Towards strong and memorable passwords

System-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember.


In this paper, we propose a system-initiated user-replaceable password scheme called “Surpass” that lets users replace a few characters in a random password to make it more memorable. We conducted a large-scale online study to evaluate the usability and security of four Surpass policies, varying the number of character replacements allowed from 1 to 4 in randomly generated 8-character passwords. The study results suggest that some Surpass policies (with 3 and 4 character replacements) outperform the original randomly generated password policy in memorability by 11% to 13%, while showing a small increase in the percentage of cracked passwords. When compared to a user-generated password complexity policy (one that mandates the use of numbers, symbols, and uppercase letters), the Surpass policy with 4-character replacements did not show statistically significant inferiority in memorability. Our qualitative lab study showed similar trends. This Surpass policy did demonstrate significant superiority in security, though, with 21% fewer cracked passwords than the user-generated password policy.

This work has been presented at ACM CCS ’15. For more details, get the paper:

Jun Ho Huh, Seongyeol Oh, Hyoungshick Kim, Konstantin Beznosov, Apurva Mohan, and S. Raj Rajagopalan. 2015. Surpass: System-initiated User-replaceable Passwords. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS ’15). ACM, 170-181.
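As an added illustration of the scheme (not code from the paper), a minimal server-side check of a Surpass policy: the system issues a random password and accepts the user's version only if it keeps the length, stays within the alphabet, and differs in at most the permitted number of positions. The alphabet and the function names are assumptions.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # assumed alphabet
LENGTH = 8  # password length used in the study


def generate_system_password(length=LENGTH, rng=secrets):
    """System-generated random password: one uniformly chosen character per position."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def replaced_positions(system_pw, user_pw):
    """Indices at which the user's version differs from the issued password."""
    return [i for i, (a, b) in enumerate(zip(system_pw, user_pw)) if a != b]


def accept_surpass(system_pw, user_pw, max_replacements):
    """Surpass policy check: same length, every character from the alphabet,
    and no more than max_replacements positions changed (1 to 4 in the study).
    The check is always made against the originally issued password, never
    against a previously accepted user version, so replacements cannot accumulate."""
    if len(user_pw) != len(system_pw):
        return False
    if any(c not in ALPHABET for c in user_pw):
        return False
    return len(replaced_positions(system_pw, user_pw)) <= max_replacements
```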

Android Rooting: Methods, Detection, and Evasion

Users root their Android (or jailbreak their iPhone) smartphones in order to run useful apps that require root privileges, to remove restrictions imposed by carriers and hardware manufacturers, and to alter or remove system apps.


Rooted devices are prevalent. According to a recent Android security report, Google Verify Apps detected rooting apps installed on approximately 2.5M devices.

While useful, rooting weakens the security of Android devices and opens the door for malware to obtain privileged access easily. Without rooting, malware must exploit a system or kernel vulnerability present on the device in order to gain root access, which can be technically challenging. On a rooted device, however, any app can simply ask the user for root access with one line of code (e.g., Runtime.exec(“su”)). The security of a rooted device then relies solely on the device user regulating root access properly. Yet research shows that many users ignore security warnings due to habituation, lack of contextual information, or simply lack of motivation to do due diligence. Once root access is inadvertently granted, malware can gain unauthorized access to any sensitive data stored on the device, intercept user inputs, tamper with runtime code (e.g., circumvent security controls, intercept file I/O and network communication), and manipulate inter-app communications. Vendors have introduced several rooting prevention mechanisms, and sensitive or high-value mobile apps perform rooting detection to mitigate potential security exposures on rooted devices. There is, however, a lack of understanding of how the various rooting methods work and which rooting detection methods are difficult to evade.

At the CCS-colocated SPSM Workshop I presented a study, led by LERSSE’s Dr. San-Tsai Sun and Andrea Cuadros, which investigated methods for rooting Android devices, for detecting rooting, and for evading that detection. Our study resulted in (a) a taxonomy of rooting methods and traits of rooted devices, (b) an inventory of techniques for detecting whether a device is rooted, (c) a tool for detection analysis, and (d) an empirical analysis of rooting detection by real-world apps.


Based on our findings, we outline new directions for research in this area: reliably detecting rooting, reducing the need for rooting, and reducing the risks of rooting (specifically, the risk of social engineering attacks on the users of rooted devices).

For more details, read the paper.

How Much Can Chunking Help to Remember Banking PINs?

To ensure that users do not choose weak personal identification numbers (PINs), many banks give out system-generated random PINs. Four digits is the most commonly used PIN length, but 6-digit system-generated PINs are also becoming popular. The increased security we get from using system-generated PINs, however, comes at the cost of memorability. And while banks are increasingly adopting system-generated PINs, the impact of such PINs on memorability has not been studied.


In a collaboration among Honeywell ACS Labs, Sungkyunkwan University, Oregon State University, University of Illinois at Urbana-Champaign, and UBC, we conducted a large-scale online user study with 9,114 participants to investigate the impact of increased PIN length on the memorability of PINs, and whether number chunking techniques (breaking a single number into multiple smaller numbers) can be applied to improve memorability for longer PINs. Our findings have been reported at SOUPS ’15. As one would expect, our study shows that system-generated 4-digit PINs outperform 6-, 7-, and 8-digit PINs in long-term memorability. Interestingly, however, we find that there is no statistically significant difference in memorability between 6-, 7-, and 8-digit PINs, indicating that 7- and 8-digit PINs should also be considered when looking to increase PIN length from the currently common 4 digits to 6 digits for improved security.

By grouping all 6-, 7-, and 8-digit chunked PINs together, and comparing them against a group of all non-chunked PINs, we find that chunking, overall, improves memorability of system-generated PINs. To our surprise, however, none of the individual chunking policies (e.g., 0000-00-00) showed statistically significant improvement over their peer non-chunked policies (e.g., 00000000), indicating that chunking may only have a limited impact. Interestingly, the top performing 8-digit chunking policy did show noticeable and statistically significant improvement in memorability over shorter 7-digit PINs, indicating that while chunking has the potential to improve memorability, more studies are needed to understand the contexts in which that potential can be realized.

For more details, read the paper.

Touch ID: How Does It Affect iPhone Security?

Recently, Apple has introduced Touch ID, which allows fingerprint-based authentication to be used for unlocking an iPhone.

It’s positioned to allow users to use stronger passcodes for locking their iOS devices without substantially sacrificing usability. It is unclear, however, whether users take advantage of Touch ID technology and whether they indeed employ stronger passcodes. In order to answer this question, at LERSSE we conducted three user studies, through which we found that users do not take advantage of Touch ID and use weak unlocking secrets. To our surprise, we found that more than 30% of the participants did not know that they could use passwords instead of 4-digit PINs. Some other participants indicated that they adopted PINs because of their better usability in comparison to passwords. Most of the participants agreed that Touch ID indeed offers usability benefits, such as convenience, speed, and ease of use. Finally, we found that there is a disconnect between the security users expect their passcodes to offer and the reality: only 12% of participants correctly estimated the security their passcodes provide.

Find more details in our SOUPS ’15 paper.

Improving Detection of OSN Fakes by Predicting Victims

LERSSE student Yazan Boshmaf (co-supervised with Matei Ripeanu) has presented at NDSS the last part of his Ph.D. research, Integro.


Integro helps OSNs detect automated fake accounts using a robust user ranking scheme. The key idea is based on the insight that victims, benign users who control real accounts and have befriended fakes, form a distinct classification category that is useful for designing robust detection mechanisms. As attackers have no control over victim accounts and cannot alter their activities, a victim account classifier that relies on user-level activities is relatively hard to circumvent. Moreover, as fakes are directly connected to victims, a fake account detection mechanism that integrates victim prediction into graph-level structures can be more robust against manipulations of the graph.

Integro starts by predicting victim accounts from user-level activities. After that, it integrates these predictions into the graph as weights, such that edges incident to predicted victims have lower weights than others. Finally, Integro ranks user accounts based on a modified random walk that starts from a known real account. Integro guarantees that most real accounts rank higher than fakes, so that OSN operators can take action against low-ranking fake accounts. We implemented Integro using widely used, open-source parallel computing platforms, on which it scaled nearly linearly. We evaluated Integro against SybilRank, the state of the art in fake account detection, using real-world datasets and a large-scale deployment at Tuenti, the largest OSN in Spain. In particular, we show that Integro significantly outperforms SybilRank in user ranking quality, with the only requirement that the victim classifier used is better than random. Moreover, the deployment of Integro at Tuenti resulted in an order of magnitude higher fake account detection precision, as compared to SybilRank.
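The victim-weighted ranking described above, as an added example rather than the paper's own code: a constructed seven-account friendship graph, a constructed stand-in for the victim classifier's output, and a short trust-propagating random walk from one known real account. The edge weighting rule (the smaller of the two endpoints' non-victim probabilities, with a floor) and the walk length are assumptions simplified from Integro, and the same routine with all victim probabilities set to zero stands in for a SybilRank-like, victim-blind ranking.

```python
import math
from collections import defaultdict

# Constructed toy OSN (undirected friendships): real accounts r0..r3, a chain
# of fakes f0..f2, and one victim (r3) who befriended all three fakes.
EDGES = [("r0", "r1"), ("r0", "r2"), ("r1", "r2"), ("r1", "r3"), ("r2", "r3"),
         ("r3", "f0"), ("r3", "f1"), ("r3", "f2"),   # attack edges
         ("f0", "f1"), ("f1", "f2")]
# Constructed output of the user-level victim classifier: P(account is a victim).
VICTIM_PROB = {"r0": 0.0, "r1": 0.0, "r2": 0.0, "r3": 0.9,
               "f0": 0.0, "f1": 0.0, "f2": 0.0}
WEIGHT_FLOOR = 0.05   # assumed: never let an edge weight reach zero

def edge_weights(edges, victim_prob):
    """Assumed weighting (simplified from the paper): an edge is worth as much
    as its less trustworthy endpoint, so edges incident to likely victims sink."""
    return {(u, v): max(min(1 - victim_prob[u], 1 - victim_prob[v]), WEIGHT_FLOOR)
            for u, v in edges}

def rank_accounts(edges, victim_prob, seeds, steps=None):
    """Trust starts on known-real seeds and takes a short random walk that
    follows edge weights; the score is trust normalised by weighted degree."""
    adj = defaultdict(dict)
    for (u, v), w in edge_weights(edges, victim_prob).items():
        adj[u][v] = adj[v][u] = w
    nodes = list(adj)
    strength = {u: sum(adj[u].values()) for u in nodes}
    if steps is None:                     # early termination, as in SybilRank
        steps = math.ceil(math.log2(len(nodes)))
    trust = {u: (1.0 / len(seeds) if u in seeds else 0.0) for u in nodes}
    for _ in range(steps):
        nxt = dict.fromkeys(nodes, 0.0)
        for u in nodes:
            for v, w in adj[u].items():   # trust leaves u in proportion to w
                nxt[v] += trust[u] * w / strength[u]
        trust = nxt
    return {u: trust[u] / strength[u] for u in nodes}

def lowest_ranked(scores, k):
    """The k accounts an operator would review first."""
    return [u for u, _ in sorted(scores.items(), key=lambda kv: kv[1])[:k]]

if __name__ == "__main__":
    victim_aware = rank_accounts(EDGES, VICTIM_PROB, seeds=["r0"])
    plain = rank_accounts(EDGES, dict.fromkeys(VICTIM_PROB, 0.0), seeds=["r0"])
    print("victim-aware  :", lowest_ranked(victim_aware, 3))
    print("SybilRank-like:", lowest_ranked(plain, 3))
```

With the victim weighting every real account outranks every fake; with the weighting switched off, the low-degree fake f0 outranks the victim r3, which is the manipulation the victim classifier is meant to blunt.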

For more details, read the paper.

Improving Access Review with AuthzMap

Research led by LERSSE Ph.D. student Pooya Jaferian will be featured at SOUPS this July. By interviewing IT professionals, he explored the access review activity in organizations and then modeled access review in the activity theory framework. The model suggests that access review requires an understanding of the activity context, including information about the users, their jobs, their access rights, and the history of the access policy. Guidelines of activity theory were used to design a new user interface, AuthzMap, which was compared to two state-of-the-practice interfaces. The experiments demonstrated that AuthzMap improved the efficiency of access review in most scenarios. Read the full paper for details.


Serving on Computers & Security Editorial Board


As of January 2014, I’m serving on the editorial board of Elsevier’s Computers & Security journal. Apparently, it is the official journal of Technical Committee 11 (computer security) of the International Federation for Information Processing (IFIP). The journal is in its 29th year, which makes it one of the oldest archival publications in the field of computer security. One of the main goals of the editorial board nowadays is to arrange quality reviews with quick turn-around.


Final Report on Internet Voting

After about 18 months of work, the Internet Voting Panel I served on has released its final report on February 12 and submitted it to the Legislative Assembly of British Columbia. The report contains the panel’s conclusions and recommendations, and summarizes the benefits and challenges of implementing Internet voting for provincial or local government elections in B.C. On October 23, 2013, the panel published a Preliminary Report for a six-week public comment period, ending on December 4, 2013. The panel reviewed the commentary, including additional submissions from experts, academics, and vendors in the Internet voting community. The report can be found on the panel’s web site.

San-Tsai Sun defends his Ph.D. dissertation on Web Single Sign-On Systems and graduates

My Ph.D. student San-Tsai Sun has successfully defended and submitted the final version of his thesis, “Towards Improving the Usability and Security of Web Single Sign-On Systems.” He’s moving back to industry, where he will be applying his expertise in web security to real-world systems. Congratulations to San-Tsai on the very successful completion of the Ph.D. program, with many quality publications.