Password Reminder Systems - PowerPoint PPT Presentation

Slides: 21
Provided by: ITCL3

Transcript and Presenter's Notes


1
Password Reminder Systems
  • Group 8
  • Dave Rubens
  • Jermaine McDonald
  • Jon Axisa
  • Ryan Persaud

2
The Cast
  • Ronald
      • Well-endowed (with money) good guy
      • Uses online banking
  • Jeremy
      • Less than well-endowed (ethically) bad guy
      • Works in Ronald's office

3
Introduction
  • Password Protected Services
      • Finances
      • Retail
      • Personal Communications (email, chat)
      • Entertainment

4
Existing Work
  • Little research on password reminder schemes
  • Vulnerabilities arise from
      • Information Requested (who knows it)
      • Method of Delivery

5
Things to come!
  • Evaluation of forgotten password schemes
      • A good forgotten password scheme
      • An insufficient forgotten password scheme
  • Challenge: Dave's Bank Account
  • The ultimate forgotten password scheme
      • Information Concealing Universal Protocol

6
Evaluating Password Schemes
  • Split sites into categories
      • Financial
      • Consumer Retail
      • Personal Communication, etc.
  • Strength of security provided varies for each
    site category

7
Prominent Security Measures
  • Server displays or e-mails password if user
    correctly answers information queries
  • User chooses new password after correctly
    answering information queries
  • User receives password after speaking with a
    customer service rep and verifying identity

8
Requested Information
  • Low Security
      • Name, address, email, date of birth
  • Medium Security
      • Mother's maiden name, recent purchases, SSN
  • High Security
      • PIN/account number, answer to private question

9
Password Reminder Example 1
  • Amazon.com
  • Must identify easily discovered information
  • Must identify one of last 5 purchases
  • Create New Password
  • Only a stalker could know so much about you
  • Quality Scheme

10
Password Reminder Example 2
  • AOL Instant Messenger
  • Requires Screen Name
  • Password E-mailed to Owner
  • Is AOL worthy of more security?

12
Bank Account Locking
  • Reasons for servers to lock account
      • Successive failed attempts to access account
      • Assumes malicious intent (fails safely)
  • Problems created by account lock
      • Unlocking process irritating to users
      • Malicious harassment by 3rd party
      • User must open new bank account

13
Challenge: Dave's Account
  • Break into Dave's Online Account using
      • A voided check (supplied by Dave)
      • Our own Madskillz
  • The Challenge
      • Transfer all money to offshore account
      • Go to Tahiti and drink!

14
Dave's Account
  • What we have
      • Name and Address
      • Account and routing number
  • What we don't have
      • Date of birth
      • SSN
      • Mother's Maiden Name

15
End Result
  • We are sober and penniless.

16
Got Privacy?
  • Information
  • Concealing
  • Universal
  • Protocol

17
E-mail and Security
  • Make e-mail the strength of the protocol, not the
    weakness.
  • Use e-mail to confirm the user's identity, but
    avoid e-mailing the password.

18
Strengths of the Protocol
  • If a user forgets their password, they have to
      • Provide personal information
      • Receive e-mail (Must know e-mail password)
      • Reply to e-mail (An imposter cannot just snoop
        incoming e-mail packets.)
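
The three steps above as a server-side sketch, added here as an illustration and not taken from the presentation. It assumes the e-mail carries a random one-time code that the reply must echo back and that the code expires after 15 minutes; the class, field and sample names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed lifetime of a code in seconds; the slides give none
# Constructed sample record; "answer" stands in for the personal information.
SAMPLE_USERS = {"ronald": {"email": "ronald@example.com", "answer": "Smith", "pw_hash": b""}}


def hash_password(password):
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ResetServer:
    """Hypothetical server side of a reply-to-confirm password reset."""

    def __init__(self, users):
        self.users = users    # name -> {"email", "answer", "pw_hash"}
        self.pending = {}     # name -> (SHA-256 of code, expiry time)
        self.outbox = []      # (address, body) pairs standing in for real mail

    def request_reset(self, name, answer, now=None):
        now = time.time() if now is None else now
        user = self.users.get(name)
        # Step 1: the personal information must match before any mail is sent.
        if user is None or not hmac.compare_digest(user["answer"].encode(), answer.encode()):
            return False
        code = secrets.token_urlsafe(16)
        # Store only a hash, so a leaked pending table cannot confirm a reset.
        self.pending[name] = (hashlib.sha256(code.encode()).digest(), now + TOKEN_TTL)
        # Step 2: the mail carries a one-time code, never the password.
        self.outbox.append((user["email"], "Reply to this message to continue: " + code))
        return True

    def handle_reply(self, name, reply_body, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(name)
        if entry is None or now > entry[1]:
            return False  # no reset was requested, or the code has expired
        # Step 3: a reply usually quotes the original mail, so test every word.
        hits = [hmac.compare_digest(entry[0], hashlib.sha256(w.encode()).digest())
                for w in reply_body.split()]
        if not any(hits):
            return False
        del self.pending[name]  # the code works exactly once
        # The user chooses a new password; the old one is never disclosed.
        self.users[name]["pw_hash"] = hash_password(new_password)
        return True
```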

19
ICUP Protocol
[Diagram not transcribed; the surviving labels are "F/T", "Server" and "User"]

20
In Conclusion
  • Your online passwords are not safe: we already
    know them
  • Current schemes vary in degree of security,
    oftentimes conflicting with psychological
    acceptability
  • In most cases, your passwords are only as safe as
    your email