Hazel Murray

Hazel Murray, David Malone

We present a quantum multi-factor authentication mechanism based on the hidden-matching quantum communication complexity problem. It offers step-up graded authentication for users via a quantum token. In this paper, we outline the protocol, demonstrate that it can be used in a largely classical setting, explain how it can be implemented in SASL, and discuss arising security features. We also offer a comparison between our mechanism and current state-of-the-art multi-factor authentication mechanisms.

Hazel Murray, David Malone

Authentication security advice is given with the goal of guiding users and organisations towards secure actions and practices. In this paper, we demonstrate that security advice can be ambiguous, contradictory and at times may not even have any clear benefits. We expand on current work by defining a formal approach to identifying costs of security advice and instigate a user study to identify the costs that apply to a large range of authentication advice. We also apply a simple framework for analysing the authentication related security benefits of advice. This allows us to identify costs and benefits for all classes of security advice.

Hazel Murray, David Malone

The multi-armed bandit is a mathematical interpretation of the problem a gambler faces when confronted with a number of different machines (bandits). The gambler wants to explore different machines to discover which machine offers the best rewards, but simultaneously wants to exploit the most profitable machine. A password guesser is faced with a similar dilemma. They have lists of leaked password sets, dictionaries of words, and demographic information about the users, but they don't know which dictionary will reap the best rewards. In this paper we provide a framework for using the multi-armed bandit problem in the context of the password guesser and use some examples to show that it can be effective.

Hazel Murray, David Malone

Leaks from password datasets are a regular occurrence. An organization may defend a leak with reassurances that just a small subset of passwords were taken. In this paper we show that the leak of a relatively small number of text-based passwords from an organizations' stored dataset can lead to a further large collection of users being compromised. Taking a sample of passwords from a given dataset of passwords we exploit the knowledge we gain of the distribution to guess other samples from the same dataset. We show theoretically and empirically that the distribution of passwords in the sample follows the same distribution as the passwords in the whole dataset. We propose a function that measures the ability of one distribution to estimate another. Leveraging this we show that a sample of passwords leaked from a given dataset, will compromise the remaining passwords in that dataset better than a sample leaked from another source.

Hazel Murray, David Malone

Password advice is constantly circulated by standards agencies, companies, websites and specialists. But there appears to be great diversity in terms of the advice that is given. Users have noticed that different websites are enforcing different restrictions. For example, requiring different combinations of uppercase and lowercase letters, numbers and special characters. We collected password advice and found that the advice distributed by one organization can directly contradict advice given by another. Our paper aims to illuminate interesting characteristics for a sample of the password advice distributed. We also create a framework for identifying the costs associated with implementing password advice. In doing so we identify a reason for why password advice is often both derided and ignored.