SlideShare une entreprise Scribd logo

It's no Secret

Nuno Loureiro
Nuno Loureiro

Measuring the security and reliability of authentication via secret questions.

Technologie
1  sur  21
Télécharger pour lire hors ligne
Special Topics in Applied Security IT’S NO SECRET Measuring the security and reliability of authentication via secret questions {Stuart Schechter, A.J. Bernheim Brush} @ Microsoft Research Serge Egelman @ Carnegie Mellon University 2009 30th IEEE Symposium on Security and Privacy Research Presentation Nuno Loureiro 2009/11/26 1 Thursday, November 26, 2009
SUBJECT OF STUDY • AOL, Gmail, Hotmail and Yahoo! webmails... • rely on personal questions to reset account passwords • But is it safe? Special Topics in Applied Security Nuno Loureiro 2 Thursday, November 26, 2009
SUBJECT OF STUDY Special Topics in Applied Security Nuno Loureiro 3 Thursday, November 26, 2009
SUMMARY • Why using secret questions? • Motivation • Study • Memorability • Statistical Guessing • Guessing by Acquaintance • Security of User-written Questions • Improving Questions • Alternatives Special Topics in Applied Security Nuno Loureiro 4 Thursday, November 26, 2009
WHY USING SECRET QUESTIONS? • Most sites depend on email as a backup authenticator to reset passwords • Webmail services cannot assume their users have an alternative email address as a backup authenticator. Special Topics in Applied Security Nuno Loureiro 5 Thursday, November 26, 2009
MOTIVATION • Sarah Palin’s Yahoo! Mail account was hacked in Sep 2008 via her secret question • First secret question was... “what is your birthdate?” • Second question was... “where did you meet your spouse?” Special Topics in Applied Security Nuno Loureiro 6 Thursday, November 26, 2009
MOTIVATION • Prior studies concluded: • 33-39% of their answers guessed by spouses, family and close friends • Participants forgot 20-22% of their own answers within 3 months Special Topics in Applied Security Nuno Loureiro 7 Thursday, November 26, 2009
STUDY • Top four webmail providers: AOL, Google, Microsoft, Yahoo • Examined real-world questions in use in Mar 2008 • Invited participants in pairs • Asked them personal questions and to guess partners’ answers • Measured guessing by untrusted acquaintances • Statistical guessing attacks Special Topics in Applied Security Nuno Loureiro 8 Thursday, November 26, 2009
POOL • 4 cohorts - 130 participants • First 3 cohorts (116 participants) were active (+3 logins/week) Hotmail users (+3 months old) • Each participant invited a coworker, friend, or family member Special Topics in Applied Security Nuno Loureiro 9 Thursday, November 26, 2009
MEMORABILITY: REMEMBER ANSWER TO OWN QUESTION? First challenge was: • Ask Hotmail users (3 cohorts) to reset their password using their personal question • 57% could not reset their password! Special Topics in Applied Security Nuno Loureiro 10 Thursday, November 26, 2009
MEMORABILITY: REMEMBER ANSWER AFTER 6 MONTHS? Answer within 5 guesses Special Topics in Applied Security Nuno Loureiro 11 Thursday, November 26, 2009
STATISTICAL GUESSING If it is among the 5 most popular answers provided by other participants (remember that participants were from the same metropolitan area) Special Topics in Applied Security Nuno Loureiro 12 Thursday, November 26, 2009
GUESSING BY ACQUAINTANCE Answer within 5 guesses Special Topics in Applied Security Nuno Loureiro 13 Thursday, November 26, 2009
GUESSING BY ACQUAINTANCE Curiosities: •50% of Spouses failed to guess: “Where did you meet your spouse?” •28% of Spouses failed to guess: “Where were you born?” •50% of Fiances failed to guess: “Where were you born?” Special Topics in Applied Security Nuno Loureiro 14 Thursday, November 26, 2009
SECURITY OF USER-WRITTEN QUESTIONS • 24% vulnerable to attacks that require no personal knowledge • 23% vulnerable to family members Special Topics in Applied Security Nuno Loureiro 15 Thursday, November 26, 2009
IMPROVING QUESTIONS • Limit the user to a fixed threshold of responses. Responses could be penalized in proportion to their popularity. Should not be penalized for a response that is identical to a previous one (e.g. ‘Brooklyn’ and ‘Brooklyn, NY’) • Eliminate questions that are statistically guessable >10% • After login, ask user occasionally to answer personal question Special Topics in Applied Security Nuno Loureiro 16 Thursday, November 26, 2009
ALTERNATIVES •Send token to alternate email address •SMS token to mobile phone •Personal question only if user does not provide any of above Special Topics in Applied Security Nuno Loureiro 17 Thursday, November 26, 2009
YAHOO! Special Topics in Applied Security Nuno Loureiro 18 Thursday, November 26, 2009
GMAIL Special Topics in Applied Security Nuno Loureiro 19 Thursday, November 26, 2009
SAPO Special Topics in Applied Security Nuno Loureiro 20 Thursday, November 26, 2009
THANK YOU! QUESTIONS? Special Topics in Applied Security Nuno Loureiro 21 Thursday, November 26, 2009

Recommandé

From the Unknown to the Known
From the Unknown to the KnownFrom the Unknown to the Known
From the Unknown to the KnownBen Gardner
 
DumpFS - A Distributed Storage Solution
DumpFS - A Distributed Storage SolutionDumpFS - A Distributed Storage Solution
DumpFS - A Distributed Storage SolutionNuno Loureiro
 
From Search to Semantics
From Search to SemanticsFrom Search to Semantics
From Search to SemanticsBen Gardner
 
C days2015
C days2015C days2015
C days2015Nuno Loureiro
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Nuno Loureiro
 
Ieora newsletter aug 2011 vol 1
Ieora newsletter aug 2011 vol 1Ieora newsletter aug 2011 vol 1
Ieora newsletter aug 2011 vol 1Sashi Sivam
 
Usabilidad y diseño para formularios
Usabilidad y diseño para formulariosUsabilidad y diseño para formularios
Usabilidad y diseño para formulariosalfonsogu
 
¿Qué es el Neuromarketing?
¿Qué es el Neuromarketing?¿Qué es el Neuromarketing?
¿Qué es el Neuromarketing?alfonsogu
 

Recommandé

From the Unknown to the Known
From the Unknown to the KnownFrom the Unknown to the Known
From the Unknown to the KnownBen Gardner
 
DumpFS - A Distributed Storage Solution
DumpFS - A Distributed Storage SolutionDumpFS - A Distributed Storage Solution
DumpFS - A Distributed Storage SolutionNuno Loureiro
 
From Search to Semantics
From Search to SemanticsFrom Search to Semantics
From Search to SemanticsBen Gardner
 
C days2015
C days2015C days2015
C days2015Nuno Loureiro
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Nuno Loureiro
 
Ieora newsletter aug 2011 vol 1
Ieora newsletter aug 2011 vol 1Ieora newsletter aug 2011 vol 1
Ieora newsletter aug 2011 vol 1Sashi Sivam
 
Usabilidad y diseño para formularios
Usabilidad y diseño para formulariosUsabilidad y diseño para formularios
Usabilidad y diseño para formulariosalfonsogu
 
¿Qué es el Neuromarketing?
¿Qué es el Neuromarketing?¿Qué es el Neuromarketing?
¿Qué es el Neuromarketing?alfonsogu
 
The Yin-Yang of Web Authentication
The Yin-Yang of Web AuthenticationThe Yin-Yang of Web Authentication
The Yin-Yang of Web AuthenticationNuno Loureiro
 
12
1212
12Alp Eryürek
 
Marca global china
Marca global chinaMarca global china
Marca global chinaalfonsogu
 
Vanishing Point - Resilient DNSSEC Key Repository
Vanishing Point - Resilient DNSSEC Key RepositoryVanishing Point - Resilient DNSSEC Key Repository
Vanishing Point - Resilient DNSSEC Key RepositoryNuno Loureiro
 
Living With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementLiving With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementNuno Loureiro
 
Introduction to .NET Micro Framework Development
Introduction to .NET Micro Framework DevelopmentIntroduction to .NET Micro Framework Development
Introduction to .NET Micro Framework Developmentchristopherfairbairn
 
Enterprise wiki's: Does one size fit all?
Enterprise wiki's: Does one size fit all?Enterprise wiki's: Does one size fit all?
Enterprise wiki's: Does one size fit all?Ben Gardner
 
Funny Toilet
Funny ToiletFunny Toilet
Funny Toiletwebhittler
 
Kristina Smeriglio Writing Portfolio
Kristina Smeriglio Writing PortfolioKristina Smeriglio Writing Portfolio
Kristina Smeriglio Writing PortfolioKristina Smeriglio
 
Practical semantics - An introduction
Practical semantics - An introductionPractical semantics - An introduction
Practical semantics - An introductionBen Gardner
 
meet Jessica
meet Jessicameet Jessica
meet JessicaBen Gardner
 
Zendesk wp customer_satisfaction_report
Zendesk wp customer_satisfaction_reportZendesk wp customer_satisfaction_report
Zendesk wp customer_satisfaction_reportalfonsogu
 
Historia del crm
Historia del crmHistoria del crm
Historia del crmalfonsogu
 
Stratergies for the intergration of information (IPI_ConfEX)
Stratergies for the intergration of information (IPI_ConfEX)Stratergies for the intergration of information (IPI_ConfEX)
Stratergies for the intergration of information (IPI_ConfEX)Ben Gardner
 
Charla tabaco ccss version office 2010
Charla tabaco ccss version office 2010Charla tabaco ccss version office 2010
Charla tabaco ccss version office 2010JulioB
 
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...christopherfairbairn
 
What AI is and examples of how it is used in legal
What AI is and examples of how it is used in legalWhat AI is and examples of how it is used in legal
What AI is and examples of how it is used in legalBen Gardner
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Contenu connexe

En vedette

The Yin-Yang of Web Authentication
The Yin-Yang of Web AuthenticationThe Yin-Yang of Web Authentication
The Yin-Yang of Web AuthenticationNuno Loureiro
 
Marca global china
Marca global chinaMarca global china
Marca global chinaalfonsogu
 
Vanishing Point - Resilient DNSSEC Key Repository
Vanishing Point - Resilient DNSSEC Key RepositoryVanishing Point - Resilient DNSSEC Key Repository
Vanishing Point - Resilient DNSSEC Key RepositoryNuno Loureiro
 
Living With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementLiving With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementNuno Loureiro
 
Introduction to .NET Micro Framework Development
Introduction to .NET Micro Framework DevelopmentIntroduction to .NET Micro Framework Development
Introduction to .NET Micro Framework Developmentchristopherfairbairn
 
Enterprise wiki's: Does one size fit all?
Enterprise wiki's: Does one size fit all?Enterprise wiki's: Does one size fit all?
Enterprise wiki's: Does one size fit all?Ben Gardner
 
Kristina Smeriglio Writing Portfolio
Kristina Smeriglio Writing PortfolioKristina Smeriglio Writing Portfolio
Kristina Smeriglio Writing PortfolioKristina Smeriglio
 
Practical semantics - An introduction
Practical semantics - An introductionPractical semantics - An introduction
Practical semantics - An introductionBen Gardner
 
Zendesk wp customer_satisfaction_report
Zendesk wp customer_satisfaction_reportZendesk wp customer_satisfaction_report
Zendesk wp customer_satisfaction_reportalfonsogu
 
Historia del crm
Historia del crmHistoria del crm
Historia del crmalfonsogu
 
Stratergies for the intergration of information (IPI_ConfEX)
Stratergies for the intergration of information (IPI_ConfEX)Stratergies for the intergration of information (IPI_ConfEX)
Stratergies for the intergration of information (IPI_ConfEX)Ben Gardner
 
Charla tabaco ccss version office 2010
Charla tabaco ccss version office 2010Charla tabaco ccss version office 2010
Charla tabaco ccss version office 2010JulioB
 
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...christopherfairbairn
 
What AI is and examples of how it is used in legal
What AI is and examples of how it is used in legalWhat AI is and examples of how it is used in legal
What AI is and examples of how it is used in legalBen Gardner
 

En vedette (17)

The Yin-Yang of Web Authentication
The Yin-Yang of Web AuthenticationThe Yin-Yang of Web Authentication
The Yin-Yang of Web Authentication
 
12
1212
12
 
Marca global china
Marca global chinaMarca global china
Marca global china
 
Vanishing Point - Resilient DNSSEC Key Repository
Vanishing Point - Resilient DNSSEC Key RepositoryVanishing Point - Resilient DNSSEC Key Repository
Vanishing Point - Resilient DNSSEC Key Repository
 
Living With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementLiving With Passwords: Personal Password Management
Living With Passwords: Personal Password Management
 
Introduction to .NET Micro Framework Development
Introduction to .NET Micro Framework DevelopmentIntroduction to .NET Micro Framework Development
Introduction to .NET Micro Framework Development
 
Enterprise wiki's: Does one size fit all?
Enterprise wiki's: Does one size fit all?Enterprise wiki's: Does one size fit all?
Enterprise wiki's: Does one size fit all?
 
Funny Toilet
Funny ToiletFunny Toilet
Funny Toilet
 
Kristina Smeriglio Writing Portfolio
Kristina Smeriglio Writing PortfolioKristina Smeriglio Writing Portfolio
Kristina Smeriglio Writing Portfolio
 
Practical semantics - An introduction
Practical semantics - An introductionPractical semantics - An introduction
Practical semantics - An introduction
 
meet Jessica
meet Jessicameet Jessica
meet Jessica
 
Zendesk wp customer_satisfaction_report
Zendesk wp customer_satisfaction_reportZendesk wp customer_satisfaction_report
Zendesk wp customer_satisfaction_report
 
Historia del crm
Historia del crmHistoria del crm
Historia del crm
 
Stratergies for the intergration of information (IPI_ConfEX)
Stratergies for the intergration of information (IPI_ConfEX)Stratergies for the intergration of information (IPI_ConfEX)
Stratergies for the intergration of information (IPI_ConfEX)
 
Charla tabaco ccss version office 2010
Charla tabaco ccss version office 2010Charla tabaco ccss version office 2010
Charla tabaco ccss version office 2010
 
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
 
What AI is and examples of how it is used in legal
What AI is and examples of how it is used in legalWhat AI is and examples of how it is used in legal
What AI is and examples of how it is used in legal
 

Dernier

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Dernier (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

It's no Secret

  • 1. Special Topics in Applied Security IT’S NO SECRET Measuring the security and reliability of authentication via secret questions {Stuart Schechter, A.J. Bernheim Brush} @ Microsoft Research Serge Egelman @ Carnegie Mellon University 2009 30th IEEE Symposium on Security and Privacy Research Presentation Nuno Loureiro 2009/11/26 1 Thursday, November 26, 2009
  • 2. SUBJECT OF STUDY • AOL, Gmail, Hotmail and Yahoo! webmails... • rely on personal questions to reset account passwords • But is it safe? Special Topics in Applied Security Nuno Loureiro 2 Thursday, November 26, 2009
  • 3. SUBJECT OF STUDY Special Topics in Applied Security Nuno Loureiro 3 Thursday, November 26, 2009
  • 4. SUMMARY • Why using secret questions? • Motivation • Study • Memorability • Statistical Guessing • Guessing by Acquaintance • Security of User-written Questions • Improving Questions • Alternatives Special Topics in Applied Security Nuno Loureiro 4 Thursday, November 26, 2009
  • 5. WHY USING SECRET QUESTIONS? • Most sites depend on email as a backup authenticator to reset passwords • Webmail services cannot assume their users have an alternative email address as a backup authenticator. Special Topics in Applied Security Nuno Loureiro 5 Thursday, November 26, 2009
  • 6. MOTIVATION • Sarah Palin’s Yahoo! Mail account was hacked in Sep 2008 via her secret question • First secret question was... “what is your birthdate?” • Second question was... “where did you meet your spouse?” Special Topics in Applied Security Nuno Loureiro 6 Thursday, November 26, 2009
  • 7. MOTIVATION • Prior studies concluded: • 33-39% of their answers guessed by spouses, family and close friends • Participants forgot 20-22% of their own answers within 3 months Special Topics in Applied Security Nuno Loureiro 7 Thursday, November 26, 2009
  • 8. STUDY • Top four webmail providers: AOL, Google, Microsoft, Yahoo • Examined real-world questions in use in Mar 2008 • Invited participants in pairs • Asked them personal questions and to guess partners’ answers • Measured guessing by untrusted acquaintances • Statistical guessing attacks Special Topics in Applied Security Nuno Loureiro 8 Thursday, November 26, 2009
  • 9. POOL • 4 cohorts - 130 participants • First 3 cohorts (116 participants) were active (+3 logins/week) Hotmail users (+3 months old) • Each participant invited a coworker, friend, or family member Special Topics in Applied Security Nuno Loureiro 9 Thursday, November 26, 2009
  • 10. MEMORABILITY: REMEMBER ANSWER TO OWN QUESTION? First challenge was: • Ask Hotmail users (3 cohorts) to reset their password using their personal question • 57% could not reset their password! Special Topics in Applied Security Nuno Loureiro 10 Thursday, November 26, 2009
  • 11. MEMORABILITY: REMEMBER ANSWER AFTER 6 MONTHS? Answer within 5 guesses Special Topics in Applied Security Nuno Loureiro 11 Thursday, November 26, 2009
  • 12. STATISTICAL GUESSING If it is among the 5 most popular answers provided by other participants (remember that participants were from the same metropolitan area) Special Topics in Applied Security Nuno Loureiro 12 Thursday, November 26, 2009
  • 13. GUESSING BY ACQUAINTANCE Answer within 5 guesses Special Topics in Applied Security Nuno Loureiro 13 Thursday, November 26, 2009
  • 14. GUESSING BY ACQUAINTANCE Curiosities: •50% of Spouses failed to guess: “Where did you meet your spouse?” •28% of Spouses failed to guess: “Where were you born?” •50% of Fiances failed to guess: “Where were you born?” Special Topics in Applied Security Nuno Loureiro 14 Thursday, November 26, 2009
  • 15. SECURITY OF USER-WRITTEN QUESTIONS • 24% vulnerable to attacks that require no personal knowledge • 23% vulnerable to family members Special Topics in Applied Security Nuno Loureiro 15 Thursday, November 26, 2009
  • 16. IMPROVING QUESTIONS • Limit the user to a fixed threshold of responses. Responses could be penalized in proportion to their popularity. Should not be penalized for a response that is identical to a previous one (e.g. ‘Brooklyn’ and ‘Brooklyn, NY’) • Eliminate questions that are statistically guessable >10% • After login, ask user occasionally to answer personal question Special Topics in Applied Security Nuno Loureiro 16 Thursday, November 26, 2009
  • 17. ALTERNATIVES •Send token to alternate email address •SMS token to mobile phone •Personal question only if user does not provide any of above Special Topics in Applied Security Nuno Loureiro 17 Thursday, November 26, 2009
  • 18. YAHOO! Special Topics in Applied Security Nuno Loureiro 18 Thursday, November 26, 2009
  • 19. GMAIL Special Topics in Applied Security Nuno Loureiro 19 Thursday, November 26, 2009
  • 20. SAPO Special Topics in Applied Security Nuno Loureiro 20 Thursday, November 26, 2009
  • 21. THANK YOU! QUESTIONS? Special Topics in Applied Security Nuno Loureiro 21 Thursday, November 26, 2009