Evaluating the Usability of System-Generated and User-Generated Passwords of Approximately Minimum Equal Security

System-generated or user-generated text-based passwords are commonly used by the users to authenticate access to their electronic assets. These passwords may vary in usability and memorability depending on the type of password generation, composition and length. However, little past research has compared usability and memorability of passwords, satisfying minimum entropy for a secure password. This study compared three password policy conditions, assigning/generating passwords of approximately equal minimum security, i.e. 6-character alphanumeric system-generated passwords, minimum 8-character restricted user-generated passwords and minimum 16-character unrestricted user-generated passwords. The study involved 54 participants, equally divided into three groups, 18 in each password policy condition. The study took place over two sessions, with a period of 5-7 days in between them. In the first session, depending on the password policy condition, the participants were either assigned or asked to create a password. The participants were then asked to recall their passwords in the same session and after 5-7 days in the second session. The three password policy conditions were compared with respect to the dependent variables-- the time taken to create the password account, the password creation error rates, the time taken to recall and recall error rates for both sessions, the number of unrecoverable passwords in the second session, the proximity of the recalled password to the stored password measured by Damerau-Levenshtein and Jaro-Winkler edit distances, and the subjective ratings for the NASA task load indices and the System Usability Scale questionnaire

Generating and Managing Secure Passwords for Online Accounts

User accounts at Internet services contain a multitude of personal data such as messages, documents, pictures, and payment information. Passwords are used to protect these data from unauthorized access. User authentication based on passwords has many advantages for both users and service providers. Users can use passwords across many platforms, devices, and applications and do not need to carry an additional device. Service providers can implement password-based user authentication with little effort and operate it with low cost per user. However, passwords have a key problem: the conflict between security and ease of use. For security reasons, passwords must be attack-resistant, individual for each account, and changed on a regular basis. But, these security requirements make passwords very difficult to use. They require users to create and manage a large portfolio of passwords. This poses three problems: First, the generation of attack-resistant passwords is very difficult. Second, the memorization of many passwords is practically impossible. Third, the regular change of passwords is very time-consuming. These problems are aggravated by the different password requirements, interfaces, and procedures of services. The preservation of passwords for users such as storing passwords on user devices mitigates the memorization problem, but it raises new problems: the confidentiality, availability, recoverability, and accessibility of the preserved passwords. Despite decades of research, the problems of passwords are not solved yet. Consequently, secure passwords are not usable in practice. As a result, users select weak passwords, use them across accounts, and barely change them. In this thesis, we introduce the Password Assistance System (PAS). It makes secure passwords usable for users. This is achieved by automation and comprehensive support. PAS covers all aspects of passwords. It generates, preserves, and changes passwords for users as well as ensures the confidentiality, availability, recoverability, and accessibility of the preserved passwords. This reduces the efforts and activities of users to deal with passwords to a minimum and thus enables users to practically realize secure passwords for their online accounts for the first time. PAS is the first solution that is capable of handling the different password implementations of services. This is achieved by a standardized description of password requirements, interfaces, and procedures. Moreover, PAS is solely realized on the user-side and requires no changes on the service-side. Both features ensure the practicability of PAS and make it ready to be used. PAS solves the password generation problem by creating attack-resistant, individual, and valid passwords for users automatically. Users just need to provide the URL of a service to generate an optimal password for an account. Our uniform description of password requirements provides the information to generate passwords in accordance with the individual password requirements of services. PAS is able to generate the requirements descriptions automatically by extracting the password requirements of services from their websites. So far, this was done for 185,696 services. Moreover, PAS is equipped with an optimal password-composition rule set for the event that services do not explicitly state their password requirements, which is the usual case. By means of the optimal rule set, PAS also generates attack-resistant passwords with the best possible acceptance rate in case of unknown password requirements. PAS solves the password memorization problem by preserving passwords for users. This releases users from memorizing their passwords and facilitates to use individual passwords for accounts. PAS makes users' password portfolios available on all their devices as well as automatically synchronizes changes. PAS achieves this without storing passwords at servers so that an attacker cannot steal them from servers. Moreover, PAS provides a backup solution to recover the preserved passwords in case of loss. Users need to create backups only once and do not have to update them even when their password portfolios change. Consequently, users can keep backups completely offline at secure, different, and physically isolated locations. This minimizes the risk of compromise and loss as well as enables an emergency access to the passwords for trusted persons. Moreover, PAS has a built-in revocation mechanism. It allows users to completely invalidate devices and backups in case they lose control over them. This guarantees that no passwords can be stolen from lost user devices and backups once revoked. Users always have full control of their passwords. PAS solves the password change problem by changing passwords automatically for users. Users neither need to create new passwords nor manually log in to their accounts. Our uniform description of password interfaces and procedures provides the information to change passwords at arbitrary services. Moreover, PAS is the first solution that provides autonomous password changes. It changes passwords on a regular basis with respect to the security level of passwords as well as immediately after PAS detects a compromise of users' passwords. The practicability of PAS is demonstrated by an implementation. The individual components of PAS can be used independently, integrated into other applications, and combined to a single user application, called a password assistant. In summary, this thesis presents a solution that makes secure passwords usable. This is done by automation and comprehensive support in the generation and management of passwords

Password Cracking Detection System with Honeyword

Honeywords are the decoy words also known as potential password for a user which, when an attacker enters in the system, it is detected by the honeychecker. Honeyword is a technique that can be successfully used as a guard strategy which can be utilized against stolen secret key records. This technique is honed by putting bogus patterns of passwords inside the record that consist of passwords of authentication server to deceive adversary. Honeywords resemble ordinary, user-selected passwords. Various different password patterns make it troublesome for the attacker that steal a honeyword-laced password file to recognize the true user password and honeyword. (?Honey? is an old term for decoy resources in computing environments). In existing system honeywords (decoy passwords) are used to detect malicious attempter against hashed password database. While considering every single accessible record, the legitimate passwords are stored along with various patterns and different combinations of honeywords in order sense impersonation. While considering runtime scenario, a cyber-attacker hacked the file consisting of hashed passwords, but the attacker cannot make out whether the password that is available is authentic password or the honeyword any specific account. If the attacker tries to enter the dummy (honeyword) credentials, then an alarm will be triggered and that will notify the administrator regarding password file breach. Considering the present scenario of the expenses on the storage requirement for expanding the capacity prerequisite by ample amount, this technique is easy to adopt and implement efficiently to encounter the issues of password file disclosure events. The aim of this research is to study honeyword generation system and techniques and compare the sub tasks using the literatures published in those areas finding out the research gaps in them and to analyses them to make password more secure using security hybrid generation method using triple hashing technique as perfectly flat honeyword gene ration method. The second aim is to make honeywords more realistic to trap adversary easily

PALPAS - PAsswordLess PAssword Synchronization

Tools that synchronize passwords over several user devices typically store the encrypted passwords in a central online database. For encryption, a low-entropy, password-based key is used. Such a database may be subject to unauthorized access which can lead to the disclosure of all passwords by an offline brute-force attack. In this paper, we present PALPAS, a secure and user-friendly tool that synchronizes passwords between user devices without storing information about them centrally. The idea of PALPAS is to generate a password from a high entropy secret shared by all devices and a random salt value for each service. Only the salt values are stored on a server but not the secret. The salt enables the user devices to generate the same password but is statistically independent of the password. In order for PALPAS to generate passwords according to different password policies, we also present a mechanism that automatically retrieves and processes the password requirements of services. PALPAS users need to only memorize a single password and the setup of PALPAS on a further device demands only a one-time transfer of few static data.Comment: An extended abstract of this work appears in the proceedings of ARES 201

Usability of Humanly Computable Passwords

Reusing passwords across multiple websites is a common practice that compromises security. Recently, Blum and Vempala have proposed password strategies to help people calculate, in their heads, passwords for different sites without dependence on third-party tools or external devices. Thus far, the security and efficiency of these "mental algorithms" has been analyzed only theoretically. But are such methods usable? We present the first usability study of humanly computable password strategies, involving a learning phase (to learn a password strategy), then a rehearsal phase (to login to a few websites), and multiple follow-up tests. In our user study, with training, participants were able to calculate a deterministic eight-character password for an arbitrary new website in under 20 seconds

A Secure Mobile-based Authentication System

Financial information is extremely sensitive. Hence, electronic banking must provide a robust system to authenticate its customers and let them access their data remotely. On the other hand, such system must be usable, affordable, and portable.We propose a challengeresponse based one-time password (OTP) scheme that uses symmetric cryptography in combination with a hardware security module. The proposed protocol safeguards passwords from keyloggers and phishing attacks. Besides, this solution provides convenient mobility for users who want to bank online anytime and anywhere, not just from their own trusted computers.La informació financera és extremadament sensible. Per tant, la banca electrònica ha de proporcionar un sistema robust per autenticar als seus clients i fer-los accedir a les dades de forma remota. D'altra banda, aquest sistema ha de ser usable, accessible, i portàtil. Es proposa una resposta al desafiament basat en una contrasenya única (OTP), esquema que utilitza la criptografia simètrica en combinació amb un mòdul de maquinari de seguretat. Amés, aquesta solució ofereix mobilitat convenient per als usuaris que volen bancària en línia en qualsevol moment i en qualsevol lloc, no només des dels seus propis equips de confiança.La información financiera es extremadamente sensible. Por lo tanto, la banca electrónica debe proporcionar un sistema robusto para autenticar a sus clientes y hacerles acceder a sus datos de forma remota. Por otra parte, dicho sistema debe ser usable, accesible, y portátil. Se propone una respuesta al desafío basado en una contraseña única (OTP), esquema que utiliza la criptografía simétrica en combinación con un módulo hardware de seguridad hardware. Además, esta solución ofrece una movilidad conveniente para los usuarios que quieren la entidad bancaria en línea en cualquier momento y en cualquier lugar, no sólo des de sus propios equipos de confianza