Showing papers on "Password published in 2017"

Zipf’s Law in Passwords

Abstract: Despite three decades of intensive research efforts, it remains an open question as to what is the underlying distribution of user-generated passwords. In this paper, we make a substantial step forward toward understanding this foundational question. By introducing a number of computational statistical techniques and based on 14 large-scale data sets, which consist of 113.3 million real-world passwords, we, for the first time, propose two Zipf-like models (i.e., PDF-Zipf and CDF-Zipf) to characterize the distribution of passwords. More specifically, our PDF-Zipf model can well fit the popular passwords and obtain a coefficient of determination larger than 0.97; our CDF-Zipf model can well fit the entire password data set, with the maximum cumulative distribution function (CDF) deviation between the empirical distribution and the fitted theoretical model being 0.49%~4.59% (on an average 1.85%). With the concrete knowledge of password distributions, we suggest a new metric for measuring the strength of password data sets. Extensive experimental results show the effectiveness and general applicability of the proposed Zipf-like models and security metric.

Lightweight Three-Factor Authentication and Key Agreement Protocol for Internet-Integrated Wireless Sensor Networks

Abstract: Wireless sensor networks (WSNs) will be integrated into the future Internet as one of the components of the Internet of Things, and will become globally addressable by any entity connected to the Internet. Despite the great potential of this integration, it also brings new threats, such as the exposure of sensor nodes to attacks originating from the Internet. In this context, lightweight authentication and key agreement protocols must be in place to enable end-to-end secure communication. Recently, Amin et al. proposed a three-factor mutual authentication protocol for WSNs. However, we identified several flaws in their protocol. We found that their protocol suffers from smart card loss attack where the user identity and password can be guessed using offline brute force techniques. Moreover, the protocol suffers from known session-specific temporary information attack, which leads to the disclosure of session keys in other sessions. Furthermore, the protocol is vulnerable to tracking attack and fails to fulfill user untraceability. To address these deficiencies, we present a lightweight and secure user authentication protocol based on the Rabin cryptosystem, which has the characteristic of computational asymmetry. We conduct a formal verification of our proposed protocol using ProVerif in order to demonstrate that our scheme fulfills the required security properties. We also present a comprehensive heuristic security analysis to show that our protocol is secure against all the possible attacks and provides the desired security features. The results we obtained show that our new protocol is a secure and lightweight solution for authentication and key agreement for Internet-integrated WSNs.

Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks

Abstract: Human-chosen text passwords, today's dominant form of authentication, are vulnerable to guessing attacks. Unfortunately, existing approaches for evaluating password strength by modeling adversarial password guessing are either inaccurate or orders of magnitude too large and too slow for real-time, client-side password checking. We propose using artificial neural networks to model text passwords' resistance to guessing attacks and explore how different architectures and training methods impact neural networks' guessing effectiveness. We show that neural networks can often guess passwords more effectively than state-of-the-art approaches, such as probabilistic context-free grammars and Markov models. We also show that our neural networks can be highly compressed-to as little as hundreds of kilobytes-without substantially worsening guessing effectiveness. Building on these results, we implement in JavaScript the first principled client-side model of password guessing, which analyzes a password's resistance to a guessing attack of arbitrary duration with sub-second latency. Together, our contributions enable more accurate and practical password checking than was previously possible.

Hearing Your Voice is Not Enough: An Articulatory Gesture Based Liveness Detection for Voice Authentication

Abstract: Voice biometrics is drawing increasing attention as it is a promising alternative to legacy passwords for mobile authentication. Recently, a growing body of work shows that voice biometrics is vulnerable to spoofing through replay attacks, where an adversary tries to spoof voice authentication systems by using a pre-recorded voice sample collected from a genuine user. In this work, we propose VoiceGesture, a liveness detection system for replay attack detection on smartphones. It detects a live user by leveraging both the unique articulatory gesture of the user when speaking a passphrase and the mobile audio hardware advances. Specifically, our system re-uses the smartphone as a Doppler radar, which transmits a high frequency acoustic sound from the built-in speaker and listens to the reflections at the microphone when a user speaks a passphrase. The signal reflections due to user's articulatory gesture result in Doppler shifts, which are then analyzed for live user detection. VoiceGesture is practical as it requires neither cumbersome operations nor additional hardware but a speaker and a microphone that are commonly available on smartphones. Our experimental evaluation with 21 participants and different types of phones shows that it achieves over 99% detection accuracy at around 1% Equal Error Rate (EER). Results also show that it is robust to different phone placements and is able to work with different sampling frequencies.

Secure and efficient user authentication scheme for multi-gateway wireless sensor networks

Abstract: By utilizing Internet of Things (IoT), the collected information from the sensor nodes in wireless sensor networks (WSNs) could be provided to the users who are permitted to get access of sensor nodes. As the information from the sensors are transmitted via public network and sensor nodes have limited battery, shift the focus on security and efficiency in WSNs. User authentication is the security task for limiting the access. It is achieved by equipping authorized users with passwords, tokens or biometrics. However, password and token are easy being stolen and forgotten; even biometrics inherit some limitation. More suitable approach is to combine both password and biometric authenticator to harvest benefits in security. This paper proposes a novel authentication and key agreement scheme for WSNs using biohashing. Biohashing facilitates elimination of false accept rates without increasing occurrence of false rejection rate. Additionally, biohashing has highly clear separation of imposter populations and genuine, and zero equal error rate level. The proposed scheme also supports dynamic node addition and user friendly password change mechanism. Using the BAN-logic, we prove that the proposed scheme provides mutual authentication. In addition, we simulate proposed scheme for the security against man-in-the middle attack and replay attack using the AVISPA tool, and the simulation results show that our scheme is safe. Through the informal security analysis, we show that the proposed scheme is secure against the known attacks for authentication protocols.

Anonymous and Lightweight Authentication for Secure Vehicular Networks

Abstract: Authentication is an important issue in vehicular ad hoc network. However, existing studies have not addressed some issues like efficiency and anonymity. In this paper, we propose an anonymous and lightweight authentication based on smart card (ASC) protocol to address this issue. To accomplish this goal, ASC employs low-cost cryptographic operations to authenticate the legitimacy of users (vehicles) and validation of data messages. Compared to existing methods, our protocol can reduce more than 50% of the cost in terms of communication and computational cost. A login identity, which is changed dynamically, is proposed to prevent an attacker from linking a target vehicle with the specific identity. Thus, our protocol can be anonymous. In addition, ASC provides a method for password change, which does not rely on the trusted authority. Thus, it can resist offline password guessing attack. Finally, a formal security model is designed to prove that our protocol is secure under the assumption of the computational Diffie–Hellman problem. The simulations further illustrate that the proposed ASC has superior performance in terms of communication/computational cost, packet loss ratio, latency, etc.

Design and Evaluation of a Data-Driven Password Meter

Abstract: Despite their ubiquity, many password meters provide inaccurate strength estimates. Furthermore, they do not explain to users what is wrong with their password or how to improve it. We describe the development and evaluation of a data-driven password meter that provides accurate strength measurement and actionable, detailed feedback to users. This meter combines neural networks and numerous carefully combined heuristics to score passwords and generate data-driven text feedback about the user's password. We describe the meter's iterative development and final design. We detail the security and usability impact of the meter's design dimensions, examined through a 4,509-participant online study. Under the more common password-composition policy we tested, we found that the data-driven meter with detailed feedback led users to create more secure, and no less memorable, passwords than a meter with only a bar as a strength indicator.

Secure Three-Factor User Authentication Scheme for Renewable-Energy-Based Smart Grid Environment

Abstract: Smart grid (SG) technology has recently received significant attention due to its usage in maintaining demand response management in power transmission systems. In SG, charging of electric vehicles becomes one of the emerging applications. However, authentication between a vehicle user and a smart meter is required so that both of them can securely communicate for managing demand response during peak hours. To address the above mentioned issues, in this paper, we propose a new efficient three-factor user authentication scheme for a renewable energy-based smart grid environment (TUAS-RESG), which uses the lightweight cryptographic computations such as one-way hash functions, bitwise XOR operations, and elliptic curve cryptography. The detailed security analysis shows the robustness of TUAS-RESG against various well-known attacks. Moreover, TUAS-RESG provides superior security with additional features, such as dynamic smart meter addition, flexibility for password and biometric update, user and smart meter anonymity, and untraceability as compared to other related existing schemes. The practical demonstration of TUAS-RESG is also proved using the widely accepted NS2 simulation.

Let's Go in for a Closer Look: Observing Passwords in Their Natural Habitat

Abstract: Text passwords---a frequent vector for account compromise, yet still ubiquitous---have been studied for decades by researchers attempting to determine how to coerce users to create passwords that are hard for attackers to guess but still easy for users to type and memorize. Most studies examine one password or a small number of passwords per user, and studies often rely on passwords created solely for the purpose of the study or on passwords protecting low-value accounts. These limitations severely constrain our understanding of password security in practice, including the extent and nature of password reuse, password behaviors specific to categories of accounts (e.g., financial websites), and the effect of password managers and other privacy tools. In this paper we report on an in situ study of 154 participants over an average of 147 days each. Participants' computers were instrumented---with careful attention to privacy---to record detailed information about password characteristics and usage, as well as man other computing behaviors such as use of security and privacy web browser extensions. This data allows a more accurate analysis of password characteristics and behaviors across the full range of participants' web-based accounts. Examples of our findings are that the use of symbols and digits in passwords predicts increased likelihood of reuse, while increased password strength predicts decreased likelihood of reuse; that password reuse is more prevalent than previously believed, especially when partial reuse is taken into account; and that password managers may have no impact on password reuse or strength. We also observe that users can be grouped into a handful of behavioral clusters, representative of various password management strategies. Our findings suggest that once a user needs to manage a larger number of passwords, they cope by partially and exactly reusing passwords across most of their accounts.

Provably Secure Dynamic ID-Based Anonymous Two-Factor Authenticated Key Exchange Protocol With Extended Security Model

Abstract: Authenticated key exchange (AKE) protocol allows a user and a server to authenticate each other and generate a session key for the subsequent communications. With the rapid development of low-power and highly-efficient networks, such as pervasive and mobile computing network in recent years, many efficient AKE protocols have been proposed to achieve user privacy and authentication in the communications. Besides secure session key establishment, those AKE protocols offer some other useful functionalities, such as two-factor user authentication and mutual authentication. However, most of them have one or more weaknesses, such as vulnerability against lost-smart-card attack, offline dictionary attack, de-synchronization attack, or the lack of forward secrecy, and user anonymity or untraceability. Furthermore, an AKE scheme under the public key infrastructure may not be suitable for light-weight computational devices, and the security model of AKE does not capture user anonymity and resist lost-smart-card attack. In this paper, we propose a novel dynamic ID-based anonymous two-factor AKE protocol, which addresses all the above issues. Our protocol also supports smart card revocation and password update without centralized storage. Further, we extend the security model of AKE to support user anonymity and resist lost-smart-card attack, and the proposed scheme is provably secure in extended security model. The low-computational and bandwidth cost indicates that our protocol can be deployed for pervasive computing applications and mobile communications in practice.

Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication

Abstract: PINs and patterns remain among the most widely used knowledge-based authentication schemes. As thermal cameras become ubiquitous and affordable, we foresee a new form of threat to user privacy on mobile devices. Thermal cameras allow performing thermal attacks, where heat traces, resulting from authentication, can be used to reconstruct passwords. In this work we investigate in details the viability of exploiting thermal imaging to infer PINs and patterns on mobile devices. We present a study (N=18) where we evaluated how properties of PINs and patterns influence their thermal attacks resistance. We found that thermal attacks are indeed viable on mobile devices; overlapping patterns significantly decrease successful thermal attack rate from 100% to 16.67%, while PINs remain vulnerable (>72% success rate) even with duplicate digits. We conclude by recommendations for users and designers of authentication schemes on how to resist thermal attacks.

Authentication of Smartphone Users Based on Activity Recognition and Mobile Sensing.

Abstract: Smartphones are context-aware devices that provide a compelling platform for ubiquitous computing and assist users in accomplishing many of their routine tasks anytime and anywhere, such as sending and receiving emails. The nature of tasks conducted with these devices has evolved with the exponential increase in the sensing and computing capabilities of a smartphone. Due to the ease of use and convenience, many users tend to store their private data, such as personal identifiers and bank account details, on their smartphone. However, this sensitive data can be vulnerable if the device gets stolen or lost. A traditional approach for protecting this type of data on mobile devices is to authenticate users with mechanisms such as PINs, passwords, and fingerprint recognition. However, these techniques are vulnerable to user compliance and a plethora of attacks, such as smudge attacks. The work in this paper addresses these challenges by proposing a novel authentication framework, which is based on recognizing the behavioral traits of smartphone users using the embedded sensors of smartphone, such as Accelerometer, Gyroscope and Magnetometer. The proposed framework also provides a platform for carrying out multi-class smart user authentication, which provides different levels of access to a wide range of smartphone users. This work has been validated with a series of experiments, which demonstrate the effectiveness of the proposed framework.

Proximity based IoT device authentication

Abstract: Internet of Things (IoT) devices are largely embedded devices which lack a sophisticated user interface, e.g., touch screen, keyboard, etc. As a consequence, traditional Pre-Shared Key (PSK) based authentication for mobile devices becomes difficult to apply. For example, according to our study on home automation devices which leverage smartphone for PSK input, the current process does not protect against active impersonating attack and also leaks the Wi-Fi password to eavesdroppers, i.e., currently these IoT devices can be exploited to enter into critical infrastructures, e.g., home networks. Motivated by this real-world security vulnerability, in this paper we propose a novel proximity-based mechanism for IoT device authentication, called Move2Auth, for the purpose of enhancing IoT device security. In Move2Auth, we require user to hold smartphone and perform one of two hand-gestures (moving towards and away, and rotating) in front of IoT device. By combining (1) large RSS-variation and (2) matching between RSS-trace and smartphone sensor-trace, Move2Auth can reliably detect proximity and authenticate IoT device accordingly. Based on our implementation on Samsung Galaxy smartphone and commodity Wi-Fi adapter, we prove Move2Auth can protect against powerful active attack, i.e., the false-positive rate is consistently lower than 0.5%.

An Efficient User Authentication and User Anonymity Scheme with Provably Security for IoT-Based Medical Care System.

Abstract: In recent years, with the increase in degenerative diseases and the aging population in advanced countries, demands for medical care of older or solitary people have increased continually in hospitals and healthcare institutions. Applying wireless sensor networks for the IoT-based telemedicine system enables doctors, caregivers or families to monitor patients’ physiological conditions at anytime and anyplace according to the acquired information. However, transmitting physiological data through the Internet concerns the personal privacy of patients. Therefore, before users can access medical care services in IoT-based medical care system, they must be authenticated. Typically, user authentication and data encryption are most critical for securing network communications over a public channel between two or more participants. In 2016, Liu and Chung proposed a bilinear pairing-based password authentication scheme for wireless healthcare sensor networks. They claimed their authentication scheme cannot only secure sensor data transmission, but also resist various well-known security attacks. In this paper, we demonstrate that Liu–Chung’s scheme has some security weaknesses, and we further present an improved secure authentication and data encryption scheme for the IoT-based medical care system, which can provide user anonymity and prevent the security threats of replay and password/sensed data disclosure attacks. Moreover, we modify the authentication process to reduce redundancy in protocol design, and the proposed scheme is more efficient in performance compared with previous related schemes. Finally, the proposed scheme is provably secure in the random oracle model under ECDHP.

Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study

Abstract: Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems.

VibWrite: Towards Finger-input Authentication on Ubiquitous Surfaces via Physical Vibration

Abstract: The goal of this work is to enable user authentication via finger inputs on ubiquitous surfaces leveraging low-cost physical vibration. We propose VibWrite that extends finger-input authentication beyond touch screens to any solid surface for smart access systems (e.g., access to apartments, vehicles or smart appliances). It integrates passcode, behavioral and physiological characteristics, and surface dependency together to provide a low-cost, tangible and enhanced security solution. VibWrite builds upon a touch sensing technique with vibration signals that can operate on surfaces constructed from a broad range of materials. It is significantly different from traditional password-based approaches, which only authenticate the password itself rather than the legitimate user, and the behavioral biometrics-based solutions, which usually involve specific or expensive hardware (e.g., touch screen or fingerprint reader), incurring privacy concerns and suffering from smudge attacks. VibWrite is based on new algorithms to discriminate fine-grained finger inputs and supports three independent passcode secrets including PIN number, lock pattern, and simple gestures by extracting unique features in the frequency domain to capture both behavioral and physiological characteristics such as contacting area, touching force, and etc. VibWrite is implemented using a single pair of low-cost vibration motor and receiver that can be easily attached to any surface (e.g., a door panel, a desk or an appliance). Our extensive experiments demonstrate that VibWrite can authenticate users with high accuracy (e.g., over 95% within two trials), low false positive rate (e.g., less 3%) and is robust to various types of attacks.

Secure multi-factor remote user authentication scheme for Internet of Things environments

Abstract: Summary Because of the exponential growth of Internet of Things (IoT), several services are being developed. These services can be accessed through smart gadgets by the user at any place, every time and anywhere. This makes security and privacy central to IoT environments. In this paper, we propose a lightweight, robust, and multi-factor remote user authentication and key agreement scheme for IoT environments. Using this protocol, any authorized user can access and gather real-time sensor data from the IoT nodes. Before gaining access to any IoT node, the user must first get authenticated by the gateway node as well as the IoT node. The proposed protocol is based on XOR and hash operations, and includes: (i) a 3-factor authentication (ie, password, biometrics, and smart device); (ii) mutual authentication; (iii) shared session key; and (iv) key freshness. It satisfies desirable security attributes and maintains acceptable efficiency in terms of the computational overheads for resource constrained IoT environment. Further, the informal and formal security analysis using AVISPA proves security strength of the protocol and its robustness against all possible security threats. Simulation results also prove that the scheme is secure against attacks.

Phishing-Alarm: Robust and Efficient Phishing Detection via Page Component Similarity

Abstract: Social networks have become one of the most popular platforms for users to interact with each other. Given the huge amount of sensitive data available in social network platforms, user privacy protection on social networks has become one of the most urgent research issues. As a traditional information stealing technique, phishing attacks still work in their way to cause a lot of privacy violation incidents. In a Web-based phishing attack, an attacker sets up scam Web pages (pretending to be an important Website such as a social network portal) to lure users to input their private information, such as passwords, social security numbers, credit card numbers, and so on. In fact, the appearance of Web pages is among the most important factors in deceiving users, and thus, the similarity among Web pages is a critical metric for detecting phishing Websites. In this paper, we present a new solution, called Phishing-Alarm, to detect phishing attacks using features that are hard to evade by attackers. In particular, we present an algorithm to quantify the suspiciousness ratings of Web pages based on the similarity of visual appearance between the Web pages. Since cascading style sheet (CSS) is the technique to specify page layout across browser implementations, our approach uses CSS as the basis to accurately quantify the visual similarity of each page element. As page elements do not have the same influence to pages, we base our rating method on weighted page-component similarity. We prototyped our approach in the Google Chrome browser. Our large-scale evaluation using real-world websites shows the effectiveness of our approach. The proof of concept implementation verifies the correctness and accuracy of our approach with a relatively low performance overhead.

PKCS #5: Password-Based Cryptography Specification Version 2.1

Abstract: This document provides recommendations for the implementation of password-based cryptography, covering key derivation functions, encryption schemes, message authentication schemes, and ASN.1 syntax identifying the techniques. This document represents a republication of PKCS #5 v2.1 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF. This document also obsoletes RFC 2898.

GazeTouchPIN: protecting sensitive data on mobile devices using secure multimodal authentication

Abstract: Although mobile devices provide access to a plethora of sensitive data, most users still only protect them with PINs or patterns, which are vulnerable to side-channel attacks (e.g., shoulder surfing). How-ever, prior research has shown that privacy-aware users are willing to take further steps to protect their private data. We propose GazeTouchPIN, a novel secure authentication scheme for mobile devices that combines gaze and touch input. Our multimodal approach complicates shoulder-surfing attacks by requiring attackers to ob-serve the screen as well as the user’s eyes to and the password. We evaluate the security and usability of GazeTouchPIN in two user studies (N=30). We found that while GazeTouchPIN requires longer entry times, privacy aware users would use it on-demand when feeling observed or when accessing sensitive data. The results show that successful shoulder surfing attack rate drops from 68% to 10.4%when using GazeTouchPIN.

Why Do Developers Get Password Storage Wrong?: A Qualitative Usability Study

Abstract: Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems.

User Authentication via PRNU-Based Physical Unclonable Functions

Abstract: Multifactor user authentication systems enhance security by augmenting passwords with the verification of additional pieces of information such as the possession of a particular device. This paper presents an innovative user authentication scheme that verifies the possession of one’s smartphone by uniquely identifying its camera. High-frequency components of the photo-response nonuniformity of the optical sensor are extracted from raw images and used as a weak physical unclonable function. A novel scheme for efficient transmission and server-side verification is also designed based on adaptive random projections and on an innovative fuzzy extractor using polar codes. The security of the system is thoroughly analyzed under different attack scenarios both theoretically and experimentally.