EpisoPass paper presentation slides

(expanded from EpisoPass slides; do not edit this page)


EpisoPass: Password Management based on Episodic Memories
Toshiyuki Masui
Keio University, Japan
masui@masui.org
Twitter: @masui password
Presented at Passwords2016

Demo: EpisoPass
Get my password!

Passwords today
Tremendous number of password-based services and systems
Will not die out in the near future
We have to live with passwords

Problems of passwords
(Many problems known to everybody here)
...
Very difficult to remember strong passwords
Extra techniques required

How do Asian people use passwords?
Using numbers and alphabets only
Inadequate for kids and old people
Small kids cannot use alphabets
Old people cannot remember alphabetical passwords
People use Japanese characters for IDs (e.g. 増井)

Hiragana keyboard
10 consonants × 5 vowels = 50 keys
Almost all Japanese people can use it

Japanese input for iPhone
Very popular in Japan
Not used for password input

Fundamental problem
New information is easily forgotten
Any kind of text or image is forgotten
Impossible to make them rememberable

Solution
Generating passwords from something we never lose
fingerprints
old memories

Logical consequence
Facts
We have to use passwords
We forget passwords
⇒ possible solutions:
Use special devices for remembering passwords
Use something we never lose

EpisoPass
Generating passwords from episodic memories
Does not use strings directly related to memories
Use “seed strings” for different services
Select the right answer from many fake questions

Demo: EpisoPass
Get my passwords!

Demo: Browser extension
Logging into Amazon from browsers

Demo: Android apps
Use simpler HTML
Easily converted to Android/iPhone apps
Compiled on the server based on the Q/A data

Experiences
“Dogfooding” for 4 years
Never lost a password since 2013
No successful attack observed
All info on the Web

Password generation algorithm
Calculates a hash value from Q/A pairs
Generates a password based on the hash value and character substitution

Advantages
No need for remembering new information
Questions and answers can be put on the Net
Searchable on Google
Safer if handled with care
No “master password” required
Needs nothing to remember

Problems
Q/A pairs should be carefully designed
Easily attacked
Difficult to select good questions
Takes time to provide fake answers
Takes time for selecting right answers
Fragile to shoulder surfing

Problems of selecting good questions
People are not good at creating good questions
People tend to use bad questions

Bad questions
Information on the net
e.g. Where did I live when I was 20?
Might be on the blog
Shared knowledge
e.g. What is my mother's maiden name?
Taste-based questionnaire
e.g. What color do I like best?
Tastes are not stable
Boastable episodes
e.g. With whom did I have secret relations?

Good questions
Trivial bad experiences
e.g. Where did I cut my leg when I was small?
e.g. Who hit me when I was 6?
Secret bad memories
e.g. What did I steal from grandma's house?
Use person names and location names
Easy to create fake answers

Possible attacks
Trying all QA pairs
Online attacks unlikely
Offline attacks possible
Asking questions to many people

Creating questions
Fun for some people (like me)
Support tools required

Creating fake answers
Generating similar names
Frankfurt ⇒ Bonn, Köln, Essen, Koblenz, ...
Bill ⇒ Steve, Edward, John, Ken, ...

Takes time to answer all questions
Usually we don't have to type passwords every time
Browsers remember them
.ssh/id_rsa file
We can use EpisoPass only once in a while

Password leaks
If one of the passwords is revealed to an attacker, all the answers can be known by brute-force attacks
Solutions
Make Q/A pairs secret
Use many Q/A pairs
Use secret seed strings
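Added example illustrating the "Password generation algorithm" and "Password leaks" slides: a small Python model of an EpisoPass-style scheme (hash the chosen answers together with a per-service seed string, then map the hash onto a password alphabet), plus the size of the offline search space an attacker faces if one password leaks. This is not the EpisoPass implementation; the hash function, the alphabet and the sample Q/A data are assumptions constructed for this example.

```python
import hashlib
from math import prod

# Constructed sample Q/A data (not the author's real questions). Each question
# carries several candidate answers; exactly one index is the true episodic answer,
# the rest are fake answers of the same kind (names, places).
QUESTIONS = [
    ("Where did I cut my leg when I was small?", ["Bonn", "Koblenz", "Essen", "Köln"]),
    ("Who hit me when I was 6?", ["Steve", "Edward", "John", "Ken"]),
    ("What did I steal from grandma's house?", ["a spoon", "a coin", "a comb", "a stamp"]),
]

# 64 symbols (assumption): ambiguous glyphs I, O, l left out; 256 % 64 == 0, so
# taking each hash byte modulo the alphabet size does not bias any symbol.
ALPHABET = ("ABCDEFGHJKLMNPQRSTUVWXYZ" "abcdefghijkmnopqrstuvwxyz" "23456789" "!@#$%&*")


def derive_password(seed, answers, length=12):
    """Hash the service-specific seed string together with the selected answers,
    then substitute each hash byte with a character from ALPHABET."""
    material = seed + "\n" + "\n".join(answers)
    digest = hashlib.sha256(material.encode("utf-8")).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def password_for(seed, choices):
    """choices[i] is the index of the answer the user selects for QUESTIONS[i]."""
    answers = [cands[i] for (_, cands), i in zip(QUESTIONS, choices)]
    return derive_password(seed, answers)


def search_space(questions):
    """Number of answer combinations to try offline when the Q/A page is public
    and one password has leaked: the product of the candidate counts. More Q/A
    pairs and more fake answers grow this product; a secret seed removes it
    from the attacker's reach entirely."""
    return prod(len(cands) for _, cands in questions)


if __name__ == "__main__":
    true_choices = (0, 1, 2)
    for service in ("amazon", "bank"):
        print(service, password_for(service, true_choices))
    print("combinations to brute-force:", search_space(QUESTIONS))
```

The same answers yield a different password per seed string, so a leak at one service does not hand over the others directly.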

Conclusion
Simple idea, but useful
at least very useful for me
Support tools required for attracting more people
