OpenSecEd / passwd

A learning module about passwords

Interesting material #8

Open dbosk opened 8 years ago

dbosk commented 8 years ago
dbosk commented 7 years ago

The annual Passwords conference.

dbosk commented 7 years ago

There is a list of publications related to passwords (or authentication in general) here.

dbosk commented 7 years ago

The following are interesting:

@inproceedings{das2014tangled,
  title     = {The Tangled Web of Password Reuse.},
  author    = {Das, Anupam and Bonneau, Joseph and Caesar, Matthew and Borisov, Nikita and Wang, XiaoFeng},
  booktitle = {NDSS},
  volume    = {14},
  pages     = {23--26},
  year      = {2014}
}

@article{castelluccia2013privacy,
  title   = {When privacy meets security: Leveraging personal information for password cracking},
  author  = {Castelluccia, Claude and Chaabane, Abdelberi and D{\"u}rmuth, Markus and Perito, Daniele},
  journal = {arXiv preprint arXiv:1304.6584},
  year    = {2013}
}

@inproceedings{kelley2012guess,
  title        = {Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms},
  author       = {Kelley, Patrick Gage and Komanduri, Saranga and Mazurek, Michelle L and Shay, Richard and Vidas, Timothy and Bauer, Lujo and Christin, Nicolas and Cranor, Lorrie Faith and Lopez, Julio},
  booktitle    = {Security and Privacy (SP), 2012 IEEE Symposium on},
  pages        = {523--537},
  year         = {2012},
  organization = {IEEE}
}

@inproceedings{mazurek2013measuring,
  title        = {Measuring password guessability for an entire university},
  author       = {Mazurek, Michelle L and Komanduri, Saranga and Vidas, Timothy and Bauer, Lujo and Christin, Nicolas and Cranor, Lorrie Faith and Kelley, Patrick Gage and Shay, Richard and Ur, Blase},
  booktitle    = {Proceedings of the 2013 ACM SIGSAC conference on Computer \& communications security},
  pages        = {173--186},
  year         = {2013},
  organization = {ACM}
}

@inproceedings{shay2010encountering,
  title        = {Encountering stronger password requirements: user attitudes and behaviors},
  author       = {Shay, Richard and Komanduri, Saranga and Kelley, Patrick Gage and Leon, Pedro Giovanni and Mazurek, Michelle L and Bauer, Lujo and Christin, Nicolas and Cranor, Lorrie Faith},
  booktitle    = {Proceedings of the Sixth Symposium on Usable Privacy and Security},
  pages        = {2},
  year         = {2010},
  organization = {ACM}
}

@inproceedings{florencio2007large,
  title        = {A large-scale study of web password habits},
  author       = {Florencio, Dinei and Herley, Cormac},
  booktitle    = {Proceedings of the 16th international conference on World Wide Web},
  pages        = {657--666},
  year         = {2007},
  organization = {ACM}
}

@inproceedings{gaw2006password,
  title        = {Password management strategies for online accounts},
  author       = {Gaw, Shirley and Felten, Edward W},
  booktitle    = {Proceedings of the second symposium on Usable privacy and security},
  pages        = {44--55},
  year         = {2006},
  organization = {ACM}
}

@inproceedings{stobert2014password,
  title     = {The password life cycle: user behaviour in managing passwords},
  author    = {Stobert, Elizabeth and Biddle, Robert},
  booktitle = {Proc. SOUPS},
  year      = {2014}
}

@inproceedings{weir2010testing,
  title        = {Testing metrics for password creation policies by attacking large sets of revealed passwords},
  author       = {Weir, Matt and Aggarwal, Sudhir and Collins, Michael and Stern, Henry},
  booktitle    = {Proceedings of the 17th ACM conference on Computer and communications security},
  pages        = {162--175},
  year         = {2010},
  organization = {ACM}
}

@inproceedings{florencio2010security,
  title        = {Where do security policies come from?},
  author       = {Flor{\^e}ncio, Dinei and Herley, Cormac},
  booktitle    = {Proceedings of the Sixth Symposium on Usable Privacy and Security},
  pages        = {10},
  year         = {2010},
  organization = {ACM}
}

dbosk commented 7 years ago

Specifically kelley2012guess.

dbosk commented 7 years ago

NIST Electronic Authentication Guideline: http://dx.doi.org/10.6028/NIST.SP.800-63-2

dbosk commented 6 years ago
dbosk commented 6 years ago

The article [On the Privacy Impacts of Publicly Leaked Password Databases](https://doi.org/10.1007/978-3-319-60876-1_16) provides an interesting aspect of passwords too.

@inproceedings{DBLP:conf/dimva/HeenN17,
  author    = {Olivier Heen and
               Christoph Neumann},
  title     = {On the Privacy Impacts of Publicly Leaked Password Databases},
  booktitle = {Detection of Intrusions and Malware, and Vulnerability Assessment
               - 14th International Conference, {DIMVA} 2017, Bonn, Germany, July
               6-7, 2017, Proceedings},
  pages     = {347--365},
  year      = {2017},
  crossref  = {DBLP:conf/dimva/2017},
  url       = {https://doi.org/10.1007/978-3-319-60876-1_16},
  doi       = {10.1007/978-3-319-60876-1_16},
  timestamp = {Tue, 27 Jun 2017 15:32:28 +0200},
  biburl    = {http://dblp.uni-trier.de/rec/bib/conf/dimva/HeenN17},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}

dbosk commented 6 years ago

https://arxiv.org/abs/1709.00440

@ARTICLE{2017arXiv170900440H,
  author        = {{Hitaj}, B. and {Gasti}, P. and {Ateniese}, G. and {Perez-Cruz}, F.},
  title         = "{PassGAN: A Deep Learning Approach for Password Guessing}",
  journal       = {ArXiv e-prints},
  archivePrefix = "arXiv",
  eprint        = {1709.00440},
  primaryClass  = "cs.CR",
  keywords      = {Computer Science - Cryptography and Security, Computer Science - Learning, Statistics - Machine Learning},
  year          = 2017,
  month         = sep,
  adsurl        = {http://adsabs.harvard.edu/abs/2017arXiv170900440H},
  adsnote       = {Provided by the SAO/NASA Astrophysics Data System}
}

dbosk commented 6 years ago

One way of designing an unconditionally-secure password manager: http://webee.technion.ac.il/~hugo/rwc17.html

Slides: https://rwc.iacr.org/2017/Slides/hugo.krawczyk.pdf

Video: https://www.youtube.com/watch?v=px8hiyf81iM

dbosk commented 6 years ago

FireEye gives the world GoCrack, a Dockerised hashcat implementation for sysadmins https://www.theregister.co.uk/2017/10/31/fireeye_simplifies_hashcat/

dbosk commented 6 years ago

Subject: A Serious Game Design: Nudging Users' Memorability of Security Questions. (arXiv:1709.08167v1 [cs.CR])

http://arxiv.org/abs/1709.08167

Authors: Nicholas Micallef[1], Nalin Asanka Gamagedara Arachchilage[2]

Security questions are one of the techniques used to recover passwords. The main limitation of security questions is that users find strong answers difficult to remember. This leads users to trade off security for the convenience of an improved memorability. Previous research found that increased fun and enjoyment can lead to an enhanced memorability, which provides a better learning experience. Hence, we empirically investigate whether a serious game has the potential of improving the memorability of strong answers to security questions. For our serious game, we adapted the popular "4 Pics 1 word" mobile game because of its use of pictures and cues, which psychology research found to be important to help with memorability. Our findings indicate that the proposed serious game could potentially improve the memorability of answers to security questions. This potential improvement in memorability could eventually help reduce the trade-off between usability and security in fall-back authentication.

dbosk commented 6 years ago

https://haveibeenpwned.com/

dbosk commented 6 years ago

Could semantic icons replace passwords and PINs? https://nakedsecurity.sophos.com/2018/07/18/could-semantic-icons-replace-passwords-and-pins/amp/

dbosk commented 5 years ago

Graphical passwords: Learning from the first twelve years

dbosk commented 4 years ago

https://www.schneier.com/blog/archives/2019/09/cracking_forgot.html