Assessing Relative Weights of Authentication Components: An Expert Panel Approach

Organizations rely on password-based authentication methods to control access to many Web-based systems. In a recent study, we developed a benchmarking instrument to assess the authentication methods used in these contexts. Our instrument developed included extensive literature foundation and an expert panel assessment. This paper reports on the development of the instrument and the expert panel assessment. The initial draft of the instrument was derived from literature to assess 1) password strength requirements, 2) password usage methods, and 3) password reset requirements. Following, the criteria within the index were evaluated by an expert panel and the same panel provided opinions on the relative weights of the criteria and the measures. The expert panel results were collected and analyzed using Multi-Criteria Decision Analysis (MCDA) techniques. We conclude with discussions on how the criteria were assembled, how the expert panel was conducted, and reporting the results from the panel. The results reported include the relative weights within te password usage and password reset measures as well as the relative weights of the three measures within the index

Modeling Online Passwords Protection Intention

Using the Protection Motivation Theory, the paper tests a model password protection intention of online users. Hypotheses are proposed concerning the intention to engage in good password practice. Data were collected from 182 college students who use the Internet. The result suggests that fear, response cost and response efficacy are significantly related to online password protection intention. However, perceived severity and vulnerability are not significant predictors. The study suggests that reducing cognitive costs for passwords is imperative

553 Issues in Information Systems

ABSTRAC

The Forgotten Password: A Solution to Selecting, Securing and Remembering Passwords

Internet passwords are required of us more and more. Personal experience and research shows us that it is difficult to create and remember unique passwords that meet security requirements. This study tested a unique method of password generation based on a selection of mnemonic aids aimed at increasing the usability, security and memorability of passwords. Fifty-one engineers, accountants and university students aged between 17 - 61 years participated in the study. They were randomly assigned to one of three groups: mnemonic, self-selection and random. All passwords in the study had to meet the following criteria: they had to be unique, at least eight characters long with a mixture of letters and numbers, and not include complete words or personal identifiers, sequential or repetitive numbers, and the passwords could not be written down or recorded anywhere. The mnemonic group created passwords based on a variety of mnemonic processes, the self-selection group generated passwords that complied with the above criteria, and the random group were assigned random passwords generated by the experimenter. Password recall was tested online once a week for three weeks, and then the passwords were renewed, with participants staying within the same groups for the length of the study. The second password was tested weekly for three weeks, then the passwords were renewed for the third and final time and tested for a further three weeks. The expectation was that the use of mnemonics in password creation would improve accurate recall of passwords, more so than if the password was 'self-selected' or a random password was assigned. The results showed that participants in the mnemonic group were able to accurately recall all three passwords significantly more often than participants in the self-selection and random groups. Furthermore, passwords created by the mnemonic group were more secure than passwords created by the self-selection group, as their passwords generated had a greater number of characters in them, slightly larger alphabet size, and a higher degree of entropy. The results are discussed in terms of the practical relevance of the findings

Estudo de um sistema numa instituição de seguros no Mercado português

Os maiores ativos de uma instituição seguradora são os dados dos clientes, pois através destes as políticas e objetivos da empresa são planeados e alargados. Esses dados são considerados críticos ou confidenciais, como o caso de nomes, moradas, dados de saúde e sinistros, que devem ser protegidos contra ameaças internas (fraude, erros de utilização) e externas (roubo de informação). A fuga de informação representa graves perdas de uma instituição, cujos danos vão desde perda de reputação ao afastamento de clientes, parceiros e até mesmo colaboradores, processos jurídicos e danos financeiros. Assim, a utilização de palavras-passe fortes, com regras rígidas para a sua gestão, do conhecimento de toda a empresa é importante para manter a Segurança da Informação. Regra geral, para um colaborador autorizado a consultar determinada informação entrar nessas bases de dados, autentica-se através da inserção de um Nome de Utilizador e de uma Palavra-passe num sistema. A gestão de palavras-chave insere-se no Risco Operacional, associado às atividades diárias de uma organização, envolvendo processos, pessoas e sistemas, que hoje em dia é considerado importante para uma gestão empresarial saudável e não apenas todo o risco não quantificável, como era considerado há alguns anos atrás. O objetivo deste trabalho será analisar o processo de gestão de palavras-chave numa seguradora a atuar em Portugal, ou seja, que processos e regras a empresa tem para que os seus colaboradores criem as suas palavras-chave. Será também analisado as ameaças que os sistemas de palavras-passe enfrentam, no geral, e verificar-se-á de que maneiras esta organização protege-se dessas ameaças e como será possível mitigar os riscos existentes, através da melhoria dos processos existentes ou da implementação de novas soluções