Password Reminder Systems
Group 8
Dave Rubens
Jermaine McDonald
Jon Axisa
Ryan Persaud
The Cast
- Ronald: well-endowed (with money); the good guy; uses online banking
- Jeremy: less than well-endowed (ethically); the bad guy; works in Ronald’s office
Introduction
Password-protected services:
- Finances
- Retail
- Personal communications (e-mail, chat)
- Entertainment
Existing Work
- Little research on password reminder schemes
- Vulnerabilities arise from:
  - Information requested (who knows it)
  - Method of delivery
Things to come!
- Evaluation of forgotten password schemes
  - A good forgotten password scheme
  - An insufficient forgotten password scheme
- Challenge: Dave’s bank account
- The ultimate forgotten password scheme: Information Concealing Universal Protocol
Evaluating Password Schemes
- Split sites into categories: financial, consumer retail, personal communication, etc.
- Strength of security provided varies for each site category
Prominent Security Measures
Server displays or e-mails password if user correctly answers information queries
User chooses new password after correctly answering information queries
User receives password after speaking with a customer service rep and verifying identity
Requested Information
- Low security: name, address, e-mail, date of birth
- Medium security: mother’s maiden name, recent purchases, SSN
- High security: PIN/account number, answer to private question
Password Reminder Example 1
Amazon.com
- Must identify easily discovered information
- Must identify one of last 5 purchases
- Create new password
- Only a stalker could know so much about you
- Quality scheme
Password Reminder Example 2
AOL Instant Messenger
- Requires screen name
- Password e-mailed to owner
- Is AOL worthy of more security?
Bank Account Locking
Reasons for servers to lock an account:
- Successive failed attempts to access the account
- Assumes malicious intent (fails safely)

Problems created by an account lock:
- Unlocking process irritating to users
- Malicious harassment by a 3rd party
- User must open a new bank account
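The lock-on-failure rule above, as an added example that is not part of the presentation: a small lockout guard that locks an account after a fixed number of consecutive bad attempts (failing safely, so even the correct password is refused while locked) and releases the lock after a cooldown, which is the design choice that limits how badly a third party can harass the real owner. The thresholds, the `LoginGuard` name and the injectable clock are this example's own assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # clock timestamp; 0.0 means not locked


class LoginGuard:
    """Locks an account after max_failures consecutive bad attempts (fail-safe),
    but only for lock_seconds, so a third party cannot lock the owner out for good."""

    def __init__(self, max_failures=3, lock_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock        # injectable so the demo can control time
        self.accounts = {}

    def _state(self, username):
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username):
        return self.clock() < self._state(username).locked_until

    def attempt(self, username, credentials_ok):
        """Record one login attempt; returns 'locked', 'ok', 'failed' or 'locked-now'."""
        state = self._state(username)
        if self.is_locked(username):
            return "locked"          # refuse even a correct password while locked
        if credentials_ok:
            state.failures = 0       # a success clears the counter
            return "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked_until = self.clock() + self.lock_seconds
            state.failures = 0       # counter restarts once the lock expires
            return "locked-now"
        return "failed"


def demo():
    """Constructed scenario: three bad guesses lock the account, the owner's correct
    password is refused during the lock, and access returns once the lock expires."""
    fake_now = [0.0]
    guard = LoginGuard(max_failures=3, lock_seconds=900, clock=lambda: fake_now[0])
    outcomes = [guard.attempt("ronald", False) for _ in range(3)]
    outcomes.append(guard.attempt("ronald", True))   # correct password, still locked
    fake_now[0] += 901                                # lock window has passed
    outcomes.append(guard.attempt("ronald", True))
    return outcomes   # ['failed', 'failed', 'locked-now', 'locked', 'ok']


if __name__ == "__main__":
    print(demo())
```

A temporary lock trades a little of the "fails safely" property for usability: the owner is inconvenienced for the cooldown rather than forced through an unlock process, and repeated deliberate lockouts by someone else show up as a pattern of `locked-now` events worth alerting on.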
Challenge: Dave’s Account
Break into Dave’s online account using:
- A voided check (supplied by Dave)
- Our own madskillz

The challenge:
- Transfer all money to an offshore account
- Go to Tahiti and drink!
Dave’s Account
What we have:
- Name and address
- Account and routing number

What we don’t have:
- Date of birth
- SSN
- Mother’s maiden name
End Result
We are sober and penniless.
Got Privacy?
Information Concealing Universal Protocol (ICUP)
E-mail and Security
Make e-mail the strength of the protocol, not the weakness.
Use e-mail to confirm the user’s identity, but avoid e-mailing the password.
Strengths of the Protocol
If a user forgets their password, they have to:
Provide personal information
Receive e-mail (Must know e-mail password)
Reply to e-mail (An imposter cannot just snoop incoming e-mail packets.)
ICUP Protocol (messages between User and Server)
1. Server → User: requests information to verify identity
2. User → Server: provides information
3. User → Server: requests new password
4. Server → User: sends key K1 through the browser
5. Server → User: sends e-mail to the address in the profile
6. User → Server: replies to the e-mail
7. Server → User: sends e-mail containing key K2
8. User → Server: sends username, K1, K2 through the browser
9. User → Server: submits new password F/T
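The nine-step exchange above, worked through as an added example that is not the presentation's own code: a server that hands K1 to the browser session, mails a challenge, issues K2 only after a reply from the profile address, and accepts a new password only when username, K1 and K2 all match. The slides do not say how the server ties the reply to the request, so the reply echoing a challenge token is this example's assumption, as are the in-memory `Mailbox`, the `ICUPServer` name and the constructed user data. The demo shows why both keys matter: someone who only observes the K2 e-mail in transit still lacks K1, and someone who can answer the personal questions but cannot reply from the mailbox never receives K2.

```python
import hashlib
import hmac
import secrets


class Mailbox:
    """Constructed stand-in for the e-mail system: every message is a dict."""

    def __init__(self):
        self.messages = []

    def send(self, to, **fields):
        self.messages.append({"to": to, **fields})

    def latest(self, addr, kind):
        """Most recent message of a given kind delivered to an address (None if none)."""
        hits = [m for m in self.messages if m["to"] == addr and m["kind"] == kind]
        return hits[-1] if hits else None


def _eq(a, b):
    """Constant-time comparison of two strings."""
    return hmac.compare_digest(a.encode(), b.encode())


class ICUPServer:
    def __init__(self, mail):
        self.mail = mail
        self.users = {}    # username -> profile (e-mail, private answer, password hash)
        self.pending = {}  # username -> in-progress reset state

    @staticmethod
    def _hash(password, salt=None):
        salt = salt or secrets.token_bytes(16)
        return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, email, private_answer, password):
        self.users[username] = {"email": email, "answer": private_answer,
                                "pw": self._hash(password)}

    def check_password(self, username, password):
        rec = self.users.get(username)
        return rec is not None and hmac.compare_digest(
            rec["pw"], self._hash(password, rec["pw"][:16]))

    def request_reset(self, username, private_answer):
        """Steps 1-5: verify identity, return K1 to the browser session only, and
        e-mail a reply challenge (the challenge token is this example's assumption)."""
        rec = self.users.get(username)
        if rec is None or not _eq(rec["answer"], private_answer):
            return None
        k1, challenge = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[username] = {"k1": k1, "challenge": challenge, "k2": None}
        self.mail.send(rec["email"], kind="challenge", username=username, challenge=challenge)
        return k1

    def receive_reply(self, from_addr, username, challenge):
        """Steps 6-7: only a reply from the profile address that echoes the challenge
        earns K2, which is e-mailed. The password itself is never mailed."""
        rec, state = self.users.get(username), self.pending.get(username)
        if rec is None or state is None or from_addr != rec["email"]:
            return False
        if state["k2"] is not None or not _eq(state["challenge"], challenge):
            return False
        state["k2"] = secrets.token_urlsafe(16)
        self.mail.send(rec["email"], kind="k2", username=username, k2=state["k2"])
        return True

    def complete_reset(self, username, k1, k2, new_password):
        """Steps 8-9: username + K1 + K2 through the browser, then the new password.
        The pending state is consumed by any attempt, so the keys cannot be guessed at leisure."""
        state = self.pending.pop(username, None)
        if state is None or state["k2"] is None:
            return False
        if not (_eq(state["k1"], k1) and _eq(state["k2"], k2)):
            return False
        self.users[username]["pw"] = self._hash(new_password)
        return True


def demo():
    """Constructed scenario with one user; returns which resets succeeded."""
    mail = Mailbox()
    srv = ICUPServer(mail)
    owner = "ronald@example.com"
    srv.register("ronald", owner, "private-answer", "old-pw")

    # Legitimate owner: holds the browser session (K1) and the mailbox (reply, then K2)
    k1 = srv.request_reset("ronald", "private-answer")
    srv.receive_reply(owner, "ronald", mail.latest(owner, "challenge")["challenge"])
    legit = srv.complete_reset("ronald", k1, mail.latest(owner, "k2")["k2"], "new-pw")

    # Someone who saw the K2 e-mail in transit still lacks K1 from the browser session
    srv.request_reset("ronald", "private-answer")
    srv.receive_reply(owner, "ronald", mail.latest(owner, "challenge")["challenge"])
    snooper = srv.complete_reset("ronald", "wrong-k1", mail.latest(owner, "k2")["k2"], "x")

    # Someone who knows the private answer but cannot reply from the mailbox never gets K2
    k1 = srv.request_reset("ronald", "private-answer")
    replied = srv.receive_reply("jeremy@example.com", "ronald", "anything")
    no_mailbox = srv.complete_reset("ronald", k1, "", "x")

    return {"legit": legit, "snooper": snooper, "reply_from_wrong_address": replied,
            "no_mailbox": no_mailbox, "new_pw_works": srv.check_password("ronald", "new-pw"),
            "old_pw_works": srv.check_password("ronald", "old-pw")}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the pending state would also carry an expiry and the reply check would rely on authenticated mail rather than a bare `From` address, but the structure is the point of the slide: the e-mail channel confirms control of the mailbox, while the secret that unlocks the reset is split across two channels and the password is never sent by mail.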
In Conclusion
Your online passwords are not safe – we already know them
Current schemes vary in degree of security, oftentimes conflicting with psychological acceptability
In most cases, your passwords are only as safe as your email