
No More Graphical Passwords

BSides Las Vegas · 2015 · 25:58 · 28 views · Published 2016-12
Speaker: Mark Burnett
Category: Technical
Style: Talk
About this talk
Mark Burnett critiques graphical password schemes and the misallocation of research effort toward dead-end authentication approaches. He traces password history from the 1960s, outlines fundamental weaknesses in graphical systems (small keyspace, accessibility barriers, lack of standardization), and argues for industry-wide authentication standards and metrics rather than proliferating incompatible proprietary solutions.
Original YouTube description: PW - No More Graphical Passwords - Mark Burnett Passwords BSidesLV 2015 - Tuscany Hotel - August 05, 2015
Transcript [en]

[Introduction by the host, unintelligible in the auto-generated transcript] [Music] Nice introduction. All right, um, Mark Burnett. I do security. I've been doing it for, believe it or not, about 15 years. I've been working in security about 15 years; I've been working in IT, working with, you know, security-related stuff,

for about 20 years. I've been writing code for about 30 years. In the last 15 years I've worked in just about every area of security; a lot of what I do now is code security, developing, creating presentations, things like that. But I just kind of wanted to start by talking about how I got into security and how I got interested in passwords. It started off about 20 years ago. I was working for this company and I was writing code, and I'd go in every day to work, sit down at my computer, type in my password, which was, you know, dog name, couple numbers, and work all day,

write code all day, shut down at the end of the day. Next day, walk in, type in my password, dog name, couple numbers, and I'd do this every day. About every month or so they would ask me to change my password, and so, being as clever as I was, I would increment it. So, you know, one day it was dog name 12, the next time it was dog name 13, and sometimes I would get really clever and skip a few, you know, dog name 19, dog name 25. So that was me. And so anyway,

it was a boring job, so I spent a lot of time researching, and I got into researching security, mostly actually hacking, and I was really interested and I learned a few tricks, just tricks. And I got this reputation around the office of being the office hacker, you know, because I had these things that made me look smarter than I really was. One day one of the managers came to me and said they had this problem. What happened was the network administrator and the VP got in an argument and the administrator just left the company, but he didn't tell anyone his passwords. Now, the VP was too stubborn to call and ask for the

passwords. So this manager comes to me and says, since I'm the hacker, he wants me to go and break all the passwords for the network. And I said, yeah, okay, sure, but I got thinking, oh no, what did I get myself into, because it was really just a few tricks I knew. So I spent a few hours doing this, and one thing I realized is that people have really bad passwords. It wasn't just me, it was everyone. Another thing I realized is that I was pretty good at guessing. I went from one system to another, got all this guy's

passwords, I mean, it was, you know, Superman12, Superman2, Superman123, Wonder Woman, just really obvious passwords. So I wrote them down and sent them to the manager. Well, next morning, as I was walking up to the office, the President and the Vice President of the company just happened to be walking in at the same time I was, and I swear they rehearsed this, but as I walked up they both bowed before me, opened the door and let me into the office. And so I thought it was pretty cool, you know, like, I'm the office hacker. And I went down,

sat at my desk and typed in my password, you know, dog name 59, and that's when I realized how horrible I was. I was just as vulnerable as anyone else was. So I got into security, I got into passwords, and it kind of became like my life's hobby, really, to learn about passwords, learn how people choose passwords, learn about the thought process that goes behind it. So that's my thing. I've spent my years doing that; even though I've got my day job, I've always been fascinated with passwords, and I think it's great that we have so many other people here who are interested in passwords. Thanks for

letting me speak here. Really, my talk is just a big rant, so thanks for listening to my rant. I've never had an audience listen to me complain about passwords. My wife, well, she only likes me to do it when she's trying to fall asleep at night: talk to me about passwords. So yeah, she thinks I'm an idiot. So anyway, I get a lot of emails because I've been doing password stuff for a long time. I get emails from people who want me to check out their password solution, and yeah, that's great, I love looking at new stuff. But I've warned them, though,

that if this is a graphical password scheme, I'm not going to be nice. It's always a graphical password scheme, so I'm never nice. But, you know, I hate them. I've gotten to the point where I really hate them. I hate hearing about them; every day there's a new patent for a graphical password scheme. I also hate all the biometric stuff. I mean, come on, logging in with your feet? I know, I love biometrics, but I hate how much time is spent and how much effort is spent on logging in with your knuckles, your feet, or, you know, the way you walk or whatever. I think it's just a huge waste

when there are so many other problems that we need to solve and that we haven't solved all these years. Another thing that's kind of annoying is seeing how many mobile authentication apps there are. And they're good; many of them are solid. But the thing is, we don't need a thousand of them, each one proprietary, each one not working with the others, and each one requiring a major investment from the company. So that's kind of what I hate. There are some more things I hate: press releases with "the password killer" in the title, research papers with "a novel approach" that is never a novel approach, articles with the phrase "passwords are

passé" in the title, "kill the password", and I really hate the stock photo that is everywhere. I mean, you don't see an article about this without that stock photo. Yeah, and sometimes it's red, and sometimes it's reversed; there's one that's reversed. So okay, I've got this, um, tie, and I'm going to give it away. A contest here: if anyone can tell me who or what or anything about the first password hacker, or when. [Audience guess] Way back, back in the 60s, right? You are correct, so you get a tie. So it started off with this guy right here who came up with the password scheme, the first passwords

used on a computer. And, you know, with time sharing they had a way they kept on file, separately, the way they kept track of the time used on the computer. Well, Allan Scherr... that's Corbató, oh yeah, yeah. And um, Allan Scherr was one of the students there, one of the doctoral students; he needed more time, he'd used up all his time on the system, so he found out there was a file, I see here, grab my thing, UACCNT.SECRET, that was a file that had all the passwords in it. And even though he didn't have access to the file, they had this system where when you

wanted to run a print job, and, you know, it usually took a while to queue up the print job and get it all printed, you'd submit a punch card with your account name and the name of the file you wanted, and then you'd go and pick it up later. So he submitted that file name with a system account name, and when he picked up the password file later he had all the accounts. So that's the first password hack. Okay, so graphical passwords. Graphical passwords. So we spend, like I said, a lot of time working on graphical passwords; other people have for a long time, but you know,

okay, I pick on graphical passwords because it's a good example of going astray with the way we do research. 17,911 patents for graphical passwords and image-based passwords. Think about that: seventeen thousand nine hundred and eleven patents. I think we've thought that one through all the way. I mean, we don't really need any more graphical password schemes. There are about 2,100 research or scholarly documents written about graphical password schemes. I mean, we spent way too much time figuring out problems that weren't really problems in the first place and really don't need solving. So the flaws. Okay, well, first of all,

graphical password schemes usually... there's, like... ten minutes already? Wow. I've got a lot more ranting to do, come on. Anyone want to hear any more ranting? Okay. So you're presented several images and you pick one or two, or you pick some points on a picture, or you draw a shape, or something like that. And now the flaws are: it's a small keyspace. Now, a lot of people argue this; you see these formulas in the research papers that say how large the keyspace is. They're wrong, okay? The keyspace is small. Most of them are based on visual

interactions, okay, so you've limited people with visual impairments, you have issues if you don't have a graphical screen or graphical environment, you can't use it with an API or anything like that. Another problem is they're not exact, so they have to be a little bit fuzzy, if you don't hit the right spot on the screen or whatever. And if you do allow that, I mean, if you're not exact, that's basically like a password where they let you enter it one letter off and they'll still accept it. Or they're too exact, where you get a lot of false negatives and

you're rejected. Hashing issues: a lot of times these schemes are based on, given that you have to have some logic where it has to make a decision whether to let you in or not, you can't just take it like a password and hash it and compare it. So, depending on the scheme, there are issues with storing the hash; they actually have to store, in encrypted form, the actual answers. Open to shoulder surfing. Less convenient: sometimes it's actually easier to type in a password than picking pictures from the screen or whatever, moving the mouse around. And they're still a password; they're still knowledge-based and still have a lot of the same weaknesses as

passwords. Now, okay, so one of the things we can do: it's been 50 years and we really haven't made a lot of progress on passwords. I mean, we've come up with some things, we've come up with some good ideas, and some of the policies, you know, things have relaxed, and people are a little bit smarter, admins are a little smarter about how to do things. I remember once on a mailing list, it was about 15 years ago, where I talked about how password length is all that really matters. They were talking about complexity, character sets, all that, and I said, you know, if you have the password long enough

it really doesn't matter which characters are in there. I got so much hate mail from that, I mean, jeez. So anyway, it's taken a while just to get that, just the basic things, down. I mean, we're still having secret questions where they ask for your eye color. We still haven't really got the basics down, let alone the more difficult problems. So I was thinking that it would help if we had more standardization, to help us figure out really what our problems are, what our weaknesses are, and go from there. That way we know where we need to spend our effort. Authentication standards: there are a number of them, we may

be hearing of the FIDO Alliance, [other alliances, unintelligible], and there are all these competing groups trying to develop standards. Of course the FIDO Alliance has got quite a bit of industry support, but there are also a lot of other groups trying to establish these standards. But what we really need are metrics. These alliances are mostly APIs for communicating, but the metrics are really what tell us what's wrong with our systems, verify that our mechanisms for authenticating are really working the way we think they work; it's guidance for developers, it helps you when you want to purchase products, and you understand, really, you quantify the strengths and weaknesses of any system. Oh, come on,

there we go. Okay, this is what happens without standards. Okay, so this is a patent I found one day. Fingerprints: you know, people don't like fingerprints, so hey, someone thought they had a great idea, put a fingerprint on a device, you know, a little fake fingerprint, so you've got a fingerprint on a device. The problem is, instead of getting the best of both worlds you get the worst of both worlds. But anyway, one of the groups is IDESG, and they have done a lot of work on standardizing, coming up with these metrics, coming up with these principles, guiding principles for how authentication should happen. It's still

really unorganized, it's still very much in its infancy, but it's the one I've seen that has the most potential. I think we as a community should participate in that and guide the direction we take on authentication. But beyond what they've established, we've got accessibility issues. I mean, my ten-year-old doesn't have a cell phone, my father-in-law doesn't have a cell phone and would not use one anyway, so, you know, authentication going through SMS isn't going to work with him. There are legal issues, there are ethical considerations, for example using biometrics and enrolling people without their knowledge. Facebook has done this, where they use behavioral analysis to understand if it's really you

interacting with the site. That's kind of a light example, but a company could, for example, take pictures as you're walking in and use that to enroll you, basically, into an authentication system without your knowledge. There are also cultural issues; there are also issues like some people just don't like touching things other people have touched, so a fingerprint scanner may not be a good idea for people like that. So, design patterns. Oh my, there's no time. Okay, so another thing we need to do is establish well-defined design patterns. We've done things, you know, we've said you've got to use a hash, a salt with your hash, you've got a certain process you go through with

your password resets. But I mean, we're still having problems with secret questions, all these things. Token and attribute binding is another area where you don't see a lot of talk about that. Multi-factor authentication, people are still doing that wrong. With multi-factor there's an issue here with usability; like I said, my father-in-law or my ten-year-old, I mean, we don't really have systems that'll really work for people like that who don't really understand computers very well, or who are too young, or who may have other disabilities. We don't really have good ways to scale that, user base scalability. My key chain has

like 10 tokens on it, you know, hardware tokens, because I like hardware tokens, but come on, does anyone else like hardware tokens? So, you know, that's only going to go so far. You can only have so many hardware tokens, and to really have that security you've got to have some kind of way to make this work on a user-scalable basis. Loss recovery: recovering from losing your token, or the token breaking, a token wearing down. A lot of companies allow multiple tokens, but they only let you use one at a time; you can choose, and they support different methods, but they only let you pick one. It would be nice

if I could use a hardware token when I log in to my computer at home, a different token when I log in at work, and maybe a different token, like a Google Authenticator number, a TOTP number, whatever, when I log in from my phone. I mean, it would be nice to be able to have multiple tokens. One thing that Google supports is having multiple tokens when you log in, so if you lose one you can have a backup one to recover. So with multi-factor it would be nice to be able to have more than one token if we want it, but the thing is that we really haven't established guidelines for how

to do this, and, you know, we haven't really said you need to support multiple tokens, you need to support this minimum amount of security. Just like with LastPass: I mean, you log in with your YubiKey or something like that, but on your phone you just log in with your phone and it lets you log in with that; you don't have to provide the second factor, presumably your phone is the second factor, but you can lose your phone. Well, I missed all my good stories. Okay, here's a good story; this is my conclusion, it's a story. So I used to play around with my kids

and have them type passwords behind my back, like common passwords, and I'd guess what the password was. So one time, years ago, I was doing a sales meeting with a client and the admin gets up, and I was actually passing a kidney stone at the time, so I was kind of like this, but he types in this password and I recognize it, you know, admin123. I mean, I knew this password so well, the sound of it when you type it; sometimes it sounds really distinct. I said, your password's admin123. It was quiet for a second, and then the whole room burst out laughing; this admin turned bright red. But yeah, good skill to

have. I didn't get the job, though. So anyway, I mean, we're a world of secrets, we've got passwords, but we really haven't developed much. I mean, you read these old mailing lists and they're having the same problems, having the same discussion that we're having today. We really haven't figured this out, and we as a community kind of need to contribute and guide the thinking, and guide the research, and write blog posts, and establish where we should put in our effort, what are the problems that are unsolved, that we really haven't solved yet. That's it. Any questions? [Audience] I noticed that you use

the example of the dog's name many times without telling us the dog's name. Is that because you still use it, or something, some password you just can't change? Dog2015? [Mark Burnett] Yeah, I'm way past that. [Audience] Sorry, I was just gonna ask you the name of your dog. [Music] [Host] Well, I think Mark should stick around for the last talk as well; it could be interesting. [Audience] Well, since we're doing lighthearted questions, what are your views on the use of janitors' key rings for multiple physical tokens? [Mark Burnett] No, that's a great idea; that's about where I'm going to move into. I had one of my sons, he just

loses everything; we've gone through like six cell phones. I gave him a token, you know, my kids, they have to deal with me, so I gave him a token to log into the account. He lost it, so I put a chain on it, a big long chain; the next one I gave him a big long chain and he still lost it, so I gave up. Yeah, I should have gotten one of those janitor things. [Host] So Mark actually has done a book on passwords; I remember purchasing that online, just had to read it. [Mark Burnett] I wrote that ten years ago and it's all still

valid, much of it still valid today. [Audience] I mean, I have no better answer than you on, like, why we continue getting stuck, but one thing I have observed is that a common thread is when people start talking about, you know, how to get rid of passwords, they always start thinking in the absolute wrong place and making a long list of what's wrong with passwords. If you want to get rid of them, you'd be far better off making a list of what's right with passwords, because it gives you a better understanding of, you know, why these guys have beaten everyone who's climbed into the ring with them in the last, you know, quarter

century. Make a list of everything that's right with them; it gives you a better idea. [Mark Burnett] Yeah, exactly. And it's always "passwords are broken, so hey, let's get rid of them, let's replace them," and then the first logical conclusion is, what if we can log in with pictures? But see, the thing is, if you're going to do pictures, you might as well just think of, you know, the pictures, you know, apple, dog, whatever, battery, and write out the words as your password. If you're going to have to remember what it was anyway, you might as well use that as your password. Huh? What's that? Okay, blue, yeah, I'll do that. [Audience] Having watched both movies, like, you

know, WarGames and Sneakers, and obviously both of you have watched those movies multiple times, and if you haven't, shame on you. What's the password for Dr. Falken's profile? [Mark Burnett] Joshua. [Audience] Joshua, okay. And then what we seriously need to do, you know, a password population size for trivia... How about Trinity's password in The Matrix? [Mark Burnett] Zion, with the zero. [Audience] Of course. The German hacker in the Cliff Stoll book, The Cuckoo's Egg, he used Benson and Hedges, I just... yeah, Benson. He used the same password on different accounts. Nuclear launch codes for the US until... [Mark Burnett] Eight zeros. [Audience] Yep, roger that. I

appreciate everyone today. Okay, so again, thank you very much. [Applause]
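The talk makes three quantitative claims in passing: that click-based graphical schemes have a small keyspace, that the acceptance tolerance needed to make them usable shrinks that keyspace further, and that password length matters more than character set. The following Python is an added illustration of those points, not code from the talk or from any real graphical password product; the image size, tolerance and click count are constructed values, and the keyspace figures are uniform-choice upper bounds.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ClickPointScheme:
    """A hypothetical click-point graphical password: the user clicks N points
    on an image. All parameters are constructed for this illustration:
    image size in pixels, the acceptance tolerance (a click within this many
    pixels of the stored point is accepted) and the number of clicks."""
    width_px: int
    height_px: int
    tolerance_px: int
    clicks: int

    def distinguishable_cells(self) -> int:
        # The tolerance partitions the image into a grid of cells. Two clicks
        # in the same cell are indistinguishable to the verifier, so only the
        # number of cells counts toward the keyspace, not the number of pixels.
        cols = math.ceil(self.width_px / self.tolerance_px)
        rows = math.ceil(self.height_px / self.tolerance_px)
        return cols * rows

    def keyspace(self) -> int:
        # Upper bound: assumes every cell is equally likely to be chosen.
        # Real users cluster on hotspots, so the effective keyspace is smaller.
        return self.distinguishable_cells() ** self.clicks

    def bits(self) -> float:
        # Entropy of a uniformly chosen sequence of `clicks` cells.
        return self.clicks * math.log2(self.distinguishable_cells())


def text_password_bits(length: int, charset_size: int) -> float:
    """Maximum entropy of a uniformly random text password."""
    return length * math.log2(charset_size)


def text_length_for_bits(bits: float, charset_size: int) -> int:
    """Shortest text password over the given charset that reaches `bits`."""
    return math.ceil(bits / math.log2(charset_size))


LOWERCASE = 26          # a-z
PRINTABLE_ASCII = 95    # all printable ASCII characters


def compare(scheme: ClickPointScheme) -> dict:
    """Summarise a scheme against text passwords of equal strength."""
    b = scheme.bits()
    return {
        "cells": scheme.distinguishable_cells(),
        "keyspace": scheme.keyspace(),
        "bits": round(b, 2),
        "equivalent_lowercase_length": text_length_for_bits(b, LOWERCASE),
        "equivalent_printable_length": text_length_for_bits(b, PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    # Constructed example: a 400x300 image, five clicks, three tolerances.
    # Looser tolerance (fewer false negatives) means fewer cells and fewer bits.
    for tol in (40, 20, 10):
        s = ClickPointScheme(400, 300, tol, 5)
        print(f"tolerance {tol:>2}px -> {compare(s)}")
    # Length versus character set: a longer lowercase password out-scores a
    # shorter one drawn from the full printable set.
    print("12 lowercase:", round(text_password_bits(12, LOWERCASE), 2), "bits")
    print("8 printable :", round(text_password_bits(8, PRINTABLE_ASCII), 2), "bits")
```

Running it shows that the 20-pixel-tolerance scheme with five clicks is worth about 41 bits, the same as a nine-character lowercase password, and that widening the tolerance to 40 pixels drops it to around 32 bits. The same arithmetic gives 12 lowercase characters more headroom than 8 characters drawn from all 95 printable ASCII characters, which is the length-over-complexity point from the mailing-list story.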
