Better understanding of user-chosen passwords
In this work, we make a substantial step forward towards
understanding the distribution of passwords. By introducing a number of computational statistical techniques and based on fourteen large-scale datasets, which consist of 113.3 million real-world passwords, we for the first time show that Zipf’s law natively exists in the popular (and thus vulnerable) part of human-generated password datasets. Further, we provide compelling evidence that this law is also highly likely to hold in the remaining part of human-generated passwords. (see more in our IEEE TIFS'17 paper; and its applications in ESORICS'16 paper) |
We have conducted a systematic investigation into the characteristics, distribution and security of PINs chosen by English user and Chinese users. By employing NLP techniques, we have revealed that PINs follow a Zipf distribution; By adopting both statistic metrics and state-of-the-art cracking algorithms, we have highlighted that 6-digit PINs offer marginally improved security over 4-digit PINs. (see more in our ASIACCS'17 paper )
|
Understanding and improving password creation policies
In this work, we conduct an extensive empirical study of 50 password creation policies that are currently imposed on high-profile web services, including 20 policies mainly from US and 30 ones from mainland China. Our results show that the policies enforced in leading sites largely fail to serve their purposes, especially vulnerable to targeted online guessing attacks. (see more in ESORICS'15 paper)
|
We propose a simple yet effective password strength meter, fuzzyPSM, to give users reliable feedbacks when they select passwords. Inspired by a user survey on password practice, FuzzyPSM takes the first step towards characterizing realistic user behaviors in password creation: Generally users do not build new passwords from scratch for a new service by combining segments of words, digits and/or symbols, instead they reuse or simply modify existing passwords for new services. (see more in DSN'16 paper )
|
New two-factor authentication (2FA) schemes
We propose a new 2FA scheme with provable security, and what we believe is most interesting is that superior security and privacy can be achieved at nearly no additional communication or computation cost. As far as we know, this work is the first one that defines a formal model to capture the feature of user un-traceability and that highlights the damaging threat of de-synchronization attack on privacy-preserving two-factor authentication schemes. (see more in INS'15 paper)
|
We presented an new 2FA scheme to cope with the various identified security defects without sacrificing any desirable feature of Li et al.'s scheme. We conjecture that the strategy of only using symmetric-key techniques to achieve user anonymity is intrinsically infeasible, and pose its rigorous justification as one interesting (and fundamental) open problem. (see more in IEEE WCNC'14 paper; IEEE Systems Journal'16 paper)
|
Some principles for designing secure and privacy-preserving 2FA
Under the conditional non-tamper-resistance assumption of the smart cards, whether it is possible to construct a privacy-preserving two-factor authentication scheme by employing only light-weight symmetric cryptographic techniques, as most of the literature has done in the past? We give a negative answer to this question by empirically using two case studies and formally proving it in a widely accepted adversary model. (see more in COMNET'14 paper)
|
In this work, we, for the first time, put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the
non-tamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. (see more in our IJCS'14 ESI highly cited paper) |
Investigations into the evaluation metrics for 2FA
We further propose viable fixes and refinements to the state-of-the-art metric. The effectiveness of our refinements are tested by a comparative evaluation of 34 representative two-factor schemes. Particularly, we, for the first time, provide a taxonomy of smart-card-loss attacks. (see more in ASIACCS'16 paper; For a better metric and new scheme see our IEEE TDSC'16 paper)
|
Little attention has been given to the fundamental question: whether or not there are inherent limitations that prevent us from designing an “ideal” scheme that satisfies all the desirable goals? In this work, we aim to provide a definite answer to this question. (see more in our IEEE TDSC'15 paper_)
|