Your search keyword '"Password policy"' showing total 1,597 results

1. Delving Deep into Reverse Engineering of UEFI Firmwares via Human Interface Infrastructure.

Author

Chen, Siyi, Tan, Yu-An, Qiu, Kefan, Zhang, Zheng, Li, Yuanzhang, and Zhang, Quanxin

Subjects

REVERSE engineering, HUMAN beings

Abstract

The Unified Extensible Firmware Interface (UEFI) provides a specification of the software interface between an OS and its underlying platform firmware. UEFI UI is an interactive interface that allows users to configure and manage UEFI settings, which is closely related to HII (Human Interface Infrastructure). In practice, HII provides a mechanism that allows developers to create UI elements with HII-related protocols. In this paper, we provide a comprehensive analysis of the UEFI combined with a case study. We proposed a protocol-centered static analysis method to obtain UEFI's password policy, using HII-related protocols to find password implementation. Existing static analyses are ineffective in detecting such password policy in stripped UEFI firmware images. By reverse-engineering the IFR (Internal Forms Representation) in HII, we located where much sensitive information is stored. Lastly, we studied hardware port configurations, using Secure Boot as a case in point. We analyzed how UEFI uses the HII protocol to set relevant information in the UEFI UI. This paper is the first to offer a reverse-engineering systematic analysis of exploring UEFI via HII, providing valuable insights into its structure and potential enhancements for firmware security. [ABSTRACT FROM AUTHOR]

Published

2023

2. Dynamically Generate Password Policy via Zipf Distribution.

Author

Xiao, Yang and Zeng, Jianping

Abstract

Password composition policies are helpful in strengthening password’s resistance against guessing attacks. Sadly, existing off-the-shelf composition policies often remain static, which creates potential security vulnerability. In this paper, we propose a new adaptive password policy generation framework called HTPG. Based on the Zipf distribution of passwords, HTPG classifies all passwords in data set into two categories, that is, head passwords and tail passwords. We find that head passwords are vulnerable and high-value for attackers because they are most frequently used, while tail passwords have higher strength than head passwords. According to this fact, HTPG dynamically generates policies to enhance head passwords by modifying them so as to be closer to tail passwords on feature space. By introducing the idea of machine learning, we propose a policy sort method based on information gain ratio to help user choose more effective policies in enhancing head passwords. HTPG can effectively improve the security of entire password data set and make the password distribution more uniform. Experiments show that the number of cracked head passwords decreases 69% on average, compared with the original head passwords, by adopting policies generated by HTPG. Surveys on usability show that 80.23% enhanced passwords can be recalled by those who remember the corresponding original passwords. [ABSTRACT FROM AUTHOR]

Published

2022

3. Password Policies Adopted by South African Organizations: Influential Factors and Weaknesses

Author

Maoneke, Pardon Blessings, Flowerday, Stephen, Barbosa, Simone Diniz Junqueira, Series Editor, Filipe, Joaquim, Series Editor, Kotenko, Igor, Series Editor, Sivalingam, Krishna M., Series Editor, Washio, Takashi, Series Editor, Yuan, Junsong, Series Editor, Zhou, Lizhu, Series Editor, Ghosh, Ashish, Series Editor, Venter, Hein, editor, Loock, Marianne, editor, Coetzee, Marijke, editor, Eloff, Mariki, editor, and Eloff, Jan, editor

Published

2019

4. Is My Password Strong Enough?: A Study on User Perception in The Developing World

Author

Tangila Tanni, Tanjin Taharat, Muhammad Parvez, Sarker Rumee, and Moinul Zaber

Subjects

password strength, user perception, password policy, security, usability, memorability, Technology

Abstract

INTRODUCTION: The first line of defense in the cyber world is strong and difficult to predict passwords. However, usersoften choose highly predictable passwords based on personal information, dictionary words, birth date, etc.OBJECTIVES: The primary objective is to ascertain password choice and practices of users of developing countries.METHODS: Most of the existing studies are done in the developed world and our exhaustive search failed to find similarresearch in the context of developing countries. Here, we conducted detailed surveybased scrutiny about the password-based security perceptions of Bangladeshi nationals, which include 881 participants, primarily students, and professionals.RESULTS: Most of the users were found to have bad practices, for example, having personal information(56%), passwordreuse(69%), having commonly used patterns(81.3%). Students from technical backgrounds fared well compared tonon-technical backgrounds as expected. However, some professionals (especially Bankers) surprisingly chose weakerpasswords even though dealing with sensitive data.CONCLUSION: We also make a few recommendations to improve awareness.

Published

2022

5. PassMon: A Technique for Password Generation and Strength Estimation.

Author

Murmu, Sanjay, Kasyap, Harsh, and Tripathy, Somanath

Abstract

The password is the most prevalent and reliant mode of authentication by date. We often come across many websites with user registration pages having different password strength estimation techniques. Most of them run lightweight java-script-based rules on the client-side, while others take it to the server and evaluate. The same password is measured on different scales and is treated as invalid, weak, medium, or strong by different meters. These constraints compel users to choose weak passwords. The state-of-the-art password guessing and strength estimating techniques are trained on the publicly available leaked data sets. They are able to cope with the dictionary attacks but became prone to adversarial attacks. Creating dynamic rules for such attacks is tedious and infeasible. This paper proposes an ensemble approach with a classification and guessing strategy. We devise a bi-directional generative adversarial network based algorithm to generate personalized passwords with an improved convergence rate. It generates as many numbers of samples compared to GAN in less time. The one-class SVM is trained over the leaked and generated passwords to estimate password strength. The passwords mainly comprise the medium and weak category, and it gives better performance drawing a similarity between weak passwords. LSTM has been tuned to predict the difficulty level to crack the given test password. Based on their combined results, the password strength is determined. This paper also proposes three password design methods to create memorable and reasonably strong passwords. They are simple to design by taking user personal information and adding randomness based on functional patterns. [ABSTRACT FROM AUTHOR]

Published

2022

6. Is My Password Strong Enough?: A Study on User Perception in The Developing World.

Author

Tanni, Tangila Islam, Taharat, Tanjin, Parvez, Muhammad Shakil, Ahmed Rumee, Sarker T., and Zaber, Moinul Islam

Subjects

DEVELOPING countries, BANKERS

Abstract

INTRODUCTION: The first line of defense in the cyber world is strong and difficult to predict passwords. However, users often choose highly predictable passwords based on personal information, dictionary words, birth date, etc. OBJECTIVES: The primary objective is to ascertain password choice and practices of users of developing countries. METHODS: Most of the existing studies are done in the developed world and our exhaustive search failed to find similar research in the context of developing countries. Here, we conducted detailed surveybased scrutiny about the passwordbased security perceptions of Bangladeshi nationals, which include 881 participants, primarily students, and professionals. RESULTS: Most of the users were found to have bad practices, for example, having personal information(56%), password reuse(69%), having commonly used patterns(81.3%). Students from technical backgrounds fared well compared to non-technical backgrounds as expected. However, some professionals (especially Bankers) surprisingly chose weaker passwords even though dealing with sensitive data. CONCLUSION: We also make a few recommendations to improve awareness. [ABSTRACT FROM AUTHOR]

Published

2022

7. The Effect of Simulation in Large-Scale Data Collection—An Example of Password Policy Development

Author

Chakraborty, J., Nguyen, N., Langdon, Pat, editor, Lazar, Jonathan, editor, Heylighen, Ann, editor, and Dong, Hua, editor

Published

2018

8. Zero-Knowledge Password Policy Check from Lattices

Author

Nguyen, Khoa, Tan, Benjamin Hong Meng, Wang, Huaxiong, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Nguyen, Phong Q., editor, and Zhou, Jianying, editor

Published

2017

9. Certified Password Quality : A Case Study Using Coq and Linux Pluggable Authentication Modules

Author

Ferreira, João F., Johnson, Saul A., Mendes, Alexandra, Brooke, Phillip J., Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Polikarpova, Nadia, editor, and Schneider, Steve, editor

Published

2017

10. Zipf’s law analysis on the leaked Iranian users’ passwords

Author

Alebouyeh, Zeinab and Bidgoly, Amir Jalaly

Published

2022

11. Encouraging users to improve password security and memorability.

Author

Yıldırım, M. and Mackie, I.

Subjects

*COMPUTER passwords, *MEMORY, *HUMAN security, *SECURITY management, *INFORMATION technology security

Abstract

Security issues in text-based password authentication are rarely caused by technical issues, but rather by the limitations of human memory, and human perceptions together with their consequential responses. This study introduces a new user-friendly guideline approach to password creation, including persuasive messages that motivate and influence users to select more secure and memorable text passwords without overburdening their memory. From a broad understanding of human factors-caused security problems, we offer a reliable solution by encouraging users to create their own formula to compose passwords. A study has been conducted to evaluate the efficiency of the proposed password guidelines. Its results suggest that the password creation methods and persuasive message provided to users convinced them to create cryptographically strong and memorable passwords. Participants were divided into two groups in the study. The participants in the experimental group who were given several password creation methods along with a persuasive message created more secure and memorable passwords than the participants in the control group who were asked to comply with the usual strict password creation rules. The study also suggests that our password creation methods are much more efficient than strict password policy rules. The security and usability evaluation of the proposed password guideline showed that simple improvements such as adding persuasive text to the usual password guidelines consisting of several password restriction rules make significant changes to the strength and memorability of passwords. The proposed password guidelines are a low-cost solution to the problem of improving the security and usability of text-based passwords. [ABSTRACT FROM AUTHOR]

Published

2019

12. Human Generated Passwords – The Impacts of Password Requirements and Presentation Styles

Author

Lee, Paul Y., Choong, Yee-Yin, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Tryfonas, Theo, editor, and Askoxylakis, Ioannis, editor

Published

2015

13. Password Policy Languages: Usable Translation from the Informal to the Formal

Author

Steves, Michelle, Theofanos, Mary, Paulsen, Celia, Ribeiro, Athos, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Tryfonas, Theo, editor, and Askoxylakis, Ioannis, editor

Published

2015

14. A Cognitive-Behavioral Framework of User Password Management Lifecycle

Author

Choong, Yee-Yin, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Kobsa, Alfred, editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Weikum, Gerhard, editor, Tryfonas, Theo, editor, and Askoxylakis, Ioannis, editor

Published

2014

15. Clear, Unambiguous Password Policies: An Oxymoron?

Author

Steves, Michelle, Killourhy, Kevin, Theofanos, Mary F., Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Kobsa, Alfred, editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Weikum, Gerhard, editor, and Rau, P. L. Patrick, editor

Published

2014

16. Securing password using dynamic password policy generator algorithm

Author

Anuraj Singh and Sumit Raj

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Password policy, General Computer Science, Computer science, Hash function, 0202 electrical engineering, electronic engineering, information engineering, 020206 networking & telecommunications, 020201 artificial intelligence & image processing, 02 engineering and technology, Algorithm, Time complexity

Abstract

It is proposed to tackle the problem of password leakage of popular websites like Linked-In, Adobe, Gmail, Yahoo, eHarmony, etc. by using dynamic password policy and enhanced hash algorithm. Here, an algorithm is developed that will generate password policies dynamically depending on the frequency of characters. Time complexity is computed, and it is found that the algorithm works fast. Since the algorithm creates password policies dynamically, it will be tough for the attacker to guess the characteristics of the password database.

Published

2022

17. IMPROVING DATA ACCESS SECURITY BY SERVER-SIDE FUNCTIONAL EXTENSIONS

Author

Marek Milosz and Dariusz Draganek

Subjects

security, data access, access time control, password policy, Engineering (General). Civil engineering (General), TA1-2040

Abstract

All Database Management Systems used in the industry provide secure access to data at the server level. The level of security is influenced by technology, security model, password encryption method, password strength and others. The human factor – unreasonable behaviour of users – also has a significant impact on safety. Developers of database applications often implement their security policy by limiting the risk caused by users. This implementation has a disadvantage – it does not work outside of the application. A large number and variety of applications that work with the database server may then create a security gap. The paper presents the authors’ extensions of the functional features implemented in the Oracle database server, increasing the security of data access. The implemented methods of controlling the time of user access to data and limiting the use of serial and modular passwords are also discussed.

Published

2016

18. Zipf’s law analysis on the leaked Iranian users’ passwords

Author

Amir Jalaly Bidgoly and Zeinab Alebouyeh

Subjects

Password, Password policy, Security analysis, Authentication, Software_OPERATINGSYSTEMS, Zipf's law, Computer science, English language, Computer security, computer.software_genre, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Computational Theory and Mathematics, Hardware and Architecture, Computer Science (miscellaneous), Selection (linguistics), computer, Software, Vulnerability (computing)

Abstract

Textual passwords are one of the most common methods of authentication and an important factor in systems security. Knowing the correct distribution of users’ passwords can play an important role in defining password policies and preventing various attacks. Culture and language can affect the pattern of users’ password selection and consequently, influence the vulnerability of passwords to guessing attacks. Therefore, knowing the distribution of English users’ passwords may not be appropriate for the security analysis of non-English users’ passwords. The main purpose of this paper is to analyze the passwords of Iranian users and investigating their differences from English-speaking users. The paper also examines the existence of Zipf’s law on Iranian passwords as the most well-known distribution for passwords. Password analysis of Iranian users shows that the popular password length between Iranian users and users of other countries is not much different, but in terms of the combination of characters used in the passwords, Iranian users are more inclined to use numeric passwords while English language users are more inclined to use passwords made up of alphabet. In this paper, Zipf’s law is reviewed on five datasets of Iranian users’ passwords using three different approaches including PDF, PDF with removing unpopular passwords and, CDF. Among these methods, in the CDF method, the passwords best matched with a Zipf’s law distribution between 0.02 and 0.07. Finally, the robustness of Iranians’ passwords to statistical guessing attacks has been measured and it is concluded that the passwords of Iranian users are more vulnerable to guessing attacks than English language users.

Published

2021

19. Voice Biometrics as a Way to Self-service Password Reset

Author

Hohgräfe, Bernd, Jacobi, Sebastian, Pohlmann, Norbert, editor, Reimer, Helmut, editor, and Schneider, Wolfgang, editor

Published

2010

20. Password Security Assessment of IoT-Devices

Author

Seyum Wolde, Mehir, Hussain, Adeel, Seyum Wolde, Mehir, and Hussain, Adeel

Abstract

With the rapid development of the IoT (Internet of Things) and the integration of connected devices into our households, IoT security is becoming more important. This technology allows the user to accomplish tasks and store information in a more effective way. Due to this large development, various solutions are being established to make sure that only an authorised user gains access to these functions. Among these solutions, passwords have become the most prominent one today. Since passwords allow a user to protect sensitive data and authorise access to their devices, they have become the target of various cyberattacks. Different password policies have therefore been established to strengthen passwords and prevent unauthorised access. In response to this emerging problem, the study conducted in this report has evaluated authentication systems in four categories of smart home devices to assess if they meet security regulations according to best practices. A compilation of the password requirements in these devices has been made and they have been categorized in terms of password security from very weak to very strong. Multiple instances of weak policies were discovered in all of the examined categories and important password features are missing in a majority of them., Med den hastiga utvecklingen av sakernas internet (IoT) och integrationen av anslutna enheter till hushållet blir IoT säkerhet alltmer viktigt. Denna teknologi tillåter användare att åstadkomma uppgifter och lagra information på ett mer effektivt sätt. På grund av denna stora utveckling har många lösningar skapats för att säkerställa att endast en auktoriserad användare erhålls tillgång. Bland dessa lösningar är lösenord den mest förekommande idag. Eftersom att lösenord tillåter användaren att skydda känslig information och auktorisera tillgång till deras enheter har dem blivit en lockande måltavla för diverse cyberattacker. Ett flertal lösenordspolicys har därför etablerats för att förstärka lösenord och förhindra obehörig tillgång. Som svar på detta framväxande problem, har undersökningen som utförts i denna rapport utvärderat autentiseringssystem i fyra kategorier av smarta hem enheter med mål att bedöma ifall de uppfyller säkerhetsföreskrifter i enighet med bästa praxis. En lista med lösenordskrav i enheterna har skapats och dessa enheter har blivit kategoriserade enligt lösenordssäkerhet från väldigt svag till väldigt stark. Flera olika instanser av svaga policys har upptäckts i alla undersökta kategorier och viktiga lösenordsfunktioner saknas i en majoritet av grupperna.

Published

2022

21. Password policy characteristics and keystroke biometric authentication

Author

Na Liu, Simon Parkinson, Andrew Crampton, Qing Xu, Kyle Dakin, Saad Khan, and Weizhi Xie

Subjects

Password policy, Biometrics, Computer science, Electronic computers. Computer science, Signal Processing, Computer Vision and Pattern Recognition, QA75.5-76.95, Keystroke logging, Computer security, computer.software_genre, computer, Software, Authentication (law)

Abstract

Behavioural biometrics have the potential to provide an additional or alternative authentication mechanism to those involving a shared secret (i.e. a password). Keystroke timings are the focus of this study, where key press and release timings are acquired whilst monitoring a user typing a known phrase. Many studies exist in keystroke biometrics, but there is an absence of literature aiming to understand the relationship between characteristics of password policies and the potential of keystroke biometrics. Furthermore, benchmark datasets used in keystroke biometric research do not enable useful insights into the relationship between their capability and password policy. Herein, substitutions of uppercase, numeric, special characters, and their combination of passwords derived from English words are considered. Timings for 42 participants for the same 40 passwords are acquired. A matching system using the Manhattan distance measure with seven different feature sets is implemented, culminating in an Equal Error Rate of between 6% and 11% and accuracy values between 89% and 94%, demonstrating comparable accuracy to other threshold‐based systems. Further analysis suggests that the best feature sets are those containing all timings and trigraph press to press. Evidence also suggests that phrases containing fewer characters have greater accuracy, except for those with special character substitutions.

Published

2021

22. TransPCFG: Transferring the Grammars From Short Passwords to Guess Long Passwords Effectively

Author

Kai Zhang, Weili Han, C Wang, Junjie Zhang, Ming Xu, and X. Sean Wang

Subjects

Password, Password policy, Theoretical computer science, Rule-based machine translation, Computer Networks and Communications, Character (computing), Computer science, Password cracking, Key (cryptography), Safety, Risk, Reliability and Quality

Abstract

Long passwords are gaining popularity in password policy recommendations; however, data-driven guessing studies are woefully inadequate in adapting to long passwords, lacking in both guessing efficiency and their composition guidelines. For state-of-the-art data-driven password guessing methods such as PCFGs (Probabilistic Context-free Grammars), their guessing efficiency is limited by the presence of a large scale training data, or the lack thereof. Given that long passwords leaked in the real world are typically scarce, coupled with the fact that the data-driven methods’ performance depends on training data, obtaining good performance on long passwords has become a key challenge. To overcome the dataset limitation, we propose a framework TransPCFG , that transfers the knowledge, (i.e., grammars in PCFGs), from short passwords to facilitate long password guessing. We further perform an empirical evaluation based on three real-world datasets and the results demonstrate superior performance over the state-of-the-art data-driven guessing methods under ${10}^{14}$ offline guesses. For passwords with 16 characters, TransPCFG can compromise an average of 23.30% of the passwords, outperforming PCFG_v4.1 by 56.10%. Additionally,for better password-composition guidelines, we find that long password-composition policies requiring more segments are more resistant to guessing attacks. For the segment, the password 12zxcvbnword1997 has four segments since it follows the template ${Digit}_{2}{Keyboard}_{6}{Letter}_{4}{Year}_{4}$ . We thus recommend users to create long passwords with four or more segments instead of the widely recommended more character classes for security.

Published

2021

23. IMPROVING DATA ACCESS SECURITY BY SERVER-SIDE FUNCTIONAL EXTENSIONS.

Author

Miłosz, Marek and Draganek, Dariusz

Subjects

DATA security, DATABASE management, COMPUTER passwords, DATA encryption, COMPUTER security, DATA analysis, GOVERNMENT policy

Abstract

All Database Management Systems used in the industry provide secure access to data at the server level. The level of security is influenced by technology, security model, password encryption method, password strength and others. The human factor - unreasonable behaviour of users - also has a significant impact on safety. Developers of database applications often implement their security policy by limiting the risk caused by users. This implementation has a disadvantage - it does not work outside of the application. A large number and variety of applications that work with the database server may then create a security gap. The paper presents the authors' extensions of the functional features implemented in the Oracle database server, increasing the security of data access. The implemented methods of controlling the time of user access to data and limiting the use of serial and modular passwords are also discussed. [ABSTRACT FROM AUTHOR]

Published

2016

24. Think Harder! Investigating the Effect of Password Strength on Cognitive Load during Password Creation

Author

Mohamed Khamis, Florian Alt, Yomna Abdelrahman, and Yasmeen Abdrabou

Subjects

Password, Password policy, Computer science, 05 social sciences, Wearable computer, 020207 software engineering, Cognition, 02 engineering and technology, Password strength, Human–computer interaction, 0202 electrical engineering, electronic engineering, information engineering, Eye tracking, 0501 psychology and cognitive sciences, User interface, 050107 human factors, Cognitive load

Abstract

Strict password policies can frustrate users, reduce their productivity, and lead them to write their passwords down. This paper investigates the relation between password creation and cognitive load inferred from eye pupil diameter. We use a wearable eye tracker to monitor the user’s pupil size while creating passwords with different strengths. To assess how creating passwords of different strength (namely weak and strong) influences users’ cognitive load, we conducted a lab study (N = 15). We asked the participants to create and enter 6 weak and 6 strong passwords. The results showed that passwords with different strengths affect the pupil diameter, thereby giving an indication of the user’s cognitive state. Our initial investigation shows the potential for new applications in the field of cognition-aware user interfaces. For example, future systems can use our results to determine whether the user created a strong password based on their gaze behavior, without the need to reveal the characteristics of the password.

Published

2021

25. Better, Funner, Stronger: A Gameful Approach to Nudge People into Making Less Predictable Graphical Password Choices

Author

George E. Raptis, Lennart E. Nacke, Christina Katsini, Andrew Jian-lan Cen, and Nalin Asanka Gamagedara Arachchilage

Subjects

Password, User authentication, Password policy, Authentication, Process (engineering), Computer science, 05 social sciences, 020207 software engineering, 02 engineering and technology, Space (commercial competition), ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Human–computer interaction, Salient, 0202 electrical engineering, electronic engineering, information engineering, 0501 psychology and cognitive sciences, 050107 human factors

Abstract

Graphical user authentication (GUA) is a common alternative to text-based user authentication, where people are required to draw graphical passwords on background images. Such schemes are theoretically considered remarkably secure because they offer a large password space. However, people tend to create their passwords on salient image areas introducing high password predictability. Aiming to help people use the password space more effectively, we propose a gameful password creation process. In this paper, we present GamePass, a gamified mechanism that integrates the GUA password creation process. We provide the first evidence that it is possible to nudge people towards better password choices by gamifying the process. GamePass randomly guides participants’ attention to areas other than the salient areas of authentication images, makes the password creation process more fun, and people are more engaged. Gamifying the password creation process enables users to interact better and make less predictable graphical password choices instead of being forced to use a strict password policy.

Published

2021

26. Optiwords: A new password policy for creating memorable and strong passwords

Author

Zhenfeng Zhang, Yajun Guo, and Yimin Guo

Subjects

Password, Password policy, General Computer Science, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Law, computer

Abstract

User-generated textual passwords suffer from the conflict between security and usability. System administrators usually adopt password composition policies to help users choose strong passwords. However, users often use predictable patterns to meet the strict password composition policies and to make passwords easy to remember, which in turn reduces the password strength, or write the password down, which may cause the password to be compromised. To overcome the user-generated password security and usability dilemma, we propose Optiwords, which is a new textual-password creation policy that is based on picture superiority effect, which provides users with a direct “drawing-to-text” method for creating user-friendly passwords. Optiwords helps users design separate line drawings on the keyboard as a “password figure” and choose the characters on the lines of the drawings in a certain sequence as the final textual password. A two-part user study with 127 participants was conducted to compare the usability and security of Optiwords with other three popular password policies. The results showed that there was no statistically significant difference compared Optiwords with Basic8 or 3class8 in memorability. The password strength of Optiwords outperformed Basic8 and 3class8. Compared with Random8, Optiwords had a great advantage in usability.

Published

2019

27. Efficient Multi-Factor Authenticated Key Exchange Scheme for Mobile Communications

Author

Hui Ma, Yuting Xiao, Shuzhou Sun, and Rui Zhang

Subjects

Password, 021110 strategic, defence & security studies, Password policy, Computer science, 0211 other engineering and technologies, 02 engineering and technology, Computer security model, Cryptographic protocol, Computer security, computer.software_genre, Authenticated Key Exchange, Security association, Authentication protocol, Electrical and Electronic Engineering, Challenge–response authentication, computer

Abstract

Authenticated key exchange (AKE) is one of the most important applications in applied cryptography, where a user interacts with a server to set up a session key where pre-registered information (aka. authentication factor), such as a password or biometrics, of the user is stored. While single-factor AKE is widely used in practice, higher security concerns call for multi-factor AKE (MFAKE) schemes, e.g., combining both passwords and biometrics simultaneously. However, in some casually designed schemes, security is even weakened in the sense that leakage of one authentication factor will defeat the whole MFAKE protocol. Furthermore, an inevitable by-product arise that the usability of the protocol often drop greatly. To summarize, the existing multi-factor protocols did not provide enough security and efficiency simultaneously. In this paper, we make one step ahead by proposing a very efficient MFAKE protocol. We define the security model and give the according security analysis. We also implement our protocol on a smartphone and a cloud server. The theoretic comparisons and the experimental results show that our scheme achieves both security and usability.

Published

2019

28. Protecting Facebook Password: Indonesian Users’ Motivation

Author

Harin Puspa Ayu Catherina, Ari Kusyanti, and Yustiyana April Lia Sari

Subjects

Password, Password policy, Coping (psychology), business.industry, Computer science, Perceived vulnerability, Internet privacy, 020206 networking & telecommunications, 02 engineering and technology, language.human_language, Indonesian, Protection motivation theory, 0202 electrical engineering, electronic engineering, information engineering, language, General Earth and Planetary Sciences, 020201 artificial intelligence & image processing, Moral responsibility, business, General Environmental Science

Abstract

Facebook is one of the social networking services that have users around 1.86 billion active users spread all over the world. To be able to enjoy various services from Facebook, a user is required to have a Facebook account. In the registration process to create a new Facebook account, the user is prompted to create a password to protect his account. The password policy service applied by Facebook requires all users to create and use a password for their Facebook account in accordance with the policies. This study aims to analyze user behavior with case study of Facebook account by using 12 construct variables adapted from Protection Motivation Theory (PMT). Data collected from Facebook users of 300 respondents. Data analysis method used is Structural Equation Modeling (SEM) analysis. From the research result, the factors that influence Facebook users’ intention to protect their account are perceived vulnerability, fear, response efficacy, response cost, subjective norm, prior experience with safety hazard, threat susceptibility and personal responsibility. Meanwhile, they ignore the threat sverity, coping self-efficacy and security support from others while protecting their Facebook account.

Published

2019

29. Evaluating Password Behavior at a Small University

Author

Zakaria Al-Qudah, Mohammed I. Awad, Sahar Idwan, and Abdul-Halim Jallad

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Password policy, Artificial Intelligence, Computer Networks and Communications, Computer science, Computer security, computer.software_genre, computer, Software, Vulnerability (computing)

Abstract

No matter how sophisticated an organization’s security system is, it remains vulnerable due to the human factor. In this study, we surveyed and analyzed the patterns practiced by users when generating passwords at a small-sized university. We found that users are not as aware of security requirements and practices as they think. Moreover, the vast majority of users’ passwords are breakable within days or shorter. Interestingly, we found that the use of numbers and uppercase letters is prevalent among users. However, numbers are mostly used at the end of the passwords and uppercase letters are mostly used at the beginning of passwords. The existence of such trends makes it easier for attackers to generate more effective dictionaries. Based on the analysis in this study, we make recommendations to the IT department to improve the password policy. Additionally, we provide recommendations to the faculty, staff, and students on how to strengthen their passwords.

Published

2019

30. SECURITY Comparison on KOREAN Password / Authentication Policy and Other Countries

Author

Woo Simon and Jung Kyeong-joo

Subjects

Password, Password policy, Software_OPERATINGSYSTEMS, computer.internet_protocol, Computer science, Private security, Computer security, computer.software_genre, Authentication (law), Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Password authentication protocol, computer, ComputingMilieux_MISCELLANEOUS

Abstract

Password is needed to create an account in most of the websites. Each website has different password and authentication policy when making an account....

Published

2018

31. ОСОБЛИВОСТІ ТЕХНІКО-ТЕХНОЛОГІЧНОГО МЕНЕДЖМЕНТУ ІНФОРМАЦІЙНОЇ БЕЗПЕКИ ПІДПРИЄМСТВА В УМОВАХ БІЗНЕС-СЕРЕДОВИЩА

Subjects

Password policy, Process management, Computer science, business.industry, Access control, Information security, Information protection policy, Software security assurance, Management system, Information system, General Earth and Planetary Sciences, business, General Environmental Science, Information security management system

Abstract

The article actualizes the need to study the enterprise information security management system, in particular in its technical and technological part. On the basis of the conducted researches the basic levels at which there was maintenance of information security are allocated: physical, program, normative-legal, technical-technological and organizational-administrative levels. The system of management of technical and technical protection of information in information systems was formed, which includes subjects (special subjects of protection system, management, specialists and personnel), objects (databases, documentation in electronic form and on paper, information, constituting a trade secret, technological, technical and production information) and technical-technological, hardware, software, organizational and managerial tools for managing the protection of the information system. Taking into account the proposed management system of technical and technological protection of information in information systems, its functions, tasks, stages of implementation and other aspects, the directions and basic tools for technical and technological management of information security of the business entity were identified. The main directions of the management system of technical and technological protection of information were defined: management of information security incidents, regular updating of software security, access control and password policy control, audit of network infrastructure. The tools of technical and technological management of information security of the enterprise were characterized by: modules of trusted loading, analysis of security of information systems, protection against viruses and spam, DLP-systems, protection of virtual infrastructure, intrusion detection systems. Effective implementation of the system of technical and technological management of information security of the enterprise was proposed to implement on the basis of the model "Lifecycle Security", which regulates and describes the stages of building a corporate information security system and organizational modes of information system protection in general, means of information protection.

Published

2021

32. Nepoučitelní uživatelé: příčiny (ne)bezpečných hesel

Author

Nedvěd, Vojtěch, Baruník, Jozef, and Kukačka, Jiří

Subjects

ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Software_OPERATINGSYSTEMS, kybernetická bezpečnost, behaviorálníekonomie, cybersecurity, digitální ekonomie, password policy, behavioral economics,digital economy, tvorba hesel

Abstract

Careless Society: Drivers of (Un)Secure Passwords Thesis abstract Vojtěch Nedvěd May 2, 2021 Vulnerabilities related to poor cybersecurity are a dangerous global economic issue. This thesis aims to explain two examples of poor password management. First, why users use similar password and username and second, why they reuse their passwords, as the main drivers of this behaviour are unknown. We examined the effects of selected macroeconomic variables, gender, password length and password complexity. Additionally, this thesis suggest how to estimate sentiment in passwords using models build on Twitter posts. The results are verified on large password data, including password leaks from recent years. There are four main findings. First, a higher cybersecurity index and diversity of a password seem to be related to the lower similarity between a username and a password. Second, it seems that there are structural differences between countries and languages. Third, the sentiment seems to be a significant determinant too. Fourth, password reuse seems to be positively affected by the cybersecurity level. The thesis contributes to the study of password management. It proposes how to model the relationship, derive the data, split the passwords into words, model the sentiment of passwords, what variables might be...

Published

2021

33. Hybrid security assessment methodology for web applications

Author

Roddy A. Correa, Javier Bermejo-Higuera, Juan Antonio Sicilia, Juan Ramón Bermejo Higuera, Á. Alberto Magreñán, and Manuel Sánchez Rubio

Subjects

Security analysis, Password policy, Authentication, Computer science, business.industry, Access control, Static analysis, Computer security, computer.software_genre, Computer Science Applications, Modeling and Simulation, Systems development life cycle, White box, business, computer, Software, Vulnerability (computing)

Abstract

This study presents a methodology to evaluate and prevent security vulnerabilities issues for web applications. The analysis process is based on the use of techniques and tools that allow to perform security assessments of white box and black box, to carry out the security validation of a web application in an agile and precise way. The objective of the methodology is to take advantage of the synergies of semi-automatic static and dynamic security analysis tools and manual checks. Each one of the phases contemplated in the methodology is supported by security analysis tools of different degrees of coverage, so that the results generated in one phase are used as feed for the following phases in order to get an optimized global security analysis result. The methodology can be used as part of other more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle (SSDLC). A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics. Dynamic analysis with manual checking is used to audit the results, 24.6 per cent of security vulnerabilities reported by the static analysis has been checked and it allows to study which vulnerabilities can be directly exploited externally. This phase is very important because it permits that each reported vulnerability can be checked by a dynamic second tool to confirm whether a vulnerability is true or false positive and it allows to study which vulnerabilities can be directly exploited externally. Dynamic analysis finds six (6) additional critical vulnerabilities. Access control analysis finds other five (5) important vulnerabilities such as Insufficient Protected Passwords or Weak Password Policy and Excessive Authentication Attacks, two vulnerabilities that permit brute force attacks.

Published

2021

34. Provably secure verifier-based password authenticated key exchange based on lattices

Author

Xiaojun Wang, Yongli Tang, Zongqu Zhao, Huanhuan Lian, and Jinxia Yu

Subjects

Password, Authenticated Key Exchange, Password policy, Computer science, business.industry, Hash function, Session key, Cryptosystem, Mutual authentication, business, Encryption, Computer network

Abstract

Verifier-based Password Authenticated Key Exchange (VPAKE) protocol enables users to generate a session key over insecure channels, which can limit the impact of server's information leakage. However, most existing VPAKE protocols are based on the integer factorization problem and the discrete logarithm problem; they cannot resist attack by quantum computers. In this chapter, we propose a new VPAKE protocol based on lattices. The protocol is constructed by using Chosen-Ciphertext Attacks (CCA) secure public-key encryption scheme, which is based on the learning with errors problem and an associated approximate smooth projective hash. Furthermore, this protocol uses a new randomized password hashing scheme based on lattices. This scheme enables ASCII-based passwords and a zero-knowledge password policy check; it allows users to prove the compliance of their password without revealing any information. Meanwhile, through explicit mutual authentication between the users and the servers, the protocol can resist undetectable online dictionary attacks. We then prove the security of this protocol. Our new protocol only involves three-round interactions with mutual explicit authentication. In addition, it avoids vulnerability of cryptosystem based on the integer factorization problem, and it is robust against quantum attacks.

Published

2021

35. One Time Password, from a Key Management Perspective

Author

Carlisle Adams

Subjects

Password policy, Cognitive password, Computer science, Perspective (graphical), Key management, Computer security, computer.software_genre, Password psychology, One-time password, computer

Published

2021

36. Password Policies vs. Usability: When Do Users Go 'Bananas'?

Author

Dayana Hristova, Shailey Chawla, Suzana Jovicic, Barbara Göbl, and Roberto Dillon

Subjects

Password, Password policy, Point (typography), Computer science, business.industry, Workaround, Authorization, Usability, business, Computer security, computer.software_genre, computer, Password strength

Abstract

To grant password security, it is still a common practice to request users to comply with a number of rules that need to be met for the resulting password to be valid. Users have no option but to comply with the rules, but is there a specific point where the required rules start being perceived as a nuisance and thus jeopardize security? This paper addresses users' reactions to such a scenario by means of an online survey ( N=51) where users are being asked to create a password following an increasing number of restrictions. We thereby follow their evolving responses as each further criterion is added. Our analysis confirms that the increase in rule complexity has detrimental effects on usability and can lead to workarounds potentially compromising password security.

Published

2020

37. Hacking Passwords that Satisfy Common Password Policies

Author

Richard Beno and Ron Poet

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Password policy, Software_OPERATINGSYSTEMS, Computer science, Password cracking, Alphabet, Computer security, computer.software_genre, computer, Hacker

Abstract

The password policies for 14 popular websites were checked and a list of passwords that satisfied the minimal requirements created for each website. 58 users then created realistic passwords that satisfied the minimal requirements. A special purpose cracking computer was built to crack these passwords using dictionary and brute-force attacks. All minimal passwords were cracked and it was found that weaker password policies produced weaker realistic passwords. It is recommended that password policies increase the minimal length to 8 characters, require a more diverse alphabet, prevent simple passwords based on repetitions and sequences, and check a database of already hacked passwords.

Published

2020

38. Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-strength, Minimum-length, and Blocklist Requirements

Author

Nicolas Christin, Lujo Bauer, Lorrie Faith Cranor, and Joshua Tan

Subjects

Password, Password policy, Balance (accounting), business.industry, Computer science, Usability, USable, Computer security, computer.software_genre, business, computer

Abstract

Multiple mechanisms exist to encourage users to create stronger passwords, including minimum-length and character-class requirements, prohibiting blocklisted passwords, and giving feedback on the strength of candidate passwords. Despite much research, there is little definitive, scientific guidance on how these mechanisms should be combined and configured to best effect. Through two online experiments, we evaluated combinations of minimum-length and character-class requirements, blocklists, and a minimum-strength requirement that requires passwords to exceed a strength threshold according to neural-network-driven password-strength estimates. Our results lead to concrete recommendations for policy configurations that produce a good balance of security and usability. In particular, for high-value user accounts we recommend policies that combine minimum-strength and minimum-length requirements. While we offer recommendations for organizations required to use blocklists, using blocklists does not provide further gains. Interestingly, we also find that against expert attackers, character-class requirements, traditionally associated with producing stronger passwords, in practice may provide very little improvement and may even reduce effective security.

Published

2020

39. Giving Motivation for Using Secure Credentials through User Authentication by Game

Author

Yumeji Hattori and Tetsuji Takada

Subjects

Password, Password policy, User authentication, Computer science, business.industry, media_common.quotation_subject, 05 social sciences, 020207 software engineering, Usability, 02 engineering and technology, Computer security, computer.software_genre, Credential, Set (abstract data type), ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Incentive, 0202 electrical engineering, electronic engineering, information engineering, 0501 psychology and cognitive sciences, business, Function (engineering), computer, 050107 human factors, media_common

Abstract

One of the issues in the knowledge-based user authentication is that users do not set and use a secure credential. Some methods exist to be able to resolve this issue, such as password policy, education, and password meter. However, these countermeasures impose a usability cost that is difficult for many users to accept. Therefore, these measures have not propelled users to use secure credentials in user authentication. We consider that motivating users is necessary to voluntarily accept the cost of using secure credentials. Thus, we attach a role-playing game function to pattern-based user authentication, and provide an incentive to users through user authentication. We conducted a small experiment with eight participants, and the result demonstrated that the prototype system has the potential to prompt users to use secure credentials.

Published

2020

40. Smarter Password Guessing Techniques Leveraging Contextual Information and OSINT

Author

Aikaterini Kanta, Iwen Coisel, and Mark Scanlon

Subjects

FOS: Computer and information sciences, Password, Password policy, Authentication, Computer Science - Cryptography and Security, Computer science, Law enforcement, Password cracking, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Computer security, computer.software_genre, Authentication (law), Suspect, Cryptography and Security (cs.CR), computer

Abstract

In recent decades, criminals have increasingly used the web to research, assist and perpetrate criminal behaviour. One of the most important ways in which law enforcement can battle this growing trend is through accessing pertinent information about suspects in a timely manner. A significant hindrance to this is the difficulty of accessing any system a suspect uses that requires authentication via password. Password guessing techniques generally consider common user behaviour while generating their passwords, as well as the password policy in place. Such techniques can offer a modest success rate considering a large/average population. However, they tend to fail when focusing on a single target -- especially when the latter is an educated user taking precautions as a savvy criminal would be expected to do. Open Source Intelligence is being increasingly leveraged by Law Enforcement in order to gain useful information about a suspect, but very little is currently being done to integrate this knowledge in an automated way within password cracking. The purpose of this research is to delve into the techniques that enable the gathering of the necessary context about a suspect and find ways to leverage this information within password guessing techniques.

Published

2020

41. Hybritus: a password strength checker by ensemble learning from the query feedbacks of websites

Author

Endalew Elsabeth Alem, Wei Wang, and Yongzhong He

Subjects

Password, Password policy, Information retrieval, Dictionary attack, General Computer Science, Exploit, Computer science, 020207 software engineering, 02 engineering and technology, USable, Perceptron, Ensemble learning, Theoretical Computer Science, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing

Abstract

Password authentication is vulnerable to dictionary attacks. Password strength measurement helps users to choose hard-to-guess passwords and enhance the security of systems based on password authentication. Although there are many password strength metrics and tools, none of them produces an objective measurement with inconsistent policies and different dictionaries. In this work, we analyzed the password policies and checkers of top 100 popular websites that are selected from Alexa rankings. The checkers are inconsistent and thus they may label the same password as different strength labels, because each checker is sensitive to its configuration, e.g., the algorithm used and the training data. Attackers are empowered to exploit the above vulnerabilities to crack the protected systems more easily. As such, single metrics or local training data are not enough to build a robust and secure password checker. Based on these observations, we proposed Hybritus that integrates different websites’ strategies and views into a global and robust model of the attackers with multiple layer perceptron (MLP) neural networks. Our data set is comprised of more than 3.3 million passwords taken from the leaked, transformed and randomly generated dictionaries. The data set were sent to 10 website checkers to get the feedbacks on the strength of passwords labeled as strong, medium and weak. Then we used the features of passwords generated by term frequency-inverse document frequency to train and test Hybritus. The experimental results show that the accuracy of passwords strength checking can be as high as 97.7% and over 94% even if it was trained with only ten thousand passwords. User study shows that Hybritus is usable as well as secure.

Published

2019

42. A Shoulder Surfing Resistant Graphical Authentication System

Author

Jyh-haw Yeh, Hung-Min Sun, Chia-Yun Cheng, and Shiuan-Tung Chen

Subjects

Password, Password policy, Alphanumeric, Computer science, business.industry, 020206 networking & telecommunications, Usability, 02 engineering and technology, Computer security, computer.software_genre, Login, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Shoulder surfing, 0202 electrical engineering, electronic engineering, information engineering, Web application, 020201 artificial intelligence & image processing, Electrical and Electronic Engineering, Android (operating system), business, computer

Abstract

Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as “the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

Published

2018

43. DPPG: A Dynamic Password Policy Generation System

Author

Raheem Beyah, Shukun Yang, and Shouling Ji

Subjects

Password, 021110 strategic, defence & security studies, Password policy, Zero-knowledge password proof, Software_OPERATINGSYSTEMS, Cognitive password, Computer Networks and Communications, Salt (cryptography), Computer science, 0211 other engineering and technologies, Password cracking, Passphrase, 02 engineering and technology, Adversary, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, 020201 artificial intelligence & image processing, Safety, Risk, Reliability and Quality, computer

Abstract

To keep password users from creating simple and common passwords, major websites and applications provide a password-strength measure, namely a password checker. While critical requirements for a password checker to be stringent have prevailed in the study of password security, we show that regardless of the stringency, such static checkers can leak information and actually help the adversary enhance the performance of their attacks. To address this weakness, we propose and devise the Dynamic Password Policy Generator , namely DPPG , to be an effective and usable alternative to the existing password strength checker. DPPG aims to enforce an evenly-distributed password space and generate dynamic policies for users to create passwords that are diverse and that contribute to the overall security of the password database. Since DPPG is modular and can function with different underlying metrics for policy generation, we further introduce a diversity-based password security metric that evaluates the security of a password database in terms of password space and distribution. The metric is useful as a countermeasure to well-crafted offline cracking algorithms and theoretically illustrates why DPPG works well.

Published

2018

44. Biometric Encryption System for Increased Security

Author

Ranjith Jayapal and Pramod

Subjects

Dictionary attack, Biometrics, Computer science, Internet privacy, Data_MISCELLANEOUS, fingerprint, Cryptography, 02 engineering and technology, Encryption, Computer security, computer.software_genre, lcsh:Communication. Mass media, minutiae extraction and cryptography, image binarization, 0202 electrical engineering, electronic engineering, information engineering, image enhancement, Password, Password policy, Authentication, lcsh:T58.5-58.64, business.industry, lcsh:Information technology, 020207 software engineering, Fingerprint recognition, lcsh:P87-96, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, business, computer

Abstract

In this highly-interconnected world, most of our daily activities are computer based, and the data transactions are protected by passwords. These passwords identify various entities such as bank accounts, mobile phones, etc. People might reuse the same password, or passwords related to an individual that can lead to attacks. Indeed, remembering several passwords can become a tedious task. Biometrics is a science that measures an individual's physical characteristics in a unique way. Biometrics serve as a method to replace the cumbersome use of complex passwords. By using a Biometric Encryption method, one can personalize the biometric to encode a PIN, a password, or an alphanumeric string, for a multitude of applications such as, bank ATMs, building access, and computer terminal access. Moreover, the database only needs to store the biometrically encrypted PIN or password, not the large biometric sample.

Published

2018

45. A variant of password authenticated key exchange protocol

Author

Wei Wu, Abdulhameed Alelaiwi, Yang Xiang, and Yuexin Zhang

Subjects

Password, Password policy, Zero-knowledge password proof, Cognitive password, Computer Networks and Communications, Computer science, Key distribution, 020206 networking & telecommunications, 0102 computer and information sciences, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, Password strength, Authenticated Key Exchange, 010201 computation theory & mathematics, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Session key, computer, Software

Abstract

Password authenticated key exchange (PAKE) protocols are designed for a pair of users to establish a secret session key over a public and unreliable network. In existing PAKE protocols, it is assumed that short passwords are pre-shared between users. This assumption, however, would be impractical in certain applications. For instance, in the Internet of Things and Fog computing, billions of devices will be wirelessly connected. In practice, the devices are produced by different factories, and it is not practical to assume that these devices are pre-loaded with passwords when they leave factories. As a result, existing PAKE protocols cannot be directly employed in these applications. Moreover, it is investigated that devices can extract secrets using the wireless fading channel. However, the key extraction rate at the physical layer is slow. Motivated by these observations, this paper presents a variant of password authenticated key exchange (vPAKE) protocol without the password sharing assumption. To obtain the passwords, wireless devices, such as mobile phones, tablets, and laptops, are used to extract short secrets at the physical layer. Using the extracted secrets, users can establish a secret key at higher layers. The performance analysis shows that comparing with other PAKE protocols (which are proved secure in the standard model), the communication and computation consumptions of our protocol are significantly reduced. Additionally, the proposed protocol is proved secure in the standard model.

Published

2018

46. A provably secure password-based anonymous authentication scheme for wireless body area networks

Author

Jian Shen, Fushan Wei, Li Li, Ruijie Zhang, and Pandi Vijayakumar

Subjects

Password, Password policy, Zero-knowledge password proof, General Computer Science, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Random oracle, S/KEY, Control and Systems Engineering, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Zero-knowledge proof, Electrical and Electronic Engineering, business, computer, Anonymity, Computer network

Abstract

Wireless body area networks (WBANs) comprise many tiny sensor nodes which are planted in or around a patient’s body. These sensor nodes can collect biomedical data of the patient and transmit these valuable data to a data sink or a personal digital assistant. Later, health care service providers can get access to these data through authorization. The biomedical data are usually personal and privacy. Consequently, data confidentiality and user privacy are primary concerns for WBANs. In order to achieve these goals, we propose an anonymous authentication scheme for WBANs based on low-entropy password and prove its security in the random oracle model. Our scheme enjoys strong anonymity in the sense that only the client knows his identity during the authentication phase of the scheme. Compared with other related proposals, our scheme is efficient in terms of computation. Moreover, the authentication of the client relies on human-rememberable password, which makes our scheme more suitable for applications in WBANs.

Published

2018

47. Real-Time Multimodal Biometric User Authentication for Web Application Access in Wireless LAN

Author

Sanjay Kumar, Surjit Paul, and Dilip Kumar Shaw

Subjects

Biometrics, Computer Networks and Communications, Computer science, Data_MISCELLANEOUS, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, One-time password, S/KEY, World Wide Web, Artificial Intelligence, 0202 electrical engineering, electronic engineering, information engineering, Web application, Password, Authentication, Password policy, business.industry, Fingerprint (computing), Multi-factor authentication, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 010201 computation theory & mathematics, 020201 artificial intelligence & image processing, Challenge–response authentication, business, Software, Computer network

Abstract

Web applications store trustworthy information and can be accessed online through wired or wireless network. Authentication is one of the major challenges to access these web applications. With varying level of sensitive data stored in web application, the concept of level of authentication can be introduced using biometric traits. This paper proposes biometric-based multi-modal authentication system with four levels of securities. Level 1 uses user name and password only; Level 2 uses fingerprint with user name and password; Level 3 uses fingerprint and face with user name and password; Level 4 uses fingerprint, face and iris with user name and password.

Published

2017

48. A New Multimodal Approach for Password Strength Estimation—Part II: Experimental Evaluation

Author

Iwen Coisel, Ignacio Sanchez, and Javier Galbally

Subjects

Password, 021110 strategic, defence & security studies, Password policy, Computer Networks and Communications, Computer science, business.industry, 0211 other engineering and technologies, Password cracking, 02 engineering and technology, Machine learning, computer.software_genre, Password strength, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Data mining, Artificial intelligence, Safety, Risk, Reliability and Quality, business, computer, Protocol (object-oriented programming)

Abstract

A novel multimodal method for the estimation of password strength was presented in Part I of this series of two papers. In this paper, the experimental framework used for the evaluation of the novel approach is described. The method is evaluated following a reproducible protocol, which includes a three-dimensional approach: 1) deterministic assessment; 2) statistical assessment; and 3) third parties assessment (thanks to the availability upon request of an executable application that integrates the multimodal meter). The key experiment of the protocol compares, from a probabilistic point of view, the strength distributions assigned to passwords broken with increasingly complex attacking approaches, following a common strategy in a typical password cracking session. The experimental evaluation is carried out not only for the new meter, but also for other strength estimators from the state of the art, comparing their overall performance. In addition to its consistent results, the proposed method is highly flexible and can be adjusted to specific environments or to a certain password policy. Furthermore, it can also evolve over time in order to naturally adjust to new password selection trends followed by users.

Published

2017

49. Someone in Your Contact List: Cued Recall-Based Textual Passwords

Author

Abdulrahman Alarifi, Mansour Alsaleh, and Noura Alomar

Subjects

Password, 021110 strategic, defence & security studies, Zero-knowledge password proof, Authentication, Password policy, User authentication, Cognitive password, Computer Networks and Communications, Computer science, 0211 other engineering and technologies, 02 engineering and technology, One-time password, Electronic mail, S/KEY, Password strength, World Wide Web, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Human–computer interaction, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Safety, Risk, Reliability and Quality, Password psychology

Abstract

Textual passwords remain the most commonly employed user authentication mechanism, and potentially will continue to be so for years to come. Despite the well-known security and usability issues concerning textual passwords, none of the numerous proposed authentication alternatives appear to have achieved a sufficient level of adoption to dominate in the foreseeable future. Password hints, consisting of a user generated text saved at the account setup stage, are employed in several authentication systems to help users to recall forgotten passwords. However, users are often unable to create hints that jog the memory without revealing too much information regarding the passwords themselves. We propose a rethink of password hints by introducing SỲNTHIMA , a novel cued recall-based textual password method that reveals no information regarding the password, requires no modifications to authentication servers, and requires no additional setup or registration steps. SỲNTHIMA makes use of users’ contact lists, so that mapped password hints extracted from a user’s contacts are automatically generated while the user is typing the password. We create formal models for relevant aspects of the password hint mechanism, define its threat model, and analyze the security and usability of SỲNTHIMA . We also present the results of an in-lab user study of SỲNTHIMA on 30 participants to evaluate its effectiveness and usability. The results demonstrate that SỲNTHIMA minimizes the number of incorrect login attempts and improves long-term password recall, with acceptable login times and positive user feedback. We summarize the lessons learned from the user study, with the hope of provoking further insights regarding the design of effective cued recall-based textual password schemes.

Published

2017

50. Var kommer myndigheters lösenordspolicys ifrån? : En kvalitativ studie om deras ursprung

Author

Naess, Andreas and Naess, Andreas

Abstract

Samhället blir mer digitaliserat och fler människor kopplar upp sig mot Internet. Detta innebär att många arbetsuppgifter som hanterar känsliga uppgifter nu utförs på datorer. Det finns även många tjänster som kräver personligauppgifter för att registrera sig och kontouppgifter för att beställa varor eller prenumerera till tjänsten. Denna information är av intresse för brottslingar som kan använda denna för att tjäna pengar. Som en konsekvens av detta har användningen av lösenord ökat och för att försäkra att starka lösenord skapas följs riktlinjer. Dessa lösenordsriktlinjer skapas och sprids ofta utav myndigheter och andra expertorganisationer. Dock saknar de källor för var riktlinjerna kommer ifrån och en förklarning för hur de skapades. För att belysa detta ämnar studien att eftersöka riktlinjernas ursprung och vad dessa baserades på. Detta är en kvalitativ studie där intervjuer gjorts med informationssäkerhetspecialister från tre myndigheter och en expertorganisation. För att bearbeta data från dessa intervjuer har en tematisk analys utförts för att identifiera de olika källorna som använts vid skapandet av riktlinjerna. Studiens resultat visar att motivationen för riktlinjerna varierar mellan organisationerna. Detta kan observeras genom skillnader i deras målgrupp och fokus. Det har även visat sig att det inte finns några studier att hänvisa till. Dock är ett genomgående mönster att källorna för riktlinjerna ofta verkar vara baserade på de anställdas erfarenheter och expertis. Förutom detta tas inspiration för riktlinjerna från organisationer som NIST., Society is getting more digitalized and more people are connecting to the Internet. This means that a lot of work that handles sensitive information is now done using computers. There is also a lot of services that requires personal information for registration and bank account information to order wares or subscribe to the service. This information is of interest to criminal who can use it to make money. Because of this the use of passwords has increased and to make sure that strong passwords are created guidelines are adhered to. The password guidelines are created and spread by authorities and expert organizations. However, there are no sources for where the guidelines came from or an explanation for how they were made. To shine a light on this, the study aims to explain the guidelines origins and what they were based on. This is a qualitative study where interviews were done with information security specialists from three governmental bodies and one expert organization. After the interviews were completed and data collected, they were analyzed using thematic analysis to identify the sources that were used during the creation of the guidelines. The study’s results show that the motivation for the guidelines vary. This can be observed through the differences in target group and focus. It also appears like there are no studies which could be referred to. Although there is a consistent pattern that the sources for the guidelines often seems to be based on the experiences and expertise of their employees. Except for this, inspiration is also drawn from organizations such as NIST.

Published

2019