From: Joe Zimmerman <[email protected]>
> > Usable and Secure Human Authentication > > Jeremiah Blocki > > Tuesday, November 18, 2014 > Talk at 4:15pm > Gates 463A > > Abstract: > > A typical computer user today manages passwords for many different online > accounts. Users struggle with this task --- often forgetting their > passwords > or adopting insecure practices, such as using the same passwords for > multiple > accounts and selecting weak passwords. While there are many books, > articles, > papers and even comics about selecting strong individual passwords, there > is > very little work on password management schemes --- systematic strategies > to help users create and remember multiple passwords. Before we can design > good password management schemes it is necessary to address a fundamental > question: How can we quantify the usability or security of a password > management scheme. One way to quantify the usability of a password > management > scheme would be to conduct user studies evaluating each user's success at > remembering multiple passwords over an extended period of time. However, > these user studies would necessarily be slow and expensive and would need > to > be repeated for each new password management scheme. In this talk we argue > that user models and security models can guide the development of password > management schemes with analyzable usability and security properties. We > present several results in support of this premise. First, we introduce > Naturally Rehearsing Password schemes. Notably, our user model, which is > based > on research on human memory about spaced rehearsal, allows us to analyze > the > usability of this family of schemes while experimentally validating only > the common user model underlying all of them. Second, we introduce Human > Computable Password schemes, which leverage human capabilities for simple > arithmetic operations. We provide constructions that make modest demands > on users and we prove that these constructions provide strong security: an > adversary who has seen 100 10-digit passwords of a user cannot compute any > other passwords except with very low probability. Our password management > schemes are precisely specified and publishable: the security proofs hold > even if the adversary knows the scheme and has extensive background > knowledge > about the user (hobbies, birthdate, etc.). > > The talk is based on joint work with the following collaborators: Manuel > Blum, > Anupam Datta, Lorrie Cranor, Saranga Komanduri and Santosh Vempala. > > Bio: > > Jeremiah Blocki is a post-doctoral fellow in the Computer Science > Department at > Carnegie Mellon University. He completed his PhD at Carnegie Mellon > University > in 2014 under the supervision of Manuel Blum and Anupam Datta. His research > interests include: Passwords, Usable and Secure Human Authentication, Human > Computable Cryptography, Differential Privacy and the intersection of Game > Theory and Security. He is generally interested in applying fundamental > ideas from theoretical computer science to address practical problems in > privacy and security. >
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
