[PAST EVENT] Yue Li, Computer Science - Dissertation Proposal
Password remains the dominant authentication scheme for more than 30 years, and it cannot be easily replaced in the foreseeable future. However, password authentication has been long plagued to have many security and usability drawbacks, mainly due to human memory limitations. For example, a user may choose an easy-to-guess password since it is easier for her to remember. The drastically increasing number of online accounts an user possess even exacerbates this problem.
In this dissertation proposal, we present three research projects that focus on the security of password authentication and its ecosystem. First, we observe that personal information plays a very important role when a user creates a password. Enlightened by this, we conduct a study on how users create their passwords using their personal information based on a leaked password dataset. Armed with the knowledge, we develop a novel password cracker, named personal-PCFG, that leverages personal information for password cracking. Our experiments show that Personal-PCFG is much more efficient to guess out the password of a target user than the state-of-art.
The second project aims to ease the password management hassle for the user. Password managers are introduced such that users need only one password (master password) to access all their other passwords. However, the password manager introduces single point of failure and is potentially vulnerable to data breach. To address these issues, we propose BluePass, a decentralized password manager that features a dual-possession security and a hand-free user experience. BluePass separately stores the password vault and the decryption key, and leverages the short-ranged Bluetooth communication to ensure the device proximity (which is one authentication factor). We evaluate BluePass in terms of functionality, latency, battery consumption, as well as usability.
We propose a third project, which aims to investigate an overlooked aspect in the password lifecycle -- the password recovery procedure. We measure the de facto password recovery mechanisms in the Alexa top 500 websites, and reveal that most of the password recovery implementations rely on accessibility to the user email account, which makes the email account a password hub that controls almost all passwords of a user. In the next step, we plan to estimate the likelihood and damage of a password recovery attack, taking the username availability, classification-based authentication, and 2 factor authentication, into consideration. We also plan to examine the current security measures posed by major email providers across the globe, trying to uncover that if adequate measures have been made to protect users' email accounts. Finally, a solution to prohibit email-based account recovery attacks is desired.
Yue Li is a Ph.D. candidate of Computer Science Department at William & Mary, co-advised by Dr. Haining Wang and Dr. Kun Sun. His research interest lies in secure authentication, network security, mobile security, forensics analysis, and intrusion detection. He received his Bachelor degree in Information Engineering from the Chinese University of Hong Kong in 2013.