• Increasing the number of password verification times by twice or three times can significantly increase password memorability.
• Increasing the number of password verification times by twice or three times does not increase user inconvenience.
• The trade-off between password memorability and user convenience is not proportionately affected.
Passwords are the most frequently used authentication mechanism. However, due to increased password numbers, there has been an increase in insecure password behaviors (e.g., password reuse). Therefore, new and innovative ways are needed to increase password memorability and security. Typically, users are asked to input their passwords once in order to access the system, and twice to verify the password, when they create a new account. But what if users were asked to input their passwords three or four times when they create new accounts? In this study, three groups of participants were asked to verify their passwords once (control group), twice, and three times (two experimental groups). Psychological literature suggests that applying repetition in learning to the password process has significant effects on password memorability. However, previous password research has found a trade-off between password security and memorability, and more recently, user convenience. Our results suggest that verifying passwords three times can increase password memorability from 42% (verifying passwords just once, as with current practice) to 70%. Even increasing the verification to just two times can increase password memorability by 17%. However, we found that increasing the number of verifications did not equate to a decrease in user convenience. What this means is that small changes to the password verification stage can have significant results on password memorability while not necessarily inconveniencing the user. The implications of these results could ultimately have a positive effect on password security, and on the consequences of forgetting passwords.
Learning useful representations from unstructured data is one of the core challenges, as well as a driving force, of modern data-driven approaches. Deep learning has demonstrated the broad advantages of learning and harnessing such representations. In this paper, we introduce a deep generative model representation learning approach for password guessing. We show that an abstract password representation naturally offers compelling and versatile properties that open new directions in the extensively studied, and yet presently active, password guessing field. These properties can establish novel password generation techniques that are neither feasible nor practical with the existing probabilistic and non-probabilistic approaches. Based on these properties, we introduce: (1) a general framework for conditional password guessing that can generate passwords with arbitrary biases; and (2) an Expectation Maximization-inspired framework that can dynamically adapt the estimated password distribution to match the distribution of the attacked password set.
Computer security depends largely on passwords to authenticate human users. However, users have difficulty remembering passwords over time if they choose a secure password, i.e. a password that is long and random. Therefore, they tend to choose short and insecure passwords. Graphical passwords, which consist of clicking on images rather than typing alphanumeric strings, may help to overcome the problem of creating secure and memorable passwords. In this paper we describe PassPoints, a new and more secure graphical password system. We report an empirical study comparing the use of PassPoints to alphanumeric passwords. Participants created and practiced either an alphanumeric or graphical password. The participants subsequently carried out three longitudinal trials to input their password over the course of 6 weeks. The results show that the graphical password users created a valid password with fewer difficulties than the alphanumeric users. However, the graphical users took longer and made more invalid password inputs than the alphanumeric users while practicing their passwords. In the longitudinal trials the two groups performed similarly on memory of their password, but the graphical group took more time to input a password.
The efficiency of the Honeywords approach has been proven to be a significant tool for boosting password security. The suggested system utilizes the Meerkat Clan Algorithm (MCA) in conjunction with WordNet to produce honeywords, thereby enhancing the level of password security. The technique of generating honeywords involves data sources from WordNet, which contributes to the improvement of authenticity and diversity in the honeywords. The method encompasses a series of consecutive stages, which include the tokenization of passwords, the formation of alphabet tokens using the Meerkat Clan Algorithm (MCA), the handling of digit tokens, the creation of unique character tokens, and the consolidation of honeywords. The optimization of the performance of the Meerkat Clan Algorithm (MCA) involves the careful selection of parameters. The experimental findings have exhibited noteworthy levels of precision and optimum efficacy, particularly in tasks such as proposing words with similar meanings, forecasting numerical values, and producing distinctive symbols. The attainment of this achievement is facilitated by a confluence of factors, encompassing the caliber of data, the judicious use of algorithms or models, and the ongoing process of iterative improvement to consistently enhance outcomes. In order to achieve the appropriate levels of accuracy and functionality, it is crucial to engage in the process of conducting experiments, thoroughly testing the system, and making necessary improvements. The empirical findings provide confirmation of the effectiveness of the MCA in producing a varied and protected collection of honeywords. This is especially evident in the case of alphabet tokens, which are distinguished by their autonomous creation and strong security characteristics. The analysis of correction rates, specifically in relation to the password "Lion1999*," demonstrates the aforementioned results.
This study reveals an average accuracy of honeyword production up to 0.729847632111541. In the same manner, the accuracy of the password "house2000" is determined to be 0.761325846711256. Additionally, when considering a sample of 100 passwords, the mean accuracy of honeyword creation is calculated to be 0.7073897168887518. The findings collectively highlight the effectiveness of the MCA in generating honeywords that possess improved security characteristics.
Keystroke dynamics authentication is a method of authenticating a user and could be an alternative or addition to one-time codes, with minimal user inconvenience. In this study, a new data set was collected for 6 unique passwords, adding to the limited available data sets for keystroke dynamics available for researchers. Data was collected by emulating legitimate users familiar with the passwords and a wider range of attackers with limited login attempts. The data set is analyzed with the use of various methods, and the effects of password length and complexity are investigated. Two algorithms were employed, one achieving an average equal error rate varying between 10.2 and 18.1% depending on the password, and the other method achieving an average true accept rate of 98% and true reject rate of 90.4% by comparing across multiple individuals in the data set. These results provide a benchmark for further studies on this data set.
• Construct a batch dynamic password management system architecture.
• Design a batch password generation algorithm using the SM3 cryptographic hash algorithm.
• Introduce an abnormal password update mechanism with zero trust.
• Propose a resilient blockchain password storage scheme.
The rapid development of the Industrial Internet has promoted the deep integration of Information Technology (IT) and Industrial Control (IC), so that network attacks have gradually invaded the IC zone. Password security is the first line of defense for ensuring the security of IC devices. In this paper, we propose a secure Batch Dynamic Password Management (BDPM) scheme for Industrial Internet environments. Aiming to automatically configure strong passwords for IC devices, our scheme provides a batch password generation algorithm based on the SM3 Cryptographic Hash Algorithm, which hashes the input string and then truncates and substitutes characters of the hash value to ensure the uniqueness and crack resistance of passwords. Moreover, we continuously monitor the status of vulnerable IT devices through a zero trust anomaly monitoring mechanism and introduce a password updating mechanism for relevant IC devices, which is triggered by sending an alarm to IC devices that have interaction rights with the compromised IT device. Subsequently, we construct a resilient blockchain called PS_chain and execute two different password storage schemes based on the threshold of password updates to ensure storage security and reduce the load on block storage. The security analysis shows that our scheme can defend against the threat model and can comprehensively improve the security of IC device passwords. The simulation results show that our scheme can enhance the strength of IC device passwords while securely storing IC device passwords in a low-load manner.
Measuring password guessability for an entire university
Mazurek, Michelle L.; Komanduri, Saranga; Vidas, Timothy ...
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, 11/2013
Conference Proceeding
Open access
Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood.
We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Key aspects of our contributions rest on our (indirect) access to plaintext passwords. We describe our data collection methodology, particularly the many precautions we took to minimize risks to users. We then analyze how guessable the collected passwords would be during an offline attack by subjecting them to a state-of-the-art password cracking algorithm. We discover significant correlations between a number of demographic and behavioral factors and password strength. For example, we find that users associated with the computer science school make passwords more than 1.5 times as strong as those of users associated with the business school. In addition, we find that stronger passwords are correlated with a higher rate of errors entering them.
We also compare the guessability and other characteristics of the passwords we analyzed to sets previously collected in controlled experiments or leaked from low-value accounts. We find more consistent similarities between the university passwords and passwords collected for research studies under similar composition policies than we do between the university passwords and subsets of passwords leaked from low-value accounts that happen to comply with the same policies.
In the digital age, information is drastically exchanged among users. This data exchange paved the way for unsolicited access by cybercriminals, which could lead to psychological and financial loss. In this study, through a pre- and posttest experimental design, 668 Indian teenagers aged between fifteen and nineteen were evaluated last year. The preliminary study revealed low performance by teenagers in e-mail practices, password management, software practices, social media usage, and privacy settings. Through a novel intervention, 36 teenagers were observed through a curated information security module. The pretest and posttest analyses significantly supported the effects of security training, and Cohen's d effect size reiterated the importance of progressive outcomes in their security literacy and practices. The intervention focused on the importance of threat perception and coping appraisal for inculcating security parameters and behavioral change among the teenagers.