Stig F. Mjølsnes (Ed.)
Technology and Practice of Passwords
International Conference on Passwords, PASSWORDS’14
Trondheim, Norway, December 8–10, 2014
Revised Selected Papers
Lecture Notes in Computer Science 9393
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zürich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Editor
Stig F. Mjølsnes
Department of Telematics
Norwegian University of Science and Technology
Trondheim
Norway
ISSN 0302-9743 ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-24191-3 ISBN 978-3-319-24192-0 (eBook)
DOI 10.1007/978-3-319-24192-0
Library of Congress Control Number: 2015948775
LNCS Sublibrary: SL4 – Security and Cryptology
Springer Cham Heidelberg New York Dordrecht London
© Springer International Publishing Switzerland 2015
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
Printed on acid-free paper
Springer International Publishing AG Switzerland is part of Springer Science+Business Media (www.springer.com)
Preface
The International Conference on Passwords (PASSWORDS’14) was held December 8–10, 2014, at NTNU in Trondheim, Norway. This volume contains a collection of the 10 best papers presented at the conference.
Furthermore, the conference included four invited keynote talks:
– Alec Muffett: Crack - A Sensible Password Checker for Unix
– Marc Heuse: Online Password Attacks
– Benjamin Delpy: Mimikatz, or How to Push Microsoft to Change Some Little Stuff
– Sigbjørn Hervik: The Big Perspective!
The complete conference program can be found on the web at http://passwords14.item.ntnu.no.
Note that all presentations were video recorded by the NTNU Mediasenter and are available at https://video.adm.ntnu.no/serier/5493ea75d5589
The technical and practical problem addressed by this conference is illustrated by the fact that more than half a billion user passwords have been compromised over the last five years, including breaches at big internet companies such as Adobe, Twitter, Forbes, LinkedIn, and Yahoo. Yet passwords, PIN codes, and similar remain the most prevalent method of personal authentication. Clearly, we have a systemic problem.
The Passwords conference series started in 2010, when the initiator Per Thorsheim set out to rally the best-practice-driven password hackers and crackers from around the globe on the focussed topic of ‘all password related’. This includes attacks, analyses, designs, applications, protocols, systems, practical experiences, and theory. The intention was to provide a friendly environment with plenty of opportunity to communicate directly with the speakers and participants before, during, and after their presentations, and at social evenings with pizza. We did all this at PASSWORDS’14.
Five conference events have been organized in Norway since 2010 (Bergen, Oslo, Trondheim), mainly sponsored and supported by Norwegian universities and the FRISC research network. The attendance, significance, and reputation of the conference have been growing steadily. Annual participation has doubled over the past three years. About 90 participants attended PASSWORDS’14, with people arriving from 11 European countries, and from India, China, Russia, and the USA. The upcoming conference will be hosted by Cambridge University, UK, in December 2015. (It should be mentioned here that two more Passwords ‘presentations only’ conferences were organized in Las Vegas in 2013 and 2014, during the hot August ‘hacker weeks’ there.)
We set ourselves the challenge of attracting more university people to this important practice problem area. Hence PASSWORDS’14 became the first in this conference series to issue a call for papers in the academic sense with regular peer review and publishing.
Hackers, in the wide positive sense, are often enthusiastic presenters of their practical experience and exploits, but quite indifferent to writing papers. By contrast, scientists are good at writing papers, but often oblivious to the actual details of practice. At times, this difference in approach incites antagonistic attitudes between these communities. We wanted to mingle the two, shall we say, the explorers and the explanators, for mutual inspiration and communication to the benefit of the conference topic. Certainly a risky ambition, but we wanted to give it a try. And judging by the response from the participants, we succeeded!
Here is how the academic activity turned out. The uncertainty of whether we would receive a sufficient number of submissions in response to the call for papers made the Program Committee opt for a post-event proceedings publication. Consequently, the papers appearing in this post-event proceedings were selected in a two-round review and revision process. We received in total 30 submissions for the conference, including tutorials and short and long papers. The Program Committee accepted 21 of these submissions as qualified for conference presentation. This was done through a double blind review process with an average of 2.7 reviews per submission. A pre-proceedings was uploaded to the conference website. The second round happened in the months after the conference, when we received 13 papers for the submissions presented at the conference. These papers were now revised according to comments from the first round and questions/remarks made at the conference presentation, and showed the authors’ name and affiliation. Therefore we performed this round as a single blind review process with 2 reviewers per paper. This second review process resulted in 10 papers being finally accepted for publication. The EasyChair web service was used throughout this work.
July 2015 Stig Frode Mjølsnes
Acknowledgements
First of all thanks to my co-organizer Per Thorsheim for excellent and flexible cooperation both in the practical planning, the program creation, and in bringing all those world-class hackers to the conference. Great working with you!
All the names of the Program Committee members and the proceedings paper reviewers are listed below. Thanks to all of you for providing your expertise to the service of this conference!
Thank you to Mona Nordaune at the Department of Telematics, NTNU, for your expert assistance and efficient management in all matters of local conference organization. Thanks to PhD students Britta Hale and Chris Carr for the practical support work during the conference.
Andreas Aarlott, Magnus Lian, and Morten Nyutstumo at the NTNU Multimediasenter did the video recording and production of all conference presentations in a very professional and accommodating style.
Alfred Hofmann at Springer responded fast to my initial publication request, and the folks at Springer provided clear and professional guidance with respect to the editorial work.
The Department of Telematics, NTNU, hosted the conference at the Gløshaugen campus. The conference was organized and sponsored as part of the activities of the FRISC project (www.frisc.no), which I am heading. FRISC is a network of 10 Norwegian universities and research organizations with research groups in information security. The purpose of the FRISC network is to bring together practitioners and academics, and the Passwords conference series has been an excellent arena for this. FRISC is partly funded by the Norwegian Research Council.
Organization
Conference Program Committee Members
Stig F. Mjølsnes NTNU, Norway (papers chair)
Per Thorsheim God Praksis AS, Norway (tutorials and keynotes chair)
Jean-Philippe Aumasson Kudelski Security, Switzerland
Markus Dürmuth Ruhr-University Bochum, Germany
Tor Helleseth University of Bergen, Norway
Audun Jøsang University of Oslo, Norway
Stefan Lucks Bauhaus-University Weimar, Germany
Markku-Juhani O. Saarinen ERCIM Research Fellow at NTNU, Norway
Frank Stajano University of Cambridge, UK
Kenneth White Open Crypto Audit Project, USA
Referees for the Proceedings
Stig F. Mjølsnes NTNU, Norway (editor)
Jean-Philippe Aumasson Kudelski Security, Switzerland
Markus Dürmuth Ruhr-University Bochum, Germany
Danilo Gligoroski NTNU, Norway
Markus Jakobsson Qualcomm, USA
Tor Helleseth University of Bergen, Norway
Stefan Lucks Bauhaus-University Weimar, Germany
Chris Mitchell Royal Holloway, University of London, UK
Markku-Juhani O. Saarinen ERCIM Research Fellow, Finland
Frank Stajano University of Cambridge, UK
Kenneth White Open Crypto Audit Project, USA
Sponsor
Forum for Research and Innovation in Information Security and Communications
(The FRISC network project)