887 research outputs found

    Passwords and the evolution of imperfect authentication

    Get PDF
    Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology.This is the author accepted manuscript. The final version is available from ACM via http://dx.doi.org/10.1145/269939

    Nudging folks towards stronger password choices:providing certainty is the key

    Get PDF
    Persuading people to choose strong passwords is challenging. One way to influence password strength, as and when people are making the choice, is to tweak the choice architecture to encourage stronger choice. A variety of choice architecture manipulations i.e. “nudges”, have been trialled by researchers with a view to strengthening the overall password profile. None has made much of a difference so far. Here we report on our design of an influential behavioural intervention tailored to the password choice context: a hybrid nudge that significantly prompted stronger passwords.We carried out three longitudinal studies to analyse the efficacy of a range of “nudges” by manipulating the password choice architecture of an actual university web application. The first and second studies tested the efficacy of several simple visual framing “nudges”. Password strength did not budge. The third study tested expiration dates directly linked to password strength. This manipulation delivered a positive result: significantly longer and stronger passwords. Our main conclusion was that the final successful nudge provided participants with absolute certainty as to the benefit of a stronger password, and that it was this certainty that made the difference

    Lessons learned from evaluating eight password nudges in the wild

    Get PDF
    Background. The tension between security and convenience, when creating passwords, is well established. It is a tension that often leads users to create poor passwords. For security designers, three mitigation strategies exist: issuing passwords, mandating minimum strength levels or encouraging better passwords. The first strategy prompts recording, the second reuse, but the third merits further investigation. It seemed promising to explore whether users could be subtly nudged towards stronger passwords.Aim. The aim of the study was to investigate the influence of visual nudges on self-chosen password length and/or strength.Method. A university application, enabling students to check course dates and review grades, was used to support two consecutive empirical studies over the course of two academic years. In total, 497 and 776 participants, respectively, were randomly assigned either to a control or an experimental group. Whereas the control group received no intervention, the experimental groups were presented with different visual nudges on the registration page of the web application whenever passwords were created. The experimental groups’ password strengths and lengths were then compared that of the control group.Results. No impact of the visual nudges could be detected, neither in terms of password strength nor length. The ordinal score metric used to calculate password strength led to a decrease in variance and test power, so that the inability to detect an effect size does not definitively indicate that such an effect does not exist.Conclusion. We cannot conclude that the nudges had no effect on password strength. It might well be that an actual effect was not detected due to the experimental design choices. Another possible explanation for our result is that password choice is influenced by the user’s task, cognitive budget, goals and pre-existing routines. A simple visual nudge might not have the power to overcome these forces. Our lessons learned therefore recommend the use of a richer password strength quantification measure, and the acknowledgement of the user’s context, in future studies

    Guidelines for ethical nudging in password authentication

    Get PDF
    Nudging has been adopted by many disciplines in the last decade in order to achieve behavioural change. Information security is no exception. A number of attempts have been made to nudge end-users towards stronger passwords. Here we report on our deployment of an enriched nudge displayed to participants on the system enrolment page, when a password has to be chosen. The enriched nudge was successful in that participants chose significantly longer and stronger passwords. One thing that struck us as we designed and tested this nudge was that we were unable to find any nudge-specific ethical guidelines to inform our experimentation in this context. This led us to reflect on the ethical implications of nudge testing, specifically in the password authentication context. We mined the nudge literature and derived a number of core principles of ethical nudging. We tailored these to the password authentication context, and then show how they can be applied by assessing the ethics of our own nudge. We conclude with a set of preliminary guidelines derived from our study to inform other researchers planning to deploy nudge-related techniques in this context

    Reconceptualizing Knowledge Based Authentication for Augmented and Virtual Reality Contexts

    Get PDF
    Augmented and Virtual Reality (AR/VR) technology has advanced significantly in recent years, with recent applications in military, medicine, and education. Currently, most security artifacts utilized in AR/VR contexts are drawn from existing computing. These artifacts, however, were developed during the early ages of computing, to satisfy a completely different set of assumptions. In the context of AR/VR these assumptions have changed significantly. This research seeks to develop a general model of knowledge-based authentication (KBA). The model will be evaluated in the AR/VR context. This research will draw attention to the importance of considering security artifacts in the context for which they are being used, not for which they were originally developed. This work is expected to guide development of knowledge-based authentication in AR/VR, as well as provide guidance as future computing technologies are developed
    • …
    corecore