Password Recovery - PowerPoint PPT Presentation

Title: Password Recovery

Description: Password Recovery. Jorge Castillo, Charles Brown, and Darshan Patel. What is password recovery? Recovering lost password for ... (PowerPoint PPT presentation)

Slides: 22
Provided by: PATELDA

Transcript and Presenter's Notes

1
Password Recovery
Jorge Castillo, Charles Brown, and Darshan Patel
2
Introduction
  • What is password recovery?
  • Recovering lost password for accounts
  • Examples: Gmail, Yahoo, Skype, Steam, etc.

3
Current password recovery system
  • Consists of multiple questions which a user
    answers.
  • Most answers can be easily guessed / found with
    very little effort.
  • Dictionary attacks, brute-force attacks, birthday
    attacks, and similar attacks are the most common
    threats against this system.

4
Recovery questions - example
  • What was the color of your first car?
  • What is your favorite team?
  • What is the color of your eyes?
  • What was the name of your elementary / primary
    school?
  • What is your pet's name?

5
Goal
  • Develop a secure password-recovery protocol
  • Must be just as easy but more secure
  • Must be as fast as current password-reset system
  • Must use existing system

6
Solution
  • Uses existing password recovery system.
  • Takes an image and converts it into hash values.
  • Hash value: 8F5FF2E8C8EFCF2E4E4730B39B91951D

7
Practical Experiment
Reason: a malicious password reset can be done by
correctly answering a user's security questions.
Information relating to the security questions
can be easily obtained from public sources.
We do not try to provide constant security, and
we do not provide security on the level of
encryption. We only seek to prevent easy
malicious password reset attempts.
Traditionally this is an attack against a server
(i.e. the Sarah Palin case), not a
man-in-the-middle attack, etc.
Hypothesis: a cellphone can be used to provide an
additional layer of security against malicious
password reset attempts.
8
Method
  • We set up an experimental email account with
    Yahoo.com using a generic user-name and password.
  • We select two security questions, of which we are
    asked to provide a related answer.
  • To answer the security questions, we:
    1) Used a personal cellphone to take pictures
       of everyday objects relating to the question.
    2) Used the cellphone application PictureHash to
       perform a one-way hash function on the picture.
    3) Used the hash value obtained from the picture
       to answer the security question.
9
Practical Example
An example security question asked during Yahoo
email account creation:
"What was your favorite food as a child?"
Traditionally, if our favorite food was oranges,
we might answer "Oranges". Instead, we take an
extra security step by taking a personal picture
of an orange with a cellphone.
Fig. 1 Picture of an orange
10
Practical Example
Fig. 2 PictureHash obtains the MD5 hash of the
picture of the orange
11
Practical Example
  • The hash values are used to answer the security
    questions.
  • Since the hash value is unique to the photograph
    of the orange, it is infeasible for someone to
    generate a similar hash value- even if they know
    the answer to our favorite food is oranges.
  • To supply the correct hash value, they either
    need the photograph of the orange, or they have
    to guess the hash which is infeasible.
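The following is an added example, not code from the presentation or from the PictureHash application, showing the answer-derivation step of slides 6, 8 and 11 in plain Python: the picture's bytes are hashed with MD5 (the algorithm named on slide 10) and the 32-character hex digest is what gets typed into the security-question field. It also shows why the answer is tied to that exact photograph: a copy that differs by a single bit produces an unrelated digest. The photo bytes and the upper-case hex formatting are constructed assumptions; a real run would read the image file from the phone.

```python
import hashlib

# Constructed stand-in for the bytes of a photo taken on the phone.
# A real run would read the file instead: open("orange.jpg", "rb").read()
PHOTO = b"constructed sample photo bytes: an orange, taken 26 Nov 2012"


def picture_answer(photo_bytes: bytes) -> str:
    """Derive the security-question answer the slides describe: the MD5
    digest of the picture as 32 hex characters. Upper-case output is an
    assumption about PictureHash's formatting; MD5 itself is on slide 10."""
    return hashlib.md5(photo_bytes).hexdigest().upper()


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Return a copy of data with one bit flipped in byte `index`, standing
    in for a photo that is nearly, but not byte-for-byte, identical."""
    mutated = bytearray(data)
    mutated[index] ^= 0x01
    return bytes(mutated)


def hex_positions_that_differ(a: str, b: str) -> int:
    """Count the positions at which two 32-character answers differ."""
    return sum(1 for x, y in zip(a, b) if x != y)


def demo():
    answer = picture_answer(PHOTO)
    # The same photo bytes always give the same answer, so the user can
    # reproduce it at reset time without memorising anything.
    assert picture_answer(PHOTO) == answer
    # A near-identical photo gives an unrelated answer: knowing that the
    # favourite food is "oranges", or owning a similar orange photo, gives
    # an attacker no head start on the 32 hex characters.
    near_copy = picture_answer(flip_one_bit(PHOTO))
    return answer, near_copy, hex_positions_that_differ(answer, near_copy)


if __name__ == "__main__":
    a, b, d = demo()
    print("answer from photo    :", a)
    print("answer from near copy:", b)
    print(f"{d}/32 hex positions differ")
```

MD5's known weakness is that two files can be crafted to share a digest; that does not help someone who needs to produce the digest of a photo they have never seen, which is the situation the slides rely on. The property the scheme actually depends on is the one slide 20 states: the photo never leaves the phone.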

12
How Infeasible?
Fig. 3 Adapted from howsecureismypassword.net.
Online Image. 26 Nov. 2012. Accessed 26 Nov. 2012.
http://howsecureismypassword.net/
According to this website, cracking the hash would
take 501 nonillion years. Contrast this to Sarah
Palin's email, which was hacked in 15 seconds.
13
How Infeasible for oranges?
Fig. 3 Adapted from howsecureismypassword.net.
Online Image. 26 Nov. 2012. Accessed 26 Nov. 2012.
http://howsecureismypassword.net/
The word "oranges" would be cracked almost instantly.
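Slides 12 and 13 contrast a dictionary word with a 32-character hash using a third-party password meter whose alphabet and guess-rate assumptions are not stated on the page. The added example below (not part of the presentation) makes the comparison explicit: a dictionary attack reaches "oranges" after a handful of guesses, while a hex MD5 answer has a search space of 16^32 = 2^128, so the worst-case time at any assumed guess rate is astronomically large. The word list and the 10^9 guesses-per-second rate are constructed assumptions, and the model is an unthrottled guesser, as the website's is; against a live reset form the server's rate limiting bounds the attacker, which is exactly why an answer a dictionary reaches in a few tries is the real weakness.

```python
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed word list: a tiny stand-in for the dictionaries an attacker
# would actually use, with common childhood foods near the top.
WORDLIST = ["pizza", "chocolate", "icecream", "oranges", "apples", "candy"]

# Hash value quoted on slide 6, reused here as the "strong" answer.
HASH_ANSWER = "8F5FF2E8C8EFCF2E4E4730B39B91951D"


def guesses_to_find(answer: str, wordlist) -> Optional[int]:
    """Guesses a dictionary attack spends before hitting `answer`, or None
    if the answer is not in the list at all (the hash never will be)."""
    for i, word in enumerate(wordlist, start=1):
        if word == answer:
            return i
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols over the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Worst-case time, in years, to try every string in the keyspace."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def is_md5_hex(answer: str) -> bool:
    """True if the answer has the shape of an MD5 digest: 32 hex digits.
    Only 16 symbols are possible per position, whatever alphabet a
    password meter assumes."""
    return len(answer) == 32 and all(c in "0123456789abcdefABCDEF" for c in answer)


def compare(word_answer: str, hash_answer: str,
            guesses_per_second: float = 1e9) -> dict:
    """Side-by-side cost of recovering each kind of answer by guessing."""
    return {
        "word_guesses": guesses_to_find(word_answer, WORDLIST),
        "hash_in_wordlist": guesses_to_find(hash_answer, WORDLIST) is not None,
        "hash_keyspace": keyspace(16, len(hash_answer)) if is_md5_hex(hash_answer) else None,
        "hash_years_worst_case": years_to_exhaust(16, 32, guesses_per_second),
    }


if __name__ == "__main__":
    result = compare("oranges", HASH_ANSWER)
    print(f"'oranges' found after {result['word_guesses']} dictionary guesses")
    print(f"hash keyspace: 2^128 = {result['hash_keyspace']}")
    print(f"hash exhaustive search at 1e9/s: {result['hash_years_worst_case']:.3g} years")
```

The absolute number of years depends entirely on the assumed rate and should not be read as a prediction; the useful takeaway is the ratio between a few guesses and 2^128, and the reminder that the cheaper route for an attacker is the photo itself, not the hash.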
14
Account Verification
Fig. 4 A screen-shot of the email registration
confirmation provided by Yahoo.com. Adapted from
Yahoo. Online Image. 26 Nov. 2012. Accessed 26 Nov.
2012. https://yahoo.com
15
Resetting password using hash
To test the hash values we performed a password
reset with the Yahoo email account.
Fig. 5 The password recovery process provided by
Yahoo.com. Adapted from Yahoo. Online Image. 26
Nov. 2012. Accessed 26 Nov. 2012.
https://yahoo.com/forgot
16
Experiment Result
As expected...
  • Inputting an answer of "orange" denied access.
  • Inputting the hash value granted access.
Fig. 6 Successful password recovery. Adapted from
Yahoo. Online Image. 26 Nov. 2012. Accessed 26 Nov.
2012. https://yahoo.com/forgot
17
Experiment Conclusion
  • Yahoo.com email accepted hash values as answers
    to security questions.
  • Likewise, password reset requests only worked
    when supplying the hash values generated from the
    pictures.
  • We confirmed our hypothesis: a cellphone can be
    used to provide an additional layer of security
    against malicious password reset attempts.

18
Goals - Recap
  • Develop a secure password-recovery protocol
  • Must be just as easy but more secure
  • Must be as fast as current password-reset system
  • Must use existing system

19
Conclusion
  • We developed a new Technique/Protocol for
    password recovery
  • It is just as easy and more secure because the
    user is giving a hash value they don't have to
    memorize
  • It is just as fast as current password-reset
    systems because it is the same system
  • We are using the same system without making any
    changes

20
Important!
It is important to remember that the picture the
user wants to use must never be shared with
anyone or on anything. It must remain on the
phone.
21
Questions?