User Friendly Passwords Nicole Longworth Michael Shoppell RJ Brown.


User Friendly Passwords

Nicole Longworth

Michael Shoppell

RJ Brown

Overview

• Introduction
  o Current Password Methods
  o Project Proposal

• Research
  o Related Works
  o Possible Solutions

• Demo

• Conclusions

• Questions

Password Generation

• Random
  o create random passwords that are secure and difficult to guess due to a combination of uppercase and lowercase letters, numbers, and punctuation symbols

• User Generated
  o passwords created by the user that are unique and made up of what is easiest for the user to remember

Project Proposal

• Problem

• secure passwords are becoming easier to crack than to remember

• security is compromised by user behavior through multiple instances

  o passwords aren't strong enough
  o storing passwords on computer
  o reusing passwords for multiple accounts

Project Proposal

• investigate two methods to generate passwords
  o using abstract images
  o using simple images

• based on results, methods will show whether images make it easier for users to remember passwords

Purpose

Proposed Solution

• trade the number of possible characters for a higher character count

• logically makes it easier for a human to remember

• combining 4 shorter words to create a 20-character password

Survey

• Test user password generation and recall upon forgetting

• Two Parts
  o Given 4 random words to remember
  o Shown 4 images
  o 2 Concrete
  o 2 Abstract
  o Asked to produce four words per image

• After one month, participants were shown the same images to test memory

Purposes

1. Test randomness of user generation for a given image

2. Test ability of user to recall password when linked with an image

3. Given word bank, efficiency of brute force attack

Total Participants: 20

9 took part in both generation and recall

Duration between surveys: 1 month

Results - Randomly Generated Words

Over a short period of time, recall was successful

Between the two surveys, recall was almost nonexistent

Results - Image Prompted

Picture                     1     2     3     4
Words Generated           115   116   115   114
Unique Words               67    63    68    74
Average Password Length    23    21    22    23
Minimum                    16    11    17    16
Maximum                    41    27    30   311

Results - Recall

Password Strength

• Measured in Entropy
  o lack of predictability

• Randomness stated in Bits

Calculation

(entropy per character) = log2(n)
password entropy = L * (entropy per character)
n = pool size of characters
L = password length

Results - Entropy

Average password length = 22

Entropy of case insensitive alphabet = 4.7 bits

Average password entropy = 103 bits

Time to crack at 1000 Guesses/Sec

Character based = 4.2718 x 10^20 years

Word bank (as generated by participants) = 5.5 hours
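
The calculation behind these figures, as an added Python example that is not part of the original slides. The character-level numbers use the slide's pool of 26 and length 22; the word-level model (4 words chosen from a bank of 68, the mean of the slide's unique-word counts) and the sample answers are assumptions, so the word-bank time it prints is not the slide's 5.5 hours.

```python
import math

GUESS_RATE = 1000                    # guesses/sec, the rate used on the slide
SECONDS_PER_YEAR = 365 * 24 * 3600   # 365-day year reproduces the slide's figure

def entropy_bits(pool_size, length):
    """L * log2(n): valid only if each symbol is drawn uniformly at random."""
    return length * math.log2(pool_size)

def seconds_to_exhaust(pool_size, length, rate=GUESS_RATE):
    """Worst-case time to try all pool_size**length candidates."""
    return pool_size ** length / rate

def word_bank(responses):
    """Unique words across participants' answers (the slide's 'Unique Words')."""
    return {w.lower() for words in responses for w in words}

def strength_report(char_pool, avg_length, bank_size, words_per_password):
    """Compare the character-level estimate with the word-level one."""
    return {
        "char_bits": entropy_bits(char_pool, avg_length),
        "char_years": seconds_to_exhaust(char_pool, avg_length) / SECONDS_PER_YEAR,
        "word_bits": entropy_bits(bank_size, words_per_password),
        "word_hours": seconds_to_exhaust(bank_size, words_per_password) / 3600,
    }

# Constructed sample answers for one image (not survey data).
SAMPLE_RESPONSES = [
    ["Red", "barn", "field", "sky"],
    ["barn", "farm", "red", "cloud"],
    ["sky", "grass", "barn", "fence"],
]

if __name__ == "__main__":
    # Slide figures: 26-letter pool, average length 22. Bank size 68 and
    # 4 words per password are assumptions made for this example.
    for key, value in strength_report(26, 22, 68, 4).items():
        print(f"{key}: {value:.4g}")
    bank = word_bank(SAMPLE_RESPONSES)
    print(len(bank), "unique words ->", len(bank) ** 4, "four-word candidates")
```

The same L * log2(n) formula gives about 103 bits when the symbols are letters and about 24 bits when the symbols are words from a small known bank, which is why the two crack-time estimates on the slide differ so widely.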

Demo

Future Work

Conduct survey on a larger group in a more similar situation

Determine method for randomly assigning unique images securely to users

Conclusions

Image prompted passwords plausible alternative

No user generated passwords were identical

Traditional brute force methods highly inefficient

Images did assist somewhat in recall

Inquiries?