Case study:exploring children’s password knowledge and practices

Children use technology from a very young age, and often have to authenticate themselves. Yet very little attention has been paid to designing authentication specifically for this particular target group. The usual practice is to deploy the ubiquitous password, and this might well be a suboptimal choice. Designing authentication for children requires acknowledgement of child-specific developmental challenges related to literacy, cognitive abilities and differing developmental stages. Understanding the current state of play is essential, to deliver insights that can inform the development of child-centred authentication mechanisms and processes. We carried out a systematic literature review of all research related to children and authentication since 2000. A distinct research gap emerged from the analysis. Thus, we designed and administered a survey to school children in the United States (US), so as to gain insights into their current password usage and behaviors. This paper reports preliminary results from a case study of 189 children (part of a much larger research effort). The findings highlight age-related differences in children’s password understanding and practices. We also discovered that children confuse concepts of safety and security. We conclude by suggesting directions for future research. This paper reports on work in progress.<br/

SOK:young children’s cybersecurity knowledge, skills &amp; practice: a systematic literature review

The rise in children’s use of digital technology highlights the need for them to learn to act securely online. Cybersecurity skills require mature cognitive abilities which children only acquire after they start using technology. As such, this paper explores the guidance and current curriculum expectations on cybersecurity aspects in Scotland. Additionally, a systematic review was undertaken of the literature pertaining to cybersecurity education for children on a wider scale including papers from around the world, with 27 peer reviewed papers included in the final review. We discovered that most research focused on assessing children’s knowledge or investigating the efficacy of interventions to improve cybersecurity knowledge and practice. Very few investigated the skills required to carry out the expected cybersecurity actions. For example, high levels of literacy, mature short- and long-term memory, attention, and established meta cognition are all pre-requisites to be able to carry out cybersecurity activities. Our main finding is that empirical research is required to explore the ages at which children have developed essential cognitive abilities and thereby the potential to master cybersecurity skills

An Analysis of Modern Password Manager Security and Usage on Desktop and Mobile Devices

Security experts recommend password managers to help users generate, store, and enter strong, unique passwords. Prior research confirms that managers do help users move towards these objectives, but it also identified usability and security issues that had the potential to leak user data or prevent users from making full use of their manager. In this dissertation, I set out to measure to what extent modern managers have addressed these security issues on both desktop and mobile environments. Additionally, I have interviewed individuals to understand their password management behavior. I begin my analysis by conducting the first security evaluation of the full password manager lifecycle (generation, storage, and autofill) on desktop devices, including the creation and analysis of a corpus of 147 million generated passwords. My results show that a small percentage of generated passwords are weak against both online and offline attacks, and that attacks against autofill mechanisms are still possible in modern managers. Next, I present a comparative analysis of autofill frameworks on iOS and Android. I find that these frameworks fail to properly verify webpage security and identify a new class of phishing attacks enabled by incorrect handling of autofill within WebView controls hosted in apps. Finally, I interview users of third-party password managers to understand both how and why they use their managers as they do. I find evidence that many users leverage multiple password managers to address issues with existing managers, as well as provide explanations for why password reuse continues even in the presence of a password manager. Based on these results, I conclude with recommendations addressing the attacks and usability issues identified in this work

Passphrase and keystroke dynamics authentication: security and usability

It was found that employees spend a total 2.25 days within a 60 day period on password related activities. Another study found that over 85 days an average user will create 25 accounts with an average of 6.5 unique passwords. These numbers are expected to increase over time as more systems become available. In addition, the use of 6.5 unique passwords highlight that passwords are being reused which creates security concerns as multiple systems will be accessible by an unauthorised party if one of these passwords is leaked. Current user authentication solutions either increase security or usability. When security increases, usability decreases, or vice versa. To add to this, stringent security protocols encourage unsecure behaviours by the user such as writing the password down on a piece of paper to remember it. It was found that passphrases require less cognitive effort than passwords and because passphrases are stronger than passwords, they don’t need to be changed as frequently as passwords. This study aimed to assess a two-tier user authentication solution that increases security and usability. The proposed solution uses passphrases in conjunction with keystroke dynamics to address this research problem. The design science research approach was used to guide this study. The study’s theoretical foundation includes three theories. The Shannon entropy formula was used to calculate the strength of passwords, passphrases and keystroke dynamics. The chunking theory assisted in assessing password and passphrase memorisation issues and the keystroke-level model was used to assess password and passphrase typing issues. Two primary data collection methods were used to evaluate the findings and to ensure that gaps in the research were filled. A login assessment experiment collected data on user authentication and user-system interaction for passwords and passphrases. Plus, an expert review was conducted to verify findings and assess the research artefact in the form of a model. The model can be used to assist with the implementation of a two-tier user authentication solution which involves passphrases and keystroke dynamics. There are a number of components that need to be considered to realise the benefits of this solution and ensure successful implementation

Users’ perceptions regarding password policies

Information is considered a valuable asset to most organisations and is often exposed to various threats which exploit its confidentiality, integrity and availability (CIA). Identification and Authentication are commonly used to help ensure the CIA of information. This research study specifically focused on password-based authentication. Passwords are used to log into personal computers, company computers, email accounts, bank accounts and various software systems and mobile applications. Passwords act like a protective barrier between a user and their personal and company information, and remain the most cost-effective and most efficient method to control access to computer systems. An extensive content analysis was conducted regarding the security of passwords, as well as users’ password management coping strategies. It was determined that very little research has been conducted in relation to users’ perceptions towards password policies. The problem identified by this research is that organisations often implement password policy guidelines without taking into consideration users’ perceptions regarding such guidelines. This could result in users adopting various password management coping strategies. This research therefore aimed to determine users’ perceptions with regard to current password-related standards and best practices (password policy guidelines). Standards and best practices such as ISO/IEC 27002 (2013), NIST SP 800-118 (2009), NIST SP 800-63-2 (2013), NIST SP 800-63B (2016) and the SANS Password Protection Policy (2014b) were studied in order to determine the common elements of password policies. This research argued that before organisations implement password policy guidelines, they need to determine users’ perceptions towards such guidelines. It was identified that certain human factors such as human memory, attitude and apathy often cause users to adopt insecure coping strategies such as Reusing Passwords, Writing Down Passwords and Not Changing Passwords. This research included a survey which took the form of a questionnaire. The aim of the survey was to determine users’ perceptions towards common elements of password policies and to determine the coping strategies users commonly adopt. The survey included questions related to the new NIST SP 800-63B (2016) that sought to determine users’ perceptions towards these new NIST password policy iii guidelines. Findings from the survey indicated that respondents found the new NIST guidelines to be helpful, secure and easier to adhere to. Finally, recommendations regarding password policies were presented based on the common elements of password policies and users’ perceptions of the new NIST password guidelines. These recommendations could help policy makers in the implementation of new password policies or the revision of current password policies