May 8, 212 Passwords: Security vs Usability? · Security vs Usability? FINSE Winter School May 8,...

Preview:

Click to see full reader

Citation preview

Passwords:Security vs Usability?

FINSE Winter SchoolMay 8, 212

Per ThorsheimCISA, CISM, CISSP-ISSAPSecurity Advisor

Introduction

3

Google picture searchAbout me

Websitedesigner

Softwaredesigner

Securitydesigner

4

Windows 8 - Picture Passwordhttps://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspxhttps://blogs.msdn.com/b/b8/archive/2011/12/19/optimizing-picture-password-security.aspx

Security should be simple…

5

…but not stupid…

6

But do remember: In general, 2-factor authentication is one thing you know and one thing you forgot at home.

Good? security usability does exist:

[my personal clip art gallery]

(Mostly) Bad Examples

Tell everyone their new password inpublic

8

9

be careful with your requirements…

…but please do require something…

10

…accept end-users for who they are…

11

Store their credentials safely…

12

13

… and give them simple but useful help…

«write down your password» can besmart….

14

As long as you DO try to hide those POST-IT notes just a little bit!http://securitynirvana.blogspot.com/2010/03/write-down-your-password.html

Hey, some actually do give that advice!

15

16

17

18

19

www.ssllabs.com

Security questions are *hard* to doproperly!

20

www.lightbluetouchpaper.org/2010/03/04/evaluating-statistical-attacks-on-personal-knowledge-questions/

Do NOT e-mail me my password!

21

Or else…..

22

Hall of shame

23

https://defuse.ca/password-policy-hall-of-shame.htm

24

E-mail can be used for password resets…

25

…but not everyone does it «correctly»

26

http://securitynirvana.blogspot.com/2010/11/revisiting-password-meters.html

Password meters are dangerous:

27

http://tech.dropbox.com/?p=165 & https://github.com/lowe/zxcvbn

…Still want a password meter at yoursite?

28

http://seclists.org/bugtraq/2012/Apr/185

No default passwords or backdoors,PLEASE!

Written Password Policies

30

Password policies should be simple tounderstand

31

… or passwords may end up here:

Our past is paved with bad examples…

33

…. REALLY bad examples in fact.

Page 34

Now let me fix that password security for you…

WITHOUT affecting UX ATALL

36

Rate-limiting online bruteforce attacks

3 Blog posts and 1 academic paper:

1. «Enough with the rainbow tables: what you need to know aboutsecure password schemes»http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

2. «Strong password hashing for ASP.NET»http://zetetic.net/blog/2012/3/29/strong-password-hashing-for-aspnet.html

3. «Why you should use Bcrypt to hash stored passwords»http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/

4. «The quest to replace passwords: a framework for comparativeevaluation of web authentication schemes»http://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta-password--oakland.pdf

Recommendations

37

You should do risk analysis…

Page 38

(Your choice of methodology of course…)

Page 39

… and accept the real world.

40

Thank you!

Per Thorsheim

securitynirvana.blogspot.com

@thorsheim

Recommended

Human Factors Engineering for IT Security · Human Factors Engineering for IT Security ... CURE – Center for Usability Research and Engineering. 2 Agenda •About CURE •Usability
Documents
of Security through Usability: a user−centered approach for
Documents
Question Paper Security Analysis-II (212): January 2005
Documents
User Perceptions of the Usability and Security of
Documents
Kevin Killourhy Visualization & Usability Group Information Access Division Information Technology Laboratory Usability Research in Support Of Cyber-Security:
Documents
Improving Usability & Security on E-Commerce Sites Luke Sloane … · 2019-06-08 · Improving Usability & Security on E-Commerce Sites Luke Sloane-Bulger PROGRAMME (BSc in Computer
Documents
BIOMETRIC AUTHENTICATION SECURITY AND USABILITY · Biometric Authentication -Security and Usability 231 Most biometric techniques are based on something that cannot be lost or forgotten
Documents
ALETHEIA: Improving the Usability of Static Security … Improving the Usability of Static Security Analysis Omer Tripp Salvatore Guarnieri Marco Pistoia Aleksandr Aravkin IBM T. J
Documents
UNIX vs Windows History Reputation Performance Security Stability Cost Usability
Documents
Security and Usability Engineering with Particular ... · Security and Usability Engineering with Particular Attention to Electronic Mail ... we conducted a quantitative analysis
Documents
Tradeoffs between Usability and Security - ijetch.org · designing of modern computer software's. ... like application interfaces usability, web interfaces usability, ... IEEE and
Documents
Passwords: Security vs Usability
Technology
Security and Usability: Analysis and Evaluation · 2015-10-05 · Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing
Documents
Security seminar topics - ut · Security seminar topics 2010 Aleksei Gorny . Usability of security. Overview Bad security/usability balancing choices prevail in software design. Blame
Documents
01. Course Overview; Introduction to Usable …usability within security and privacy • Learn about current research in usable security and privacy • Learn how to conduct usability
Documents
Evaluating the Usability and Security of Wireless Networks
Documents
CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords
Documents
Aligning Security and Usability - Virginia Techpeople.cs.vt.edu/~kafura/cs6204/Readings/Usability/AliigningSecurity... · Usability and Security can find some types of bugs in a
Documents
Usable Security - Computer Security Lecture 17Psychology and Usability Usability Background Research in Usability and Security Usable Authentication Password Authentication Challenge
Documents
Usability and security in future voting systems
Design