Naturally Rehearsing Passwords
We introduce quantitative usability and security models to guide the design
of password management schemes --- systematic strategies to help users create
and remember multiple passwords. In the same way that security proofs in
cryptography are based on complexity-theoretic assumptions (e.g., hardness of
factoring and discrete logarithm), we quantify usability by introducing
usability assumptions. In particular, password management relies on assumptions
about human memory, e.g., that a user who follows a particular rehearsal
schedule will successfully maintain the corresponding memory. These assumptions
are informed by research in cognitive science and validated through empirical
studies. Given rehearsal requirements and a user's visitation schedule for each
account, we use the total number of extra rehearsals that the user would have
to do to remember all of his passwords as a measure of the usability of the
password scheme. Our usability model leads us to a key observation: password
reuse benefits users not only by reducing the number of passwords that the user
has to memorize, but more importantly by increasing the natural rehearsal rate
for each password. We also present a security model which accounts for the
complexity of password management with multiple accounts and associated
threats, including online, offline, and plaintext password leak attacks.
Observing that current password management schemes are either insecure or
unusable, we present Shared Cues--- a new scheme in which the underlying secret
is strategically shared across accounts to ensure that most rehearsal
requirements are satisfied naturally while simultaneously providing strong
security. The construction uses the Chinese Remainder Theorem to achieve these
competing goals.
Encouraging users to improve password security and memorability
Security issues in text-based password authentication are rarely caused by technical issues, but rather by the limitations of human memory and by human perceptions together with their consequential responses. This study introduces a new user-friendly guideline approach to password creation, including persuasive messages that motivate and influence users to select more secure and memorable text passwords without overburdening their memory. From a broad understanding of security problems caused by human factors, we offer a reliable solution by encouraging users to create their own formula for composing passwords. A study has been conducted to evaluate the efficiency of the proposed password guidelines. Its results suggest that the password creation methods and persuasive message provided to users convinced them to create cryptographically strong and memorable passwords. Participants were divided into two groups in the study. The participants in the experimental group, who were given several password creation methods along with a persuasive message, created more secure and memorable passwords than the participants in the control group, who were asked to comply with the usual strict password creation rules. The study also suggests that our password creation methods are much more efficient than strict password policy rules. The security and usability evaluation of the proposed password guideline showed that simple improvements, such as adding persuasive text to the usual password guidelines consisting of several password restriction rules, make significant changes to the strength and memorability of passwords. The proposed password guidelines are a low-cost solution to the problem of improving the security and usability of text-based passwords.
Trenchcoat: Human-Computable Hashing Algorithms for Password Generation
The average user has between 90 and 130 online accounts, and around passwords are in use this year. Most people are terrible at
remembering "random" passwords, so they reuse or create similar passwords using
a combination of predictable words, numbers, and symbols. Previous
password-generation or management protocols have imposed so large a cognitive
load that users have abandoned them in favor of insecure yet simpler methods
(e.g., writing them down or reusing minor variants).
We describe a range of candidate human-computable "hash" functions suitable
for use as password generators - as long as the human (with minimal education
assumptions) keeps a single, easily-memorizable "master" secret - and rate them
by various metrics, including effective security.
These functions hash master-secrets with user accounts to produce sub-secrets
that can be used as passwords; s, takes a website
, produces a password , parameterized by master secret , which may or
may not be a string.
We exploit the unique configuration of each user's associative and
implicit memory (detailed in section 2) to ensure that sources of randomness
unique to each user are present in each master-secret . An adversary
cannot compute or verify efficiently since is unique to each
individual; in that sense, our hash function is similar to a physically
unclonable function. For the algorithms we propose, the user need only complete
primitive operations such as addition, spatial navigation or searching.
Critically, most of our methods are also accessible to neurodiverse, or
cognitively or physically differently-abled persons.
We present results from a survey (n=134 individuals) investigating real-world
usage of these methods and how people currently come up with their passwords;
we also survey 400 websites to collate current password advice.
The Forgotten Password: A Solution to Selecting, Securing and Remembering Passwords
Internet passwords are required of us more and more. Personal experience
and research show us that it is difficult to create and remember unique passwords
that meet security requirements. This study tested a unique method of password
generation based on a selection of mnemonic aids aimed at increasing the
usability, security and memorability of passwords. Fifty-one engineers,
accountants and university students aged between 17 - 61 years participated in the
study. They were randomly assigned to one of three groups: mnemonic, self-selection
and random. All passwords in the study had to meet the following
criteria: they had to be unique, at least eight characters long with a mixture of
letters and numbers, and not include complete words or personal identifiers,
sequential or repetitive numbers, and the passwords could not be written down or
recorded anywhere. The mnemonic group created passwords based on a variety of mnemonic processes, the self-selection group generated passwords that complied with the
above criteria, and the random group were assigned random
passwords generated by the experimenter. Password recall was tested online once
a week for three weeks, and then the passwords were renewed, with participants
staying within the same groups for the length of the study. The second password
was tested weekly for three weeks, then the passwords were renewed for the third
and final time and tested for a further three weeks. The expectation was that the
use of mnemonics in password creation would improve accurate recall of
passwords, more so than if the password was 'self-selected' or a random password
was assigned. The results showed that participants in the mnemonic group were
able to accurately recall all three passwords significantly more often than
participants in the self-selection and random groups. Furthermore, passwords
created by the mnemonic group were more secure than passwords created by the
self-selection group, as their passwords generated had a greater number of
characters in them, slightly larger alphabet size, and a higher degree of entropy.
The results are discussed in terms of the practical relevance of the findings.
"This is the way 'I' create my passwords ...": does the endowment effect deter people from changing the way they create their passwords?
The endowment effect is the term used to describe a phenomenon that manifests as a reluctance to relinquish owned artifacts, even when a viable or better substitute is offered. It has been confirmed by multiple studies when it comes to ownership of physical artifacts. If computer users also "own", and are attached to, their personal security routines, such feelings could conceivably activate the same endowment effect. This would, in turn, lead to their over-estimating the "value" of their existing routines, in terms of the protection they afford and the risks they mitigate. They might well, as a consequence, not countenance any efforts to persuade them to adopt a more secure routine, because their comparison of the pre-existing and the proposed new routine is skewed by the activation of the endowment effect. In this paper, we report on an investigation into the possibility that the endowment effect activates when people adopt personal password creation routines. We did indeed find evidence that the endowment effect is likely to be triggered in this context. This constitutes one explanation for the failure of many security awareness drives to improve password strength. We conclude by suggesting directions for future research to confirm our findings, and to investigate the activation of the effect for other security routines.