Improving password system effectiveness.

As computers reach more aspects of our everyday life, so too do the passwords that keep them secure. Coping with these passwords can be a problem for many individuals and organisations who have to deal with the consequences of passwords being forgotten, yet little is known of this issue. This thesis considers the effectiveness of password authentication systems for three groups of stakeholders including users, support staff, and system owners. The initial problem of how to create memorable but secure passwords is reconceptualised as how to improve password system effectiveness. Interview, questionnaire, and system log studies in BT, and experiments at UCL-CS confirm some basic hypotheses about key variables impacting performance, and show that other variables than the memorability of password content are also important which have hitherto not figured in security research and practice. Interventions based on these findings are proposed. Empirical evaluation suggests that the interventions proposed that 'redesign' the user but exclude other parts of the system would fail. Reason's (1990) Generic Error Modelling System (GEMS) is used as a basis for modelling password system performance at the level of individual users. GEMS and the Basic Elements of Production are used generalise these findings, and for the first time to model information security. This new model, "Elevation", is validated by expert review, and a modified version is presented