can be modeled in a task-independent manner.
Abstract: We propose a person authentication system using eye movement signals. In security scenarios, eye-tracking has earlier been used for gaze-based password entry. A few authors have also used physical features of eye movement signals for authentication in a task-dependent scenario with matched training and test samples. We propose and implement a task-independent scenario whereby the training and test samples can be arbitrary. We use short-term eye gaze direction to construct feature vectors which are modeled using Gaussian mixtures. The results suggest that there are person-specific features in the eye movements that can be modeled in a task-independent manner. The range of possible applications extends beyond the security type of authentication to proactive and user-convenience systems.

Patent
28 Jul 2010
TL;DR: In this paper, a Virtual Single Account (VSA) system is proposed that provides a mobile user with automatic authentication and connection to a remote network via local access networks with a single password.
Abstract: A Virtual Single Account (VSA) system and method that provides a mobile user with automatic authentication and connection to a remote network via local access networks with a single password, where the local access networks may be independent of the remote network. A mobile user has a single authentication credential for one VSA that is utilized by a VSA client installed on a mobile computing device. The VSA client provides for automatically authenticating and connecting the user's mobile device to a current local access network, and the target remote network such as the user's office network. All authentication credentials are encrypted using a key generated from the user's VSA password that is generated from the user's single password. The VSA client derives the key from the submitted VSA password and decrypts all authentication credentials that are required in order to connect the mobile device to the current local access network and thereafter to the office network.

01 Jan 2010
TL;DR: In this paper, the authors examined all usage of passwords, and offer some new findings based on quantitative analyses regarding how often people log in, where they log in and how frequently people use foreign computers.
Abstract: While past work has examined password usage on a specific computer, web site, or organization, there is little work examining overall password usage in daily life. Through a diary study, we examine all usage of passwords, and offer some new findings based on quantitative analyses regarding how often people log in, where they log in, and how frequently people use foreign computers. Our analysis also confirms or updates existing statistics about password usage patterns. We also discuss some implications for design as well as security education.

Patent
19 Nov 2010
TL;DR: In this article, a handheld communication or computing device having a touchscreen interface is configured to permit access in response to detection of a pressure-based password by a plurality of force sensors.
Abstract: A handheld communication or computing device having a touchscreen interface is configured to permit access in response to detection of a pressure-based password by a plurality of force sensors, each one of the force sensors corresponding to one of a plurality of sensing regions defined on the surface of the touchscreen interface. Upon detecting a sequence of presses applied to a plurality of the force sensors, the detected sequence is compared to previously stored information to determine if it matches. If there is a match, access to functions and/or data at the device is granted.