Password Reminder Systems Group 8 Dave Rubens Jermaine McDonald Jon Axisa Ryan Persaud.
Password Reminder Systems
Group 8
Dave Rubens
Jermaine McDonald
Jon Axisa
Ryan Persaud
The Cast
Ronald
Well-endowed (with money) good guy
Uses online banking
Jeremy
Less than well-endowed (ethically) bad guy
Works in Ronald’s office
Introduction
Password protected services:
Finances
Retail
Personal communications (email, chat)
Entertainment
Existing Work
Little research on password reminder schemes
Vulnerabilities arise from:
Information requested (who knows it)
Method of delivery
Things to come!
Evaluation of forgotten password schemes
A good forgotten password scheme
An insufficient forgotten password scheme
Challenge: Dave’s Bank Account
The ultimate forgotten password scheme: Information Concealing Universal Protocol
Evaluating Password Schemes
Split sites into categories: financial, consumer retail, personal communication, etc.
Strength of security provided varies by site category
Prominent Security Measures
Server displays or e-mails password if user correctly answers information queries
User chooses new password after correctly answering information queries
User receives password after speaking with a customer service rep and verifying identity
Requested Information
Low security: name, address, email, date of birth
Medium security: mother’s maiden name, recent purchases, SSN
High security: PIN/account number, answer to private question
Password Reminder Example 1
Amazon.com
Must identify easily discovered information
Must identify one of last 5 purchases
Create new password
Only a stalker could know so much about you
Quality scheme
Password Reminder Example 2
AOL Instant Messenger
Requires screen name
Password e-mailed to owner
Is AOL worthy of more security?
Bank Account Locking
Reasons for servers to lock an account:
Successive failed attempts to access the account
Assumes malicious intent (fails safely)
Problems created by account lock:
Unlocking process irritating to users
Malicious harassment by 3rd party
User must open new bank account
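As an added illustration (not part of the deck) of the locking behaviour and the harassment problem listed above: a small Python lockout counter with an injectable clock, so the demo can show the account refusing the correct password while locked and accepting it again once the lock expires. The three-failure limit, the fifteen-minute lock duration and the user names are assumptions.

```python
import hmac
import time
from collections import defaultdict
from typing import Callable

MAX_FAILURES = 3        # assumption: lock after three successive failures
LOCK_SECONDS = 15 * 60  # assumption: the lock lasts fifteen minutes


class AccountLocker:
    """Counts successive failed logins per username and locks the account when the
    limit is reached; a locked account refuses even the correct password."""

    def __init__(self, credentials: dict, now: Callable[[], float] = time.time) -> None:
        self.credentials = dict(credentials)   # constructed username -> password map
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.now = now                         # injectable clock so a demo can advance time

    def is_locked(self, username: str) -> bool:
        return self.locked_until.get(username, 0.0) > self.now()

    def login(self, username: str, password: str) -> str:
        if self.is_locked(username):
            return "locked"          # fails safe: no password is checked while locked
        expected = self.credentials.get(username, "")
        if username in self.credentials and hmac.compare_digest(expected, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = self.now() + LOCK_SECONDS
            self.failures[username] = 0
            return "locked"
        return "bad_password"


def demo() -> dict:
    """Three wrong guesses from someone who knows only the username lock the account;
    the owner is then shut out until the lock expires, even with the right password."""
    clock = [1000.0]
    locker = AccountLocker({"ronald": "correct-horse"}, now=lambda: clock[0])
    guesses = [locker.login("ronald", g) for g in ("guess1", "guess2", "guess3")]
    owner_during_lock = locker.login("ronald", "correct-horse")
    clock[0] += LOCK_SECONDS + 1
    owner_after_lock = locker.login("ronald", "correct-horse")
    return {"guesses": guesses, "owner_during_lock": owner_during_lock,
            "owner_after_lock": owner_after_lock}
```

The lock is keyed only on the username, which is exactly why the slide lists third-party harassment as a cost: the fail-safe choice trades availability for the owner against resistance to guessing.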
Challenge: Dave’s Account
Break into Dave’s online account using:
A voided check (supplied by Dave)
Our own Madskillz
The challenge:
Transfer all money to offshore account
Go to Tahiti and drink!
Dave’s Account
What we have:
Name and address
Account and routing number
What we don’t have:
Date of birth
SSN
Mother’s maiden name
End Result
We are sober and penniless.
Got Privacy?
Information Concealing Universal Protocol (ICUP)
E-mail and Security
Make e-mail the strength of the protocol, not the weakness.
Use e-mail to confirm the user’s identity, but avoid e-mailing the password.
Strengths of the Protocol
If a user forgets their password, they have to:
Provide personal information
Receive e-mail (Must know e-mail password)
Reply to e-mail (An imposter cannot just snoop incoming e-mail packets.)
ICUP Protocol
Exchange between user and server:
1. Server requests information to verify identity
2. User provides information
3. User requests new password
4. Server sends key K1 to user through browser
5. Server sends e-mail to address in profile
6. User replies to e-mail
7. Server sends e-mail to user containing key K2
8. User sends username, K1, K2 through browser
9. User submits new password F/T
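The exchange described above, as an added Python simulation that is not part of the deck: an in-memory server, a constructed outbox standing in for the mail system, and both sides' messages for one honest user and one impostor who knows the personal information but cannot reply from the victim's mailbox. The identity query used (date of birth), the ten-minute expiry, the user names and addresses, and the use of PBKDF2 for password storage are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

RESET_TTL_SECONDS = 600  # assumption: a pending reset expires after ten minutes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    email: str
    date_of_birth: str   # the identity query; a "low security" field on the earlier slide
    salt: bytes
    pw_hash: bytes


@dataclass
class PendingReset:
    k1: str                    # handed to the requester through the browser only
    mail_token: str            # sent in the first e-mail; must be quoted in the reply
    k2: Optional[str] = None   # issued only after a valid reply arrives
    created: float = field(default_factory=time.time)


class Server:
    def __init__(self) -> None:
        self.users = {}
        self.pending = {}
        self.outbox = []   # constructed stand-in for the mail system: (to, body) pairs

    def add_user(self, username: str, email: str, dob: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, email, dob, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        u = self.users.get(username)
        return u is not None and hmac.compare_digest(u.pw_hash, hash_password(password, u.salt))

    # Identity query, reset request, K1 through the browser, e-mail to the profile address.
    def request_reset(self, username: str, dob: str) -> Optional[str]:
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u.date_of_birth, dob):
            return None
        p = PendingReset(k1=secrets.token_urlsafe(16), mail_token=secrets.token_urlsafe(16))
        self.pending[username] = p
        self.outbox.append((u.email, f"Reply to this message to continue: {p.mail_token}"))
        return p.k1

    # The reply must come from the profile address and quote the token; only then is K2 mailed.
    def receive_reply(self, from_addr: str, body: str) -> bool:
        for username, p in self.pending.items():
            u = self.users[username]
            if p.k2 is None and from_addr == u.email and p.mail_token in body:
                p.k2 = secrets.token_urlsafe(16)
                self.outbox.append((u.email, f"Your second key: {p.k2}"))
                return True
        return False

    # Username, K1 and K2 through the browser, then the new password.
    def set_new_password(self, username: str, k1: str, k2: str, new_password: str) -> bool:
        p = self.pending.pop(username, None)   # one attempt per request, whatever the outcome
        if p is None or p.k2 is None or time.time() - p.created > RESET_TTL_SECONDS:
            return False
        if not (hmac.compare_digest(p.k1, k1) and hmac.compare_digest(p.k2, k2)):
            return False
        u = self.users[username]
        u.salt = secrets.token_bytes(16)
        u.pw_hash = hash_password(new_password, u.salt)
        return True


def inbox(server: Server, address: str) -> list:
    """Message bodies a given mailbox can read (constructed helper)."""
    return [body for to, body in server.outbox if to == address]


def run_protocol() -> dict:
    """Ronald completes the flow; Jeremy knows Ronald's birthday but not his mailbox password."""
    s = Server()
    s.add_user("ronald", "ronald@example.com", "1970-01-01", "old-pass")
    # Honest run: read own mail, reply from own address, collect K2, finish in the browser.
    k1 = s.request_reset("ronald", "1970-01-01")
    s.receive_reply("ronald@example.com", "Re: " + inbox(s, "ronald@example.com")[-1])
    k2 = inbox(s, "ronald@example.com")[-1].split(": ")[1]
    honest = s.set_new_password("ronald", k1, k2, "new-pass")
    # Impostor: passes the information query and holds K1, but any reply he sends comes from
    # his own address, so the server never issues K2 and the reset cannot complete.
    k1_imp = s.request_reset("ronald", "1970-01-01")
    reply_ok = s.receive_reply("jeremy@example.com", "Re: " + inbox(s, "ronald@example.com")[-1])
    impostor = s.set_new_password("ronald", k1_imp, "", "jeremy-pass")
    return {"honest": honest, "impostor_reply_accepted": reply_ok,
            "impostor": impostor, "new_password_works": s.login("ronald", "new-pass")}
```

K1 never leaves the browser session and K2 is only ever produced in response to a reply, so neither the password nor anything sufficient to set one travels in the outbound mail; that is the "e-mail as the strength, not the weakness" point of the preceding slides. The simulation checks the reply's sender address, which a real deployment cannot trust on its own; it is a stand-in for whatever authenticated-reply mechanism the scheme would use.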
In Conclusion
Your online passwords are not safe – we already know them
Current schemes vary in degree of security, oftentimes conflicting with psychological acceptability
In most cases, your passwords are only as safe as your email