CAN WE ESCAPE PASSWORDS?

Transcription

1 INFOSECURITY WITH PLYMOUTH UNIVERSITY CAN WE ESCAPE PASSWORDS? Prof. Steven Furnell Centre for Security, Communications & Network Research Plymouth University United Kingdom Introduction Represents an aspect of security that we all tend to encounter Traditional password methods are often regarded as very usable Easy to understand the idea Familiar across different systems But the ease of use is often because users have not been made to use them properly

2 Usability challenges Practically every aspect of good password practice makes them more difficult to use Enforcing selection criteria (length and character composition) Changing them regularly Avoiding password reuse Avoiding a written record The need to use passwords across multiple systems amplifies the challenge Password management tools overcome some of the constraints but complicate the process of retrieving and using the passwords An analysis of website password practices Examination of ten leading websites Selected from within the top 25 entries in the Alexa Global Top 500 websites in September 2011 Captures a number of the leading and most recognised online brands password practices likely to influence the largest proportion of end-users potentially used as a baseline to be followed by other sites

3 Traditional Passwords Enforcement of password restrictions Site (at initial registration / sign-up to website) Restrictions Length Surname User ID Password Dictionary Composition Reuse Meter Amazon 6 û û û û û û û ebay 6 û ü ü û ü ü ~ Facebook 6 ü û ü û û û û Google 8 û ü ü ü û ü ü LinkedIn 6 û û ü û û û û Twitter 6 û û ü ~ û û ü Wikipedia û û ü û û û û û Windows Live 6 ü ü ü û ü û ü WordPress 4 û ü ü û û û ü Yahoo! 6 ü ü ü û û û ü

4 Observations Password length enforcement was variable Most enforced a minimum of 6 characters (WordPress was 4, Google was 8) Some sites enforced a maximum length (16 characters for Windows Live, 20 for ebay, and 32 for Yahoo!) Wikipedia allowed a 1 character password Other viable checks were often excluded Although some sites did inform, they did not enforce Some sites might argue that the checks are commensurate with the data at risk Overlooks the potential for users to use the same password elsewhere Better to help contribute towards raising the general security culture Lots to remember? How many passwords? (Furnell and Bär, 2013) Based on 246 respondents

5 Passwords in practice Statement Agree (n=246) It is at least 8 characters long 82% It has alphabetic and numeric characters 84% It includes other characters (e.g. punctuation symbols) 49% It uses a word you would find in a dictionary 18% It is based on personal information about me 26% I have changed it since I started using it 36% I change it regularly 21% I have shared it with other people 6% I have forgotten it and had to reset/recover it 10% (Furnell and Bär, 2013) Does password advice help? Joint study with psychology researchers at Chemnitz University of Technology Does guiding users in password selection make any difference? Could score out of 5 based upon choosing passwords: at least 8 characters long composed of both alphabetic and numeric characters using other characters (such as punctuation symbols) not based upon a dictionary word not based upon personal information

6 Guidance helps (so websites ought to offer it!) Based on 27 initial participants: average score for unguided users was 1.8 compared to 3.8 for those receiving guidance Guided (n=13) Unguided (n=14) Used at least 8 characters Used alphanumeric characters Used other characters Used nondictionary Avoided personal info 85% 85% 62% 54% 92% 50% 64% 7% 50% 64% Online Banking Identification and authentication demands: A personal banking number Customer surname Selected digits from security number A memorable date

7 Challenging the legitimate user? More time-consuming and require more cognitive effort than passwords: the authentication challenge will not be the same each time (i.e. different digits requested) the user can no longer rely on reflex response of typing a normal PIN/password the digits of the PIN are not requested in sequential order the position of the digits on the graphical keypad varies on each occasion Online Banking HSBC Secure Key introduces a multi-stage process for each login: User needs to enter their Banking ID Then answer a security question defined when they set up the account Then enter a 4-digit PIN code on the Secure Key device Then enter the 6-digit code generated by the device into the web page

8 Acceptable trade-off? Users may not object in a banking context they realise their money is at stake Such approaches would not work for website authentication in general would not scale up well as having a variety of numbers to remember for different accounts would quickly become unmanageable for the user The user s viewpoint?

9 Graphical Authentication Replacing weak password and PINbased authentication A method based upon remembering pictures of objects Implementations in web browser and mobile device platforms Windows 8 Picture Password

10 Android Pattern Lock Clearly suited to touch screen devices Complex patterns hard to remember? More observable than PINs Potential clues from greasy fingers choose patterns that double-back or clean the screen! Biometrics Authentication based upon something the user is Theoretically far more usable nothing for the user to remember nothing to them to lose or leave behind Practical factors (e.g. failure to acquire, false rejection) may limit tolerability

11 Biometric example Android Face Unlock Unlocks the phone in response to seeing the correct face Very quick and easy under the right conditions Not a universal solution reverts to PIN/password entry in low light conditions Questionable security original version could be fooled by static photo of the legitimate user limited Liveness detection (blink checking) introduced in mid-2012, but can still be fooled by edited photo Non-intrusive mobile authentication Signature Recognition Service Utilisation Facial Recognition Voice Verification Keystroke Dynamics

12 Comparison factors Mental effort the extent to which the technique relies upon the user s ability to memorise and recall things, and how precise this must be Convenience e.g. as the speed with which the user is able to login, and the effort/engagement required to do so Applicability e.g. whether the technique will work effectively on desktop, mobile and handheld devices, with differing input mechanisms and screen sizes/resolutions Flexibility e.g. the ease with which the user can change their authentication credentials in the event of compromise SECURITY PODCASTS FREE ON ITUNES U LECTURES, DISCUSSIONS, INTERVIEWS, TUTORIALS, INDUSTRY INSIGHTS...

13 INFOSECURITY WITH PLYMOUTH UNIVERSITY Prof. Steven Centre for Security, Communications & Network Research