Pico in the Wild: Replacing Passwords, One Site at a Time

The Pico team have just returned from Paris, where Kat Krol presented at both EuroS&P and the affiliated EuroUSEC workshop on usable security. Pico is an ERC-funded project, led by Frank Stajano, to liberate humanity from passwords. It lets you log into devices and websites without having to remember any secrets. It relies on “something … Continue reading Pico in the Wild: Replacing Passwords, One Site at a Time

Pico part III: Making Pico psychologically acceptable to the everyday user

Many users are willing to sacrifice some security to gain quick and easy access to their services, often in spite of advice from service providers. Users are somehow expected to use a unique password for every service, each sufficiently long and consisting of letters, numbers, and symbols. Since most users do not (indeed, cannot) follow … Continue reading Pico part III: Making Pico psychologically acceptable to the everyday user

Pico part II: What’s wrong with QR code password replacement schemes, and how to fix them!

Users don’t want to authenticate, they want to do useful or enjoyable things like sending emails, ordering groceries or playing games. To alleviate the burden of having to type passwords, Pico and several other schemes, such as SQRL and tiQR, let the user simply scan a QR code; then a cryptographic protocol authenticates the user … Continue reading Pico part II: What’s wrong with QR code password replacement schemes, and how to fix them!

Pico part I: Russian hackers stole a billion passwords? True or not, with Pico you wouldn’t worry about it.

In last week’s news (August 2014) we heard that Russian hackers stole 1.2 billion passwords. Even though such claims sound somewhat exaggerated, and not correlated with a proportional amount of fraudulent access to user accounts, password compromise is always a pain for the web sites involved—more so when it causes direct reputation damage by having … Continue reading Pico part I: Russian hackers stole a billion passwords? True or not, with Pico you wouldn’t worry about it.

Pico: no more passwords (at Usenix Security)

The usability community has long complained about the problems of passwords (remember the Adams and Sasse classic). These days, even our beloved XKCD has something to say about the difficulties of coming up with a password that is easy to memorize and hard to brute-force. The sensible strategy suggested in the comic, of using a … Continue reading Pico: no more passwords (at Usenix Security)

Pico: no more passwords!

Passwords are no longer acceptable as a security mechanism. The arrogant security people ask users that passwords be memorable, unguessable, high entropy, all different and never written down. With the proliferation of the number of passwords and the ever-increasing brute-force capabilities of modern computers, passwords of adequate strength are too complicated for human memory, especially … Continue reading Pico: no more passwords!

Three exciting job openings in security usability

We are looking for three more people to join the Cambridge security group. Two job adverts, intended for postgrads or postdocs, are already out now. A third one, specifically aimed at a final year undergraduate or master student, strong on programming but with no significant work experience, is currently making its way through the HR … Continue reading Three exciting job openings in security usability

Why password managers (sometimes) fail

We are asked to remember far too many passwords. This problem is most acute on the web. And thus, unsurprisingly, it is on the web that technical solutions have had most success in replacing users’ ad hoc coping strategies. One of the longest established and most widely adopted technical solutions is a password manager: software … Continue reading Why password managers (sometimes) fail

Job opening: post-doctoral researcher in usable security

(post UPDATED with new job opening) I am delighted to announce a job opening in the Cambridge Security Group. Thanks to generous funding from the European Research Council I am in a position to recruit several post-doc research associates to work with me on the Pico project, whose ambitious aim is ultimately to liberate the … Continue reading Job opening: post-doctoral researcher in usable security