698 research outputs found
Improving the Eco-system of Passwords
Password-based authentication is perhaps the most widely used method for user authentication. Passwords are both easy to understand and use, and easy to implement. With these advantages, password-based authentication is likely to stay an important part of security in the foreseeable future. One major weakness of password-based authentication is that many users tend to choose weak passwords that are easy to guess. In this dissertation, we address the challenge and improve the eco-system of passwords in multiple aspects. Firstly, we provide methodologies that help password research. To be more specific, we propose Probability Threshold Graphs, which are superior to Guess Number Graphs when comparing password models and password datasets. We also introduce the rich literature of statistical language modeling into password modeling and show that, if used correctly, whole-string Markov models outperform Probabilistic Context Free Grammar models. Secondly, we improve the password policies and practices used by websites by studying how to best check weak passwords. We model different password strength checking methods as Password Ranking Algorithms (PRAs), and introduce two methods for comparing different PRAs: the β-Residual Strength Graph and the Normalized β-Residual Strength Graph. Finally, we examine the security and usability of commonly suggested password generation strategies. We find that for mnemonic sentence-based strategies, differences in the exact instructions have a tremendous impact on the security level of the resulting passwords. For word-based strategies, the security of the resulting passwords mainly depends on the number of words required, and requiring at least 3 words is likely to result in passwords stronger than the general passwords chosen by typical users.
Integrating Visual Mnemonics and Input Feedback with Passphrases to Improve the Usability and Security of Digital Authentication
The need for both usable and secure authentication is more pronounced than ever before. Security researchers and professionals will need to have a deep understanding of human factors to address these issues. Due to their ubiquity, recoverability, and low barrier of entry, passwords remain the most common means of digital authentication. However, fundamental human nature dictates that it is exceedingly difficult for people to generate secure passwords on their own. System-generated random passwords can be secure but are often unusable, which is why most passwords are still created by humans. We developed a simple system for automatically generating mnemonic phrases and supporting mnemonic images for randomly generated passwords. We found that study participants remembered their passwords significantly better using our system than with existing systems. To combat shoulder surfing - looking at a user's screen or keyboard as he or she enters sensitive input such as passwords - we developed an input masking technique that was demonstrated to minimize the threat of shoulder surfing attacks while improving the usability of password entry over existing methods. We extended this previous work to support longer passphrases with increased security and evaluated the effectiveness of our new system against traditional passphrases. We found that our system exhibited greater memorability, increased usability and overall rankings, and maintained or improved upon the security of the traditional passphrase systems. Adopting our passphrase system will lead to more usable and secure digital authentication.
Naturally Rehearsing Passwords
We introduce quantitative usability and security models to guide the design of password management schemes --- systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing usability assumptions. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and validated through empirical studies. Given rehearsal requirements and a user's visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of his passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues --- a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals.
The Forgotten Password: A Solution to Selecting, Securing and Remembering Passwords
Internet passwords are required of us more and more. Personal experience and research show us that it is difficult to create and remember unique passwords that meet security requirements. This study tested a unique method of password generation based on a selection of mnemonic aids aimed at increasing the usability, security and memorability of passwords. Fifty-one engineers, accountants and university students aged between 17 and 61 years participated in the study. They were randomly assigned to one of three groups: mnemonic, self-selection and random. All passwords in the study had to meet the following criteria: they had to be unique, at least eight characters long with a mixture of letters and numbers, and not include complete words or personal identifiers, sequential or repetitive numbers, and the passwords could not be written down or recorded anywhere. The mnemonic group created passwords based on a variety of mnemonic processes, the self-selection group generated passwords that complied with the above criteria, and the random group were assigned random passwords generated by the experimenter. Password recall was tested online once a week for three weeks, and then the passwords were renewed, with participants staying within the same groups for the length of the study. The second password was tested weekly for three weeks, then the passwords were renewed for the third and final time and tested for a further three weeks. The expectation was that the use of mnemonics in password creation would improve accurate recall of passwords, more so than if the password was 'self-selected' or a random password was assigned. The results showed that participants in the mnemonic group were able to accurately recall all three passwords significantly more often than participants in the self-selection and random groups. Furthermore, passwords created by the mnemonic group were more secure than passwords created by the self-selection group, as the passwords they generated had a greater number of characters, a slightly larger alphabet size, and a higher degree of entropy. The results are discussed in terms of the practical relevance of the findings.
The light side of passwords: Turning motivation from the extrinsic to the intrinsic research in progress
There are many good and bad aspects to password authentication. They are mostly without cost, securing many accounts and systems, and allowing users access from anywhere in the world. However, passwords can elicit dark side phenomena, including security technostress, with many users feeling negatively towards them as they struggle to cope with the sheer numbers required in their everyday lives. Much research has attempted to understand users’ interactions with passwords, examining the trade-off between security, memorability and user convenience, and suggesting techniques to manage them better. However, users continue to struggle. Many studies have shown that users are more concerned with goals other than security, such as convenience and memorability. Therefore, we need to offer another reason that will entice users to engage with the password process more securely. In this study, we suggest that engaging well with the password process (creating, learning and recalling passwords) is similar to memory training. Therefore, we propose that the “light side” of passwords – the positive reason for properly creating and learning strong passwords, and recalling them successfully – will improve users’ memories for passwords and memory functioning in general, consequently changing their motivation from an extrinsic goal to an intrinsic goal: improved memory functioning.
Encouraging users to improve password security and memorability
Security issues in text-based password authentication are rarely caused by technical issues, but rather by the limitations of human memory and human perceptions, together with their consequential responses. This study introduces a new user-friendly guideline approach to password creation, including persuasive messages that motivate and influence users to select more secure and memorable text passwords without overburdening their memory. From a broad understanding of security problems caused by human factors, we offer a reliable solution by encouraging users to create their own formula to compose passwords. A study has been conducted to evaluate the efficiency of the proposed password guidelines. Its results suggest that the password creation methods and persuasive message provided to users convinced them to create cryptographically strong and memorable passwords. Participants were divided into two groups in the study. The participants in the experimental group, who were given several password creation methods along with a persuasive message, created more secure and memorable passwords than the participants in the control group, who were asked to comply with the usual strict password creation rules. The study also suggests that our password creation methods are much more efficient than strict password policy rules. The security and usability evaluation of the proposed password guideline showed that simple improvements, such as adding persuasive text to the usual password guidelines consisting of several password restriction rules, make significant changes to the strength and memorability of passwords. The proposed password guidelines are a low-cost solution to the problem of improving the security and usability of text-based passwords.
Trenchcoat: Human-Computable Hashing Algorithms for Password Generation
The average user has between 90 and 130 online accounts, and around passwords are in use this year. Most people are terrible at remembering "random" passwords, so they reuse or create similar passwords using a combination of predictable words, numbers, and symbols. Previous password-generation or management protocols have imposed so large a cognitive load that users have abandoned them in favor of insecure yet simpler methods (e.g., writing them down or reusing minor variants).
We describe a range of candidate human-computable "hash" functions suitable for use as password generators - as long as the human (with minimal education assumptions) keeps a single, easily-memorizable "master" secret - and rate them by various metrics, including effective security.
These functions hash master-secrets with user accounts to produce sub-secrets that can be used as passwords; s, takes a website , produces a password , parameterized by master secret , which may or may not be a string.
We exploit the unique configuration of each user's associative and implicit memory (detailed in section 2) to ensure that sources of randomness unique to each user are present in each master-secret . An adversary cannot compute or verify efficiently since is unique to each individual; in that sense, our hash function is similar to a physically unclonable function. For the algorithms we propose, the user need only complete primitive operations such as addition, spatial navigation or searching. Critically, most of our methods are also accessible to neurodiverse, or cognitively or physically differently-abled persons.
We present results from a survey (n=134 individuals) investigating real-world usage of these methods and how people currently come up with their passwords; we also survey 400 websites to collate current password advice.
Evaluating the Usability of System-Generated and User-Generated Passwords of Approximately Minimum Equal Security
System-generated or user-generated text-based passwords are commonly used by users to authenticate access to their electronic assets. These passwords may vary in usability and memorability depending on the type of password generation, composition and length. However, little past research has compared the usability and memorability of passwords satisfying the minimum entropy for a secure password. This study compared three password policy conditions, assigning or generating passwords of approximately equal minimum security, i.e. 6-character alphanumeric system-generated passwords, minimum 8-character restricted user-generated passwords and minimum 16-character unrestricted user-generated passwords. The study involved 54 participants, equally divided into three groups, 18 in each password policy condition. The study took place over two sessions, with a period of 5-7 days in between them. In the first session, depending on the password policy condition, the participants were either assigned or asked to create a password. The participants were then asked to recall their passwords in the same session and after 5-7 days in the second session. The three password policy conditions were compared with respect to the dependent variables: the time taken to create the password account, the password creation error rates, the time taken to recall and the recall error rates for both sessions, the number of unrecoverable passwords in the second session, the proximity of the recalled password to the stored password measured by Damerau-Levenshtein and Jaro-Winkler edit distances, and the subjective ratings for the NASA task load indices and the System Usability Scale questionnaire.