Strengthening Password-based Authentication
Scott Ruoti, Jeff Andersen, Kent Seamons (Brigham Young University)
Problems with Passwords

POOR SECURITY AT THE SERVER
• Servers have access to password plaintext
• Users trust that servers salt+hash before storage
• Many servers are vulnerable to password theft

VULNERABILITY TO PHISHING
• Web pages have access to password plaintext
• Phishers impersonate the legitimate site
• Credentials are immediately vulnerable

Password re-use compounds both problems
What can be done?

STRONG PASSWORD PROTOCOLS
SAFE PASSWORD ENTRY

[Diagram: Client Password Field -> HTML+JS -> HTTPS -> Remote Server, drawn twice; the second copy is annotated with a Password "Handshake" between client and server]

Strong Password Protocols
• Password "Handshake" between the client password field and the remote server
Safe Password Entry
• Spoof-resilient password-entry interfaces
• Interfaces that indicate they are privileged
  • Position on screen
  • OS features
• SiteKey

Dynamic Security Skins, Dhamija [2005]
• Over 500 citations
• Strong password protocol
• SiteKey
• Visual hashes provide site authentication

Our Ideas
• Safe Password Entry
  • Browser chrome
  • Operating system prompt
• Site Authentication
  • Browser detects handshake failure
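The password "handshake" above is the kind of verifier-based exchange that Dynamic Security Skins builds on (SRP). The following is an added illustration, not code from the slides or from the authors: an SRP-6a-style exchange in which the server stores only a salt and a verifier, the plaintext never leaves the client, and a site that does not hold the real verifier cannot produce the server-side proof, which is exactly the "handshake failure" a browser could detect. The group parameters N and G are toy values chosen so the demo runs instantly and are not secure.

```python
import hashlib
import secrets

# Toy group parameters (assumption: demo-only; a real deployment uses a large
# safe-prime group such as those in RFC 5054). The arithmetic is the same.
N = 2**127 - 1
G = 3

def H(*parts):
    """Hash ints/bytes into an int; SHA-256 stands in for the protocol hash."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big"))
    return int.from_bytes(h.digest(), "big")

K = H(N, G)  # SRP multiplier k

def private_key(username, password, salt):
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def enroll(username, password):
    """Server keeps only salt and verifier v = g^x; the plaintext stays at the client."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": pow(G, private_key(username, password, salt), N)}

def handshake(username, password, record):
    """One exchange. Returns (server accepts client, client accepts server).
    `record` is whatever the responding site holds: the real enrollment record,
    or a forged one for a phishing site that never saw the real verifier."""
    a = secrets.randbelow(N - 2) + 1                      # client ephemeral
    A = pow(G, a, N)                                      # client -> server: A
    if A % N == 0:                                        # server rejects A == 0
        return False, False
    b = secrets.randbelow(N - 2) + 1                      # server ephemeral
    B = (K * record["verifier"] + pow(G, b, N)) % N       # server -> client: salt, B
    if B == 0:                                            # client rejects B == 0
        return False, False
    u = H(A, B)
    x = private_key(username, password, record["salt"])   # computed on the client only
    s_client = pow((B - K * pow(G, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(record["verifier"], u, N) % N, b, N)  # verifier only
    m1 = H(A, B, s_client)                                # client proof of the password
    server_ok = m1 == H(A, B, s_server)
    if not server_ok:
        return False, False                               # no server proof on failure
    m2 = H(A, m1, s_server)                               # server proof of the verifier
    client_ok = m2 == H(A, m1, s_client)                  # mismatch == handshake failure
    return server_ok, client_ok
```

A wrong password fails on the server side; a site holding a forged verifier fails on the client side, which is the signal the browser would surface.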
Next Steps
1. Build our systems
2. Test them: no good methodologies exist, so design a user study
Improving User Studies

PRESENT METHODOLOGY
• Too short
• Occurs in a lab
• Participants are primed
• Lab-assigned credentials

PROPOSED METHODOLOGY
• Long-term
• "Take-home"
• Deception
• Personal credentials
Preliminary Study Design
• Assign each user to one safe password entry tool
• Cover story: playtesting a new game suite
  • Access via BYU Single Sign-On
• Daily testing over a 10-day period
  • Game links delivered over email
• On day 7, users are phished for their SSO password

Work Needed
• Introduce safe password entry without priming for security
• Ensure the study is safe for participants
Points of Discussion
• Where should safe password entry be implemented?
  • Browser window, browser chrome, or operating system
• How can safe password entry effectiveness be accurately evaluated?
  • Ensuring both deception and safety for users