Rendering passwords more secure
Mobile devices present a great challenge
by Raffaela Römer
June 23, 2016
Prof Dr Markus Dürmuth (fig. 1) from the research group Mobile Security is familiar with the problem: “Nobody likes passwords. In order to make their lives easier, many people use the same password for different accounts, or they choose passwords that are so easy to guess that they don’t provide sufficient protection.”
Fig. 1 © RUB, Roberto Schirdewahn
Markus Dürmuth heads the research group Mobile Security at Ruhr-Universität Bochum.
Dürmuth researches a host of methods. His work focuses mainly on passwords for mobile devices, where entering a password is a fairly laborious task. A wrong number is easily typed on the small screen. Moreover, numerals and symbols are hidden on the secondary and tertiary keyboards.
The latest Android smartphones offer the option to choose graphic passwords. This alternative, at least, makes unlocking the device much easier. Smartphone users draw a line with their finger across the screen to connect some of the displayed dots. For a long time, the security level of this method had not been fully verified. Many studies used the number of potential passwords as a benchmark.
In a three-by-three field, there are as many as 389,112 possibilities, assuming that each dot can only be used once and that the password is made up of between four and nine dots. For a traditional PIN, which has to be typed in by the user, the number of theoretically possible combinations is much smaller: for a three-digit PIN it amounts to merely 1,000, for a four-digit one to 10,000.
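The figure of 389,112 only comes out if one also applies Android's drawing rule, which the article does not spell out: a stroke cannot pass over a dot that has not yet been used, so that dot is added to the pattern instead. The following counter is an added example (not code from the article or the research group) that enumerates the patterns under that assumption, and can also show how much larger the count would be without it.

```python
"""Count valid 3x3 unlock patterns (added example, not from the article).

Assumed rule (Android's behaviour, not stated in the article): a stroke may
not cross a dot that is not yet part of the pattern, e.g. 0 -> 2 is only
legal once dot 1 has been used. Dots are numbered 0..8 row by row.
"""


def _blocked(a, b, visited):
    """True if the straight line a -> b crosses a dot not yet in `visited`."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return False  # no grid dot lies exactly halfway (e.g. knight moves)
    mid = ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return mid not in visited


def pattern_counts_by_length(enforce_skip_rule=True):
    """Return {length: number of distinct patterns} for lengths 1..9."""
    counts = {n: 0 for n in range(1, 10)}

    def dfs(last, visited):
        counts[len(visited)] += 1
        for nxt in range(9):
            if nxt in visited:
                continue
            if enforce_skip_rule and _blocked(last, nxt, visited):
                continue
            dfs(nxt, visited | {nxt})

    for start in range(9):
        dfs(start, frozenset([start]))
    return counts


def count_patterns(min_len=4, max_len=9, enforce_skip_rule=True):
    """Number of patterns using min_len..max_len dots, each dot at most once."""
    counts = pattern_counts_by_length(enforce_skip_rule)
    return sum(counts[n] for n in range(min_len, max_len + 1))


def count_pins(digits):
    """Theoretical keyspace of a numeric PIN of the given length."""
    return 10 ** digits


if __name__ == "__main__":
    print("Android rule:", count_patterns())              # 389112
    print("Plain permutations:", count_patterns(enforce_skip_rule=False))
    print("4-digit PIN:", count_pins(4))                    # 10000
```

Without the crossing rule the same length range yields 985,824 plain permutations, which is why the rule matters when quoting the 389,112 figure.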
In the real world, users of mobile devices do not take full advantage of the possibilities for creating a secure password. In order to memorise it more easily, they keep using the same patterns, as Markus Dürmuth and his colleagues found out in an experiment. They asked 400 students in the Ruhr-Universität Mensa to come up with a graphic password for unlocking a smartphone. In order to generate results that are as realistic as possible, the researchers made some stipulations: the test participants had to memorise the password while they were at lunch, and other people were given the chance to break it during that time. Consequently, the pattern had to be simple enough to memorise, yet difficult enough to prevent third parties from guessing it.
In the experiment, the researchers also presented the participants with fields whose dots were arranged differently from the original three-by-three field (fig. 2). It emerged that participants who were given the original arrangement often chose an “L” or a “Z” in several variations. “In most cases, the patterns were not randomly chosen at all,” concludes Dürmuth. This makes it much too easy for thieves to guess the password. The most secure passwords were created when the dots were arranged in a circle on the screen: test participants who were given a circular arrangement were the least tempted to choose commonly used patterns.
Fig. 2 © Agentur der RUB, Zalewski
In an experiment, the researcher tested whether users create secure passwords when the dots on an Android smartphone are not arranged in the traditional three-by-three pattern.
Passwords are also at the heart of Markus Dürmuth’s second project. Here, the researcher is aiming at optimising the security in so-called fallback authentication. This is an approach for resetting a forgotten password. Two methods are widespread: “reset by email” means the user receives a new password by email. However, this approach entails a risk, as the new password is sent unencrypted over the network. Moreover, it may arrive in an account that was in use at the time when the registration took place but has become defunct, and the user may not even remember it.
The second method uses security questions. For this purpose, the computer asks the user a question such as “What was your mother’s maiden name?” The user established the correct answer when he set up the account. The drawback here: “With a bit of luck and research, the attacker will be able to answer some of the security questions correctly,” says Markus Dürmuth.
A case where a hacker exploited this vulnerability is that of US journalist Matt Honan, which was widely reported in the media in 2012. In the first step, attackers hacked his email account and then used the fallback authentication mechanism, in order to set up new passwords for other accounts. As a result, they successively took over all of his accounts, thus stealing Honan’s entire digital identity.
Together with colleagues from the University of California, Berkeley, and the Institut national de recherche en informatique et en automatique (INRIA), Grenoble, Markus Dürmuth has developed an alternative to the methods described above. It makes use of so-called Mooney images. This term refers to black-and-white images that were edited using a special filter. At first glance, it is impossible to tell what a Mooney image is showing. Only after viewing the original picture will a user be able to recognise the motif in the Mooney image – an effect that lasts a long time. This is referred to as priming for a picture.
The images originated in the field of brain research. In the 1950s, they were deployed by the psychologist Craig Mooney for examining the so-called aha! effect with the aid of MRI.
This is how Dürmuth uses the mechanism in fallback authentication: rather than coming up with a security question and answer to prepare for the worst-case scenario, the user is presented with ten Mooney images and the respective original pictures during the priming phase. Should he forget his password one day, he will be shown 20 Mooney images and will have to state what he has recognised.
“The true account holder will recognise the ten Mooney images for which he had been primed,” explains Dürmuth. “But he won’t be able to identify the other ten. Subsequently, he will be assigned a new password.” A hacker would betray himself either by not recognising any Mooney images at all, or recognising those that the true user is not familiar with.
There is one catch, however: if the method is used on a number of websites, it is possible that a user would be primed for a Mooney image on one page for which he is not primed on another page – consequently, he would recognise the image there as well and be flagged as a hacker. “This is why we continue to pursue this project. I still think that this approach constitutes a genuine and good alternative to the current method,” says Dürmuth.