
    A SYSTEM-GENERATED PASSWORD AND MNEMONIC APPROACH TO OPTIMIZE THE SECURITY AND USABILITY OF TEXT-BASED PASSWORDS

    In this study a novel password generation policy called the system-generated password and mnemonic was designed and implemented. The intent of this policy was to optimize both the security and usability of text-based passwords. After implementing the policy we evaluated its usability and compared it with three other existing policies: user-generated password, system-generated password and user-generated mnemonic for a system-generated password. In order to have a fair comparison among the policies we maintained a constant level of security of 30±2 entropy as dictated by NIST level 2 standards. The study involved 64 participants, equally divided into four groups, 16 in each password policy condition. The study took place over two sessions, with a period of 5-7 days in between them. In the first session, depending on the password policy condition, the participants were either assigned or asked to create a password. The participants were then asked to recall their passwords in the same session and after 5-7 days in the second session. The four password policy conditions were compared with respect to the following dependent variables: the time taken to create the password account, the password creation error rate, the time taken to recall and recall error rates for both sessions, unrecoverable passwords in the second session, proximity of the recalled password to the stored password as measured by the Damerau-Levenshtein and Jaro-Winkler edit distances; and the subjective ratings for the NASA task load indices and the System Usability Scale questionnaire. There was a significant effect of password policy condition on the time taken to create a password account and for the performance index of the NASA-TLX questionnaire. Across the task sessions, there were statistically significant differences for the time taken to recall the password, recall error rates, the performance index of the NASA-TLX questionnaire and the SUS score. There were no significant differences for creation error rates, creation SUS, recall error rates and unrecoverable passwords among the password policy conditions. The results of this study suggest that overall performance was better for the user-generated policies (user-generated password and system-generated password along with a user-generated mnemonic) than for the system-generated policies (system-generated password and system-generated password and mnemonic). One of the reasons for this result might be that the direct involvement of the user in generating the password or mnemonic enhances their memorability. Other reasons mentioned by the users were that the system-generated mnemonic policy was complex and employed difficult words which were difficult to memorize and thus recollect. As a result of conducting this experiment it is concluded that user-generated policies are better in terms of usability and memorability than system-generated passwords. However, the user feedback recorded in this study suggests a number of approaches for improving the usability of system-generated password policies.

    Integrating Visual Mnemonics and Input Feedback with Passphrases to Improve the Usability and Security of Digital Authentication

    The need for both usable and secure authentication is more pronounced than ever before. Security researchers and professionals will need to have a deep understanding of human factors to address these issues. Due to their ubiquity, recoverability, and low barrier of entry, passwords remain the most common means of digital authentication. However, fundamental human nature dictates that it is exceedingly difficult for people to generate secure passwords on their own. System-generated random passwords can be secure but are often unusable, which is why most passwords are still created by humans. We developed a simple system for automatically generating mnemonic phrases and supporting mnemonic images for randomly generated passwords. We found that study participants remembered their passwords significantly better using our system than with existing systems. To combat shoulder surfing - looking at a user's screen or keyboard as he or she enters sensitive input such as passwords - we developed an input masking technique that was demonstrated to minimize the threat of shoulder surfing attacks while improving the usability of password entry over existing methods. We extended this previous work to support longer passphrases with increased security and evaluated the effectiveness of our new system against traditional passphrases. We found that our system exhibited greater memorability, increased usability and overall rankings, and maintained or improved upon the security of the traditional passphrase systems. Adopting our passphrase system will lead to more usable and secure digital authentication.

    The Forgotten Password: A Solution to Selecting, Securing and Remembering Passwords

    Internet passwords are required of us more and more. Personal experience and research shows us that it is difficult to create and remember unique passwords that meet security requirements. This study tested a unique method of password generation based on a selection of mnemonic aids aimed at increasing the usability, security and memorability of passwords. Fifty-one engineers, accountants and university students aged between 17 - 61 years participated in the study. They were randomly assigned to one of three groups: mnemonic, self-selection and random. All passwords in the study had to meet the following criteria: they had to be unique, at least eight characters long with a mixture of letters and numbers, and not include complete words or personal identifiers, sequential or repetitive numbers, and the passwords could not be written down or recorded anywhere. The mnemonic group created passwords based on a variety of mnemonic processes, the self-selection group generated passwords that complied with the above criteria, and the random group were assigned random passwords generated by the experimenter. Password recall was tested online once a week for three weeks, and then the passwords were renewed, with participants staying within the same groups for the length of the study. The second password was tested weekly for three weeks, then the passwords were renewed for the third and final time and tested for a further three weeks. The expectation was that the use of mnemonics in password creation would improve accurate recall of passwords, more so than if the password was 'self-selected' or a random password was assigned. The results showed that participants in the mnemonic group were able to accurately recall all three passwords significantly more often than participants in the self-selection and random groups. Furthermore, passwords created by the mnemonic group were more secure than passwords created by the self-selection group, as their passwords generated had a greater number of characters in them, slightly larger alphabet size, and a higher degree of entropy. The results are discussed in terms of the practical relevance of the findings.

    A protection motivation theory approach to improving compliance with password guidelines

    Usernames and passwords form the most widely used method of user authentication on the Internet. Yet, users still find compliance with password guidelines difficult. The primary objective of this research was to investigate how compliance with password guidelines and password quality can be improved. This study investigated how user perceptions of passwords and security threats affect compliance with password guidelines and explored if altering these perceptions would improve compliance. This research also examined if compliance with password guidelines can be sustained over time. This study focuses on personal security, particularly factors that influence compliance when using personal online accounts. The proposed research model is based on the Protection Motivation Theory (PMT) (Rogers, 1975, 1983), a model widely used in information systems security research. As studies have failed to consistently confirm the association between perceived vulnerability and information security practices, the model was extended to include exposure to hacking as a predictor of perceived vulnerability. Experimental research was used to test the model from two groups of Internet users, one of which received PMT-based fear appeals in the form of a password security information and training exercise. To examine if password strength was improved by the fear appeals, passwords were collected. A password strength analysis tool was developed using Shannon's (2001) formula for calculating entropy and coded in Visual Basic. Structural equation modeling was used to test the model. The proposed model explains compliance intentions moderately well, with 54% of the variance explained by the treatment model and 43% explained by the control group model. Overall, the results indicate that efficacy perceptions are a stronger predictor of compliance intentions than threat perceptions. This study identifies three variables that predict user intentions to comply with password guidelines as particularly important. These are perceived threat, perceived password effectiveness and password self-efficacy. The results show no association between perceived vulnerability to a security attack and a user's decision to comply. The results also showed that those who are provided with password information and training are significantly more likely to comply, and create significantly stronger passwords. However, the fear appeals used in this study had no long-term effects on compliance intentions. The results on the long-term effects of password training on the participants' ability to remember passwords were however promising. The group that received password training with a mnemonic training component was twice as likely to remember their passwords over time. The results of this research have practical implications for organizations. They highlight the need to raise the levels of concern for information systems security threats through training in order to improve compliance with security guidelines. Communicating to users what security responses are available is important; however, whether they implement them is dependent on how effective they feel the security responses are in preventing an attack. Regarding passwords, the single most important consideration by a user is whether they have the ability to create strong, memorable passwords. At the very least, users should be trained on how to create strong passwords, with emphasis on memorization strategies. This research found mnemonic password training to have some long-term effects on users' ability to remember passwords, which is arguably one of the most vexing challenges associated with passwords. Future research should explore the extent to which the effects of PMT-based information systems security communication can be maintained over time.

    Usability, Efficiency and Security of Personal Computing Technologies

    New personal computing technologies such as smartphones and personal fitness trackers are widely integrated into user lifestyles. Users possess a wide range of skills, attributes and backgrounds. It is important to understand user technology practices to ensure that new designs are usable and productive. Conversely, it is important to leverage our understanding of user characteristics to optimize new technology efficiency and effectiveness. Our work initially focused on studying older users, and personal fitness tracker users. We applied the insights from these investigations to develop new techniques improving user security protections, computational efficiency, and also enhancing the user experience. We offer that by increasing the usability, efficiency and security of personal computing technology, users will enjoy greater privacy protections along with experiencing greater enjoyment of their personal computing devices. Our first project resulted in an improved authentication system for older users based on familiar facial images. Our investigation revealed that older users are often challenged by traditional text passwords, resulting in decreased technology use or less than optimal password practices. Our graphical password-based system relies on memorable images from the user's personal past history. Our usability study demonstrated that this system was easy to use, enjoyable, and fast. We show that this technique is extendable to smartphones. Personal fitness trackers are very popular devices, often worn by users all day. Our personal fitness tracker investigation provides the first quantitative baseline of usage patterns with this device. By exploring public data, real-world user motivations, reliability concerns, activity levels, and fitness-related socialization patterns were discerned. This knowledge lends insight to active user practices. Personal user movement data is captured by sensors, then analyzed to provide benefits to the user. The dynamic time warping technique enables comparison of unequal data sequences, and sequences containing events at offset times. Existing techniques target short data sequences. Our Phase-aware Dynamic Time Warping algorithm focuses on a class of sinusoidal user movement patterns, resulting in improved efficiency over existing methods. Lastly, we address user data privacy concerns in an environment where user data is increasingly flowing to manufacturer remote cloud servers for analysis. Our secure computation technique protects the user's privacy while data is in transit and while resident on cloud computing resources. Our technique also protects important data on cloud servers from exposure to individual users.

    Usable, secure and deployable graphical passwords

    PhD Thesis

    Evaluations of the usability and security of alphanumeric passwords and Personal Identification Numbers (PINs) have shown that users cannot remember credentials considered to be secure. However, the continued reliance upon these methods of user authentication has placed end-users and system designers in a coevolutionary struggle, with each defending competing concerns of usability and security. Graphical passwords have been proposed as an alternative, and their use is supported by cognitive theories such as the picture superiority effect which suggest that pictures, rather than words or numbers, could provide a stronger foundation upon which to design usable and secure knowledge-based authentication. Indeed, early usability studies of novel systems harnessing this effect appear to show promise, however, the uptake of graphical passwords in real-world systems is low. This inertia is likely related to uncertainty regarding the challenges that novel systems might bring to the already delicate interplay between usability and security; particularly the new challenges faced in scaffolding user behaviours that comply with context-specific security policies, uncertainty regarding the nature of new socio-technical attacks, and the impact of images themselves upon usability and security. In this thesis we present a number of case studies incorporating new designs, empirical methods and results, that begin to explore these aspects of representative graphical password systems. Specifically, we explore: (i) how we can implicitly support security-focused behaviours such as choosing high entropy graphical passwords and defending against observation attack; (ii) how to capture the likely extent of insecure behaviour in the social domain such as graphical password sharing and observation attack; and (iii) how through the selection of appropriate properties of the images themselves we can provide security and usability benefits. In doing so, we generate new insights into the potential of graphical passwords to provide usable, secure and deployable user authentication.

    Microsoft Research

    Towards Implicit Visual Memory-Based Authentication

    Selecting and remembering secure passwords puts a high cognitive burden on the user, which has adverse effects on usability and security. Authentication schemes based on implicit memory can relieve the user of the burden of actively remembering a secure password. In this paper, we propose a new authentication scheme (MooneyAuth) that relies on implicitly remembering the content of previously seen Mooney images. These images are thresholded two-tone images derived from images containing single objects. Our scheme has two phases: In the enrollment phase, a user is presented with Mooney images, their corresponding original images, and labels. This creates an implicit link between the Mooney image and the object in the user's memory that serves as the authentication secret. In the authentication phase, the user has to label a set of Mooney images, a task that gets performed with substantially fewer mistakes if the images have been seen in the enrollment phase. We applied an information-theoretical approach to compute the eligibility of the user, based on which images were labeled correctly. This new dynamic scoring is substantially better than previously proposed static scoring by considering the surprisal of the observed events. We built a prototype and performed three experiments with 230 and 70 participants over the course of 264 and 21 days, respectively. We show that MooneyAuth outperforms current implicit memory-based schemes, and demonstrates a promising new approach for fallback authentication procedures on the Web.

    Guessing human-chosen secrets

    Authenticating humans to computers remains a notable weak point in computer security despite decades of effort. Although the security research community has explored dozens of proposals for replacing or strengthening passwords, they appear likely to remain entrenched as the standard mechanism of human-computer authentication on the Internet for years to come. Even in the optimistic scenario of eliminating passwords from most of today's authentication protocols using trusted hardware devices or trusted servers to perform federated authentication, passwords will persist as a means of "last-mile" authentication between humans and these trusted single sign-on deputies. This dissertation studies the difficulty of guessing human-chosen secrets, introducing a sound mathematical framework modeling human choice as a skewed probability distribution. We introduce a new metric, alpha-guesswork, which accurately models the resistance of a distribution against all possible guessing attacks. We also study the statistical challenges of estimating this metric using empirical data sets which can be modeled as a large random sample from the underlying probability distribution. This framework is then used to evaluate several representative data sets from the most important categories of human-chosen secrets to provide reliable estimates of security against guessing attacks. This includes collecting the largest-ever corpus of user-chosen passwords, with nearly 70 million, the largest list of human names ever assembled for research, the largest data sets of real answers to personal knowledge questions and the first data published about human choice of banking PINs. This data provides reliable numbers for designing security systems and highlights universal limitations of human-chosen secrets.