Usable and Secure Password Management

1. Theory Lunch Usable and Secure Password Management Jeremiah Blocki Spring 2012

2. Password Management Competing Goals:

3. A Challenging Problem • Traditional Security Advice Use numbers and letters Use special symbols Don’t Reuse Passwords Don’t use words/names Not too short Don’t Write it Down Use mix of lower/upper case letters Change your passwords every 90 days

4. Reevaluate Traditional Advice? XKCD Source: http://www.xkcd.com/936/ [Munroe]

5. Experiment #0 • Memorize a random 10 character password • Case Sensitive! L[IbCGa_ND

6. Experiment #1 Chaplin, Newspapers (plural) Cedric, Scanner

7. Experiment #2 Boats, Brie March (“Marching” – “ing”) Swim (not Michael Phelps)

8. Experiment #3

9. Experiment #4

10. Outline • Introduction and Experiments • Memory and Usability • Four Big Factors • Analyzing Security • Our Password Management Scheme

11. Factor 1: Chunking • Memorize: nbccbsabc • Memorize: tkqizrlwp • 3 Chunks vs. 9 Chunks! • Usability Goal: Minimize Number of Chunks in Password Source: The magical number seven, plus or minus two [Miller, 56]

12. Chunking Source: http://www.xkcd.com/936/ [Munroe]

13. Human Memory is Associative ?

14. Factor 2: Cue Strength • Cue: context when a memory is stored • Surrounding Environment • Sounds • Visual Surroundings • Web Site • …. • As time passes we forget some of this context…

15. Mathematical Model (Cues) i {music, desk, password, amazon,…}

16. Mathematical Model (Associative Memory) Add the cue-association pair to memory (M) Find the memory associated with the given cue in M

17. Retrieval from Partial Cue Original Cue Cue Strength Retrieval Cue

18. Retrieval from Partial Cue

19. Retrieval from Partial Cue Probability of Recall Partial Cue Fraction Source: Simple memory: a theory for archicortex [Marr]

20. Factor 3: Interference Cue jblocki, l3tm3in jblocki, unbr3akabl3 jblocki, Tr0ub4dor&3 … jblocki, horsebatterystaplecorrect

21. Interference (Example) Impossible to identify which memory is associated with the cue! If the contexts are only “slightly different” there will still be significant interference!

22. Factor 4: Rehearsal Strengthens Associations Password may be linked to different contexts (cues) Goal: minimize the number of rehearsals necessary to remember passwords

23. Rehearsal • It helps if part of the context is consistent across all rehearsals/retrieval

24. Usability Desiderata • Minimize #chunks per password • Ensure that a large part of the original cue is always available at retrieval time • Minimize Interference • Minimize the required number of rehearsals

25. How Do People Pick Passwords? Source: Science of Password Selection (Hunt, 2011)

26. Password Management Competing Goals:

27. Competing Goals • Usability – “easy” for user to create and remember his passwords • Security – “hard” for adversary to learn passwords. • After many guesses • Even after seeing other passwords

28. Outline • Introduction and Experiments • Memory and Usability • Analyzing Security • Our Password Management Scheme

29. Security (what could go wrong?) Three Types of Attacks Danger

30. Online Attack 1234 Limit Guesses: Three Strike Policy

31. Offline Dictionary Attack “UnBr3akabl3” “UnBr3akabl3” MD5(“UnBr3akabl3”) + “UnBr3akabl3” Source: CERT Incident Note IN-98.03: Password Cracking Activity

32. Malicious Sites/Phishing pwd pwd PayPaul.com + Source: CERT Incident Note IN-98.03: Password Cracking Activity

33. Measuring Security • Past Measurements and Their Weaknesses • Password Strength Meters • Entropy • Min Entropy • Our Definition of Security

34. Password Strength Meters mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm Impossible to know what background knowledge the adversary will have! Our Approach: Measure the security of the password generator instead Source: https://www.microsoft.com/security/pc-security/password-checker.aspx

35. Password Generator (G)

36. Entropy Average # Bits to encode password x Intuition: 30 bits of entropy => Average # Guesses ~ 230 # Bits to encode password x Source: The mathematical theory of communication (Shannon, 1959)

37. Entropy • Example:

38. Entropy (Weaknesses) Both password generators have same entropy! One guess breaks scheme one half of the time!

39. Entropy (Weaknesses) mmmm mmmm mmmm G1 has high entropy, but is insecure!

40. Entropy (Weaknesses) • High Entropy Does Not Guarantee Safety!

41. Min-Entropy # Bits to encode most likely password x # Bits to encode password x

42. Min Entropy (Strengths) “horsebatterystaplecorrect” MD5(pwd) +

43. Min Entropy (Strengths) • High Minimum Entropy

44. Min-Entropy (Weaknesses) Hmin(G1) = 2n = Hmin(G2) Min-Entropy ignores correlations between passwords

45. Min-Entropy (Weaknesses) x x PayPaul.com x

46. Our Security Approach • Dangerous World Assumption • Not enough to defend against existing adversaries • Adversary can adapt after learning the user’s new password management strategy • Provide guarantees even when things go wrong • Offline attacks should fail with high probability • Limit damage of a successful phishing attack

47. The Adversary’s Game • Adversary can compromise at most k sites (phishing). • Adversary can execute offline attacks against at most t additional sites • Resource Constraints => at most M guesses • Adversary wins if he can compromise any new sites. pwd MD5(pwd)

48. (k,t,M,)-Security We say that a password management scheme is (k,t,M,)-Secure if for any adversary Adv t = # M = # Guesses k = # Offline Attacks Phishing Attacks

49. Example: (1,1,M,)-Security t=1 PayPaul.com + M guesses k=1

50. Outline • Introduction and Experiments • Memory and Usability • Analyzing Security • Our Password Management Scheme