1. Strengthening password-based authentication
- Author
- Al Maqbali, Fatma
- Subjects
- Password-based authentication, Password generators, Password recovery, Email-based password recovery
- Abstract
Authenticating humans to computers remains problematic despite decades of effort. Password-based authentication remains extremely common, in spite of its widely known shortcomings, and this seems likely to continue. Improving the security of password use is therefore a topic of huge practical importance, and this observation motivates the work described in this thesis. We focus on two topics in particular: password generators and password recovery. Password generators produce site-specific passwords on demand, making it easier to use a distinct, complex password for every site; they are an alternative to password managers that avoids storing passwords long-term. We propose a general model for such systems and critically examine options for instantiating it, including all those previously proposed. The model has also been used to help design a new scheme, AutoPass, intended to incorporate the best features of the prior art while also addressing many of the most serious shortcomings of existing systems through novel techniques. AutoPass is specified in detail, and a prototype implementation is described. The prototype has been user-trialled to test its usability and security. Because passwords are so widely used for user authentication, most websites that use them also implement password recovery so that a user can re-establish a shared secret when the existing value is forgotten; however, such a fall-back creates additional vulnerabilities. We present a model for such systems and use it to analyse existing approaches, which leads naturally to a set of recommendations for system implementation. Many password recovery systems involve sending a special email to the user, e.g. one containing a secret link, in which case security depends on the email being acted upon correctly; unfortunately, such emails are not always well designed and can themselves introduce vulnerabilities.
To understand this serious practical issue better, we surveyed the password recovery emails of 50 of the top English-language websites and investigated their design, structure and content. We found that many well-known web services, including Facebook, Dropbox and Microsoft, have design, structure and content issues in their recovery emails. This study enabled us to formulate recommendations for the design of such emails.
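The following is an added example, not code from the thesis or from AutoPass, showing the basic mechanism a password generator of the kind described above relies on: a per-site password is derived on demand from a master password and a canonicalised site name with a memory-hard KDF, so no password is ever stored. The choice of scrypt, its parameters, the output alphabet, the per-site counter and all function names are assumptions made for the illustration.

```python
"""Site-specific password generator (illustration; not AutoPass)."""
import hashlib
import string
from urllib.parse import urlsplit

# Assumed scrypt parameters for the example; tune for the target platform.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1

# Every generated password contains at least one character of each class,
# which satisfies a typical site policy.
CHAR_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                string.digits, "!@#$%^&*")
ALPHABET = "".join(CHAR_CLASSES)


def normalise_site(site: str) -> str:
    """Canonicalise a URL or bare host to a site label.

    'https://WWW.Example.com:443/account' and 'example.com' both map to
    'example.com', so the same password is produced on every page of the
    site. Collapsing other subdomains is a design decision left out here.
    """
    parts = urlsplit(site if "://" in site else "//" + site)
    host = (parts.hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError(f"no host in site identifier: {site!r}")
    return host


def derive_site_password(master: str, site: str, *, length: int = 16,
                         counter: int = 0) -> str:
    """Derive a site password from the master password.

    The scrypt salt binds the key to the canonical site name and a
    per-site counter, so one site's password can be rotated by bumping the
    counter without changing the master secret. A leaked site password
    reveals nothing useful about the master beyond a brute-force target.
    """
    if not 4 <= length <= 64:
        raise ValueError("length must be between 4 and 64")
    salt = f"{normalise_site(site)}\x00{counter}".encode()
    key = hashlib.scrypt(master.encode(), salt=salt, n=SCRYPT_N,
                         r=SCRYPT_R, p=SCRYPT_P, dklen=2 * length)
    chars, shuffle_bytes = key[:length], key[length:]
    # One character from each class first, then the rest from the whole
    # alphabet. (Byte-modulo selection has a small bias; acceptable here.)
    out = [cls[chars[i] % len(cls)] for i, cls in enumerate(CHAR_CLASSES)]
    out += [ALPHABET[b % len(ALPHABET)] for b in chars[len(CHAR_CLASSES):]]
    # Fisher-Yates shuffle driven by the remaining key bytes, so the
    # class-guaranteed characters are not always in fixed positions.
    for i in range(len(out) - 1, 0, -1):
        j = shuffle_bytes[i] % (i + 1)
        out[i], out[j] = out[j], out[i]
    return "".join(out)


def password_meets_policy(password: str) -> bool:
    """True if the password contains one character from every class."""
    return all(any(c in cls for c in password) for cls in CHAR_CLASSES)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample master
    for site in ("https://www.example.com/login", "example.com",
                 "https://example.org/"):
        print(f"{normalise_site(site):12s} {derive_site_password(master, site)}")
```

The first two sites print the same password, the third a different one; the user need remember only the master secret, and the generator holds no state beyond the optional per-site counter.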
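The survey above concerns how the recovery email itself is designed; the secret link it carries is only as strong as the server-side handling behind it. The following is an added example, not a scheme from the thesis or from any surveyed site, of the minimal server-side discipline for such links: a high-entropy token of which only a hash is stored, bound to one account, expiring after a short lifetime, consumed on first successful use and superseded by any newer token. The class and function names, the 15-minute lifetime and the placeholder reset URL are assumptions for the illustration.

```python
"""Server-side handling of emailed recovery links (illustration)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 15 * 60                  # assumed lifetime of a link
TOKEN_BYTES = 32                             # 256 bits of entropy per token
RESET_URL = "https://example.invalid/account/reset"   # placeholder URL


class RecoveryTokenStore:
    """Pending recovery tokens, keyed by account.

    Only a SHA-256 digest of each token is kept, so a read of this store
    does not yield usable links. The clock is injectable so expiry can be
    exercised deterministically.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, Tuple[bytes, float]] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for the account; any earlier one is voided."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[user_id] = (self._digest(token),
                                  self._now() + TOKEN_TTL_SECONDS)
        return token

    def recovery_link(self, user_id: str, token: str) -> str:
        """The link placed in the email; the plaintext token leaves the
        server only here."""
        return f"{RESET_URL}?{urlencode({'uid': user_id, 'token': token})}"

    def redeem(self, user_id: str, token: str) -> bool:
        """Validate a presented token; True consumes it (single use)."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            self._pending.pop(user_id, None)
            return False
        # Constant-time comparison of digests, so the check does not leak
        # how many leading bytes of a guess matched.
        if not hmac.compare_digest(digest, self._digest(token)):
            return False
        self._pending.pop(user_id, None)
        return True

    def invalidate(self, user_id: str) -> None:
        """Void a pending link, e.g. after the password is changed by
        another route so an old email cannot be replayed."""
        self._pending.pop(user_id, None)


if __name__ == "__main__":
    store = RecoveryTokenStore()
    tok = store.issue("alice")                 # constructed sample account
    print(store.recovery_link("alice", tok))
    print("first use:", store.redeem("alice", tok))
    print("replay:   ", store.redeem("alice", tok))
```

Rate limiting of failed redemptions and of token issuance, and not confirming in the response whether an account exists, are separate controls this sketch leaves out.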
- Published
- 2019