Paul Van Oorschot
Learning about Human-Computer Authentication through Graphical Passwords
Abstract: Passwords are inseparable from computers. To most users, passwords are a nuisance — they get in the way of our primary tasks. On the other hand, attackers view passwords more favourably — because they are amenable to so many easy forms of attack, providing access to user accounts. The challenge is therefore to design password systems which are simultaneously usable and secure. Recent years have seen numerous proposals of new password schemes involving images — so-called graphical passwords — in an attempt to address long-standing problems with traditional alphanumeric text passwords.
We provide a selective review of research in this area over the past five years, including security and usability analysis of existing proposals, design and analysis of new proposals, and the value of user studies. Our goal is to design better password systems in general, including text password systems, through principles learned from experience with graphical password systems; and more broadly, to extract principles of general use in the emerging field of security and usability, as it becomes an important sub-discipline of computer security.
Biography: Paul Van Oorschot is a Professor of Computer Science at Carleton University, where he is Canada Research Chair in Network and Software Security, and founding director of Carleton's Computer Security Lab. He previously held positions in network security R&D and senior management at Bell-Northern Research (Ottawa), Entrust Technologies (Ottawa), and Cloakware Corp. (Ottawa). He completed his PhD in Computer Science at the University of Waterloo in 1988.
He is co-author of the standard reference Handbook of Applied Cryptography, and regularly serves on program committees of major international computer security conferences, including ACM CCS, NDSS, USENIX Security, and IEEE Security and Privacy. He is on the editorial board of ACM TISSEC, and was Program Chair of USENIX Security 2008, and of the Internet Society's NDSS 2002 and 2001. He is Scientific Director of NSERC ISSNet, a pan-Canadian research network exploring Internetworked Systems Security. His current research focus includes computer security and usability, software security, authentication and identity management, and Internet security.