Special Topics in Applied Security



IT’S NO SECRET
Measuring the security and reliability of authentication via secret questions

Stuart Schechter, A.J. Bernheim Brush @ Microsoft Research
Serge Egelman @ Carnegie Mellon University

2009 30th IEEE Symposium on Security and Privacy

Research Presentation
Nuno Loureiro
2009/11/26

                                                                 1
Thursday, November 26, 2009
SUBJECT OF STUDY

    • AOL, Gmail, Hotmail and Yahoo! webmail services rely on personal questions to reset account passwords
    • But is it safe?




SUBJECT OF STUDY




SUMMARY
    • Why use secret questions?
    • Motivation
    • Study
    • Memorability
    • Statistical Guessing
    • Guessing by Acquaintance
    • Security of User-written Questions
    • Improving Questions
    • Alternatives

WHY USE SECRET QUESTIONS?

    • Most sites depend on email as a backup authenticator to reset passwords
    • Webmail services cannot assume their users have an alternative email address to serve as a backup authenticator




MOTIVATION
  • Sarah Palin’s Yahoo! Mail account was hacked in Sep 2008 via her secret question
  • The reset flow first asked... “what is your birthdate?”
  • Then came the secret question... “where did you meet your spouse?”
  • Both answers were available from public sources

MOTIVATION
  • Prior studies concluded:
      • 33-39% of answers were guessed by spouses, family and close friends
      • Participants forgot 20-22% of their own answers within 3 months




STUDY
  • Top four webmail providers: AOL, Google, Microsoft, Yahoo
  • Examined the real-world questions in use in Mar 2008
  • Invited participants in pairs
  • Asked them the personal questions, and asked each to guess their partner’s answers
  • Measured guessing by untrusted acquaintances
  • Measured statistical guessing attacks
POOL

    • 4 cohorts, 130 participants
    • First 3 cohorts (116 participants) were active Hotmail users (3+ logins/week, account at least 3 months old)
    • Each participant invited a coworker, friend, or family member



MEMORABILITY:
    REMEMBER ANSWER TO OWN QUESTION?

        First challenge:

         • Hotmail users (3 cohorts) were asked to reset their password using their personal question
         • 57% could not reset their password!



MEMORABILITY:
          REMEMBER ANSWER AFTER 6 MONTHS?
           Answer within 5 guesses




STATISTICAL GUESSING
   An answer counts as statistically guessable if it is among the 5 most popular answers given by the other
   participants (bear in mind that all participants were from the same metropolitan area, so answers to place-based questions cluster)




GUESSING BY ACQUAINTANCE
   Answer within 5 guesses




GUESSING BY ACQUAINTANCE




   Notable results:
     • 50% of spouses failed to guess: “Where did you meet your spouse?”
     • 28% of spouses failed to guess: “Where were you born?”
     • 50% of fiancés failed to guess: “Where were you born?”


SECURITY OF USER-WRITTEN QUESTIONS
    • 24% of user-written questions were vulnerable to attacks that require no personal knowledge
    • 23% were vulnerable to family members




IMPROVING QUESTIONS

    • Limit the user to a fixed guess budget. Guesses could be penalized in proportion to the
        popularity of the answer tried. A response equivalent to a previous one (e.g.
        ‘Brooklyn’ and ‘Brooklyn, NY’) should not be charged again.

    • Eliminate questions for which statistical guessing succeeds more than 10% of the time

    • After login, occasionally ask the user to answer their personal question, so the answer stays fresh in memory
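The statistical-guessing metric from the earlier slide and the first two improvements above can be made concrete in code. The block below is an added example written for this page; it is not code from the paper or from any webmail provider. It assumes made-up answer pools (labelled as constructed in the code), a simple comma-stripping heuristic for treating ‘Brooklyn’ and ‘Brooklyn, NY’ as one answer, and an assumed cost scale of 1 + 10 × share for the popularity penalty; the 5-guess budget and the 10% cut-off are the slide’s numbers.

```python
"""Statistical guessability of secret questions, answer normalization and a
popularity penalty on guesses. Added example; not the paper's code."""
import re
import unicodedata
from collections import Counter
from typing import Dict, Iterable, List

# Constructed answer pools (made up for this example, not the study's data).
# The first mimics a pool drawn from one metropolitan area, so place answers
# cluster heavily; the second is spread out.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "Where were you born?":
        ["Seattle"] * 30 + ["Seattle, WA"] * 10 + ["Bellevue"] * 12
        + ["Tacoma"] * 8 + ["Portland"] * 6 + ["Spokane"] * 4
        + ["Boise", "Denver", "Austin", "Omaha", "Tulsa", "Fresno", "Reno",
           "Boston", "Dallas", "Atlanta", "Miami", "Detroit", "Chicago",
           "Phoenix", "Houston", "Newark", "Albany", "Buffalo", "Durham",
           "Raleigh", "Toledo", "Mobile", "Eugene", "Salem", "Bend",
           "Yakima", "Everett", "Kent", "Renton", "Burien"],
    "What was the name of your first pet?":
        ["Max"] * 3 + ["Bella"] * 2 + ["Buddy"] * 2 + ["Lucy", "Rocky"]
        + [f"pet{i}" for i in range(91)],
}


def normalize_answer(answer: str) -> str:
    """Canonical form so 'Brooklyn' and 'Brooklyn, NY' count as one answer.
    Heuristic (assumed): strip accents, lowercase, drop anything after a
    comma, keep only letters/digits, collapse whitespace."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower().split(",")[0]
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return " ".join(text.split())


def guessability(answers: Iterable[str], guesses: int = 5) -> float:
    """Fraction of accounts an attacker with no personal knowledge opens by
    trying the `guesses` most popular (normalized) answers from the pool."""
    answers = list(answers)
    counts = Counter(normalize_answer(a) for a in answers)
    return sum(n for _, n in counts.most_common(guesses)) / len(answers)


def acceptable_question(answers: Iterable[str], guesses: int = 5,
                        threshold: float = 0.10) -> bool:
    """Keep a question only if statistical guessing stays at or below 10%."""
    return guessability(answers, guesses) <= threshold


def guess_cost(share: float, scale: int = 10) -> int:
    """Budget charged for trying an answer held by `share` of the pool.
    A rare answer costs 1; one that 40% of users share costs 5 (assumed scale)."""
    return 1 + int(share * scale)


def statistical_attack(answers: Iterable[str], budget: int = 5,
                       penalize_popular: bool = False) -> float:
    """Simulate a greedy attacker who tries answers from most popular down
    until the guess budget is spent. With the popularity penalty on, the
    popular guesses burn the budget, so coverage drops for skewed pools."""
    answers = list(answers)
    counts = Counter(normalize_answer(a) for a in answers)
    total = len(answers)
    remaining, covered = budget, 0
    for _canonical, n in counts.most_common():
        if remaining == 0:
            break
        cost = guess_cost(n / total) if penalize_popular else 1
        if cost > remaining:
            continue  # too expensive for what is left; try a rarer answer
        remaining -= cost
        covered += n
    return covered / total


def rank_questions(pools: Dict[str, List[str]]) -> Dict[str, float]:
    """Guessability per question, most dangerous first."""
    scores = {q: guessability(a) for q, a in pools.items()}
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for question, score in rank_questions(SAMPLE_ANSWERS).items():
        pool = SAMPLE_ANSWERS[question]
        print(f"{question!r}: top-5 guessability {score:.0%}, "
              f"{'keep' if acceptable_question(pool) else 'ELIMINATE'}; "
              f"attack coverage with penalty "
              f"{statistical_attack(pool, penalize_popular=True):.0%}")
```

On the constructed pools the place question is 70% guessable within five tries and gets eliminated, while the pet question sits at 9% and is kept; charging guesses by popularity cuts the attacker’s coverage on the place question from 70% to 40% without changing anything for the flat pool.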


ALTERNATIVES

    • Send a reset token to an alternate email address
    • Send an SMS token to the mobile phone
    • Fall back to the personal question only if the user provided neither of the above
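The fallback order above, together with the token handling a reset service needs around it, as an added example written for this page (not code from the paper or from any of the providers discussed). The account fields, the 15-minute token lifetime, the 8-digit SMS code, the attempt caps and the in-memory pending-reset store are all assumptions made for the example.

```python
"""Reset-channel selection and out-of-band token handling.
Added example; not the paper's or any provider's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumed 15-minute reset window
SMS_CODE_DIGITS = 8           # short enough to type, so attempts must be capped
SMS_MAX_ATTEMPTS = 5
EMAIL_MAX_ATTEMPTS = 3


@dataclass
class Account:
    """Hypothetical account record; only the fields the reset flow needs."""
    username: str
    alternate_email: Optional[str] = None
    mobile: Optional[str] = None
    secret_question: Optional[str] = None


@dataclass
class PendingReset:
    token_hash: str        # only a hash of the token is kept server-side
    channel: str
    expires_at: float
    attempts_left: int
    used: bool = False


class ResetService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, PendingReset] = {}

    @staticmethod
    def choose_channel(acct: Account) -> Optional[str]:
        """Prefer out-of-band channels; use the secret question only when the
        user registered neither an alternate address nor a phone number."""
        if acct.alternate_email:
            return "email"
        if acct.mobile:
            return "sms"
        if acct.secret_question:
            return "question"
        return None

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_token(self, acct: Account) -> Tuple[Optional[str], Optional[str]]:
        """Return (channel, token). The caller sends the token over that
        channel; for 'question' (or no channel) there is no token to send."""
        channel = self.choose_channel(acct)
        if channel == "email":
            token, attempts = secrets.token_urlsafe(32), EMAIL_MAX_ATTEMPTS  # 256-bit
        elif channel == "sms":
            token = f"{secrets.randbelow(10 ** SMS_CODE_DIGITS):0{SMS_CODE_DIGITS}d}"
            attempts = SMS_MAX_ATTEMPTS   # a 10^8 space is only safe with a cap
        else:
            return channel, None
        self._pending[acct.username] = PendingReset(
            token_hash=self._digest(token), channel=channel,
            expires_at=self._clock() + TOKEN_TTL_SECONDS, attempts_left=attempts)
        return channel, token

    def redeem_token(self, username: str, presented: str) -> bool:
        """Single-use, time-limited, attempt-capped, constant-time comparison."""
        pending = self._pending.get(username)
        if pending is None or pending.used or pending.attempts_left <= 0:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[username]
            return False
        pending.attempts_left -= 1
        if not hmac.compare_digest(pending.token_hash, self._digest(presented)):
            if pending.attempts_left == 0:
                del self._pending[username]   # locked out: must start a new reset
            return False
        pending.used = True
        return True


if __name__ == "__main__":
    svc = ResetService()
    for acct in (Account("alice", alternate_email="alice@example.test"),
                 Account("bob", mobile="+1 555 0100"),
                 Account("carol", secret_question="Where were you born?")):
        channel, token = svc.issue_token(acct)
        print(acct.username, "->", channel, "(token sent out of band)" if token else "")
```

Only the SHA-256 of the token is stored, so a leaked pending-reset table does not hand out live tokens; the SMS path gets a small attempt cap because an 8-digit code is brute-forceable without one, and the comparison is constant-time so the hash check leaks no timing signal.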



YAHOO!




GMAIL




SAPO




THANK YOU!




                                                       QUESTIONS?

