Re: [Cfrg] Passwords - rethinked

Yoav Nir <ynir.ietf@gmail.com> Mon, 07 November 2016 12:43 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2wI7o_GJdULxS7im5diB5StauCU>

Hi, Otto

Just imagining using this, I can see two downsides:

1. I can type my password in under a second. Editing this text field will take me a while (30 seconds?  Probably can get it down a bit).

2. If each website, SSH server and FTP server that I connect to presents me with a different text (depending on the administrator’s preference for Tolkien, Conan-Doyle or Roddenberry) it becomes harder to remember how I edited each one.  So I end up with something like flipping the capitalization of the first word, and adding “123” before the last word:

####################################################################
nEXT morning, after breakfast, we found Inspector MacDonald and White
Mason seated in close consultation in the small parlour of the local
police sergeant. On the table in front of them were piled a number of
letters and telegrams, which they were carefully sorting and
docketing. Three had been placed on one side.

"Still on the track of the elusive bicyclist?" Holmes asked
cheerfully. "What is the latest news of the 123ruffian?"
####################################################################

How original am I?  Probably as original as all those people with password “Passwd123” and slightly less than the l33t haxxors who choose “pa55wd123”.  I’m guessing there will be a (relatively) small number of transformations everyone will use and so the dictionary attack does not go away.

All this is idle speculation, though.  This requires an experiment with real people (preferably not all of them college-age) to test that:
 1. They’re willing to use this even without promising the $100 every time they succeed.
 2. They can perform the task within a reasonable time.
 3. They can perform the task even when they have 20 different sites with 15 different texts.
 4. They can perform the task after not having used the site for a week.
 5. There is enough entropy in the transformations that they come up with.

A lot of authentication methods fail on usability. I suspect this one might.

Yoav

> On 1 Nov 2016, at 7:58, Otto Ersek <oersek@gmail.com> wrote:
> 
> For 50 years we were using passwords and have built up paradigms to end up with something like this: JW=?mt%3D5z!.*zNpC as a standard password.
> 
> First of all, the good news: we don't need a long "password" to authenticate; 4 base64 characters will do the job.
> But this is not secure enough to use the standard way.
> Therefore let us completely change the way we submit a password.
> And most importantly, let us do the whole procedure in a human way.
> 
> The idea/concept is as follows:
> 
> INSTEAD of a blinking login prompt sitting there and waiting desperately for a user password -> JW=?mt%3D5z!.*zNpC
> let us present the user a simple text edit field with a short story in it, which can be any text, no need to keep that secret, everybody might even use the same!
> 
> For example:
> Kindly borrowed from the project Gutenberg.
> Arthur Conan Doyle, THE COMPLETE SHERLOCK HOLMES, The valley of fear, The Solution
> 
> Original text as it could appear to the user:
> ####################################################################
> Next morning, after breakfast, we found Inspector MacDonald and White
> Mason seated in close consultation in the small parlour of the local
> police sergeant. On the table in front of them were piled a number of
> letters and telegrams, which they were carefully sorting and
> docketing. Three had been placed on one side.
> 
> "Still on the track of the elusive bicyclist?" Holmes asked
> cheerfully. "What is the latest news of the ruffian?"
> ####################################################################
> 
> But how can a 100-year-old text help with authenticating today?
> 
> What if we change the above text “slightly” to the following (sorry Dr. Watson!):
> ####################################################################
> Next morning, after breakfast, we found Inspector McDonald and White
> Mason seated in close consultation in the small parlour of the local
> police sergeant. On the stable in front of them were piled a number of
> letters and emails, which they were carefully sorting and
> docketing. Three had been placed on one side.
> 
> "Still on the track of the eXClusive bicyclist?" Holmes asked
> cheerfully. "What is the latest news of the ruffian?"
> ####################################################################
> 
> Sha512 of the "original version" is
> 686027BE2595FF6BB7B7E0737D40B552753424D30D7B06CFA617165C022E256D
> 
> Sha512 of the "modified version" is
> C958DA6B2BC84AD4DEEE453E8654C94502A5F66E9B4E353937F9663A1A22CF04
> 
> Well and that's it! Use the hash as an auth string,...
> 
> PROPOSAL:
> To achieve an estimated 36 bits of security per round choose an arbitrary starting text of at least 1024 characters.
> Copy some selected text and paste it somewhere into the text PLUS type before or after pasting some character from A-Z,a-z,0-9 (Yeah!!! No special characters needed! But if you really insist on using them go ahead)
> Repeat 3 times. So in total 36 bits x 4 rounds = 144 bits
> 
> As long as we keep the changes made to the original text secure and follow the given proposal we should get a security level > 128 bits, which is considered "secure" by today's standards.
> 
> Summary:
> 1) We still need some "password" but 4 characters should be sufficient. Further we need to remember the copy & paste sections. In total 4 + 4*3 = 16 items to remember, but we have the original text in front of us as a visual guidance while doing our changes.
> 2) The way we provide passwords has changed, not a blank field but a story is presented to us for us to make deliberate and memorable typos in it
> 3) This should be easier to remember than the following funny-random-senseless ................... 24 character and 22 character long strings:
> 
> JWmt3DEz4VYEwQOhRKzyiWmA
> ZF7IwsBlxGwwnvMLjpSMy9f3
> 
> or slightly "shorter":
> 
> }cM3MdgP'=\els6toBvTo[
> u]o{^`>Mimn o_wlS}'.Ie
> 
> For optional top notch security one may pick: arthur conan doyle, append shakespeare twice, append lord of the rings, append whatever,... but don't infringe copyright, only use books/texts you own! Then ask the user to authenticate in that file, and ask for more than 4 rounds,... but this is most likely overkill :-)
> 
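An added illustration of the reply's point about a small number of transformations, written as a strength audit a site could run on an edited text before accepting it; it is not code from either author. The two-edit "habit model" (swap the case of one word, prefix one word with a short affix) and the `AFFIXES` list are assumptions made for this example, and the authenticator is the unsalted SHA-512 of the edited text, as in the proposal.

```python
import hashlib
import math
import re

# Starting text quoted in the thread (public, shown to every user).
ORIGINAL = (
    "Next morning, after breakfast, we found Inspector MacDonald and White\n"
    "Mason seated in close consultation in the small parlour of the local\n"
    "police sergeant. On the table in front of them were piled a number of\n"
    "letters and telegrams, which they were carefully sorting and\n"
    "docketing. Three had been placed on one side.\n\n"
    "\"Still on the track of the elusive bicyclist?\" Holmes asked\n"
    "cheerfully. \"What is the latest news of the ruffian?\""
)
# Assumed list of "obvious" affixes; illustrative, not measured from real users.
AFFIXES = ["1", "12", "123", "1234", "0", "7", "x", "X"]

def auth_string(text):
    """The scheme's authenticator: SHA-512 of the edited text, hex-encoded."""
    return hashlib.sha512(text.encode("utf-8")).hexdigest()

def candidate_hashes(text, affixes=AFFIXES):
    """Hash every text reachable by: swap case of one word + prefix one word."""
    toks = re.split(r"([A-Za-z]+)", text)  # odd indices hold the words
    words = range(1, len(toks), 2)
    seen = set()
    for i in words:
        for j in words:
            for a in affixes:
                t = list(toks)
                t[i] = t[i].swapcase()
                t[j] = a + t[j]
                seen.add(auth_string("".join(t)))
    return seen

def audit(edited, text=ORIGINAL):
    """Return (edited text lies inside the habit space, size of space in bits)."""
    space = candidate_hashes(text)
    return auth_string(edited) in space, math.log2(len(space))

# The edit described in the reply: flip the first word's case, "123" before the last.
REPLY_EDIT = ORIGINAL.replace("Next", "nEXT", 1).replace("ruffian", "123ruffian")

if __name__ == "__main__":
    found, bits = audit(REPLY_EDIT)
    print(f"covered by habit model: {found}, search space: {bits:.1f} bits")
```

Under these assumptions the reply's edit falls inside a space of about 15 bits, which is the quantity item 5 of the proposed experiment would have to measure with real users.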