2. Last week …
• Access control permits or denies the use of a particular resource by
a particular entity
• Two dimensions: authentication and authorisation
• Authentication
– User to system
– System to user
• Authorisation
– Discretionary access control
– Mandatory access control
– Role-based access control
Computer Security Management
Page 2
4. Password authentication (1)
• Ways of authenticating a person
– Knowledge based: password, PIN, etc.
– Token based: smartcard, etc.
– Biometrics: fingerprints, face recognition, etc.
• Password: two factor authentication:
– Identification
– Verification
5. Password authentication (2)
• Assumption: password exists in two places only:
– System
– User’s memory
• In reality also:
– Under the keyboard
– On a post-it sticking to the monitor
– Shared amongst a group of colleagues/friends
– Etc.
6. Passwords
• Unaided recall
• Passwords should be meaningless
• Recall has to be 100% correct
• No feedback on failure
• Problems:
– Unaided recall harder than cued recall
– Non-meaningful items are hard to recall
– Limited capacity of working memory
– Items stored in memory decay over time
– Similar items compete
– Old passwords cannot be deleted on demand
– Etc.
7. Password attacks
• General criminal economics: attacker will only invest up to 10% of
the achieved profits!
• Password attacks: cheap!
• Types of password attacks:
– Brute-force-attack
– Guessing attacks
– Shoulder surfing attacks
– Spyware
– Packet sniffing
– Social engineering
8. Password policies
• Aim to enforce strong passwords in an organisation
• Define the rules for:
– Password length
– Content
– Frequency of change
– Number of login attempts
– How to recover/reset a password
• Ideally:
– Variable length
– Meaningless
– Do not change passwords more often than necessary
– Limit login attempts
– Credential recovery: see later slide
9. Problems, problems …
• Nowadays, Joe Average has to remember a large number of
passwords/PINs!
• Many of these need to be changed frequently
• Many similar items compete (including old, invalid passwords!)
• Infrequently used passwords are easily forgotten
• Recently changed passwords are forgotten or confused
• Etc.
10. Password failure
• 52% Memory failure
– Confused with old password 37%
– Confused with other system’s password 15%
• 20% Wrong user ID
• 12% Typo
– Missing or additional characters
– Pressing ENTER
11. User strategies
• If not given a strategy: users will make up their own!
– Use the same password for multiple systems
– Only change passwords if forced to
– Externalise passwords
• On-the-spot decisions
12. Password quality (Sasse et al, 2001)
• Content
– 28% of users’ passwords are identical
– 68% use one way to construct their passwords
– 51% of the passwords are words with a number on the end
• Change
– 90% only change when forced to do so
– 45% increment the number by one when changing
• Writing down
– 30% write down all passwords
– 32% write down infrequently used passwords
13. PINs
• Numerical passwords, e.g. 4587
• Similar problems
– Same PIN across many applications
– Many people give card and PIN to others to fetch cash
– Using mobile phones in public
– Etc.
• Where to find PINs:
– On the card
– In the wallet
– Post-it
– Around cash machine
– Etc.
14. Countermeasures
• Help with passwords
– Reactive, e.g. reminder
– Proactive, e.g. hints, writing down, …
• Not really effective
• Better:
– User support and training
– Single sign-on
– Changes to password policy
– Alternative methods: Graphical or biometrics
15. Reminders
• Advantages:
– No password change
– Automated, i.e. reduced workload on helpdesk or system admin
• Disadvantages:
– Over the internet: security risk
– Attacker might guess or know the answer to additional security questions
• Example: “what is your mother’s maiden name?”
16. Hints
• User selects reminder of password that is stored on the system
together with the password
• System provides the hint if:
– user forgets his/her password and requests it
– login fails
• Advantages
– No password change
– Automated
• Disadvantages:
– Untrained users often choose bad hints in terms of memorability
– Attacker might find out the password through social networks
17. How to improve
• Provide instructions for better memorability
– Must be available when users need them
– e.g. “make up sentence to memorise” or “funny content helps to memorise”
• Provide feedback
– At registration time
– Needs to be positive and constructive
– Might help an attacker!
• Pro-active password checking
– Prevent weak passwords
– Checks at registration for compliance with password policy
• Helpdesks
– Many people prefer to interact with other human beings
– Humans are more flexible
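Added example (not from the lecture slides): a proactive password checker of the kind slide 17 describes, enforcing the policy items of slide 8 (minimum length, non-meaningful content, limited login attempts) and rejecting the two user habits reported on slide 12 (a word with a number on the end, and incrementing that number at change time). The minimum length, lock-out values, word list and hashing parameters are assumptions for the example.

```python
# Added example (not from the lecture slides): a proactive password checker
# plus a login-attempt limiter, covering the policy items on the slides:
# minimum length, non-meaningful content, change rules and limited attempts.
# The policy numbers, the word list and the hashing parameters are assumed.
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed mini dictionary; a deployment would load a full wordlist.
COMMON_WORDS = {"password", "welcome", "summer", "london", "letmein"}
PBKDF2_ITERATIONS = 50_000  # kept low for the example; use far more in practice


@dataclass
class Policy:
    min_length: int = 12        # assumed value
    max_attempts: int = 5       # failures allowed before a temporary lock
    lockout_seconds: int = 900  # assumed lock duration


def strip_trailing_digits(s: str) -> str:
    """'Summer2024' -> 'Summer'; isolates the 'word plus number' pattern."""
    return re.sub(r"\d+$", "", s)


def check_password(candidate: str, previous: Optional[str], policy: Policy) -> List[str]:
    """Proactive check at registration; returns the list of violations (empty = accepted)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if strip_trailing_digits(candidate.lower()) in COMMON_WORDS:
        problems.append("dictionary word, optionally with digits appended")
    # Reject the 'increment the number by one' change habit from the survey.
    if previous is not None and strip_trailing_digits(candidate) == strip_trailing_digits(previous):
        problems.append("same as previous password apart from trailing digits")
    return problems


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    # Only a salted, slow hash is stored on the system, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(password: str, policy: Policy, previous: Optional[str] = None) -> Account:
    """Create an account only if the proactive check passes."""
    problems = check_password(password, previous, policy)
    if problems:
        raise ValueError("; ".join(problems))
    salt = secrets.token_bytes(16)
    return Account(salt=salt, digest=_hash(password, salt))


def login(acct: Account, password: str, policy: Policy, now: Optional[float] = None) -> bool:
    """Verify a login; after max_attempts failures the account is locked for a while."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return False  # still locked: the guess is not even evaluated
    if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= policy.max_attempts:
        acct.locked_until = now + policy.lockout_seconds
        acct.failures = 0
    return False
```

The check returns every violation at once so the registration page can give the positive, constructive feedback slide 17 asks for, rather than one rejection per attempt. The attempt limit makes the brute-force and guessing attacks of slide 7 expensive without forcing frequent password changes.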
18. Single sign-on (SSO)
• Enables a user to log in once and gain access to the resources of
multiple software systems without being prompted to log in again
• Advantages:
– Reduces user’s workload to a minimum
– Reduces time spent on logins
– Reduces help desk calls
– Single point of recovery
• Disadvantages:
– Valuable to attacker (single point of attack!)
19. Challenge-response (1)
• Authentication technique
• An individual is prompted (the challenge) to provide some private
information (the response)
• Enrolment:
– Challenge-response (CR) pairs generated randomly from database
– User accepts a set of memorable CRs when enrolling
• Operation:
– Individual is given one challenge from set
– If individual gives the matching response: authenticated
20. Challenge-response (2)
• When enrolling, the challenge can be
– Selected entirely by the system, or
– Partly chosen by user, or
– Partly selected from list by user
• Response can be
– Selected by the system, or
– Chosen by user, or
– Selected from list by user
• Examples
– C: Name of your pet? R: [open answer chosen by user]
– C: Your mother’s maiden name? R: [input chosen by the user]
– C: What do you think of the [input chosen by the user]? R: I think the [from C] [chosen by the user]
21. Challenge-response (3)
• Challenge-response pairs (CRs) have two dimensions:
– Usability
– Security
• Criteria for assessing security:
– Guessing difficulty
• Criteria for assessing usability:
– User physical and mental workload
– Administrator physical workload
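Added example (not from the lecture slides): the enrolment and operation steps of slides 19 and 20, with a guessing-difficulty check for the security criterion of slide 21. The challenge pool, the list of guessable responses and the minimum number of pairs are constructed assumptions; only a salted hash of each normalised response is stored, so the system holds the challenge but not the private information.

```python
# Added example (not from the lecture slides): enrolment and operation of a
# challenge-response scheme as on slides 19-21. The challenge pool, the list
# of guessable answers and the minimum set size are constructed assumptions.
import hashlib
import hmac
import random
import secrets
import unicodedata
from dataclasses import dataclass
from typing import Dict, List

# Constructed pool the system draws candidate challenges from at enrolment.
CHALLENGE_POOL = [
    "Name of your pet?",
    "Your mother's maiden name?",
    "Street you grew up on?",
    "Title of the first record you bought?",
    "Name of your first teacher?",
]
# Constructed list of responses with too little guessing difficulty.
GUESSABLE_RESPONSES = {"max", "bella", "smith", "jones", "high street"}
MIN_PAIRS = 3
PBKDF2_ITERATIONS = 50_000  # kept low for the example


def normalise(response: str) -> str:
    """Case- and spacing-insensitive matching, so recall need not be character-exact."""
    return " ".join(unicodedata.normalize("NFKC", response).casefold().split())


@dataclass(frozen=True)
class StoredPair:
    challenge: str
    salt: bytes
    digest: bytes  # salted hash of the normalised response, never the response


def _digest(response: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(response).encode(), salt, PBKDF2_ITERATIONS)


def offer_challenges(k: int = 4) -> List[str]:
    """Enrolment, step 1: the system generates a random candidate set of challenges."""
    return random.SystemRandom().sample(CHALLENGE_POOL, k)


def enrol(answers: Dict[str, str]) -> List[StoredPair]:
    """Enrolment, step 2: the user accepts a memorable subset and supplies responses."""
    if len(answers) < MIN_PAIRS:
        raise ValueError(f"at least {MIN_PAIRS} challenge-response pairs are needed")
    stored = []
    for challenge, response in answers.items():
        if challenge not in CHALLENGE_POOL:
            raise ValueError(f"unknown challenge: {challenge!r}")
        norm = normalise(response)
        if norm in GUESSABLE_RESPONSES or len(norm) < 3:
            raise ValueError(f"response to {challenge!r} is too easy to guess")
        salt = secrets.token_bytes(16)
        stored.append(StoredPair(challenge, salt, _digest(response, salt)))
    return stored


def pick_challenge(stored: List[StoredPair]) -> str:
    """Operation, step 1: present one challenge from the user's set, chosen at random."""
    return random.SystemRandom().choice(stored).challenge


def verify(stored: List[StoredPair], challenge: str, response: str) -> bool:
    """Operation, step 2: authenticated only if the response matches the stored pair."""
    for pair in stored:
        if pair.challenge == challenge:
            return hmac.compare_digest(_digest(response, pair.salt), pair.digest)
    return False
```

Normalising before hashing trades a little guessing difficulty for usability (the user's mental workload on slide 21): "biscuit" and "Biscuit " are accepted as the same response, while a different word is not. The same attempt limiter shown for passwords would apply to challenge-response logins as well.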