Security issues in text-based password authentication are rarely caused by technical flaws, but rather by the limitations of human memory and human perception, together with the behaviours that follow from them. This study introduces a new user-friendly guideline approach to password creation, including persuasive messages that motivate and influence users to select more secure and memorable text passwords without overburdening their memory. From a broad understanding of security problems caused by human factors, we offer a reliable solution by encouraging users to create their own formula for composing passwords. A study was conducted to evaluate the efficiency of the proposed password guidelines. Its results suggest that the password creation methods and persuasive message provided to users convinced them to create cryptographically strong and memorable passwords. Participants were divided into two groups. Participants in the experimental group, who were given several password creation methods along with a persuasive message, created more secure and memorable passwords than participants in the control group, who were asked to comply with the usual strict password creation rules. The study also suggests that our password creation methods are much more efficient than strict password policy rules. The security and usability evaluation of the proposed password guideline showed that simple improvements, such as adding persuasive text to the usual guidelines consisting of several password restriction rules, make significant changes to the strength and memorability of passwords. The proposed password guidelines are a low-cost solution to the problem of improving the security and usability of text-based passwords.
In this paper, we propose SPADE, an encrypted data deduplication scheme that resists compromised key servers and frees users from the key management problem. Specifically, we propose a proactivization mechanism for servers-aided message-locked encryption (MLE) that periodically substitutes key servers with newly employed ones, which renews the security protection while retaining encrypted data deduplication. We present a servers-aided password-hardening protocol to resist dictionary guessing attacks. Based on this protocol, we further propose a password-based layered encryption mechanism and a password-based authentication mechanism and integrate them into SPADE to enable users to access their data using only their passwords. Provable security and high efficiency of SPADE are demonstrated by comprehensive analyses and experimental evaluations.
Attackers increasingly use passwords leaked from one website to compromise associated accounts on other websites. Such targeted attacks work because users reuse, or pick similar, passwords for different websites. We recast one of the core technical challenges underlying targeted attacks as the task of modeling the similarity of human-chosen passwords. We show how to learn good password similarity models using a compilation of 1.4 billion leaked (email, password) pairs. Using our trained models of password similarity, we exhibit the most damaging targeted attack to date. Simulations indicate that our attack compromises more than 16% of user accounts in less than a thousand guesses, should one of their other passwords be known to the attacker, and despite the use of state-of-the-art countermeasures. We show via a case study involving a large university authentication service that the attacks are also effective in practice. We go on to propose the first defense against such targeted attacks, by way of personalized password strength meters (PPSMs). These are password strength meters that can warn users when they are picking passwords that are vulnerable to attacks, including targeted ones that take advantage of the user's previously compromised passwords. We design and build a PPSM that can be compressed to less than 3 MB, making it easy to deploy in order to accurately estimate the strength of a password against all known guessing attacks.
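The two ideas in this abstract, a similarity model that orders targeted guesses and a personalized strength meter built on top of it, can be sketched with a rule-based stand-in. This is an added example, not the paper's learned model or code: the similarity "model" here is a fixed list of transformations users commonly apply (verbatim reuse, case change, trailing-number increment, common suffixes, leet substitution), and the (leaked password, same user's other password) pairs are constructed for illustration, not leaked data.

```python
"""Rule-based stand-in for a password similarity model.

Added example: expands a known (leaked) password into an ordered list of
targeted guesses, simulates the targeted attack on a constructed sample of
password pairs, and reuses the same guess list as a PPSM-style check that
warns when a new password is within N guesses of an old compromised one.
"""
import re
from typing import List, Optional, Sequence, Tuple

# Hand-written transformation rules (an assumption of this example; the paper
# learns its similarity model from 1.4 billion leaked pairs instead).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["1", "12", "123", "!", "1!", "2024", "2023", "01", "!!", "#"]


def _increment_trailing_number(pw: str) -> Optional[str]:
    """'summer2023' -> 'summer2024', 'pass09' -> 'pass10'; None if no trailing digits."""
    m = re.search(r"(\d+)$", pw)
    if not m:
        return None
    digits = m.group(1)
    return pw[: m.start()] + str(int(digits) + 1).zfill(len(digits))


def targeted_guesses(known: str, limit: int = 1000) -> List[str]:
    """Ordered guess list derived from one known password, most likely first:
    verbatim/case variants, trailing-number bump, common suffixes, leet."""
    out: List[str] = []
    seen = set()

    def add(cand: Optional[str]) -> None:
        if cand and cand not in seen and len(out) < limit:
            seen.add(cand)
            out.append(cand)

    # The 'word' part of the password, with trailing digits/symbols stripped.
    stem = re.sub(r"[\d!@#$%^&*]+$", "", known)
    bases = [known, known.capitalize(), known.lower(), known.upper(), stem, stem.capitalize()]
    for b in bases[:4]:           # tier 1: exact reuse and case changes
        add(b)
    add(_increment_trailing_number(known))   # tier 2: yearly rotation pattern
    for b in bases:               # tier 3: common suffixes on every base
        for s in SUFFIXES:
            add(b + s)
    for b in bases:               # tier 4: leet substitution, with and without suffix
        leet = b.translate(LEET)
        add(leet)
        for s in SUFFIXES:
            add(leet + s)
    return out


def guess_rank(known: str, target: str, limit: int = 1000) -> Optional[int]:
    """1-based position of `target` in the targeted guess list, or None if beyond `limit`."""
    guesses = targeted_guesses(known, limit)
    return guesses.index(target) + 1 if target in guesses else None


# Constructed sample (not leaked data): password leaked from site A, password on site B.
SAMPLE_PAIRS: List[Tuple[str, str]] = [
    ("summer2023", "summer2024"),   # yearly rotation
    ("dragon", "Dragon1"),          # capitalise and append a digit
    ("letmein", "letmein"),         # verbatim reuse
    ("princess", "pr1nc3$$"),       # leet substitution
    ("qwerty12", "hunter2"),        # unrelated password: should survive
]


def simulate_attack(pairs: Sequence[Tuple[str, str]], limit: int = 1000) -> Tuple[int, int]:
    """(accounts compromised within `limit` guesses, accounts attacked)."""
    hits = sum(1 for known, target in pairs if guess_rank(known, target, limit) is not None)
    return hits, len(pairs)


def ppsm_warning(candidate: str, compromised_history: Sequence[str], limit: int = 1000) -> Optional[str]:
    """PPSM-style check: warn if the candidate lies within `limit` targeted
    guesses of any previously compromised password of the same user."""
    for old in compromised_history:
        rank = guess_rank(old, candidate, limit)
        if rank is not None:
            return f"'{candidate}' is targeted guess #{rank} from your leaked password '{old}'"
    return None


if __name__ == "__main__":
    hits, total = simulate_attack(SAMPLE_PAIRS)
    print(f"targeted attack: {hits}/{total} accounts within 1000 guesses")
    print(ppsm_warning("Dragon1", ["dragon"]))
```

Even this handful of rules recovers four of the five constructed pairs, which is the point of the attack: a per-user guess list built from one leaked password is far shorter than any trawling dictionary. The PPSM check simply asks the same question from the defender's side before the password is accepted.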
•Increasing the number of password verification times to two or three can significantly increase password memorability.
•Increasing the number of password verification times to two or three does not increase user inconvenience.
•The trade-off between password memorability and user convenience is not proportionately affected.
Passwords are the most frequently used authentication mechanism. However, due to the increased number of passwords per user, there has been an increase in insecure password behaviors (e.g., password reuse). Therefore, new and innovative ways are needed to increase password memorability and security. Typically, users are asked to input their password once in order to access a system, and twice, to verify the password, when they create a new account. But what if users were asked to input their passwords three or four times when they create new accounts? In this study, three groups of participants were asked to verify their passwords once (control group), twice, and three times (two experimental groups). Psychological literature suggests that applying repetition in learning to the password process has significant effects on password memorability. However, previous password research has found a trade-off between password security and memorability and, more recently, user convenience. Our results suggest that verifying passwords three times can increase password memorability from 42% (verifying passwords just once, as with current practice) to 70%. Even increasing the verification to just two times can increase password memorability by 17%. However, we found that increasing the number of verifications did not equate to a decrease in user convenience. This means that small changes to the password verification stage can have significant results for password memorability while not necessarily inconveniencing the user. The implications of these results could ultimately have a positive effect on password security and on the consequences of forgetting passwords.
Long passwords are gaining popularity in password policy recommendations; however, data-driven guessing studies are woefully inadequate in adapting to long passwords, lacking both guessing efficiency and composition guidelines. For state-of-the-art data-driven password guessing methods such as PCFGs (Probabilistic Context-Free Grammars), guessing efficiency is limited by the availability of large-scale training data. Given that long passwords leaked in the real world are typically scarce, and that the performance of data-driven methods depends on training data, obtaining good performance on long passwords has become a key challenge. To overcome the dataset limitation, we propose a framework, TransPCFG, that transfers knowledge (i.e., the grammars in PCFGs) from short passwords to facilitate long password guessing. We further perform an empirical evaluation on three real-world datasets, and the results demonstrate superior performance over the state-of-the-art data-driven guessing methods within 10^14 offline guesses. For passwords with 16 characters, TransPCFG compromises an average of 23.30% of the passwords, outperforming PCFG_v4.1 by 56.10%. Additionally, for better password-composition guidelines, we find that long-password composition policies requiring more segments are more resistant to guessing attacks. As an example of segments, the password 12zxcvbnword1997 has four segments, since it follows the template Digit_2 Keyboard_6 Letter_4 Year_4. We thus recommend that users create long passwords with four or more segments, instead of the widely recommended additional character classes, for security.
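The segment template in the abstract (12zxcvbnword1997 parsing to Digit_2 Keyboard_6 Letter_4 Year_4) can be produced by a small segmenter, which also makes the proposed "four or more segments" policy checkable at password-creation time. This is an added example, not TransPCFG's code, and it simplifies the paper's segment classes: Keyboard means a run of four or more horizontally adjacent QWERTY keys (vertical and diagonal walks are not detected), Year means a four-digit run 1900-2099, and all other runs are classified by character class.

```python
"""Segment a password into a PCFG-style template and check a segment-count policy.

Added example with simplified segment classes (Digit, Letter, Symbol, plus
Keyboard for horizontal QWERTY walks and Year for 19xx/20xx digit runs).
"""
import re
from typing import List, Tuple

QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}
MIN_WALK = 4  # shortest run of adjacent keys we call a keyboard walk (assumption)


def _adjacent(a: str, b: str) -> bool:
    """True if a and b are neighbouring keys on the same QWERTY row."""
    pa, pb = _POS.get(a.lower()), _POS.get(b.lower())
    return pa is not None and pb is not None and pa[0] == pb[0] and abs(pa[1] - pb[1]) == 1


def _split_keyboard_walks(run: str, base: str) -> List[Tuple[str, str]]:
    """Split one same-class run into Keyboard walks and leftover pieces of class `base`."""
    segs: List[Tuple[str, str]] = []
    buf = ""
    i = 0
    while i < len(run):
        j = i
        while j + 1 < len(run) and _adjacent(run[j], run[j + 1]):
            j += 1
        if j - i + 1 >= MIN_WALK:          # maximal adjacent chain long enough to count
            if buf:
                segs.append((base, buf))
                buf = ""
            segs.append(("Keyboard", run[i:j + 1]))
            i = j + 1
        else:                               # too short: keep as ordinary character
            buf += run[i]
            i += 1
    if buf:
        segs.append((base, buf))
    return segs


def segment(password: str) -> List[Tuple[str, str]]:
    """List of (class, text) segments, e.g. [('Digit','12'), ('Keyboard','zxcvbn'), ...]."""
    segs: List[Tuple[str, str]] = []
    for m in re.finditer(r"[A-Za-z]+|\d+|[^A-Za-z\d]+", password):
        run = m.group()
        if re.fullmatch(r"[A-Za-z]+", run):
            base = "Letter"
        elif run.isdigit():
            base = "Digit"
        else:
            base = "Symbol"
        for cls, piece in _split_keyboard_walks(run, base):
            if cls == "Digit" and re.fullmatch(r"(19|20)\d\d", piece):
                cls = "Year"
            segs.append((cls, piece))
    return segs


def template(password: str) -> str:
    """Template string in the abstract's notation, e.g. 'Digit_2 Keyboard_6 Letter_4 Year_4'."""
    return " ".join(f"{cls}_{len(piece)}" for cls, piece in segment(password))


def meets_segment_policy(password: str, min_segments: int = 4) -> bool:
    """The abstract's recommendation: long passwords should have four or more segments."""
    return len(segment(password)) >= min_segments


if __name__ == "__main__":
    for pw in ["12zxcvbnword1997", "password123", "Qwerty!2020"]:
        print(f"{pw:20} {template(pw):40} policy ok: {meets_segment_policy(pw)}")
```

Note what the segment count rewards and what it does not: `password123` is eleven characters with two character classes but only two segments, while the sixteen-character example reaches four because the keyboard walk and the year are recognised as their own units, which is exactly why a PCFG with those non-terminals guesses them cheaply.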
Zipf's Law in Passwords
Wang, Ding; Cheng, Haibo; Wang, Ping
IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, November 2017
Journal article, peer-reviewed
Despite three decades of intensive research efforts, it remains an open question what the underlying distribution of user-generated passwords is. In this paper, we make a substantial step forward toward understanding this foundational question. By introducing a number of computational statistical techniques, and based on 14 large-scale data sets consisting of 113.3 million real-world passwords, we propose, for the first time, two Zipf-like models (i.e., PDF-Zipf and CDF-Zipf) to characterize the distribution of passwords. More specifically, our PDF-Zipf model fits the popular passwords well and obtains a coefficient of determination larger than 0.97; our CDF-Zipf model fits the entire password data set well, with the maximum cumulative distribution function (CDF) deviation between the empirical distribution and the fitted theoretical model being 0.49%-4.59% (1.85% on average). With this concrete knowledge of password distributions, we suggest a new metric for measuring the strength of password data sets. Extensive experimental results show the effectiveness and general applicability of the proposed Zipf-like models and security metric.
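The two goodness-of-fit figures quoted above, the coefficient of determination of the PDF-Zipf fit on the popular passwords and the maximum CDF deviation of the CDF-Zipf fit on the whole data set, are straightforward to compute from a rank-frequency list. The following is an added example, not the paper's code: both models are fitted by ordinary least squares in log-log space, and the input is a constructed frequency table sampled from a CDF-Zipf curve (so the CDF fit recovers its generating parameters almost exactly; on real leaks the abstract reports deviations of 0.49%-4.59%). The `fraction_cracked` helper and the parameter names are this example's, not the metric the paper proposes.

```python
"""Fit PDF-Zipf (f_r = C * r^-s) and CDF-Zipf (F_r = C' * r^s') to a password
frequency list and compute R^2 and the maximum CDF deviation.

Added example; the frequency table is constructed, not a leaked data set.
"""
import math
from typing import Dict, List, Optional, Sequence, Tuple


def _linear_fit(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float, float]:
    """Ordinary least squares y = a + b*x.  Returns (a, b, R^2)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = my - b * mx
    ss_res = sum((y - (a + b * x)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - my) ** 2 for y in ys)
    return a, b, 1.0 - ss_res / ss_tot


def rank_frequencies(counts: Dict[str, int]) -> List[int]:
    """Counts sorted so that f_1 >= f_2 >= ...: the rank-frequency list Zipf models use."""
    return sorted(counts.values(), reverse=True)


def fit_pdf_zipf(freqs: Sequence[int], top: Optional[int] = None) -> Tuple[float, float, float]:
    """PDF-Zipf on the `top` most popular passwords: log f_r = log C - s log r.
    Returns (C, s, R^2); the abstract reports R^2 > 0.97 on real data."""
    fr = list(freqs[:top]) if top else list(freqs)
    xs = [math.log(r) for r in range(1, len(fr) + 1)]
    ys = [math.log(f) for f in fr]
    a, b, r2 = _linear_fit(xs, ys)
    return math.exp(a), -b, r2


def fit_cdf_zipf(freqs: Sequence[int]) -> Tuple[float, float, float]:
    """CDF-Zipf on the whole list: log F_r = log C' + s' log r, F_r = cumulative share.
    Returns (C', s', max_deviation) with max_deviation = max_r |F_emp(r) - F_fit(r)|."""
    total = sum(freqs)
    emp: List[float] = []
    cum = 0
    for f in freqs:
        cum += f
        emp.append(cum / total)
    xs = [math.log(r) for r in range(1, len(freqs) + 1)]
    ys = [math.log(F) for F in emp]
    a, b, _ = _linear_fit(xs, ys)
    c, s = math.exp(a), b
    max_dev = max(abs(e - c * r ** s) for r, e in enumerate(emp, start=1))
    return c, s, max_dev


def fraction_cracked(c: float, s: float, guesses: int) -> float:
    """Share of accounts covered by the `guesses` most popular passwords, read off
    the fitted CDF-Zipf curve (capped at 1).  Example's helper, not the paper's metric."""
    return min(1.0, c * guesses ** s)


def constructed_counts(n: int = 2000, total: int = 10**6, s: float = 0.2) -> Dict[str, int]:
    """Constructed data (not a leak): n distinct passwords whose cumulative share
    follows F_r = n^(-s) * r^s exactly, so F_n = 1 and the counts sum to `total`."""
    c = n ** (-s)
    counts: Dict[str, int] = {}
    prev = 0
    for r in range(1, n + 1):
        cum = round(total * c * r ** s)
        counts[f"pw{r}"] = cum - prev   # placeholder password names
        prev = cum
    return counts


if __name__ == "__main__":
    freqs = rank_frequencies(constructed_counts())
    C, s_pdf, r2 = fit_pdf_zipf(freqs, top=1000)
    Cp, s_cdf, dev = fit_cdf_zipf(freqs)
    print(f"PDF-Zipf: C={C:.1f} s={s_pdf:.3f} R^2={r2:.4f}")
    print(f"CDF-Zipf: C'={Cp:.4f} s'={s_cdf:.4f} max CDF deviation={dev:.2%}")
    print(f"top-10 guesses cover {fraction_cracked(Cp, s_cdf, 10):.1%} of accounts")
```

The practical reading of the CDF-Zipf fit is the last line: because F_r grows as a power of r, a small online guessing budget already covers a disproportionate share of accounts, which is why the fitted (C', s') pair says more about a data set's resistance to guessing than any per-password strength estimate.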
Online services generally employ password-based systems to enable users to access personal/private content. These services also force their users to change their passwords periodically under specific policies to increase security. However, analysis of breached data reveals that current policies do not consider users' password selection habits and pose critical security and privacy concerns. Additionally, when passwords are leaked, attackers have the opportunity to study, and possibly identify, the structure or pattern of a user's password selections. This way, attackers could predict the next password or reduce the search space considerably in their attacks. Therefore, this study proposes a novel behavior-based password policy to increase the present security level and avoid further exploitation if a breach occurs. This study uses statistical methods and visualization techniques to examine the password selection behaviors of over ten million UserID-password pairs collected from anonymously shared data breaches. The data set is anonymized while keeping the uniqueness of UserID-password pairs and is shared with other researchers along with the extracted features. Results show that user password selection patterns can be generalized and used to increase the success rate of attacks.
•Construct a batch dynamic password management system architecture.
•Design a batch password generation algorithm using the SM3 cryptographic hash algorithm.
•Introduce an abnormal password update mechanism based on zero trust.
•Propose a resilient blockchain password storage scheme.
The rapid development of the Industrial Internet has promoted the deep integration of Information Technology (IT) and Industrial Control (IC), so that network attacks have gradually spread into the IC zone. Password security is the first line of defense for the security of IC devices. In this paper, we propose a secure Batch Dynamic Password Management (BDPM) scheme for Industrial Internet environments. Aiming to automatically configure strong passwords for IC devices, our scheme provides a batch password generation algorithm based on the SM3 cryptographic hash algorithm, which hashes the input string and then truncates and substitutes characters of the hash value to ensure the uniqueness and crack resistance of the passwords. Moreover, we continuously monitor the status of vulnerable IT devices through a zero-trust anomaly monitoring mechanism and introduce a password updating mechanism for the relevant IC devices, triggered by sending an alarm to the IC devices that have interaction rights with the compromised IT device. Subsequently, we construct a resilient blockchain called PS_chain and execute two different password storage schemes, selected by a threshold on the number of password updates, to ensure storage security and reduce the load on block storage. The security analysis shows that our scheme can defend against the threat model and comprehensively improve the security of IC device passwords. The simulation results show that our scheme can enhance the strength of IC device passwords while securely storing them in a low-load manner.
Identity authentication is the first line of defense for network security. Passwords have been the most widely used authentication method in recent years. Although passwords carry security risks, they will remain the primary method in the future due to their simplicity and low cost. Considering both the security and the usability of passwords, we propose AvoidPwd, a novel mnemonic password generation strategy based on keyboard transformation. AvoidPwd helps users customize a "route" that bypasses an "obstacle" and choose the characters on the "route" as the final password. The "obstacle" is a word in any language, and the keys adjacent to the "obstacle" are typed with the "Shift" key held. A two-part experiment was conducted to examine the memorability and security of the AvoidPwd strategy against three other password strategies and three leaked password sets. The results showed that the passwords generated by the AvoidPwd strategy were more secure than the leaked password sets. Meanwhile, AvoidPwd outperformed KbCg, SpIns, and Alphapwd in balancing security and usability. In addition, the character distribution of AvoidPwd contains more symbols than those of the other strategies. AvoidPwd is a promising way to address the problem that people find symbols hard to remember and therefore tend to enter only letters and digits when creating passwords.