[ NNSquad ] Red Cat, Green Chair, Blue Square: A Security Experiment

Over the weekend I ran a quickie little "security experiment" on my
public Google+ feed.  Since I purposely kept the underlying rationale
opaque, a lot of folks have been asking what the blazes I was up to.
So rather than contacting everyone individually (both those who
participated -- thanks! -- and those who just saw the experiment zip by
their streams) here's the scoop, such as it is.

We all realize -- or should -- that conventional passwords are rapidly
entering the "end days" of their usefulness.  A chain of major site
password mass security breaches, not to mention the constant buzz of
individuals who suffer password compromises through phishing and other
attacks, obviously point to fundamental flaws in most existing
password regimes.

But getting out from under password systems is a serious challenge.
Site access control can be integrally linked with extremely difficult
and complex foundational identity management issues, and these rapidly
descend into a complex mess of technology intertwined with law
enforcement and political machinations.

Some attempts at "solving" this situation could actually make matters
far worse.  For example, I am extremely skeptical of a current US
federal government identity project -- entangled with Homeland
Security and intelligence agencies -- that I feel could be subject to
serious abuse both by private parties and government itself.

But even as we work toward acceptable identity solutions (which must
also protect pseudonymous and anonymous access paradigms in
appropriate circumstances), we need some shorter term methods to
improve on the current password status quo as well.

One of these is so-called multiple-factor (e.g. two-factor)
authentication, which uses a password in conjunction with changing
numeric or other codes tied to particular user access devices and/or
applications.  These codes can have varying expiration rates, and can
be generated and deployed via portable hardware, software programs,
smartphone apps, telephone calls, paper printouts or other methods.

The basic idea is that unless you know the password and also the
currently valid authentication code -- particularly on a device or via
a connection that you haven't used previously -- you are forbidden
system access.  There are numerous variations on this theme, including
purely hardware-based constantly changing password systems, though
even these have not always proven invulnerable to external attacks.
Still, they're better than a simple password in the vast majority of

Google has long offered optional two-factor authentication for most of
their user accounts.  More firms have been making this option
available as well.

I've successfully introduced quite a few people to various optional
two-factor authentication systems.  I have been less successful at
getting them to stay with such systems, however.

As the number of user devices and online apps increases, and the
authentication code expiration times shorten, the hassle factor
involved with re-authentication begins to notably climb, often to a
level where many users simply don't want to deal with it any more, and
disable it if possible -- returning to simple and vulnerable password
access control.

It would be great if we could solve our fundamental access and
identity issues related to the Internet.  And we'd all be safer for
now if everyone was using multiple-factor authentication.

But I was curious to see if any sort of middle ground might also exist
between conventional passwords and typical multiple-factor access.

While most multiple-factor systems use some sort of "external"
mechanism to generate password code sequences, there is another way to
generate a sort of additional factor as well.

When you think about it, an advantage that the legitimate user of an
access account has over a remote attacker is that in the vast majority
of cases the legit user has previously been logged into the account,
and the attacker has not.

So is there a way to leverage this fact to provide a bit more than
standard password security?

Yes, and some of these are already in use.  Typical "security
questions" sometimes pushed at users may arguably fall into this
category.  First pet's name.  Grandmother's name.  First school.  Or
create your own question ...

This technique has value, but creates problems as well.  Most people
feel compelled to answer these questions honestly (or else, they
perhaps reason, they'll forget the falsified answers), and there have
been many cases where typical questions have been compromised across
systems and in conjunction with other information sources.

Ideally, you want any additional "security question data" to be system
generated, memorable to users, and unique from system to system, so
that the compromise of a password (given the unfortunately common
practice of people using the same password on multiple systems) may
still be limited in terms of resulting effective authentication

And this finally gets us to my simple little weekend experiment.

On my Google+ stream, I first sent out -- without explanation other
than labeling them as security images 1, 2, and 3 -- a simple graphic
of a green chair, a red cat, and a blue square.  I disabled comments
on these postings to discourage public speculation.

A bit later in the day, I sent out three screenshots of my Google+
home page, each with one of these small images superimposed in an
otherwise empty area of the page, and now textually labeled beneath
each graphic: GREEN CHAIR, RED CAT, BLUE SQUARE.  Again, comments were

I refused to substantively respond to questions regarding what this
was all about.

The next day -- yesterday -- I sent out a note asking anyone who had
seen those images to please privately let me know what they remembered
of those color/object pairs, and I asked for their honesty in not
looking back on the stream.

I've gotten a pile of responses back and they're still coming in.
They've provided some really fascinating insight into what people
remembered, what they've confused, and how these test images and
labels interact in viewers' minds.

This was purposely made difficult.  Not only did I send out multiple
test pairs without any genuine explanation, I never even suggested
that there was any reason to bother remembering them at all.

By now you've probably figured out the underlying purpose of this

I was curious as to how memorable these sorts of labeled images would
be under obscure circumstances, toward analysis of their possible
usefulness as a routine additional login access security factor.

For example, if a system (when you're logged in) routinely displayed a
small labeled image of a red cat, and if when trying to login from an
unfamiliar location you were asked to input your security image ("red
cat") in addition to providing your password, would you remember the
image?  Could something like this be used as a default mechanism to
provide some stopgap security beyond passwords for persons unwilling
or unable to use true multiple-factor authentication?
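To make the proposed mechanism concrete, here is a small login flow written as an added example (it is not code from the post or from any product): the system generates a color/object label per account, displays it on logged-in pages, requires it only when the password arrives from a device that has not logged in before, and caps wrong guesses because the label space is small.  The vocabularies, device identifiers and attempt limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
# Constructed vocabularies for the generated label; real lists would be larger.
COLORS = ["red", "green", "blue", "yellow", "purple", "orange"]
OBJECTS = ["cat", "chair", "square", "boat", "lamp", "tree"]
MAX_IMAGE_ATTEMPTS = 5  # the label space is small, so online guessing must be capped

def normalize(label):
    # "GREEN CHAIR", " green  chair " and "Green chair" all compare equal
    return " ".join(label.lower().split())

class Account:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        # Generated by the system per account: a password reused elsewhere reveals nothing
        self.security_image = f"{secrets.choice(COLORS)} {secrets.choice(OBJECTS)}"
        self.known_devices = set()
        self.image_failures = 0

    def password_ok(self, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)

    def image_ok(self, answer):
        return hmac.compare_digest(normalize(self.security_image).encode(),
                                   normalize(answer).encode())

def logged_in_page(acct):
    # Shown routinely while logged in (as the post's screenshots did) so it gets memorized
    return f"Your security image: {acct.security_image.upper()}"

def login(acct, password, device_id, image_answer=None):
    """Password alone suffices on a familiar device; an unfamiliar one must also give the label."""
    if not acct.password_ok(password):
        return "denied"          # do not reveal which factor failed
    if device_id in acct.known_devices:
        return "ok"
    if acct.image_failures >= MAX_IMAGE_ATTEMPTS:
        return "locked"          # too many wrong labels from unfamiliar devices
    if image_answer is None:
        return "need-image"      # prompt: "enter your security image"
    if not acct.image_ok(image_answer):
        acct.image_failures += 1
        return "denied"
    acct.known_devices.add(device_id)   # device is now familiar
    acct.image_failures = 0
    return "ok"
```

The lockout applies only to the image step, so a correct password plus a remembered device is never blocked by it; a real deployment would also notify the account owner of the failed attempts.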

It's clear that a single simple image can be quite memorable, but
would users tend to ignore (and forget) them if they're routinely
shown, and would confusion result between different images shown to
users on different systems?  How much additional security would such a
system provide from external password attacks or compromises,
particularly in shared password situations?

I can't answer these questions yet.  Looking more deeply at these
issues was why I conducted this experiment.  But the results so far
certainly look interesting to say the least.

So that's the story.  Thanks again to everyone who participated or
simply put up with the strangeness that passed through my Google+
stream over the weekend.

And remember -- the green chairs, the blue squares, and especially the
red cats are on our side in the security battles!

Take care, all.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
 - Data Wisdom Explorers League: http://www.dwel.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren 
Tel: +1 (818) 225-2800 / Skype: vortex.com