SaTC: CORE: Improving Password Ecosystem: A Holistic Approach

SaTC：核心：改进密码生态系统：整体方法

• 批准号: 1704587
• 负责人: Ninghui Li
• 金额: $ 30万
• 依托单位: Purdue University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-10-01 至 2020-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1704587&HistoricalAwards=false
• 关键词: SaTC; CORE; Improving; Password; Ecosystem

User authentication is an important part of most information systems that require some level of security. Due to their ease of use, wide deployment, and user familiarity, passwords have been the most widely adopted user authentication mechanism in the past and are likely to continue to be an important part of cybersecurity for the foreseeable future. At the same time, it is well known that there is a tension between the security and usability of passwords. Often times, secure passwords are difficult to memorize, making them less usable, whereas passwords that are memorable tend to be predictable and discoverable. This project aims to improve the complex password ecosystem, including ways to help both human users and websites that require passwords. One research thrust focuses on developing techniques to help human users, and in particular, ways that effectively train humans in the skills to create and remember secure passwords. Another research thrust focuses on studying how to improve the password-generation interface of the website, which plays a decisive role in users' performance of password generation. To help human users, the project aims to develop and evaluate mental password generation strategies--cognitive algorithms that can be executed by humans--for generating high-entropy passwords that can be acquired and implemented by human users. An effective generation strategy should be easy to use, and the resulting passwords should be both unpredictable and easy to recall. Another major challenge a user faces is the large number of accounts that need passwords. The researchers are studying effective mental password management systems, in which passwords for different accounts are organized in a hierarchical manner and related to the website domain name to make recall easier, while it remains difficult for an attacker who possesses such a password to easily guess another. To help websites promote user-centered and safe password generation, this project studies how to improve the password-generation interface of the website by developing effective password strength communication and embedded training methods. The project poses the research question of how should websites check for weak passwords and effectively warn against or forbid their use, without imposing excess effort on the user.

用户身份验证是大多数需要一定安全级别的信息系统的重要组成部分。由于其易用性、广泛的部署和用户熟悉性，密码在过去一直是最广泛采用的用户身份验证机制，在可预见的未来可能会继续成为网络安全的重要组成部分。与此同时，众所周知，密码的安全性和可用性之间存在着紧张关系。通常情况下，安全密码很难记住，这使得它们不太有用，而容易记住的密码往往是可预测和可发现的。该项目旨在改善复杂的密码生态系统，包括帮助人类用户和需要密码的网站的方法。其中一个研究重点是开发技术来帮助人类用户，特别是有效地培训人类创建和记住安全密码的技能的方法。另一项研究重点是研究如何改善网站的密码生成界面，这对用户的密码生成性能起着决定性的作用。为了帮助人类用户，该项目旨在开发和评估心理密码生成策略-人类可以执行的认知算法-生成可以由人类用户获取和实现的高熵密码。有效的生成策略应易于使用，生成的密码应不可预测且易于回忆。用户面临的另一个主要挑战是需要密码的大量账户。研究人员正在研究有效的心理密码管理系统，其中不同账户的密码以分层方式组织，并与网站域名相关，以便于回忆，而拥有这样的密码的攻击者仍然很难轻易猜出另一个密码。为了帮助网站促进以用户为中心的安全密码生成，本项目研究如何通过开发有效的密码强度通信和嵌入式训练方法来改善网站的密码生成界面。该项目提出了一个研究问题，即网站应该如何检查弱密码，并有效地警告或禁止使用它们，而不会给用户带来过多的努力。

项目成果

Sustained Space Complexity

持续的空间复杂性

• DOI: 10.1007/978-3-319-78375-8_4
• 发表时间: 2018
• 期刊: Advances in Cryptology – EUROCRYPT 2018
• 作者: Alwen, Joël;Blocki, Jeremiah;Pietrzak, Krzysztof
• 通讯作者: Pietrzak, Krzysztof

Surviving in the Digital Environment: Does Survival Processing Provide an Additional Memory Benefit to Password Generation Strategies?

在数字环境中生存：生存处理是否为密码生成策略提供额外的内存优势？

• DOI: 10.1016/j.jarmac.2020.04.006
• 发表时间: 2020
• 期刊: Journal of Applied Research in Memory and Cognition
• 影响因子: 4.2
• 作者: Chong, Isis;Proctor, Robert W.;Li, Ninghui;Blocki, Jeremiah
• 通讯作者: Blocki, Jeremiah

Just In Time Hashing

及时哈希

• DOI: 10.1109/eurosp.2018.00033
• 发表时间: 2018
• 期刊: 2018 IEEE European Symposium on Security and Privacy (EuroS&P
• 作者: Harsha, Benjamin;Blocki, Jeremiah
• 通讯作者: Blocki, Jeremiah

On the Depth-Robustness and Cumulative Pebbling Cost of Argon2i

关于 Argon2i 的深度鲁棒性和累积卵石成本

• DOI: 10.1007/978-3-319-70500-2_15
• 发表时间: 2017
• 期刊: Theory of Cryptography. TCC 2017
• 作者: Blocki, J.;Zhou, S.
• 通讯作者: Zhou, S.

Locally Decodable/Correctable Codes for Insertions and Deletions

用于插入和删除的本地可解码/可纠正代码

• DOI: 10.4230/lipics.fsttcs.2020.16
• 发表时间: 2020
• 期刊: 40th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science
• 作者: Block, A;Blocki, J;Grigorescu, E;Kulkarni, S;Zhu, M.
• 通讯作者: Zhu, M.