Monday, May 15:
Tuesday, May 16:
Wednesday, May 17:
Thursday, May 18:
Speakers, titles & abstracts are not published online.
Event is physical only, no streaming or recordings.
Chatham house rules: “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.“
Speaker info, with talk abstracts:
|Speaker info||Title & abstract|
Stephan Wiefling is a PhD Candidate from Germany (Institute for Cyber Security and Privacy, H-BRS). His work focuses on making cybersecurity and privacy usable for everyone. He also brought his expertise into the industry (e.g., Meta, Telenor).
Mastodon: @[email protected]
|Evaluating Risk-based Authentication on a Large-Scale Online Service|
Risk-based authentication (RBA) is recommended by government agencies (e.g., NIST, NCSC, ACSC) to strengthen password-based authentication against attacks involving stolen passwords, like credential stuffing or password spraying.
Users find RBA more usable than 2FA, and equally secure . Its security and privacy properties also look promising . But how does it really perform on a large online service?
We studied 3.3 million users and 31.3 million login attempts at a single sign-on service to uncover the real-world RBA behavior. Beyond that, we provide an open login data set and an open source solution to bring RBA into practice.
Website and Data Set: https://riskbasedauthentication.org
 Talk from PasswordsCon 2020: https://www.youtube.com/watch?v=Rd4ah5LZKyc
 Talk from PasswordsCon 2021: https://www.youtube.com/watch?v=WbeppxGKcog
PhD candidate, University of Oslo
|Privacy-Preserving Password Cracking: How a Third Party can Crack our Password Hash Without Learning the Hash Value or the Cleartext|
Using the computational resources of an untrusted third party to crack a password hash can pose a high number of privacy and security risks. The act of revealing the hash digest could in itself negatively impact both the data subject who created the password, and the data controller who stores the hash digest.
This paper solves this currently open problem by presenting a Privacy-Preserving Password Cracking protocol (3PC), that prevents the third party cracking server from learning any useful information about the hash digest, or the recovered cleartext.
This is achieved by a tailored anonymity set of decoy hashes, based on the concept of predicate encryption, where we extend the definition of a predicate function, to evaluate the output of a one way hash function. The protocol allows the client to maintain plausible deniability where the real choice of hash digest cannot be proved, even by the client itself. The probabilistic information the server obtains during the cracking process can be calculated and minimized to a desired level.
While in theory cracking a larger set of hashes would decrease computational speed, the 3PC protocol provides constant-time lookup on an arbitrary list size, bounded by the input/output operation per second (IOPS) capabilities of the third party server, thereby allowing the protocol to scale efficiently. We demonstrate these claims both theoretically and in practice, with a real-life use case implemented on an FPGA architecture.
Test & security consultant
Bachelor i Educational Psychology, Master in Digital Culture. Cecilie has a big heart for users, as well as a passion for the tech we interact with. At Bouvet she works with testing and security. As an experienced tester, Cecilie is all about testing what matters, combating abusive and user-unfriendly tech.
|How hard can it be? – choosing the right password manager|
Single-sign-on and tokens still haven’t eradicated passwords and both individuals and large businesses have a lot of passwords. Poor password hygiene is a huge risk, letting any hostile walk right in the door. So managing passwords in a good way is a must both for security and for keeping users sanity.
The question remains: what is a good choice? The talk does a dive into popular solutions and measure them against selection criterias and some of the possible choices.
The talk is a detailed look at usability and user friendliness. Selection criteria, and pitfalls in choosing a password no matter if you are a professional, single user, family or choosing a manager for enterprises and larger businesses.
Dr, CyberSkills, Munster technological University
|Quantum multi-factor authentication|
Quantum computing has the theoretical ability to break modern cryptography. However, it can also provide the key to stronger more resilient systems.
In this talk we introduce the quantum mechanics principles that enable the development of advanced computing and communication systems with capabilities beyond those we currently see in classical computing. We present a quantum multi-factor authentication mechanism based on the hidden-matching quantum communication complexity problem. It offers step-up graded authentication for users via a quantum token.
We will outline the protocol, demonstrate that it can be used in a largely classical setting, explain how it can be implemented in SASL, and discuss arising security features.
Postdoc at École Polytechnique Fédérale de Lausanne (EPFL), Switzerland
|Password Alchemy with Universal Neural-Cracking-Machines: Transmuting email addresses into Password Models|
“Bob is a system administrator of an average-size web application with a non-English-speaking user community. Bob would like to deploy a password meter to harden the password of his users.
However, deploying an accurate password meter for an under-represented, and, possibly unique, user community is not an easy task. There are no ready-made solutions available online; thus, if Bob really wants an accurate password model for his community, he has to train one from scratch. This means that Bob must find leaked plaintext passwords that follow a distribution similar to the one of his user community and use them to fit some kind of machine learning model.
Unfortunately, Bob does not have any idea where to find suitable password leaks, and, even if those were available, Bob knows nothing about machine learning. Failing in deploying his tailored password model, Bob ends up using an off-the-shelf password meter that performs poorly on the passwords of his non-English-speaking community. Bob is sad; his community has insecure passwords—everyone loses.
To make Bob’s life easier, we developed the first universal password model — a password model that, once pre-trained, can automatically adapt to any password distribution. We call it “Universal Neural-Cracking-Machine” (UNCM). To achieve this result, a UNCM does not need to access any plaintext passwords from Bob’s users. Instead, it exploits users’ auxiliary information, such as email addresses, as a proxy signal to predict and characterized the underlying password distribution.
Using a UNCM, every Bob out there can now autonomously generate tailored password models for their systems regardless of their expertise and resources. It is enough to download a pre-trained UNCM, provide it with the auxiliary information associated with users (e.g., email address), and deploy the resulting password model. No further training steps, targeted data collection, or prior knowledge of the community’s password distribution is required.”
Dr. Stefan Ivarsson
Senior Security Consultant, Truesec
|Password Culture: Understanding the mind of the masses to improve dictionary attacks|
As part of Security assessments, we regularly perform password recovery operations to assess the resilience against credential-based attacks toward customer systems. Backed by a large number of recovered passwords from systems and customers of varying sizes and password policies, we can observe human cultural patterns in the selection of passwords.
What kind of passwords do humans tend to select when limited by policies?
Let’s have a short dive into the mind of the masses and with this understanding of what is commonly selected, use this to improve dictionaries we use in recovery.
Espen Agnalt Johansen
|Why passwords and pincodes have screwed up my musical taste and why it’s actually a good thing. Experience sharing from a convert.|
For several years I have studied criminal environments and sought to understand their behavioural patterns. I went in with a strong bias toward looking for sophisticated methods and obscure yet beautiful sidechannel attacks. I have learned a lot since then.
Today I spend millions on converting belief systems and realise that Per may have been right all along.
The password and pincodes actually reflect a level of sophistication and a side channel that actually is a thing of beauty and grace when you choose to go deep and invest.
My talk will share stats, details and thoughts after spending millions on hardcore security efforts and still observe that very, very «sophisticated» people find passwords very hard to deal with. I will seek to combine this with personal accounts from a long security career and end up with recent stories from the trenches when facing infostealers in global infrastructures.
Expect this to get personal, and expect it to contain music.
Consultant, Altmode Networks
|What’s new in the NIST authentication guidelines draft?|
In December 2022, NIST released a draft revision to their Special Publication 800-63, Digital Identity Guidelines. This talk will discuss some of the changes in the new draft, especially with respect to authentication and particularly passwords.
Max Planck Institute for Security and Privacy (MPI-SP)
|“Make it screaming”: How Administrators Configure Risk-based Authentication|
Risk-based authentication (RBA) complements standard password-based logins by using knowledge about previously observed user behavior to prevent malicious login attempts. Correctly configured, RBA holds the opportunity to increase the overall security without burdening the user by limiting unnecessary security prompts to a minimum.
In a study, we let 28 system administrators configure RBA using a mock-up system modeled after Amazon Cognito. In subsequent interviews, we asked them about the intentions behind their configurations and experiences with the RBA system.
Based on these findings, we give recommendations for service providers who offer risk-based authentication to ensure both usable and secure logins for everyone.
Philipp is a final-year PhD student in the Department of Computer Science at Ruhr University Bochum, Germany, and Member of the Mobile Security Group. Philipp’s research interests include computer security and human-computer interaction (HCI), with a focus on usable security and authentication.
|Something Is Rotten in the State of California: How Users React to Sign-in Emails|
“Hi, we noticed a new sign-in to your account. If it was you, you can safely ignore this email. If it wasn’t you, please change your password immediately to secure your account.” While reading these lines, you probably remembered receiving an email just like this because numerous services send them to inform users about new sign-ins to their accounts.
In two user studies, we explored how users understand sign-in emails and react when receiving them. We tested two cases, a sign-in email sent for a login users initiated themselves or sent when a malicious actor logs in. We find that users feel relatively confident identifying legitimate logins but demonstrate various risky and insecure behaviors when it comes to malicious sign-ins. We discuss the identified problems, depict which pitfalls service providers should avoid, and what the perfect sign-in email should look like.
Kirsi Helkala is a professor at the Norwegian Defence Cyber Academy (Cyberingeniørskolen), which is part of the Norwegian Defence University College. She is also research professor at the Peace Research Institute Oslo (PRIO). She holds a Master of Science degree in mathematics from the University of Joensuu, Finland, and a PhD within information security from the University of Oslo, Norway. She teaches mathematics and supervises information and cyber security related student workshops, term papers and thesis. Her research interest lays on human factor in cyber security.
|Accessible authentication – a current status|
Technology has evolved greatly over the past decades; however, authentication methods have not really changed. Authentication methods that are currently dominant can be difficult to use and the needs of users with disabilities are not always met. In our earlier works, we have used disability classification identified by the World Health Organization as well as the principles of universal design to examine usability and security of authentication methods.
This talk will summarise our earlier works by showing some examples of the difficulties disabled people are facing, presenting an assessment of different forms of user authentication in terms of usability and security and giving some recommendations and suggestions to reach inclusivity in the authentication context.
Maynooth University PhD candidate
|Guessing PINs, One Partial PIN at a time.|
A Partial PIN is used in some Banks as a form of (often secondary) authentication where you are requested to input asubset of randomly chosen positions from your personal identification number (PIN). We wanted to explore the success rate of guessing a PIN via its partial PIN compared to that of guessing the full PIN.
An in-the-wild example could look like the following scenario: you attempt to guess your (not very close) friends bank PIN via their phone. Each day you have a certain number of guesses per day before being locked out. How many guesses do you need to recover the full PIN? If you correctly guess one partial PIN, you now have the requested positions digits and your chances of guessing the full PIN increases on guessing again. For example, if the full PIN is six-digits and the partial PIN is three-digits, guessing the partial PIN correctly reduces this probability from one in a million to a much more manageable one in a thousand.
This begs the question whether partial PINs are less secure than full PINs? And how many guesses would it take to brute force a full PIN by guessing its partial PIN at each log in?
In this talk I will show how we went about answering these questions by simulating the guessing process on different length PINs with different length partial PINs. I will also talk about the four different guessing strategies we created to compare their guessing efficacy and present our results.
PhD Student in Computer Science, The George Washington University
|“The Same PIN, Just Longer”: On the (In)Security of Upgrading PINs from 4 to 6 digits.|
With the goal of improving security, companies like Apple have moved from requiring 4-digit PINs to 6-digit PINs in contexts like smartphone unlocking. Users with a 4-digit PIN thus must “upgrade” to a 6-digit PIN for the same device or account. In an online user study (n = 1 010 ), we explore the security of such upgrades. Participants used their own smartphone to first select a 4-digit PIN. They were then directed to select a 6-digit PIN with one of five randomly assigned justifications. In an online attack that guesses a small number of common PINs (10–30), we observe that 6-digit PINs are, at best, marginally more secure than 4-digit PINs.
To understand the relationship between 4- and 6-digit PINs, we then model targeted attacks for PIN upgrades. We find that attackers who know a user’s previous 4-digit PIN perform significantly better than those who do not at guessing their 6-digit PIN in only a few guesses using basic heuristics (e.g., appending digits to the 4-digit PIN). Participants who selected a 6-digit PIN when given a “device upgrade” justification selected 6-digit PINs that were the easiest to guess in a targeted attack, with the attacker successfully guessing over 25% of the PINs in just 10 attempts, and more than 30% in 30 attempts.
Our results indicate that forcing users to upgrade to 6-digit PINs offers limited security improvements despite adding usability burdens. System designers should thus carefully consider this tradeoff before requiring upgrades.
Assistant Professor, University of Denver (Inclusive Security and Privacy-focused Innovative Research in Information Technology: Inspirit Lab)
|“Too Cute of a Toy” |
Evaluating the Usability of Multi-Factor Authentication Security Keys for Athletes
Multi-Factor Authentication (MFA) is increasingly important in today’s digital landscape, particularly as sensitive information is being transmitted and stored online. Security keys like YubiKeys have become a popular form of MFA as they require physical possession to authenticate a user’s identity. However, little attention has been given to the usability of MFA tools among athletes, who may face unique challenges due to the physical demands of their sport, including Traumatic Brain Injuries (TBI).
To address this gap, we conducted a comparative study was conducted with five athletes and five non-athletes, using a think-aloud protocol, to gain insights into their understanding of the YubiKey and any difficulties encountered. The study revealed specific areas of difficulty related to website navigation and comprehension of the YubiKey’s purpose, which are critical for effective use of the tool. The findings highlight the importance of considering the unique needs and limitations of different user groups, including athletes, when developing MFA tools to safeguard personal and professional information.
Security Advocate @ GitGuardian
Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learned first-hand how critical it is to build secure applications with robust developer operations.
Today as a Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.
|Gaining access through leaked credentials – How attackers discover and exploit secrets|
The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was quantified in a year-long research study by GitGuardian which found 6 million secrets were leaked in public repositories on Github.com. The report also showed that nearly 5% of docker images contain at least one plain text secret.
This talk will examine why secrets are so frequent in public spaces despite being a highly valuable asset and how attackers discover these credentials. Building from this we break down three recent successful attacks which all used leaked credentials, CodeCov2021, Indian Government 2020 and the Lapsus breaches of 2022. Examining each different methodology used in these we will show the different techniques attackers used to harvest and exploit credentials. Finally, we break down the different methods and tools can be used to extract secrets from source code, reviewing the pros and cons of each.
Per is the founder of PasswordsCon.
|I just might have something to say… Watch this space!|