Hi, everyone. This week we're going to talk about usable authentication and particularly about passwords. The idea behind usable authentication is that people need to do something to get themselves into a secure system. Generally we do that with passwords. And passwords tend not to be very secure. There's a lot of reasons for this and I'll point you to some readings in this week's lecture that will discuss that. What we're going to talk about in this particular video is the usability of passwords as we use them now, before we get into some of the alternatives to passwords. This is one of those things that HCI people love to talk about, because passwords are so unusable. And actually, they don't have to be. You've seen this slide from me before. These are the 10 most popular passwords. None of these are very good or secure passwords, and we'll actually describe why in the next slide. But these are easy passwords for people to remember, and that's the lesson to take out of this. People are picking terrible passwords that offer very little security, but they're picking passwords that are easy to remember. So what that does tell us is that user preference when it comes to passwords is that they're easy to remember. And in fact, if you force people to come up with passwords that are hard to remember, they're either going to forget them frequently. And then they have to reset their password, which is a problem. Or they're going to write them down and put them in places that are easy to find. And that compromises the security. Now remember, we combine this with the fact that when we ask people to create passwords, first we give them this huge set of rules. How long it has to be, upper case, lower case, numbers, special characters, what characters can be there, what can be repeated, what can't. So there's a very complex set of rules. Already we can tell that this harms the learnability and the memorability of a password.
If you have to follow all these crazy rules, it's going to be hard to memorize what you've come up with. On top of that, many systems, including our system at the University of Maryland, require you to change your password every six months. I get angry every time I get one of these emails because I have just learned the password that I have and now I have to change it again. Then you're supposed to have different passwords across all the sites that you use. And on one hand this makes sense, you don't want somebody to compromise one system and then have access to a password that you may use in other systems. And we've seen some of those attacks where people will hack into an e-commerce system, where they have people's email addresses and their passwords and then they're able to actually use those passwords to access people's email, which is extremely insecure and is a big problem. But if you think about having passwords on hundreds of sites and they're complicated on every site, they're different on every site and you're changing them every six months, that's bad, people can't remember those. And the solution from a usability perspective is not to make people use password managers, it's to make passwords more usable, or have alternative authentication schemes. As I said, in the rest of the videos for this week, we're going to look at alternative authentication mechanisms. But in this video, we're going to look at how we can have passwords that are easier to work with. There's a reading that I want you to look at on the usability of passwords. And you should look at that before you watch the rest of this video because I'm going to go over some of the things that you will have read about in there. So let's look at some of the lessons from that reading because it does a really nice job of capturing the issue. There are a few ways to attack passwords.
You can have a human attack, so this is where you ask someone for their password, you guess their password because you know their dog's name, or their kid's name, or their birthday. Maybe you go into their office and you know where they might have written it down, maybe they stuck it on a Post-it under their keyboard. These have nothing to do with computers or computing; it's just a human attack. This is actually one of the easiest ways to compromise a password and we'll come back to this ability to do a human attack later on. Putting those aside, though, brute force is an easy and common mechanism to attack a password. In this case you just start guessing with the letter a, you go through the letter z. And if it's not a single character password you go to two character passwords, you try all the two character combinations and so on until you hit the password that they found. There are programs already out there that you download on the internet that will brute force attack a system, it's a very easy thing to do, but it can take a long time. There are common word attacks where you actually guess things that are commonly used as passwords or that are actual words that are common. And related to that are dictionary word attacks where you just go through the dictionary and try every word that's in there, assuming that somebody's going to pick an easy to remember word. We saw some of these things on that list of common passwords. Baseball was one of them. Password was one of them. That's something that you'd easily get to, if you were going through dictionary words. So taking these as ways that we can computationally attack a password, the article that you had to read looks at how difficult it would be to actually attack a password, to break a certain password. So here's the first chart from that paper. You're given six character passwords, and you want to see how hard they are to attack. The method that we use to attack is the one that would be most successful at breaking any of these passwords, so we're kind of looking at the worst case scenario for the user.
The attacker has chosen the most successful method to break your password, and we're going to get an estimate of how long it would take to do that. If you're just picking six random characters, a common words attack, or a dictionary attack, won't work. But a brute-force mechanism would work and it would take about a month to break the password. That's pretty risky. A dedicated attacker would let some code run for a month. If you pick six random characters with numbers and you do a brute-force attack it takes eight months. Now the reason it takes longer is because if you go through all the characters you have ten less options for each of these six characters. You have all 26 letters, but you don't have the numbers zero through nine. And so, you add in a lot more complexity if numbers are in there. That would make it take about eight months to brute force attack your password, and that's pretty low risk. It's possible that an attacker would spend the better part of a year trying to get into your system, but it's likely that they could just go on to someone who has an easier to break password. If you do six random characters, where you have upper case, lower case, symbols, and numbers, the brute force attack is much harder. Now you have 26 lower case, 26 upper case letters, all the numbers, all the special characters. So there is much more complexity to guess each one of those characters, so it would take about 219 years. Essentially you are secure for life, you are going to die before anybody can attack your password, so that is great. If we do a six character common word like orange, that's going to get guessed in about three minutes, so it's useless. And if we have a six character uncommon word. So this is a word but not one that people normally would use. A dictionary attack would find that.
And it would take about an hour and 22 minutes, also useless. So the lesson from this is that passwords are more secure if they have random characters, upper case, lower case, numbers and symbols, right. And that's the thing that we're required to have in all of our passwords. And in fact a lot of systems require eight character passwords, so it's even more secure than this. So we should not be bashing IT people for making us have those passwords, right, that's the lesson here. But actually no, because a six character, random character, mixed case, numbers, symbols password is very hard for people to remember. If I sit you guys down to the task of memorizing all of these passwords, which ones are you most likely to remember? Well, orange is probably the first one. Woosaa, this uncommon word, still kind of sounds like a word and that's probably next. These two, six random characters, little bit easier, and this is by far the hardest. If you had to memorize these passwords and come back in two weeks and tell me, orange may be the only one that you remember. So we've created a system here that's secure, if we require people to do this mixed case symbols and numbers password. But very hard to remember. Could we create something that's equally secure but is also easy for people to remember? Here is an alternative where, again, we're using the most effective mechanisms to break these passwords. And, instead of requiring people to do uppercase, lowercase, numbers, and everything, they pick two common words. In that case, it can be broken in two months using a common word attack. But if they pick three common words, the common word attack would take over 2,000 years to break it. That's secure forever, because there's so many possible common words to go through and to try in combination. But remembering the phrase "this is fun" as your password is extremely easy for people. So you can allow people to use common words as long as they use enough of them in combination.
They remember a phrase then, which is very easy for people to remember, but it's very hard for computers to break, even with the most effective password attack scheme, in this case, with this common word. On top of that, we could do three uncommon words. Fluffy is puffy. Fluffy and puffy are not common words, and so a common word attack won't get those. A dictionary attack that would finally hit those words would take 39 million years to break it. And if we do five uncommon words. Du-bi-du-bi-dub. That again is something that's easy for people to remember. A brute force attack would be able to break that but some of these wouldn't even appear in a dictionary so you would have to do brute force. And then we end up with this ridiculously long amount of time to break the password. So in other words, if you let people pick passwords that make sense to them, but require it in a way that keeps in mind the kind of attacks that can be used, you can create extremely secure passwords that are also extremely usable and easy for people to remember. Let's take one more example here. One way that password systems are protected is by stopping people after they've broken into a system or tried to break into a system too many times. So if you try to authenticate, and you may have seen this on your banking website for example, if you enter the wrong password enough times, it stops you, it makes you wait. Having a system that's implemented with a nice amount of time to block people out who are trying to attack it can also make passwords more secure. So if we take alpine fun, the password that we talked about before, and we allow people to attack 100 times per second, it would take two months to break the password. If you can only authenticate one time every five seconds, it would take 63 years.
Now one time every five seconds is an eternity for a computer that's trying to automatically log in, but for a person, you probably have to wait five seconds between when you enter your password and when the screen comes up that tells you it's correct or not. So a human is unlikely to notice this delay, but it makes a huge difference for the computer. And if we allow someone to try to authenticate one time every five seconds and then after ten attempts that are incorrect we put an hour long block on it, it would take a computer over 1,000 years, almost 2,000 years to break that password. So the password is the same but the system can be set up in a way that makes this very easy to remember password actually extremely secure, by controlling how many times people can log in. And this seems straightforward, but if you remember there was an attack on Apple's iCloud system where a bunch of photos of celebrities were put out online. And this attack was allowed because iCloud did not have a block on the number of brute force attacks that could come in. It just let them keep coming. Where a good secure system should have a block, so that after a certain number of attempts, either the login is blocked or someone is notified so the attack is stopped. This is a simple thing that doesn't have anything to do with the user, but that allows users to have more secure passwords. This is a comic from XKCD. This is also assigned reading, but all it is is this comic that we have on the screen here. And this actually makes the point for us quite well. This is the kind of password that we're making people remember now. You have to pick some uncommon, non-gibberish base word; this is, you know, a hint that's given to people. We'll pick something that's kind of like a word but mess around with it a little bit. So we put in some numbers and some letters and we do some upper case and some lower case.
But then we have to have, like, a special character and so we kind of stick it on the end with another number. But we don't remember which order those go in. And so, we've got a really long password here that has upper and lowercase, numbers, and special characters. And this is about 28 bits of entropy. We can say it takes 2 to the 28th attempts to guess that kind of password. That's three days if we allow 1,000 guesses per second. Now that's a pretty weak system that would allow 1,000 guesses per second, but three days is a pretty easy amount of time to guess this crazy password. And it's very hard for people to remember that password. On the other hand, here we have a system with four common words, this is even more secure than the examples that we were looking at in the previous slides. And those four words together are pretty easy for a person to remember. Those have 44 bits of entropy, even if they're all in lower case, which would take 550 years to guess, even at that very insecure 1,000 guesses per second. So this kind of password is extremely hard for a computer to remember. But very easy for a person to remember. And here's a little picture of a person memorizing this correct horse battery staple password. So in other words, we've gone through all of this effort over 20 years of people having access to systems that require passwords. And what we've done is create a system with passwords that are actually not that hard for computers to guess but are very hard for people to remember. When we could create a system that has passwords that are very easy for people to remember but very hard for computers to guess. So in conclusion, password systems would be more secure if passwords were more usable, and that's true for human reasons and computational reasons. We've looked at computational reasons in a lot of these slides and the human reasons come down to the fact that if you make people remember difficult passwords they're going to fail.
So they will either reset their password frequently. Or they will write it down. And that creates all sorts of opportunities for these sort of human attacks on the password. We know we can make easy to remember passwords that are hard for computers to break. And why haven't we done that? Why haven't we seen systems implementing these long, complex passwords that are actually common words that are easy for people to remember? Honestly, it's because the security people probably are afraid of going that route, even though there's the math to prove that it's good, and it's difficult to change the status quo. So my charge to you, dear students, is to go out there and talk to people about usable security and convince them that having easy to remember passwords can be even more secure than our current eight digit, hard to remember passwords. And that's something that we should get on.
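The following is an added example, not part of the lecture: a sketch of the login throttle described above (one attempt every five seconds, an hour-long block after ten wrong attempts), with the worst-case guessing time worked out for the 28-bit and 44-bit passwords at 1,000 guesses per second. The class and function names are illustrative assumptions, and the model assumes the attacker tries the whole keyspace against one account.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600


class LoginThrottle:
    """Per-account throttle; names and design are illustrative assumptions.
    Time is passed in as seconds so the policy can be tested without a clock."""

    def __init__(self, min_interval=5.0, max_failures=10, block_seconds=3600.0):
        self.min_interval = min_interval
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.state = {}  # account -> (failures so far, earliest next attempt)

    def allowed(self, account, now):
        return now >= self.state.get(account, (0, 0.0))[1]

    def record(self, account, success, now):
        if success:
            self.state.pop(account, None)  # a good login clears the counter
            return
        failures = self.state.get(account, (0, 0.0))[0] + 1
        if failures >= self.max_failures:
            # Too many misses: block for an hour, then start counting again.
            self.state[account] = (0, now + self.block_seconds)
        else:
            self.state[account] = (failures, now + self.min_interval)


def guesses_in_window(throttle, seconds, account="victim"):
    """Count wrong guesses a script gets through if it retries the moment it may."""
    now, guesses = 0.0, 0
    while now < seconds:
        if throttle.allowed(account, now):
            throttle.record(account, False, now)
            guesses += 1
        now = throttle.state[account][1]  # jump to the next permitted time
    return guesses


def years_to_exhaust(keyspace, guesses_per_second=None, throttle=None):
    """Time to try every candidate, unthrottled or under the throttle policy."""
    if throttle is None:
        return keyspace / guesses_per_second / SECONDS_PER_YEAR
    rounds, rest = divmod(keyspace, throttle.max_failures)
    per_round = (throttle.max_failures - 1) * throttle.min_interval + throttle.block_seconds
    return (rounds * per_round + rest * throttle.min_interval) / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(years_to_exhaust(2**28, guesses_per_second=1000) * 365.25, "days")
    print(years_to_exhaust(2**44, guesses_per_second=1000), "years")
    print(years_to_exhaust(2**28, throttle=LoginThrottle()), "years, throttled")
    print(guesses_in_window(LoginThrottle(), 86400), "guesses per day, throttled")
```

Under this policy a script gets 240 guesses per day against one account, so even the 28-bit password that falls in about three days at 1,000 guesses per second takes on the order of 3,000 years to exhaust.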