Password Management for Multiple Accounts
Some Security and Usability Considerations
Mike Just
DIMACS Workshop on Usable Privacy and Security Software
7 July 2004
Public Works and Government Services Canada
Agenda
• Introduction
• Background – Password for One Account
• Passwords for Multiple Accounts
• Further Thoughts
Introduction
• Premise – Passwords are too secure already
  • Several conditions lead to an unusable or intolerable environment for users
• Password conditions
  • For a single password
    • Password rules, length, …
  • For multiple passwords across several accounts
    • Distinctiveness requirement/recommendation
• How can usability be improved while retaining an acceptable level of risk?
Password for One Account
• Usability Considerations
  • Password length, e.g. 4-8 characters
  • Password construction, e.g. 1 letter, 1 number, …
  • Password entering, e.g. allowed attempts
  • Password management, e.g. update
• Attack considerations
  • Offline attacks
  • Online attacks
Password for One Account
• Offline attacks
  • Encryption of password images
  • Distribution of password images, cf. Ford/Kaliski
• Online attacks
  • Password rules
  • Account lockout
  • Reverse Turing Tests (CAPTCHA)
• But, you also have to consider
  • Social engineering (e.g. phishing) attacks or other attacks directed at the user (and not the account system)
Password for One Account
• Enhance with “something you have”
  • One-time passwords
  • Hard tokens, e.g. SecurID, SmartCard
• In most cases, this requires a different “something you have” for each account
  • Typically issued and managed through the information provider
  • Compounds password usability issues across each account
Passwords for Multiple Accounts
• Consider a user with multiple accounts, each requiring password authentication
• Traditional wisdom dictates a distinct password for each account
• Is this necessary? Why or why not?
Passwords for Multiple Accounts
• This is often a recommendation, as opposed to a mandatory requirement
  • Different accounts managed by different authorities
• Distinct versus independent passwords
  • Difficult to enforce independent passwords; see above
  • Even with the same authority, password values not typically compared
Passwords for Multiple Accounts
• When might the same password be used at different accounts?
  • A risk management decision
  • Some considerations
    1. Type of attack(s)
    2. Typical behaviour of account user
    3. Account security or risk
    4. Additional authentication factors
Passwords for Multiple Accounts – Type of Attack(s)
• Consider online attacks
  • Though social engineering attacks remain a concern
• Random versus targeted attacks
  • Random: An attack to compromise any account
  • Targeted: An attack to compromise a specific account
• Targeted attacks might be discouraged with a number of security measures
  • Account lockout after some number of login attempts
  • Login monitoring systems to detect persistent failed attempts against one account
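The two measures on this slide, account lockout and login monitoring, as an added example that is not part of the original deck: it runs over a constructed authentication log (the line format, the addresses and the five-failure threshold are assumptions) and separates the targeted pattern (failures concentrated on one account) from the random pattern (failures spread thinly across many accounts).

```python
from collections import Counter, defaultdict

# Constructed sample authentication log (not from the slides). Assumed format:
#   <time> <OK|FAIL> user=<account> src=<ip>
SAMPLE_LOG = """\
10:00:00 OK user=alice src=192.0.2.1
10:00:05 FAIL user=alice src=203.0.113.7
10:00:06 FAIL user=alice src=203.0.113.7
10:00:07 FAIL user=alice src=203.0.113.7
10:00:08 FAIL user=alice src=203.0.113.7
10:00:09 FAIL user=alice src=203.0.113.7
10:01:00 FAIL user=bob src=198.51.100.9
10:01:01 FAIL user=carol src=198.51.100.9
10:01:02 FAIL user=dave src=198.51.100.9
10:01:03 FAIL user=erin src=198.51.100.9
"""

LOCKOUT_THRESHOLD = 5  # assumed policy: lock after 5 consecutive failures

def parse(log_text):
    """Parse log lines into (time, result, user, src) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "=" not in parts[2] or "=" not in parts[3]:
            continue
        time, result, user, src = parts
        events.append((time, result, user.split("=", 1)[1], src.split("=", 1)[1]))
    return events

def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Account lockout: accounts whose run of consecutive failures reached the threshold."""
    streak, locked = defaultdict(int), set()
    for _, result, user, _ in events:
        if result == "FAIL":
            streak[user] += 1
            if streak[user] >= threshold:
                locked.add(user)
        else:
            streak[user] = 0  # a successful login ends the failure streak
    return locked

def classify_source(events, src, concentration=0.8):
    """Login monitoring: 'targeted' when one account receives most of a source's
    failures, 'random' when the failures are spread across many accounts."""
    per_user = Counter(u for _, r, u, s in events if r == "FAIL" and s == src)
    if not per_user:
        return "none"
    top = per_user.most_common(1)[0][1]
    return "targeted" if top / sum(per_user.values()) >= concentration else "random"
```

A random attack leaves no single account near the lockout threshold, which is why the slide treats lockout and per-account monitoring as defences mainly against the targeted case.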
Passwords for Multiple Accounts – Type of Attack(s)
• Assuming that random attacks occur most often… the likelihood of extending the attack to other account systems (for the same compromised user) may be low
  • Is there much motivation to attack that same user at a different account system?
  • The attacker would have to know of the location of other account systems where the same user is registered
  • The attacker would have to know of the account names
• So, password re-use might be ok in some cases
Passwords for Multiple Accounts – User Behaviour
• A “separation” between multiple accounts based upon user behaviour
  1. Consistently accessing accounts from different locations
    • Often forced today, e.g. no personal account access from work
  2. Distinct account identifiers
    • Create account separation, but also confusion
  3. Physical and digital separation of account information regarding multiple accounts
    • Can reduce risk of multiple account compromise
Passwords for Multiple Accounts – Account Security or Risk
• Often cited reason for distinct passwords
• Work account versus magazine subscription
• Don’t create a “weak link” by using a password for a high risk account at an account that may not have similar security protections
• Previous conditions may help reduce this risk
Passwords for Multiple Accounts – Addn’l Authentication Factors
• Multiple authentication factors should be independent
  • Compromise of one should not increase likelihood of the other
• Similarly, using the same password across multiple accounts, with different secondary authentication factors, introduces additional risk
• Compromising a password at account A, and the token for account B, shouldn’t allow compromise of either account
  • But, if the passwords for A and B are the same…
• However, such additional risk may be tolerable
Passwords for Multiple Accounts – Summary
• Some potential for password re-use
  • Attack type
    • Increase protection against targeted attacks
  • User behaviour
    • Separate behavioural patterns and records
  • Account security or risk
    • Ensure separation amongst different account risk groups
    • But, based on factors above, this might be lessened somewhat
  • Additional authentication factors
    • Reduce potential burden in case of additional factor
Further Thoughts
• What about the necessity of password updates?
  • Multiple passwords over time, as opposed to space
  • Memorize new, forget old
  • Are other protections sufficient, e.g. “Last login time:”
• What about the necessity of strict password rules?
  • 1 uppercase, 1 special character, …
  • Can risks of random or targeted online attacks be sufficiently mitigated?
  • Do additional factors allow for leniency?
Contact Information
Mike Just
Public Works and Government Services Canada (PWGSC)
mike.just@pwgsc.gc.ca
+1–613–952–6031
Carleton University
School of Computer Science
http://www.scs.carleton.ca/~just/