Password Reminder Systems

Group 8

Dave Rubens

Jermaine McDonald

Jon Axisa

Ryan Persaud

The Cast

Ronald Well-endowed (with money) good guy Uses online banking

Jeremy Less than well-endowed (ethically) bad guy Works in Ronald’s office

Introduction

Password Protected Services Finances Retail Personal Communications (email, chat) Entertainment

Existing Work

Little research on password reminder Schemes

Vulnerabilities arise from Information Requested (who knows it) Method of Delivery

Things to come!

Evaluation of forgotten password schemes A good forgotten password scheme An insufficient forgotten password scheme Challenge: Dave’s Bank Account The ultimate forgotten password scheme:

Information Concealing Universal Protocol

Evaluating Password Schemes

Split sites into categories Financial Consumer Retail Personal Communication, etc.

Strength of security provided, varies for each site category

Prominent Security Measures

Server displays or e-mails password if user correctly answers information queries

User chooses new password after correctly answering information queries

User receives password after speaking with a customer service rep and verifying identity

Requested Information

Low Security Name, address, email, date of birth

Medium Security Mother’s maiden name, recent purchases, SSN

High Security PIN/account number, answer to private question

Password Reminder Example 1

Amazon.com Must identify easily discovered information Must identify one of last 5 purchases Create New Password Only a stalker could know so much about you Quality Scheme

Password Reminder Example 2

AOL Instant Messenger Requires Screen Name Password E-mailed to Owner Is AOL worthy of more security?

Bank Account Locking

Reasons for servers to lock account Successive failed attempts to access account Assumes malicious intent (fails safely)

Problems created by account lock Unlocking process irritating to users Malicious harassment by 3rd party User must open new bank account

Challenge: Dave’s Account

Break into Dave’s Online Account using A voided check (supplied by Dave) Our own Madskillz

The Challenge Transfer all money to offshore account Go to Tahiti and drink!

Dave’s Account

What we have Name and Address Account and routing number

What we don’t have Date of birth SSN Mother’s Maiden Name

End Result

We are sober and penniless.

Got Privacy?

Information

Concealing

Universal

Protocol

E-mail and Security

Make e-mail the strength of the protocol, not the weakness.

Use e-mail to confirm the user’s identity, but avoid e-mailing the password.

Strengths of the Protocol

If a user forgets their password, they have to:

Provide personal information

Receive e-mail (Must know e-mail password)

Reply to e-mail (An imposter cannot just snoop incoming e-mail packets.)

ICUP Protocol

User Server

Server requests information to verify identity

User provides information

User requests new password

Server sends key K1 to user

through browser

Server sends email to address

in profile

User replies to email

Server sends email to user containing

key K2

User sends username, K1, K2 through browser

User submits new password F/T

In Conclusion

Your online passwords are not safe – we already know them

Current schemes vary in degree of security, oftentimes conflicting with psychological acceptability

In most cases, your passwords are only as safe as your email