Archive for the 'Authentication' Category

Phishing and OpenID: Bookmarks to the Rescue?

Saturday, January 20th, 2007

OpenID, as currently used for single sign-on, facilitates phishing.
Using OpenID, you can establish an account at any identity provider you like, and then use it to log in to any OpenID-enabled website.  Unfortunately, the way it’s currently deployed, described, and demonstrated, OpenID makes users even more susceptible to phishing than they are without it.  [...]

An Idea: Upending the Password Strength Problem

Friday, July 14th, 2006

I had an idea yesterday evening inspired by Cynthia Kuo’s talk on phrase-based passwords.  Cynthia’s research started with a popular method for choosing memorable passwords and evaluated the strength of passwords created using that method.  And there was a questioner from the audience who noted that, whenever you popularize a particular formula for [...]

Min Wu, Robert C. Miller, and Greg Little: Web Wallet

Friday, July 14th, 2006

Read the paper here.
Phishing is a semantic attack: it exploits the gap between the user’s intentions and the system’s operation (in particular when submitting data).  The key factors are: what is the data and where will it go?
The Web Wallet is a browser sidebar that users open by pressing a secure attention key (F2).  [...]

Cynthia Kuo, Sasha Romanosky, and Lorrie Faith Cranor: Human Selection of Mnemonic Phrase-Based Passwords

Thursday, July 13th, 2006

Read the paper here.
Many organizations tell users to create “mnemonic phrase-based passwords” — passwords made up by thinking of a memorable sentence or phrase, then compressing each word of the phrase to a character (such as its first letter, a number, or a punctuation character).  Association with the phrase helps users remember their passwords, [...]

Furkan Tari, A. Ant Ozok, and Stephen H. Holden: Comparison of Perceived and Real Shoulder-Surfing Risks

Thursday, July 13th, 2006

Read the paper here.
This study compared the real and perceived shoulder-surfing vulnerability of Passfaces (a graphical password system) with that of dictionary and non-dictionary passwords.  There were four conditions: Passfaces with a mouse, Passfaces with the keyboard, a dictionary password, and a non-dictionary password.
The study confirmed that the concern about shoulder-surfing vulnerability of Passfaces with a mouse [...]

Shirley Gaw and Edward Felten: Password Management Strategies

Thursday, July 13th, 2006

Read the paper here.
This study of password use surveyed about 50 Princeton undergraduates.  The participants had, on average, about 3 passwords; they acquire more accounts over time, and they reuse their passwords more as they acquire more accounts.  Participants most commonly rely on their memory to recall passwords rather than on software tools.  [...]

Ka-Ping Yee and Kragen Sitaker: Passpet

Thursday, July 13th, 2006

Read the paper here.
Passpet is a Firefox extension that helps you manage your passwords and protects you from phishing.  You memorize one master secret, and you click on your Passpet to generate a unique password for each site.  The Passpet icon is a randomly chosen animal that differs from user to user.  [...]

How to Manage Passwords and Prevent Phishing

Wednesday, February 8th, 2006

I have an idea about how to solve the phishing problem.  Although proposals to solve phishing are not yet as common as proposals to solve spam, there certainly have been quite a few of them, so you would be right to wonder what makes this proposal any different or any more likely to work.
So, [...]