
    Improving the Eco-system of Passwords

    Password-based authentication is perhaps the most widely used method for user authentication. Passwords are both easy to understand and use, and easy to implement. With these advantages, password-based authentication is likely to remain an important part of security for the foreseeable future. One major weakness of password-based authentication is that many users tend to choose weak passwords that are easy to guess. In this dissertation, we address this challenge and improve the eco-system of passwords in multiple aspects. Firstly, we provide methodologies that help password research. To be more specific, we propose Probability Threshold Graphs, which are superior to Guess Number Graphs when comparing password models and password datasets. We also introduce the rich literature of statistical language modeling into password modeling and show that, if used correctly, whole-string Markov models outperform Probabilistic Context Free Grammar models. Secondly, we improve the password policies and practices used by websites by studying how best to check for weak passwords. We model different password strength checking methods as Password Ranking Algorithms (PRAs), and introduce two methods for comparing different PRAs: the β-Residual Strength Graph and the Normalized β-Residual Strength Graph. Finally, we examine the security and usability of commonly suggested password generation strategies. We find that for mnemonic sentence-based strategies, differences in the exact instructions have a tremendous impact on the security level of the resulting passwords. For word-based strategies, the security of the resulting passwords mainly depends on the number of words required, and requiring at least 3 words is likely to result in passwords stronger than the general passwords chosen by typical users.

    Integrating Visual Mnemonics and Input Feedback with Passphrases to Improve the Usability and Security of Digital Authentication

    The need for both usable and secure authentication is more pronounced than ever before. Security researchers and professionals will need a deep understanding of human factors to address these issues. Due to their ubiquity, recoverability, and low barrier to entry, passwords remain the most common means of digital authentication. However, fundamental human nature dictates that it is exceedingly difficult for people to generate secure passwords on their own. System-generated random passwords can be secure but are often unusable, which is why most passwords are still created by humans. We developed a simple system for automatically generating mnemonic phrases and supporting mnemonic images for randomly generated passwords. We found that study participants remembered their passwords significantly better using our system than with existing systems. To combat shoulder surfing (looking at a user's screen or keyboard as he or she enters sensitive input such as passwords), we developed an input masking technique that was demonstrated to minimize the threat of shoulder surfing attacks while improving the usability of password entry over existing methods. We extended this previous work to support longer passphrases with increased security and evaluated the effectiveness of our new system against traditional passphrases. We found that our system exhibited greater memorability, increased usability and overall rankings, and maintained or improved upon the security of the traditional passphrase systems. Adopting our passphrase system will lead to more usable and secure digital authentication.

    Naturally Rehearsing Passwords

    We introduce quantitative usability and security models to guide the design of password management schemes: systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing usability assumptions. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and validated through empirical studies. Given rehearsal requirements and a user's visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of his passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues, a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals.

    The Forgotten Password: A Solution to Selecting, Securing and Remembering Passwords

    Internet passwords are required of us more and more. Personal experience and research show us that it is difficult to create and remember unique passwords that meet security requirements. This study tested a unique method of password generation based on a selection of mnemonic aids aimed at increasing the usability, security and memorability of passwords. Fifty-one engineers, accountants and university students aged between 17 and 61 years participated in the study. They were randomly assigned to one of three groups: mnemonic, self-selection and random. All passwords in the study had to meet the following criteria: they had to be unique, at least eight characters long with a mixture of letters and numbers, and not include complete words or personal identifiers, sequential or repetitive numbers, and the passwords could not be written down or recorded anywhere. The mnemonic group created passwords based on a variety of mnemonic processes, the self-selection group generated passwords that complied with the above criteria, and the random group were assigned random passwords generated by the experimenter. Password recall was tested online once a week for three weeks, and then the passwords were renewed, with participants staying within the same groups for the length of the study. The second password was tested weekly for three weeks, then the passwords were renewed for the third and final time and tested for a further three weeks. The expectation was that the use of mnemonics in password creation would improve accurate recall of passwords, more so than if the password was 'self-selected' or a random password was assigned. The results showed that participants in the mnemonic group were able to accurately recall all three passwords significantly more often than participants in the self-selection and random groups. Furthermore, passwords created by the mnemonic group were more secure than passwords created by the self-selection group, as the passwords they generated had a greater number of characters, a slightly larger alphabet size, and a higher degree of entropy. The results are discussed in terms of the practical relevance of the findings.

    Using and managing multiple passwords: a week to a view


    The light side of passwords: Turning motivation from the extrinsic to the intrinsic research in progress

    There are many good and bad aspects to password authentication. Passwords are mostly without cost, secure many accounts and systems, and allow users access from anywhere in the world. However, passwords can elicit dark side phenomena, including security technostress, with many users feeling negatively towards them as they struggle to cope with the sheer number required in their everyday lives. Much research has attempted to understand users' interactions with passwords, examining the trade-off between security, memorability and user convenience, and suggesting techniques to manage them better. However, users continue to struggle. Many studies have shown that users are more concerned with goals other than security, such as convenience and memorability. Therefore, we need to offer another reason that will entice users to engage with the password process more securely. In this study, we suggest that engaging well with the password process (creating, learning and recalling passwords) is similar to memory training. Therefore, we propose that the "light side" of passwords, the positive reason for properly creating and learning strong passwords and recalling them successfully, will improve users' memory for passwords and memory functioning in general. Consequently, their motivation changes from an extrinsic goal to an intrinsic one: improved memory functioning.

    Trenchcoat: Human-Computable Hashing Algorithms for Password Generation

    The average user has between 90 and 130 online accounts, and around $3 \times 10^{11}$ passwords are in use this year. Most people are terrible at remembering "random" passwords, so they reuse or create similar passwords using a combination of predictable words, numbers, and symbols. Previous password-generation or management protocols have imposed so large a cognitive load that users have abandoned them in favor of insecure yet simpler methods (e.g., writing them down or reusing minor variants). We describe a range of candidate human-computable "hash" functions suitable for use as password generators, as long as the human (with minimal education assumptions) keeps a single, easily memorizable "master" secret, and rate them by various metrics, including effective security. These functions hash master secrets with user accounts to produce sub-secrets that can be used as passwords: $F_R(s, w) \longrightarrow y$ takes a website $w$ and produces a password $y$, parameterized by a master secret $s$, which may or may not be a string. We exploit the unique configuration $R$ of each user's associative and implicit memory (detailed in section 2) to ensure that sources of randomness unique to each user are present in each master secret $F_R$. An adversary cannot compute or verify $F_R$ efficiently since $R$ is unique to each individual; in that sense, our hash function is similar to a physically unclonable function. For the algorithms we propose, the user need only complete primitive operations such as addition, spatial navigation or searching. Critically, most of our methods are also accessible to neurodiverse, or cognitively or physically differently-abled persons. We present results from a survey (n = 134 individuals) investigating real-world usage of these methods and how people currently come up with their passwords; we also survey 400 websites to collate current password advice.

    Evaluating the Usability of System-Generated and User-Generated Passwords of Approximately Minimum Equal Security

    System-generated or user-generated text-based passwords are commonly used by users to authenticate access to their electronic assets. These passwords may vary in usability and memorability depending on the type of password generation, composition and length. However, little past research has compared the usability and memorability of passwords that satisfy a minimum entropy for a secure password. This study compared three password policy conditions, assigning or generating passwords of approximately equal minimum security, i.e. 6-character alphanumeric system-generated passwords, minimum 8-character restricted user-generated passwords and minimum 16-character unrestricted user-generated passwords. The study involved 54 participants, equally divided into three groups, 18 in each password policy condition. The study took place over two sessions, with a period of 5-7 days in between them. In the first session, depending on the password policy condition, the participants were either assigned or asked to create a password. The participants were then asked to recall their passwords in the same session and after 5-7 days in the second session. The three password policy conditions were compared with respect to the dependent variables: the time taken to create the password account, the password creation error rates, the time taken to recall and recall error rates for both sessions, the number of unrecoverable passwords in the second session, the proximity of the recalled password to the stored password measured by Damerau-Levenshtein and Jaro-Winkler edit distances, and the subjective ratings for the NASA task load indices and the System Usability Scale questionnaire.