Monday, May 15:
Tuesday, May 16:
| Time | Speaker | Title |
|---|---|---|
| 08:30 | Doors open / coffee | “Social interaction” |
| 09:00 | Sanchari Das | “Too Cute of a Toy” Evaluating the Usability of Multi-Factor Authentication Security Keys for Athletes |
| 09:30 | Cecilie Wian | How hard can it be? – choosing the right password manager |
| 10:00 | BREAK | |
| 10:30 | Dario Pasquini | Password Alchemy with Universal Neural-Cracking-Machines: Transmuting email addresses into Password Models |
| 11:15 | BREAK | |
| 11:30 | Stefan Ivarsson | Password Culture: Understanding the mind of the masses to improve dictionary attacks |
| 12:00 | Ashley Sheil | Guessing PINs, One Partial PIN at a time. |
| 12:30 | LUNCH BREAK | |
| 13:30 | Collins Munyendo | “The Same PIN, Just Longer”: On the (In)Security of Upgrading PINs from 4 to 6 digits. |
| 14:00 | BREAK | |
| 14:15 | Mackenzie Jackson | Gaining access through leaked credentials – How attackers discover and exploit secrets |
| 15:00 | Hazel Murray | Quantum multi-factor authentication |
| 15:30 | Per Thorsheim | End of day 2 / Open part of PasswordsCon |
| –:– | Evening meetup in city center somewhere? |
Wednesday, May 17:
Thursday, May 18:
Speakers, titles & abstracts are not published online.
Event is physical only, no streaming or recordings.
Chatham house rules: “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.“
Speaker info, with talk abstracts:
| Speaker info | Title & abstract |
|---|---|
 Stephan Wiefling Stephan Wiefling is a PhD Candidate from Germany (Institute for Cyber Security and Privacy, H-BRS). His work focuses on making cybersecurity and privacy usable for everyone. He also brought his expertise into the industry (e.g., Meta, Telenor). Mastodon: @[email protected] | Evaluating Risk-based Authentication on a Large-Scale Online Service Risk-based authentication (RBA) is recommended by government agencies (e.g., NIST, NCSC, ACSC) to strengthen password-based authentication against attacks involving stolen passwords, like credential stuffing or password spraying. Users find RBA more usable than 2FA, and equally secure [1]. Its security and privacy properties also look promising [2]. But how does it really perform on a large online service? We studied 3.3 million users and 31.3 million login attempts at a single sign-on service to uncover the real-world RBA behavior. Beyond that, we provide an open login data set and an open source solution to bring RBA into practice. Website and Data Set: https://riskbasedauthentication.org [1] Talk from PasswordsCon 2020: https://www.youtube.com/watch?v=Rd4ah5LZKyc [2] Talk from PasswordsCon 2021: https://www.youtube.com/watch?v=WbeppxGKcog |
 Tamas Bisztray PhD candidate, University of Oslo Linkedin: linkedin.com/in/tb-link | Privacy-Preserving Password Cracking: How a Third Party can Crack our Password Hash Without Learning the Hash Value or the Cleartext Using the computational resources of an untrusted third party to crack a password hash can pose a high number of privacy and security risks. The act of revealing the hash digest could in itself negatively impact both the data subject who created the password, and the data controller who stores the hash digest. This paper solves this currently open problem by presenting a Privacy-Preserving Password Cracking protocol (3PC), that prevents the third party cracking server from learning any useful information about the hash digest, or the recovered cleartext. This is achieved by a tailored anonymity set of decoy hashes, based on the concept of predicate encryption, where we extend the definition of a predicate function, to evaluate the output of a one way hash function. The protocol allows the client to maintain plausible deniability where the real choice of hash digest cannot be proved, even by the client itself. The probabilistic information the server obtains during the cracking process can be calculated and minimized to a desired level. While in theory cracking a larger set of hashes would decrease computational speed, the 3PC protocol provides constant-time lookup on an arbitrary list size, bounded by the input/output operation per second (IOPS) capabilities of the third party server, thereby allowing the protocol to scale efficiently. We demonstrate these claims both theoretically and in practice, with a real-life use case implemented on an FPGA architecture. |
 Cecilie Wian Test & security consultant Bachelor i Educational Psychology, Master in Digital Culture. Cecilie has a big heart for users, as well as a passion for the tech we interact with. At Bouvet she works with testing and security. As an experienced tester, Cecilie is all about testing what matters, combating abusive and user-unfriendly tech. Linkedin: https://www.linkedin.com/in/lcwian/ Mastodon: https://mastodon.social/@[email protected] | How hard can it be? – choosing the right password manager Single-sign-on and tokens still haven’t eradicated passwords and both individuals and large businesses have a lot of passwords. Poor password hygiene is a huge risk, letting any hostile walk right in the door. So managing passwords in a good way is a must both for security and for keeping users sanity. The question remains: what is a good choice? The talk does a dive into popular solutions and measure them against selection criterias and some of the possible choices. The talk is a detailed look at usability and user friendliness. Selection criteria, and pitfalls in choosing a password no matter if you are a professional, single user, family or choosing a manager for enterprises and larger businesses. |
 Hazel Murray Dr, CyberSkills, Munster technological University Linkedin: https://linkedin.com/in/hazel-murray-a0276170 | Quantum multi-factor authentication Quantum computing has the theoretical ability to break modern cryptography. However, it can also provide the key to stronger more resilient systems. In this talk we introduce the quantum mechanics principles that enable the development of advanced computing and communication systems with capabilities beyond those we currently see in classical computing. We present a quantum multi-factor authentication mechanism based on the hidden-matching quantum communication complexity problem. It offers step-up graded authentication for users via a quantum token. We will outline the protocol, demonstrate that it can be used in a largely classical setting, explain how it can be implemented in SASL, and discuss arising security features. |
 Dario Pasquini Postdoc at École Polytechnique Fédérale de Lausanne (EPFL), Switzerland Twitter: https://twitter.com/dario_pasquini Personal homepage: https://pasquini-dario.github.io/me/ | Password Alchemy with Universal Neural-Cracking-Machines: Transmuting email addresses into Password Models “Bob is a system administrator of an average-size web application with a non-English-speaking user community. Bob would like to deploy a password meter to harden the password of his users. However, deploying an accurate password meter for an under-represented, and, possibly unique, user community is not an easy task. There are no ready-made solutions available online; thus, if Bob really wants an accurate password model for his community, he has to train one from scratch. This means that Bob must find leaked plaintext passwords that follow a distribution similar to the one of his user community and use them to fit some kind of machine learning model. Unfortunately, Bob does not have any idea where to find suitable password leaks, and, even if those were available, Bob knows nothing about machine learning. Failing in deploying his tailored password model, Bob ends up using an off-the-shelf password meter that performs poorly on the passwords of his non-English-speaking community. Bob is sad; his community has insecure passwords—everyone loses. To make Bob’s life easier, we developed the first universal password model — a password model that, once pre-trained, can automatically adapt to any password distribution. We call it “Universal Neural-Cracking-Machine” (UNCM). To achieve this result, a UNCM does not need to access any plaintext passwords from Bob’s users. Instead, it exploits users’ auxiliary information, such as email addresses, as a proxy signal to predict and characterized the underlying password distribution. Using a UNCM, every Bob out there can now autonomously generate tailored password models for their systems regardless of their expertise and resources. It is enough to download a pre-trained UNCM, provide it with the auxiliary information associated with users (e.g., email address), and deploy the resulting password model. No further training steps, targeted data collection, or prior knowledge of the community’s password distribution is required.” |
 Dr. Stefan Ivarsson Senior Security Consultant, Truesec Linkedin: https://se.linkedin.com/in/dragondesign | Password Culture: Understanding the mind of the masses to improve dictionary attacks As part of Security assessments, we regularly perform password recovery operations to assess the resilience against credential-based attacks toward customer systems. Backed by a large number of recovered passwords from systems and customers of varying sizes and password policies, we can observe human cultural patterns in the selection of passwords. What kind of passwords do humans tend to select when limited by policies? Let’s have a short dive into the mind of the masses and with this understanding of what is commonly selected, use this to improve dictionaries we use in recovery. |
 Espen Agnalt Johansen Tryggleiksjef, Visma Linkedin: https://www.linkedin.com/in/espenjohansen/ | Why passwords and pincodes have screwed up my musical taste and why it’s actually a good thing. Experience sharing from a convert. For several years I have studied criminal environments and sought to understand their behavioural patterns. I went in with a strong bias toward looking for sophisticated methods and obscure yet beautiful sidechannel attacks. I have learned a lot since then. Today I spend millions on converting belief systems and realise that Per may have been right all along. The password and pincodes actually reflect a level of sophistication and a side channel that actually is a thing of beauty and grace when you choose to go deep and invest. My talk will share stats, details and thoughts after spending millions on hardcore security efforts and still observe that very, very «sophisticated» people find passwords very hard to deal with. I will seek to combine this with personal accounts from a long security career and end up with recent stories from the trenches when facing infostealers in global infrastructures. Expect this to get personal, and expect it to contain music. |
 Jim Fenton Consultant, Altmode Networks Linkedin: https://www.linkedin.com/in/jim-fenton-5385222/ Mastodon: https://mastodon.social/@jimfenton | What’s new in the NIST authentication guidelines draft? In December 2022, NIST released a draft revision to their Special Publication 800-63, Digital Identity Guidelines. This talk will discuss some of the changes in the new draft, especially with respect to authentication and particularly passwords. |
 Maximilian Golla Max Planck Institute for Security and Privacy (MPI-SP) Homepage: https://maximiliangolla.com LinkedIn: https://www.linkedin.com/in/maximilian-golla Mastodon: https://mastodon.social/@m33x | “Make it screaming”: How Administrators Configure Risk-based Authentication Risk-based authentication (RBA) complements standard password-based logins by using knowledge about previously observed user behavior to prevent malicious login attempts. Correctly configured, RBA holds the opportunity to increase the overall security without burdening the user by limiting unnecessary security prompts to a minimum. In a study, we let 28 system administrators configure RBA using a mock-up system modeled after Amazon Cognito. In subsequent interviews, we asked them about the intentions behind their configurations and experiences with the RBA system. Based on these findings, we give recommendations for service providers who offer risk-based authentication to ensure both usable and secure logins for everyone. |
 Philipp Markert Philipp is a final-year PhD student in the Department of Computer Science at Ruhr University Bochum, Germany, and Member of the Mobile Security Group. Philipp’s research interests include computer security and human-computer interaction (HCI), with a focus on usable security and authentication. Homepage: https://philipp-markert.com | Something Is Rotten in the State of California: How Users React to Sign-in Emails “Hi, we noticed a new sign-in to your account. If it was you, you can safely ignore this email. If it wasn’t you, please change your password immediately to secure your account.” While reading these lines, you probably remembered receiving an email just like this because numerous services send them to inform users about new sign-ins to their accounts. In two user studies, we explored how users understand sign-in emails and react when receiving them. We tested two cases, a sign-in email sent for a login users initiated themselves or sent when a malicious actor logs in. We find that users feel relatively confident identifying legitimate logins but demonstrate various risky and insecure behaviors when it comes to malicious sign-ins. We discuss the identified problems, depict which pitfalls service providers should avoid, and what the perfect sign-in email should look like. |
 Kirsi Helkala Kirsi Helkala is a professor at the Norwegian Defence Cyber Academy (Cyberingeniørskolen), which is part of the Norwegian Defence University College. She is also research professor at the Peace Research Institute Oslo (PRIO). She holds a Master of Science degree in mathematics from the University of Joensuu, Finland, and a PhD within information security from the University of Oslo, Norway. She teaches mathematics and supervises information and cyber security related student workshops, term papers and thesis. Her research interest lays on human factor in cyber security. Homepages: https://www.nordrekalstad.com/kirsi-helkala https://www.forsvaret.no/en/research/staff/helkala-kirsi-marjaana Linkedin: https://www.linkedin.com/in/kirsi-helkala-3150251/ | Accessible authentication – a current status Technology has evolved greatly over the past decades; however, authentication methods have not really changed. Authentication methods that are currently dominant can be difficult to use and the needs of users with disabilities are not always met. In our earlier works, we have used disability classification identified by the World Health Organization as well as the principles of universal design to examine usability and security of authentication methods. This talk will summarise our earlier works by showing some examples of the difficulties disabled people are facing, presenting an assessment of different forms of user authentication in terms of usability and security and giving some recommendations and suggestions to reach inclusivity in the authentication context. |
 Ashley Sheil Maynooth University PhD candidate Linkedin: https://www.linkedin.com/in/ashley-sheil-801947122 | Guessing PINs, One Partial PIN at a time. A Partial PIN is used in some Banks as a form of (often secondary) authentication where you are requested to input asubset of randomly chosen positions from your personal identification number (PIN). We wanted to explore the success rate of guessing a PIN via its partial PIN compared to that of guessing the full PIN. An in-the-wild example could look like the following scenario: you attempt to guess your (not very close) friends bank PIN via their phone. Each day you have a certain number of guesses per day before being locked out. How many guesses do you need to recover the full PIN? If you correctly guess one partial PIN, you now have the requested positions digits and your chances of guessing the full PIN increases on guessing again. For example, if the full PIN is six-digits and the partial PIN is three-digits, guessing the partial PIN correctly reduces this probability from one in a million to a much more manageable one in a thousand. This begs the question whether partial PINs are less secure than full PINs? And how many guesses would it take to brute force a full PIN by guessing its partial PIN at each log in? In this talk I will show how we went about answering these questions by simulating the guessing process on different length PINs with different length partial PINs. I will also talk about the four different guessing strategies we created to compare their guessing efficacy and present our results. |
 Collins Munyendo PhD Student in Computer Science, The George Washington University Homepage: https://collinsmunyendo.github.io/ | “The Same PIN, Just Longer”: On the (In)Security of Upgrading PINs from 4 to 6 digits. With the goal of improving security, companies like Apple have moved from requiring 4-digit PINs to 6-digit PINs in contexts like smartphone unlocking. Users with a 4-digit PIN thus must “upgrade” to a 6-digit PIN for the same device or account. In an online user study (n = 1 010 ), we explore the security of such upgrades. Participants used their own smartphone to first select a 4-digit PIN. They were then directed to select a 6-digit PIN with one of five randomly assigned justifications. In an online attack that guesses a small number of common PINs (10–30), we observe that 6-digit PINs are, at best, marginally more secure than 4-digit PINs. To understand the relationship between 4- and 6-digit PINs, we then model targeted attacks for PIN upgrades. We find that attackers who know a user’s previous 4-digit PIN perform significantly better than those who do not at guessing their 6-digit PIN in only a few guesses using basic heuristics (e.g., appending digits to the 4-digit PIN). Participants who selected a 6-digit PIN when given a “device upgrade” justification selected 6-digit PINs that were the easiest to guess in a targeted attack, with the attacker successfully guessing over 25% of the PINs in just 10 attempts, and more than 30% in 30 attempts. Our results indicate that forcing users to upgrade to 6-digit PINs offers limited security improvements despite adding usability burdens. System designers should thus carefully consider this tradeoff before requiring upgrades. |
 Sanchari Das Assistant Professor, University of Denver (Inclusive Security and Privacy-focused Innovative Research in Information Technology: Inspirit Lab) Twitter: https://twitter.com/DrSanchariDas Linkedin: https://www.linkedin.com/in/sanchari-das/ Mastodon: @[email protected] | “Too Cute of a Toy” Evaluating the Usability of Multi-Factor Authentication Security Keys for Athletes Multi-Factor Authentication (MFA) is increasingly important in today’s digital landscape, particularly as sensitive information is being transmitted and stored online. Security keys like YubiKeys have become a popular form of MFA as they require physical possession to authenticate a user’s identity. However, little attention has been given to the usability of MFA tools among athletes, who may face unique challenges due to the physical demands of their sport, including Traumatic Brain Injuries (TBI). To address this gap, we conducted a comparative study was conducted with five athletes and five non-athletes, using a think-aloud protocol, to gain insights into their understanding of the YubiKey and any difficulties encountered. The study revealed specific areas of difficulty related to website navigation and comprehension of the YubiKey’s purpose, which are critical for effective use of the tool. The findings highlight the importance of considering the unique needs and limitations of different user groups, including athletes, when developing MFA tools to safeguard personal and professional information. |
 Mackenzie Jackson Security Advocate @ GitGuardian Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learned first-hand how critical it is to build secure applications with robust developer operations. Today as a Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code. Linkedin: https://linkedin.com/in/advocatemack Twitter: https://twitter.com/advocatemack | Gaining access through leaked credentials – How attackers discover and exploit secrets The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was quantified in a year-long research study by GitGuardian which found 6 million secrets were leaked in public repositories on Github.com. The report also showed that nearly 5% of docker images contain at least one plain text secret. This talk will examine why secrets are so frequent in public spaces despite being a highly valuable asset and how attackers discover these credentials. Building from this we break down three recent successful attacks which all used leaked credentials, CodeCov2021, Indian Government 2020 and the Lapsus breaches of 2022. Examining each different methodology used in these we will show the different techniques attackers used to harvest and exploit credentials. Finally, we break down the different methods and tools can be used to extract secrets from source code, reviewing the pros and cons of each. |
 Per Thorsheim Per is the founder of PasswordsCon. | I just might have something to say… Watch this space! |