E-mail senden E-Mail Adresse kopieren
2020-05-27

On the Usability and Security of Password-Based User Authentication

Zusammenfassung

Passwords' security and usability problems have been studied for decades. Still, passwords remain to be the primary authenticator in computer systems. With the increasing number of services that require authentication, users, administrators, and system developers face new challenges like the threats caused by weak passwords or password reuse. To better protect their users, services deployed solutions to reinforce password-based authentication, mostly by considering authentication factors other than passwords. At the same time, legacy problems such as system designers' and users' incorrect mental models of attacker capabilities hinder the adoption of healthy password practices. This thesis studies four key aspects of password-based user authentication: password recovery, password strength meters, passwordreuse notifications, and cracking-resistant password managers. First, we explore password recovery mechanisms. When users are forced to comply with complicated password composition requirements or expiration policies, they cannot be blamed for forgetting their passwords. However, currently deployed knowledge-based recovery mechanisms are heavily biased by users' selection and thus insecure. We propose a selection bias-free fallback authentication system that both relieves the user from memorizing a secret and performs well over longer periods of time. Second, we analyze password strength meters. During account registration, users can benefit from additional guidance and feedback provided by password strength meters. However, in a large-scale survey, we found many meters that are inaccurate but are used on popular websites or password managers. To support developers and system designers, we provide metrics, guidance, and tools to improve their meters. Third, we look into communicating the threats caused by password reuse. Currently, password reuse is one of the most pressing security issues in password-based authentication. Proactive checks by service providers against their user database for matches with leaked credentials is one technique services deploy to limit the success rate of password-reuse attacks. Communicating this security issue is a challenging task, as it involves a complexity that is difficult for users to understand, but that requires immediate action to prevent harm. We show that users' mental models regarding the imminent threat of password reuse are incomplete and oftentimes wrong. We then provide guidelines for system designers and developers to improve their password-reuse notifications. Finally, we examine the security of cracking-resistant password managers. Password managers can help to deal with the increasing number of passwords and accounts. By synchronizing the password protected vault file with cloud services, attackers have a higher chance to obtain and thus successfully decrypt the vault. Cracking-resistant managers help to mitigate this problem by trying to cover whether a guessed master password is correct or not. We show that the current proposal is vulnerable to distribution-based attacks which can distinguish real from decoy vaults and propose a more secure construction.

publication_eventtype_thesis

Veröffentlichungsdatum

2020-05-27

Letztes Änderungsdatum

2026-06-23