pASSWORD tYPOS and How to Correct Them
R. Chatterjee, A. Athalye, D. Akhawe, A. Juels, T. Ristenpart
"To typo is human, to tolerate divine."

Password-based authentication
The user submits Password459!. The server computes a salted, slow cryptographic hash, H(Password459!) = a5idoiaU7p..., and compares it with the hash stored in the password database at registration.

Any typo is rejected: password459! hashes to H(password459!) ≠ a5idoiaU7p..., so the check fails even though the user knows the password.
Typo-tolerant password checking
Allow the registered password or typos of it: Password459!, pASSWORD459! and password459! all log the user in.
Typo-tolerant password checking is already used in industry, yet we know little about password typos.
There is lots of work on the usability of passwords (Ur et al. 2012; Shay et al. 2012, 2014; Mazurek et al.; Bonneau and Schechter 2014; Keith et al. 2007, 2009; Bard 2007; Jakobsson et al. 2012), but nothing on typo-tolerant password checking.

Three questions
1. How can we build typo-tolerant systems?
2. How much would tolerating typos help users?
3. Does it endanger security?

We measure password typos at Dropbox and show they are a huge problem for both users and service providers. We develop approaches to typo-tolerant checking and show they improve utility with minimal loss of security: have your cake and eat it too.
How to do typo-tolerant password checking
We focus on relaxed checkers: the password hash database is not changed at all. When the user submits password459!, the checker first hashes the submission as usual, then tries each corrector in turn:
  apply the caps-lock corrector: H(PASSWORD459!) ≠ a5idoiaU7p...
  apply the first-letter case flip: H(Password459!) = a5idoiaU7p..., match, log the user in.

Can we find a small but useful set of typo correctors?
MTurk password transcription study: 100,000 passwords typed by 4,300 workers.
[Chart: percentage of all typos fixed by each corrector: caps lock, flip first letter case, last digit]
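The relaxed checker described above, written out as an added example (this is not code from the paper or from Dropbox). It uses PBKDF2 from the standard library as the stand-in for the site's salted slow hash; the record format, corrector names (swc_all, swc_first, rm_last) and the test password are assumptions for the illustration. The point to notice is that correction happens on the submitted string only, so the stored salt+hash record is exactly what an exact checker would store.

```python
import hashlib
import hmac
import os

# PBKDF2 iteration count for this demo. A deployment keeps whatever slow, salted
# hash it already uses (bcrypt, scrypt, Argon2) with its own work factor.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash H(password): the same function used at registration."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(password: str) -> dict:
    """Create the database record. Note: identical to the record an exact checker stores."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def exact_check(record: dict, submitted: str) -> bool:
    """Conventional checker: recompute H(submitted) and compare in constant time."""
    candidate = hash_password(submitted, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


# The top-3 correctors from the MTurk study, as plain string functions
# (names are this example's own, not the paper's identifiers).
def swc_all(w: str) -> str:
    """Caps lock was on: flip the case of every letter."""
    return w.swapcase()


def swc_first(w: str) -> str:
    """Shift held too long or released too early: flip the case of the first character."""
    return w[:1].swapcase() + w[1:]


def rm_last(w: str) -> str:
    """An extra character was typed at the end: drop it."""
    return w[:-1]


CORRECTORS = [swc_all, swc_first, rm_last]


def relaxed_check(record: dict, submitted: str):
    """Relaxed checker: accept the submission or any single correction of it.

    Returns the string that matched the stored hash (the submission itself or
    one corrected form), or None. Nothing beyond the existing salt+hash record
    is consulted, and nothing new is stored.
    """
    if exact_check(record, submitted):
        return submitted
    tried = {submitted}
    for corrector in CORRECTORS:
        candidate = corrector(submitted)
        if candidate in tried:  # e.g. swapcase of an all-digit string is a no-op
            continue
        tried.add(candidate)
        if exact_check(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    rec = register("Password459!")
    for attempt in ["Password459!", "pASSWORD459!", "password459!", "Password459!!", "Password458!"]:
        print(f"{attempt!r:18} exact={exact_check(rec, attempt)!s:5} "
              f"relaxed={relaxed_check(rec, attempt)!r}")
```

Each rejected submission now costs up to four slow-hash evaluations instead of one, so the work factor and rate limits should be budgeted for that. Returning which correction matched (rather than just True) is what lets a service measure typo rates the way the Dropbox instrumentation did; the submitted string itself should never be logged.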
Impact of the top-3 typos in the real world
We instrumented the production login of Dropbox to quantify typos. NOTE: we did not change the authentication policy.
Over a 24-hour period, 3% of all users failed to log in because of one of the top-3 typos.
20% of users who made a typo would have saved at least 1 minute logging into Dropbox if the top-3 typos were corrected.
Typos in passwords add several person-months of login time every day.
Typo tolerance will significantly enhance the usability of passwords. Can it be secure?

Threat 1: server compromise
The password hash database is unchanged: the relaxed checker still stores only H(Password459!) = a5idoiaU7p.... The hashes of corrected forms, H(password459!) and H(PASSWORD459!), are computed on the fly at login and never stored. No change in security in case of server compromise.
Threat 2: remote guessing
A web service should lock the account after q wrong guesses. Previously, q queries gave the attacker q free password guesses. With three correctors, every query gets 3 extra free password checks: submitting password also checks H(PASSWORD) (caps lock), H(Password) (first case flip) and H(passwor) (extra character at the end removed).
So the attacker's success increases by 300%? Only if all the checked passwords are equally probable.

Passwords are not uniformly distributed
BUT humans do not choose random passwords. This is exactly what makes online guessing work in the first place: the attacker knows the distribution and queries the passwords that maximize success probability, and the corrected forms of a popular guess are mostly not popular passwords themselves.
Attack simulation using password leaks
The adversary knows the distribution of passwords and the set of correctors.
Exact checking: query the most probable passwords.
Typo-tolerant checking: query the passwords that maximize success probability (computed with a greedy algorithm).
[Chart: attacker success probability (%) under exact vs. typo-tolerant checking on the phpbb and myspace leaks; values garbled in extraction: 2 94]
Security-sensitive typo correction
Don't check a correction if the resulting password is too popular (the slide's example: Password, password, pASSWOR...).

Free Correction Theorem
For any non-uniform password distribution, set of correctors and adversarial query budget, there exists a typo correction scheme that corrects typos with no degradation in security.

Security of checkers with filtering
Correct a typo only if the total probability of all passwords checked by that query stays below the threshold. The password distribution is estimated from the rockyou leak.
[Table: attacker success probability (%) and change in success for exact checking, typo-tolerant checking, and typo-tolerant checking with filtering, on phpbb and myspace; cell values garbled in extraction: 3 2 75 2 77 / 2 0 02 1 0 79 0 81]
Typo-tolerant checking can enhance user experience for essentially no degradation in security.
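An added simulation (my example, not the paper's code or data) that serves both the attack-simulation slide and the filtering slide: it runs the greedy q-query attacker against exact checking, plain typo-tolerant checking, and a filtered checker, over a constructed toy "leak". Assumptions: the password counts are made up; the attacker's candidate set adds the inverse images of the correctors, trying only a "1" suffix for the remove-last-character corrector; and the filter is a simplified version of the slide's idea, correcting only when the total probability of what the query would check is at most the probability of the q-th most popular password. On real leak data the paper uses an estimated distribution (rockyou), not the leak under attack.

```python
from collections import Counter
from fractions import Fraction

# Constructed toy password distribution, as counts. Numbers are made up for this
# example and stand in for a leak such as phpbb or myspace.
LEAK = Counter({
    "password": 50, "Password": 10, "PASSWORD": 8,
    "123456": 40, "12345": 15,
    "qwerty": 20, "Qwerty": 4,
    "iloveyou": 12, "iloveyou1": 3,
    "letmein": 6, "Letmein": 2,
    "dropbox": 5, "Dropbox": 3,
    "monkey": 7,
})
TOTAL = sum(LEAK.values())

# The three correctors from the slides.
CORRECTORS = [
    lambda w: w.swapcase(),              # caps lock
    lambda w: w[:1].swapcase() + w[1:],  # first-letter case flip
    lambda w: w[:-1],                    # drop an extra trailing character
]


def mass(words):
    """Probability mass (as a count out of TOTAL) of a set of passwords."""
    return sum(LEAK.get(w, 0) for w in words)


def exact_ball(submitted):
    """Exact checker: one query tests exactly one password."""
    return {submitted}


def ball(submitted):
    """Plain typo-tolerant checker: the submission plus every correction of it."""
    return {submitted} | {c(submitted) for c in CORRECTORS}


def filtered_checker(q):
    """Assumed simplification of the security-sensitive checker: correct typos only
    if everything this query would check has total probability no larger than the
    q-th most popular password; otherwise fall back to exact checking."""
    budget = sorted(LEAK.values(), reverse=True)[q - 1]

    def check(submitted):
        b = ball(submitted)
        return b if mass(b) <= budget else exact_ball(submitted)

    return check


def candidate_queries():
    """Strings the attacker might submit: leaked passwords plus strings whose
    corrections land on a leaked password (inverse images). For rm-last only a
    '1' suffix is tried, an assumption that keeps the set small."""
    cands = set(LEAK)
    for w in LEAK:
        cands |= {w.swapcase(), w[:1].swapcase() + w[1:], w + "1"}
    return cands


def greedy_attack(checker, q):
    """Attacker with q online guesses who knows the distribution and the checker.
    Each step picks the query whose checked set adds the most uncovered mass.
    Returns (success probability as an exact Fraction, queries used)."""
    covered, queries = set(), []
    cands = candidate_queries()
    for _ in range(q):
        best = max(cands, key=lambda w: (mass(checker(w) - covered), w))
        queries.append(best)
        covered |= checker(best)
    return Fraction(mass(covered), TOTAL), queries


if __name__ == "__main__":
    q = 3
    for name, chk in [("exact", exact_ball), ("typo-tolerant", ball),
                      ("typo-tolerant + filter", filtered_checker(q))]:
        success, used = greedy_attack(chk, q)
        print(f"{name:24} success={float(success):.3f} queries={used}")
```

With q = 3 the typo-tolerant checker raises the attacker's success from 110/185 to 147/185, a one-third increase rather than the 4x a uniform distribution would give, and the filtered checker brings it back to exactly 110/185: the popular guesses are the ones whose corrections are refused, which is the free-correction argument in miniature.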
pASSWORD tYPOS in one slide
1. Introduce typo-tolerant password checkers: compatible with existing password databases, easy to deploy.
2. Study password typos empirically: 3% of users fail to log in due to the correctable top-3 typos.
3. Analyze the security of typo-tolerant checkers: Free Correction Theorem (in theory); with a heuristic it works in practice too.
rchatterjee / mistypography, rahul@cs.cornell.edu

Speaker notes: Password-based authentication systems. Password459! Salted, slow cryptographic hash. H(Password459!) = "a5idoiaU7p.."? ... The password goes to the server, where the server applies a strong cryptographic hash function to it and checks the output against the previously stored hash value, computed in the same way from the password entered at registration. If the equality check ...

