-
Towards Making Random Passwords Memorable: Leveraging Users' Cognitive Ability Through Multiple Cues
Authors:
Mahdi Nasrullah Al-Ameen,
Matthew Wright,
Shannon Scielzo
Abstract:
Given the choice, users produce passwords reflecting common strategies and patterns that ease recall but offer uncertain and often weak security. System-assigned passwords provide measurable security but suffer from poor memorability. To address this usability-security tension, we argue that systems should assign random passwords but also help with memorization and recall. We investigate the feasibility of this approach with CuedR, a novel cued-recognition authentication scheme that provides users with multiple cues (visual, verbal, and spatial) and lets them choose the cues that best fit their learning process for later recognition of system-assigned keywords. In our lab study, all 37 of our participants could log in within three attempts one week after registration (mean login time: 38.0 seconds). A pilot study on using multiple CuedR passwords also showed 100% recall within three attempts. Based on our results, we suggest appropriate applications for CuedR, such as financial and e-commerce accounts.
Submitted 8 March, 2015;
originally announced March 2015.
-
iPersea : The Improved Persea with Sybil Detection Mechanism
Authors:
Mahdi Nasrullah Al-Ameen,
Matthew Wright
Abstract:
P2P systems are highly susceptible to Sybil attacks, in which an attacker creates a large number of identities and uses them to control a substantial fraction of the system. Persea is the most recent approach towards designing a social-network-based Sybil-resistant DHT. Unlike prior Sybil-resistant P2P systems based on social networks, Persea does not rely on two key assumptions: (i) that the social network is fast mixing, and (ii) that there is a small ratio of attack edges to honest peers. Both assumptions have been shown to be unreliable in real social networks. The hierarchical distribution of node IDs in Persea confines a large attacker botnet to a considerably smaller region of the ID space than in a normal P2P system, and its replication mechanism lets a peer retrieve the desired results even if a given region is occupied by attackers. However, the Persea system suffers from certain limitations, since it cannot handle the scenario where the malicious target returns an incorrect result instead of just ignoring the lookup request. In this paper, we address this major limitation of Persea through a Sybil detection mechanism built on top of the Persea system, which accommodates inspection lookup, a specially designed lookup scheme to detect Sybil nodes based on their responses to the lookup query. We design a scheme to filter those detected Sybils to ensure the participation of honest nodes on the lookup path during regular DHT lookup. Since the malicious nodes are excluded from the lookup path in our system, they cannot return any incorrect result during regular lookup. We evaluate our system in simulations with social network datasets, and the results show that catster, the largest network in our simulation with 149700 nodes and 5449275 edges, gains a 100% lookup success rate, even when the number of attack edges is equal to the number of benign peers in the network.
Submitted 22 December, 2014;
originally announced December 2014.
-
A Comprehensive Study of the GeoPass User Authentication Scheme
Authors:
Mahdi Nasrullah Al-Ameen,
Matthew Wright
Abstract:
Before deploying a new user authentication scheme, it is critical to subject the scheme to comprehensive study. Few works, however, have undertaken such a study. Recently, Thorpe et al. proposed GeoPass, the most promising of a class of user authentication schemes based on geographic locations in online maps. Their study showed very high memorability (97%) and satisfactory resilience against online guessing, which means that GeoPass has compelling features for real-world use. No comprehensive study, however, has been conducted for GeoPass or any other location-based password scheme. In this paper, we present a systematic approach for the detailed evaluation of a password system, which we implement to study GeoPass. We conducted three separate studies to evaluate the suitability of GeoPass for widespread use. First, we performed a field study over two months, in which users in a real-world setting remembered their location-passwords 96% of the time and showed improvement with more login sessions. Second, we conducted a study to test how users would fare with multiple location-passwords and found that users remembered their location-passwords in less than 70% of login sessions, with 40% of login failures due to interference effects. Third, we conducted a study to examine the resilience of GeoPass against shoulder surfing. Our participants played the role of attackers and had an overall success rate of 48%. Based on our results, we suggest suitable applications of GeoPass in its current state and identify aspects of GeoPass that must be improved before widespread deployment could be considered.
Submitted 12 August, 2014;
originally announced August 2014.
-
Q-A: Towards the Solution of Usability-Security Tension in User Authentication
Authors:
Mahdi Nasrullah Al-Ameen,
S M Taiabul Haque,
Matthew Wright
Abstract:
Users often choose passwords that are easy to remember but also easy to guess by attackers. Recent studies have revealed the vulnerability of textual passwords to shoulder surfing and keystroke loggers. It remains a critical challenge in password research to develop an authentication scheme that addresses these security issues, in addition to offering good memorability. Motivated by psychology research on humans' cognitive strengths and weaknesses, we explore the potential of cognitive questions as a way to address the major challenges in user authentication. We design, implement, and evaluate Q-A, a novel cognitive-question-based password system that requires a user to enter the letter at a given position in her answer for each of six personal questions (e.g. "What is the name of your favorite childhood teacher?"). In this scheme, the user does not need to memorize new, artificial information as her authentication secret. Our scheme offers 28 bits of theoretical password space, which has been found sufficient to prevent online brute-force attacks. Q-A is also robust against shoulder surfing and keystroke loggers. We conducted a multi-session in-lab user study to evaluate the usability of Q-A; 100% of users were able to remember their Q-A password over the span of one week, although login times were high. We compared our scheme with random six-character passwords and found that the login success rate in Q-A was significantly higher. Based on our results, we suggest that Q-A would be most appropriate in contexts that demand high security and where logins occur infrequently (e.g., online bank accounts).
Submitted 27 July, 2014;
originally announced July 2014.
-
An Intelligent Fire Alert System using Wireless Mobile Communication
Authors:
Mahdi Nasrullah Al-Ameen
Abstract:
This system was developed out of a desire to build a compact system based on the fundamental ideas of safety, security and control. Once the system is installed and operating with specified temperature and smoke thresholds, then in any emergency situation where the temperature and/or smoke at the site exceeds the threshold, the system immediately sends automatic alert notifications to the users concerned with the situation. The user has total control over the system through mobile SMS, even from a distant location: the user can change the threshold, turn the 'alert notification' feature on or off, and reset the system after the emergency situation has been overcome. Before executing any command sent by SMS from the user, the system asks for the preset password to verify that the user is authorized. Security issues have been considered with utmost attention in this system to ensure its applicability in industries and business organizations where security is an important concern. Hence, the fundamental ideas of safety, security and control have been fully ensured through the system, and these ideas have served as the driving factors in seeking a new dimension of an 'Intelligent Fire Alert System'.
Submitted 1 August, 2013;
originally announced August 2013.
-
ReDS: A Framework for Reputation-Enhanced DHTs
Authors:
Ruj Akavipat,
Mahdi N. Al-Ameen,
Apu Kapadia,
Zahid Rahman,
Roman Schlegel,
Matthew Wright
Abstract:
Distributed Hash Tables (DHTs) such as Chord and Kademlia offer an efficient solution for locating resources in peer-to-peer networks. Unfortunately, malicious nodes along a lookup path can easily subvert such queries. Several systems, including Halo (based on Chord) and Kad (based on Kademlia), mitigate such attacks by using a combination of redundancy and diversity in the paths taken by redundant lookup queries. Much greater assurance can be provided, however. We describe Reputation for Directory Services (ReDS), a framework for enhancing lookups in redundant DHTs by tracking how well other nodes service lookup requests. We describe how the ReDS technique can be applied to virtually any redundant DHT including Halo and Kad. We also study the collaborative identification and removal of bad lookup paths in a way that does not rely on the sharing of reputation scores --- we show that such sharing is vulnerable to attacks that make it unsuitable for most applications of ReDS. Through extensive simulations we demonstrate that ReDS improves lookup success rates for Halo and Kad by 80% or more over a wide range of conditions, even against strategic attackers attempting to game their reputation scores and in the presence of node churn.
Submitted 21 September, 2012;
originally announced September 2012.