Passwords Decay, Words Endure: Towards Secure and Re-usable Multiple Password Mnemonics
Umut Topkara - Purdue University
Apr 25, 2007
Size: 218.6MB
Abstract
Human aspects of information security were identified at the early stages in the history of time-shared computing. The recent surge in attacks that exploit security vulnerabilities involving human factors has also put them under the spotlight of various research fields, including human-computer interaction, information security and cognitive science. The human-centered vulnerabilities involve an interplay of a broad range of actors, from Information Technology specialists (who might misconfigure the security hardware and software or enforce impractical security policies) to end users (who might have a poor understanding of good security practices or not know the possible impact of weak security).
This talk will focus on human aspects of authentication mechanisms. I will present two methods that we have developed to reinforce the security of existing systems by improving their usability.
Previous studies have repeatedly shown that users find it taxing to remember truly random passwords. Many users choose easy-to-guess (and therefore insecure) passwords, since these require the least effort to recall. Experienced users adopt "mnemonic phrases" to generate and easily recall more secure passwords. However, regularity in human languages may render such passwords vulnerable to a brute force attack. In the first part of the talk, I will present a method that we developed to automatically generate mnemonic phrases which can yield secure passwords, in an effort to increase the usability of text password authentication.
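The failure mode mentioned above (a mnemonic-derived password inheriting the regularity of the language it came from) can be seen in a small guessing attack. The following Python sketch is an added illustration and is not code from the talk or the speaker; the phrase list, the mangling rules, the target password "Tebc7w!" and the use of unsalted SHA-256 for the stored hash are all assumptions made here for the example. Rather than enumerating characters, the attacker enumerates phrases, applies the first-letter rule and a few common mangling rules, and compares hashes.

```python
"""Added illustration: guessing a mnemonic-phrase password by guessing the
phrase.  Not the talk's method; the corpus and rules below are constructed."""
import hashlib
import math

# Constructed stand-in for an attacker's phrase list (proverbs, quotations,
# lyrics).  A real list would contain millions of lines.
PHRASE_CORPUS = [
    "the quick brown fox jumps over the lazy dog",
    "to be or not to be that is the question",
    "a stitch in time saves nine",
    "all that glitters is not gold",
    "the early bird catches the worm",
    "every cloud has a silver lining",
    "actions speak louder than words",
    "the pen is mightier than the sword",
    "my very educated mother just served us nine pizzas",
]

# Substitutions people commonly apply when "strengthening" a password.
LEET = {"a": "@", "i": "1", "o": "0", "s": "$", "t": "7"}
SUFFIXES = ("", "1", "!")


def mnemonic_password(phrase):
    """First letter of each word: 'to be or not to be' -> 'tbontb'."""
    return "".join(w[0] for w in phrase.split() if w)


def variants(base):
    """Mangle one base password the way a cracking rule set would:
    first-letter / all-caps casing, leet substitution, trailing suffix.
    Yields each distinct candidate once."""
    seen = set()
    for body in (base, base.capitalize(), base.upper()):
        for form in (body, "".join(LEET.get(c, c) for c in body)):
            for suffix in SUFFIXES:
                cand = form + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def mnemonic_dictionary(corpus):
    """All (candidate, source phrase) pairs in the order a cracker tries them."""
    return [(cand, phrase) for phrase in corpus
            for cand in variants(mnemonic_password(phrase))]


def sha256_hex(password):
    # Unsalted SHA-256 keeps the example self-contained (assumption); a slow,
    # salted hash raises the cost per guess but not the number of guesses.
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hex, corpus):
    """Return (password, source phrase, number of guesses) or None."""
    for guesses, (cand, phrase) in enumerate(mnemonic_dictionary(corpus), start=1):
        if sha256_hex(cand) == target_hex:
            return cand, phrase, guesses
    return None


def naive_bits(password, alphabet_size=70):
    """What a character-counting strength meter would report for the password."""
    return len(password) * math.log2(alphabet_size)


def phrase_bits(corpus):
    """Actual work when the phrase is guessed: log2 of the dictionary size."""
    return math.log2(len(mnemonic_dictionary(corpus)))


if __name__ == "__main__":
    # Constructed victim: 'Tebc7w!' built from "the early bird catches the worm".
    stored = sha256_hex("Tebc7w!")
    print(crack(stored, PHRASE_CORPUS))
    print(f"naive strength {naive_bits('Tebc7w!'):.1f} bits, "
          f"phrase-guessing work {phrase_bits(PHRASE_CORPUS):.1f} bits")
```

The seven-character password scores around 43 bits on a character-counting meter, yet it falls within the 135-entry dictionary, because the attacker's search space is the set of plausible phrases times a handful of rules, not the set of seven-character strings. Generating the mnemonic phrase automatically, as the talk proposes, aims precisely at taking the phrase out of any such list.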
Many computer users need to remember a multiplicity of usernames and passwords for different systems, and users tend to reuse passwords across these systems even though the systems may offer different security guarantees. In such cases, remembering a different mnemonic phrase for each password does not scale and quickly becomes a challenging task. In the second part of the talk, I will present a scheme that helps users remember a multiplicity of truly random passwords. The new scheme is applicable to an existing password authentication system without any modification, as it does not require any form of involvement from the service provider (e.g., bank, brokerage). Nor does it require the user to have any computing device at hand (not even a calculator). The scheme is such that changes to passwords do not necessitate a change in what the user remembers. Hence, passwords can be changed frequently without any additional burden on the user's memory, thereby increasing the system's security.
About the Speaker
Umut Topkara is a PhD candidate at the Computer Science Department of Purdue University. His research interests lie at the confluence of Information Security, Natural Language Processing and Computer-Human Interaction, specifically their intersection in the field of Usable Security. More recently, he has also been involved in Grid Middleware Engineering research. His thesis advisor is Professor Mikhail J. Atallah. He received his B.Sc. and M.Sc. degrees from the Computer Engineering Department of Bilkent University. He started his graduate studies at Purdue University in 2002. More information about Umut's research is available at http://www.cs.purdue.edu/homes/utopkara.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works from, transmit, or in any other way exploit any part of the copyrighted material without permission from CERIAS, Purdue University.