Umut Topkara - Purdue University
"Passwords Decay, Words Endure: Towards Secure and Re-usable Multiple Password Mnemonics"
Apr 25, 2007Download: MP4 Video Size: 218.6MB
Watch on YouTube
AbstractHuman aspects of information security were identified at the early stages in the history of time shared computing. The recent surge in attacks that exploit security vulnerabilities involving human factors have also put them under the spotlight of various research fields including human-computer interaction, information security and cognitive science. The human centered vulnerabilities involve an interplay of a broad range of actors from Information Technology specialists (who might mis-configure the security hardware and software or enforce impractical security policies) to end users (who might have a poor understanding of good security practices or not know the possible impact of weak security).
This talk will focus on human aspects of authentication mechanisms. I will present two methods that we have developed to reinforce the security of existing systems by improving their usability.
Previous studies have repeatedly shown that users find it taxing to remember truly random passwords. Many users choose easy to guess --therefore not secure-- passwords, since they require the least effort to recall. Experienced users adopt "mnemonic phrases" to generate and easily recall more secure passwords. However, regularity in the human languages may render such passwords vulnerable against a brute force attack. In the first part of the talk, I will present a method that we developed to automatically generate mnemonic phrases which can yield secure passwords in an effort to increase the usability of text password authentication.
Many computer users need to remember a multiplicity of usernames and passwords for different systems, and the users tend to reuse passwords across these systems which may have different security guarantees. In such cases remembering a different mnemonic phrase for each password does not scale and quickly becomes a challenging task. In the second part of the talk, I will present a scheme that helps the users remember a multiplicity of truly random passwords. The new scheme is applicable to an existing password authentication system without any modification, as it does not require any form of involvement from the service provider (e.g., bank, brokerage). Nor does it require the user to have any computing device at hand (not even a calculator). The scheme is such that changes to passwords do not necessitate a change in what the user remembers. Hence, passwords can be frequently changed without any additional burden on the memory of the user, thereby increasing the system's security.
About the Speaker
Umut Topkara is a PhD candidate at the Computer Science Department of Purdue University. His research interests lie at the confluence of Information Security, Natural Language Processing and Computer- Human Interaction, specifically their intersection in the field of Usable Security. More recently, he has also been involved in Grid Middle-ware Engineering research. His thesis advisor is Professor Mikhail J. Atallah. He got his B.Sc. and M.Sc. degrees from Computer Engineering Department of Bilkent University. He started his graduate studies at Purdue University in 2002. More information about Umut's research is available at http://www.cs.purdue.edu/homes/utopkara.
Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M. STEW G52 (Suite 050B), West Lafayette Campus. More information...