IT’S NO SECRET
Special Topics in Applied Security
Paper: “Measuring the security and reliability of authentication via secret questions”
Stuart Schechter, A.J. Bernheim Brush (Microsoft Research); Serge Egelman (Carnegie Mellon University)
2009 30th IEEE Symposium on Security and Privacy
Research presentation by Nuno Loureiro, 2009/11/26
Thursday, November 26, 2009
Nuno Loureiro, Special Topics in Applied Security
SUBJECT OF STUDY
• AOL, Gmail, Hotmail and Yahoo! webmails...
• rely on personal questions to reset account passwords
• But is it safe?
SUMMARY
• Why use secret questions?
• Motivation
• Study
• Memorability
• Statistical Guessing
• Guessing by Acquaintance
• Security of User-written Questions
• Improving Questions
• Alternatives
WHY USE SECRET QUESTIONS?
• Most sites depend on email as a backup authenticator to reset passwords
• Webmail services cannot assume their users have an alternative email address as a backup authenticator
MOTIVATION
• Sarah Palin’s Yahoo! Mail account was hacked in Sep 2008 via her secret question
• First secret question was... “what is your birthdate?”
• Second question was... “where did you meet your spouse?”
MOTIVATION
• Prior studies concluded:
  • 33-39% of their answers guessed by spouses, family and close friends
  • Participants forgot 20-22% of their own answers within 3 months
STUDY
• Top four webmail providers: AOL, Google, Microsoft, Yahoo
• Examined real-world questions in use in Mar 2008
• Invited participants in pairs
• Asked them personal questions and to guess partners’ answers
• Measured guessing by untrusted acquaintances
• Statistical guessing attacks
POOL
• 4 cohorts - 130 participants
• First 3 cohorts (116 participants) were active Hotmail users (3+ logins/week, accounts 3+ months old)
• Each participant invited a coworker, friend, or family member
MEMORABILITY: REMEMBER ANSWER TO OWN QUESTION?
First challenge was:
• Ask Hotmail users (3 cohorts) to reset their password using their personal question
• 57% could not reset their password!
MEMORABILITY: REMEMBER ANSWER AFTER 6 MONTHS?
(Chart: answer within 5 guesses)
STATISTICAL GUESSING
An answer counts as statistically guessable if it is among the 5 most popular answers provided by other participants (remember that participants were from the same metropolitan area)
GUESSING BY ACQUAINTANCE
(Chart: answer within 5 guesses)
GUESSING BY ACQUAINTANCE
Curiosities:
• 50% of Spouses failed to guess: “Where did you meet your spouse?”
• 28% of Spouses failed to guess: “Where were you born?”
• 50% of Fiancés failed to guess: “Where were you born?”
SECURITY OF USER-WRITTEN QUESTIONS
• 24% vulnerable to attacks that require no personal knowledge
• 23% vulnerable to family members
IMPROVING QUESTIONS
• Limit the user to a fixed threshold of responses. Responses could be penalized in proportion to their popularity. Should not be penalized for a response that is identical to a previous one (e.g. ‘Brooklyn’ and ‘Brooklyn, NY’)
• Eliminate questions that are statistically guessable >10%
• After login, ask user occasionally to answer personal question
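The guessability metric from the statistical-guessing slide (an answer is guessable if it sits among the 5 most popular answers in the population) and the screening rules on this slide can be turned into a small checker a webmail operator could run over its own answer database. The Python below is an added example written for this transcript, not code from the paper, the slides, or any provider; the two answer lists are constructed sample data, the normalization rule (lower-case, strip punctuation, drop a trailing two-letter token such as a state code, so that ‘Brooklyn’ and ‘Brooklyn, NY’ are counted as one response) is a heuristic of this example, and the 5% cap on a single answer’s popularity is an illustrative parameter. The 5-guess budget and the 10% question threshold are the figures from the slides.

```python
"""Secret-question screening helpers (added example; not from the paper/slides).

Assumptions, all hypothetical and chosen for illustration:
  - the answer lists BORN and PETS are constructed sample data;
  - normalize() is a simple heuristic for folding trivial variants together;
  - MAX_ANSWER_SHARE (5%) is an illustrative cap on one answer's popularity.
The 5-guess budget and the 10% question threshold come from the slides.
"""
import re
from collections import Counter

GUESSES = 5                       # slide: attacker gets 5 guesses
MAX_QUESTION_GUESSABILITY = 0.10  # slide: drop questions guessable >10%
MAX_ANSWER_SHARE = 0.05           # assumed cap on one answer's popularity


def normalize(answer: str) -> str:
    """Fold trivial variants of an answer together (heuristic of this example).

    Lower-case, replace punctuation by spaces, collapse whitespace, and drop a
    trailing two-letter token such as a state code, so 'Brooklyn', 'brooklyn'
    and 'Brooklyn, NY' all become 'brooklyn'.
    """
    tokens = re.sub(r"[^a-z0-9 ]", " ", answer.lower()).split()
    if len(tokens) > 1 and len(tokens[-1]) == 2:
        tokens = tokens[:-1]
    return " ".join(tokens)


def answer_counts(answers):
    """Histogram of normalized answers for one question."""
    return Counter(normalize(a) for a in answers)


def statistical_guessability(answers, guesses=GUESSES):
    """Fraction of users broken by trying the `guesses` most popular answers
    from the same population, i.e. with no personal knowledge at all."""
    counts = answer_counts(answers)
    covered = sum(n for _, n in counts.most_common(guesses))
    return covered / len(answers)


def question_is_acceptable(answers, guesses=GUESSES,
                           threshold=MAX_QUESTION_GUESSABILITY):
    """Screening rule from the slides: reject a question whose answers are
    statistically guessable for more than `threshold` of the population."""
    return statistical_guessability(answers, guesses) <= threshold


def popularity(candidate, answers):
    """Share of the population whose normalized answer equals the candidate;
    this is the quantity a popularity penalty would be proportional to."""
    return answer_counts(answers)[normalize(candidate)] / len(answers)


def accept_response(candidate, answers, max_share=MAX_ANSWER_SHARE):
    """Reject a new response that too many other users already gave.
    Because popularity() normalizes first, 'Seattle WA' is judged by the
    popularity of 'seattle', not as a fresh, rare string."""
    return popularity(candidate, answers) <= max_share


# Constructed sample: 20 answers to 'Where were you born?' from one metro area.
BORN = ["Seattle", "Seattle, WA", "seattle", "Bellevue", "Tacoma", "Spokane",
        "Portland", "Portland, OR", "Seattle", "Redmond", "Tacoma", "Boise",
        "Vancouver", "Seattle", "Kirkland", "Chicago", "SEATTLE", "Bellevue, WA",
        "Everett", "Olympia"]

# Constructed sample: 100 answers to 'First pet's name?', almost all unique.
PETS = ["Max", "max", "MAX", "Buddy", "buddy"] + [f"pet{i}" for i in range(95)]


def report(name, answers):
    """Summarize one question; returns (guessability, acceptable)."""
    g = statistical_guessability(answers)
    ok = question_is_acceptable(answers)
    top = [a for a, _ in answer_counts(answers).most_common(GUESSES)]
    print(f"{name}: top-{GUESSES} answers {top} cover {g:.0%} of users -> "
          f"{'keep' if ok else 'eliminate'}")
    return g, ok


if __name__ == "__main__":
    report("born", BORN)   # 65% of users fall to 5 guesses -> eliminate
    report("pets", PETS)   # 8% -> keep
    for candidate in ("Seattle WA", "Brooklyn, NY"):
        print(f"{candidate!r}: popularity {popularity(candidate, BORN):.0%}, "
              f"accepted={accept_response(candidate, BORN)}")
```

Two things the numbers make visible: first, with n answers and k guesses the metric can never fall below k/n, so the 10% rule only means something over a large population (the 20-person birthplace sample is dominated by one city, which is exactly the same-metropolitan-area effect the statistical-guessing slide warns about); second, the normalization step is what stops a user from dodging the popularity penalty by appending a state code, since the candidate is compared against the population after both sides are folded to the same form.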
ALTERNATIVES
• Send token to alternate email address
• SMS token to mobile phone
• Personal question only if user does not provide any of above
YAHOO!
GMAIL
SAPO
QUESTIONS?
THANK YOU!