Password Reminder Systems Group 8 Dave Rubens Jermaine McDonald Jon Axisa Ryan Persaud.

Page 1:

Password Reminder Systems

Group 8

Dave Rubens

Jermaine McDonald

Jon Axisa

Ryan Persaud

Page 2:

The Cast

Ronald: well-endowed (with money), good guy, uses online banking

Jeremy: less than well-endowed (ethically), bad guy, works in Ronald’s office

Page 3:

Introduction

Password Protected Services:

Finances

Retail

Personal Communications (email, chat)

Entertainment

Page 4:

Existing Work

Little research on password reminder schemes

Vulnerabilities arise from:

Information requested (who knows it)

Method of delivery

Page 5:

Things to come!

Evaluation of forgotten password schemes

A good forgotten password scheme

An insufficient forgotten password scheme

Challenge: Dave’s Bank Account

The ultimate forgotten password scheme: Information Concealing Universal Protocol

Page 6:

Evaluating Password Schemes

Split sites into categories: Financial, Consumer Retail, Personal Communication, etc.

Strength of security provided varies for each site category

Page 7:

Prominent Security Measures

Server displays or e-mails password if user correctly answers information queries

User chooses new password after correctly answering information queries

User receives password after speaking with a customer service rep and verifying identity

Page 8:

Requested Information

Low Security: name, address, email, date of birth

Medium Security: mother’s maiden name, recent purchases, SSN

High Security: PIN/account number, answer to private question

Page 9:

Password Reminder Example 1

Amazon.com

Must identify easily discovered information

Must identify one of last 5 purchases

Create new password

Only a stalker could know so much about you

Quality scheme

Page 10:

Password Reminder Example 2

AOL Instant Messenger

Requires screen name

Password e-mailed to owner

Is AOL worthy of more security?

Page 11:

Page 12:

Bank Account Locking

Reasons for servers to lock account:

Successive failed attempts to access account

Assumes malicious intent (fails safely)

Problems created by account lock:

Unlocking process irritating to users

Malicious harassment by 3rd party

User must open new bank account
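The locking policy on this slide as a toy model, added here as an example and not code from the presentation. A login service counts successive failures, locks the account once a threshold is reached, and refuses even the correct password while locked (the "fails safely" behaviour). The threshold of three, the in-memory user table, the hashing parameters and the `harassment_scenario` function are constructed assumptions; the scenario shows the third-party problem the slide lists, namely that knowing only the username is enough to lock the real owner out until the unlock process has been completed.

```python
"""Account-locking policy from the "Bank Account Locking" slide, as a toy model.

Added example, not code from the presentation. The threshold of three
failed attempts, the in-memory user table and the hashing parameters are
constructed assumptions.
"""
import hashlib
import hmac
import os

LOCK_THRESHOLD = 3  # assumption: the slides do not state a number


class Account:
    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = self.hash_password(password)
        self.failed_attempts = 0
        self.locked = False

    def hash_password(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)


class LoginService:
    def __init__(self):
        self.accounts = {}

    def register(self, username, password):
        self.accounts[username] = Account(username, password)

    def login(self, username, password):
        """Return 'ok', 'bad_password' or 'locked'.

        Unknown usernames get the same answer as a wrong password so the
        login form does not reveal which accounts exist.
        """
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_password"
        if acct.locked:
            # Fails safely: even the correct password is refused while locked.
            return "locked"
        if hmac.compare_digest(acct.pw_hash, acct.hash_password(password)):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCK_THRESHOLD:
            # Successive failures are treated as malicious intent.
            acct.locked = True
        return "bad_password"

    def unlock(self, username):
        """Out-of-band unlock: the step the slide calls irritating to users."""
        acct = self.accounts[username]
        acct.locked = False
        acct.failed_attempts = 0


def harassment_scenario():
    """Third-party harassment: knowing only the username is enough to lock
    the real owner out until the unlock process has been completed."""
    svc = LoginService()
    svc.register("ronald", "correct horse battery staple")
    # Jeremy does not know the password; wrong guesses alone trip the lock.
    guesses = [svc.login("ronald", "guess-%d" % i) for i in range(LOCK_THRESHOLD)]
    owner_while_locked = svc.login("ronald", "correct horse battery staple")
    svc.unlock("ronald")
    owner_after_unlock = svc.login("ronald", "correct horse battery staple")
    return guesses, owner_while_locked, owner_after_unlock
```

The scenario returns `(['bad_password', 'bad_password', 'bad_password'], 'locked', 'ok')`: the owner is refused with the right password until the unlock runs, which is exactly the trade-off between failing safely and the harassment problem the slide points out.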

Page 13:

Challenge: Dave’s Account

Break into Dave’s online account using:

A voided check (supplied by Dave)

Our own madskillz

The challenge:

Transfer all money to offshore account

Go to Tahiti and drink!

Page 14:

Dave’s Account

What we have:

Name and address

Account and routing number

What we don’t have:

Date of birth

SSN

Mother’s maiden name

Page 15:

End Result

We are sober and penniless.

Page 16:

Got Privacy?

Information

Concealing

Universal

Protocol

Page 17:

E-mail and Security

Make e-mail the strength of the protocol, not the weakness.

Use e-mail to confirm the user’s identity, but avoid e-mailing the password.

Page 18:

Strengths of the Protocol

If a user forgets their password, they have to:

Provide personal information

Receive e-mail (Must know e-mail password)

Reply to e-mail (An imposter cannot just snoop incoming e-mail packets.)

Page 19:

ICUP Protocol

User / Server

Server requests information to verify identity

User provides information

User requests new password

Server sends key K1 to user through browser

Server sends e-mail to address in profile

User replies to e-mail

Server sends e-mail to user containing key K2

User sends username, K1, K2 through browser

User submits new password F/T
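A toy run of the exchange on this slide and of the "E-mail and Security" principle two slides earlier (confirm identity through e-mail, never e-mail the password), added here as an example; this is not the group's code. K1 is returned in the browser, K2 is released only after a reply from the address in the profile, and the password is changed only when username, K1 and K2 come back together through the browser. The mail transport (`MailNetwork`), the profile answers, the addresses, and every method name are constructed assumptions. The `run_scenarios` function plays Ronald and Jeremy from the cast slide: Jeremy, who knows the personal information, obtains a K1 but cannot reply from Ronald's mailbox; a sniffer of incoming e-mail obtains K2 but never had K1.

```python
"""Toy run of the ICUP flow from the "E-mail and Security" and "ICUP Protocol"
slides. Added example, not the group's code; the mail transport, profile
answers, addresses and method names are constructed assumptions."""
import hashlib
import hmac
import os
import secrets


class MailNetwork:
    """Constructed stand-in for e-mail delivery. `boxes` are mailboxes an owner
    can read and reply from; `wire` is what a sniffer of incoming mail sees."""
    def __init__(self):
        self.boxes = {}
        self.wire = []

    def send(self, to, body):
        self.wire.append((to, body))
        self.boxes.setdefault(to, []).append(body)


class Server:
    def __init__(self, mail):
        self.mail = mail
        self.profiles = {}  # username -> profile answers, e-mail, password hash
        self.pending = {}   # username -> state of the reset in progress

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, answers, email, password):
        salt = os.urandom(16)
        self.profiles[username] = {"answers": answers, "email": email,
                                   "salt": salt, "pw": self._hash(password, salt)}

    def request_reset(self, username, answers):
        """Slide steps 1-5: verify the personal information, hand K1 back in
        the browser, and e-mail a reply request to the address in the profile."""
        prof = self.profiles.get(username)
        if prof is None or answers != prof["answers"]:
            return None
        k1, reply_token = secrets.token_hex(16), secrets.token_hex(16)
        self.pending[username] = {"k1": k1, "reply_token": reply_token, "k2": None}
        self.mail.send(prof["email"],
                       f"Reset requested for {username}; reply to confirm. token={reply_token}")
        return k1

    def receive_reply(self, from_address, username, reply_token):
        """Slide steps 6-7: only a reply from the profile address carrying the
        right token releases K2, and K2 travels by e-mail, never in the browser."""
        state, prof = self.pending.get(username), self.profiles.get(username)
        if not state or not prof or from_address != prof["email"]:
            return False
        if not hmac.compare_digest(state["reply_token"], reply_token):
            return False
        state["k2"] = secrets.token_hex(16)
        self.mail.send(prof["email"], f"Reset key for {username}: K2={state['k2']}")
        return True

    def finalize(self, username, k1, k2, new_password):
        """Slide steps 8-9: both keys must come back through the browser together."""
        state = self.pending.get(username)
        if not state or state["k2"] is None:
            return False
        if not (hmac.compare_digest(state["k1"], k1) and hmac.compare_digest(state["k2"], k2)):
            return False
        prof = self.profiles[username]
        prof["pw"] = self._hash(new_password, prof["salt"])
        del self.pending[username]  # keys are single use
        return True

    def check_password(self, username, password):
        prof = self.profiles[username]
        return hmac.compare_digest(prof["pw"], self._hash(password, prof["salt"]))


def _field(body, marker):
    """Pull `token=...` or `K2=...` out of a constructed message body."""
    return body.split(marker, 1)[1].split()[0]


def run_scenarios():
    """Ronald resets his password while Jeremy tries with the answers alone
    and a sniffer watches the incoming K2 e-mail. Returns the outcomes."""
    mail = MailNetwork()
    server = Server(mail)
    out = {}
    answers = {"dob": "1970-01-01", "mmn": "Smith"}  # constructed profile answers
    server.register("ronald", answers, "ronald@example.com", "old-password")

    # Jeremy knows the answers, so he is handed a K1; but the confirmation
    # e-mail lands in Ronald's mailbox and Jeremy cannot reply from it.
    k1_jeremy = server.request_reset("ronald", answers)
    out["jeremy_got_k1"] = k1_jeremy is not None
    out["jeremy_reply_accepted"] = server.receive_reply("jeremy@example.com", "ronald", "guess")
    out["jeremy_finalize"] = server.finalize("ronald", k1_jeremy, "guess", "pwned")

    # Ronald starts his own reset (which also discards Jeremy's pending K1).
    k1 = server.request_reset("ronald", answers)  # K1 lives only in Ronald's browser
    token = _field(mail.boxes["ronald@example.com"][-1], "token=")
    out["ronald_reply_accepted"] = server.receive_reply("ronald@example.com", "ronald", token)

    # A sniffer of incoming mail sees K2 but never saw K1.
    k2_sniffed = _field(mail.wire[-1][1], "K2=")
    out["sniffer_finalize"] = server.finalize("ronald", "not-the-k1", k2_sniffed, "pwned")

    k2 = _field(mail.boxes["ronald@example.com"][-1], "K2=")
    out["ronald_finalize"] = server.finalize("ronald", k1, k2, "new-password")
    out["new_password_works"] = server.check_password("ronald", "new-password")
    out["old_password_works"] = server.check_password("ronald", "old-password")
    return out
```

The design point the two slides make is visible in the three outcomes: the personal information alone yields K1 but not K2, e-mail alone yields K2 but not K1, and no message in either channel ever carries the old or the new password.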

Page 20:

In Conclusion

Your online passwords are not safe – we already know them

Current schemes vary in degree of security, oftentimes conflicting with psychological acceptability

In most cases, your passwords are only as safe as your email