
Showing papers on "Password strength" published in 2018


Journal Article
TL;DR: This article studies security vulnerabilities of password building and presents a password strength evaluation method that takes into account users' personal information.
Abstract: With the rapid development of wearable biosensors and wireless communication technologies, various smart healthcare systems are proposed to monitor the health of patients in real time. However, many security problems exist in these systems. For example, a password guessing attack can compromise IoT devices, leading to invasion of health data privacy. After giving an overview of security threats of healthcare IoT, this article studies security vulnerabilities of password building and presents a password strength evaluation method that takes into account users' personal information.

98 citations


Proceedings Article
15 Oct 2018
TL;DR: This work proposes a set of properties that a strength meter needs to fulfill to be considered to have high accuracy, and uses these properties to select a suitable measure that can determine the accuracy of strength meters.
Abstract: Password strength meters are an important tool to help users choose secure passwords. Strength meters can only provide reasonable guidance when they are accurate, i.e., when their scores correctly reflect password strength. A strength meter with low accuracy may do more harm than good and guide the user to choose passwords with a high score but low actual security. While a substantial number of different strength meters have been proposed in the literature and deployed in practice, we lack a clear picture of which strength meters provide high accuracy, and thus are most helpful for guiding users. Furthermore, we lack a clear understanding of how to compare the accuracy of strength meters. In this work, (i) we propose a set of properties that a strength meter needs to fulfill to be considered to have high accuracy, (ii) we use these properties to select a suitable measure that can determine the accuracy of strength meters, and (iii) we use the selected measure to compare a wide range of strength meters proposed in the academic literature, provided by password managers and operating systems, and used on websites. We expect our work to be helpful in the selection of good password strength meters by service operators, and to aid the further development of improved strength meters.

70 citations


Proceedings Article
21 May 2018
TL;DR: This study performed a broad targeted attack combining several well-established cracking techniques, such as brute-force, dictionary, and hybrid attacks, on the passwords used by the students of a Slovenian university to access the online grading system to demonstrate how easy it is to crack most of the user-created passwords using simple and predictable patterns.
Abstract: An information system is only as secure as its weakest point. In many information systems that remains the human factor, despite continuous attempts to educate users about the importance of password security and to enforce password creation policies on them. Furthermore, not only do the average users' password creation and management habits remain more or less the same, but the password cracking tools, and more importantly, the computer hardware, keep improving as well. In this study, we performed a broad targeted attack combining several well-established cracking techniques, such as brute-force, dictionary, and hybrid attacks, on the passwords used by the students of a Slovenian university to access the online grading system. Our goal was to demonstrate how easy it is to crack most of the user-created passwords using simple and predictable patterns. To identify differences between them, we performed an analysis of the cracked and uncracked passwords and measured their strength. The results have shown that even a single low- to mid-range modern GPU can crack over 95% of passwords in just a few days, while a more dedicated system can crack all but the strongest 0.5% of them.

55 citations


Proceedings Article
19 Apr 2018
TL;DR: Adaptive characteristics are introduced to the user authentication mechanism, aiming to assist specific cognitive style user groups to create more secure passwords, and the results strengthen the assumption that adaptive mechanisms based on users' differences in cognitive and visual behavior open a new perspective for improving password strength within graphical user authentication schemes.
Abstract: Visual attention, search, processing and comprehension are important cognitive tasks during a graphical password composition activity. Aiming to shed light on whether individual differences in visual behavior affect the strength of the created passwords, we conducted an eye-tracking study (N=36), and adopted an accredited cognitive style theory to interpret the results. The analysis revealed that users with different cognitive styles followed different patterns of visual behavior which affected the strength of the created passwords. Motivated by the results of the first study, we introduced adaptive characteristics to the user authentication mechanism, aiming to assist specific cognitive style user groups to create more secure passwords, and conducted a second study with a new sample (N=40) to test the adaptive characteristics. Results strengthen our assumptions that adaptive mechanisms based on users' differences in cognitive and visual behavior uncover a new perspective for improving the password's strength within graphical user authentication realms.

55 citations


Journal Article
TL;DR: By testing the strong and weak passwords selected by a state-of-the-art password-cracking algorithm, it is observed that the proposed LPSE algorithm is superior to the existing lightweight password-strength estimation algorithms in the accurate identification of strong and weak passwords.

39 citations


Proceedings Article
21 Apr 2018
TL;DR: This work is the first to show the discrepancy between user intent and practice when creating passwords, and to investigate how users trade off security for memorability.
Abstract: It is no secret that users have difficulty choosing and remembering strong passwords, especially when asked to choose different passwords across different accounts. While research has shed light on password weaknesses and reuse, less is known about user motivations for following bad password practices. Understanding these motivations can help us design better interventions that work with the habits of users and not against them. We present a comprehensive user study in which we both collect and analyze users' real passwords and the reasoning behind their password habits. This enables us to contrast the users' actual behaviors with their intentions. We find that user intent often mismatches practice, and that this, coupled with some misconceptions and convenience, fosters bad password habits. Our work is the first to show the discrepancy between user intent and practice when creating passwords, and to investigate how users trade off security for memorability.

33 citations


Journal Article
01 Apr 2018
TL;DR: The security of Farash–Attari’s 3PAKE protocol is analyzed and it is shown that it fails to resist password disclosure attacks if the secret information stored on the server side is compromised, and that the server is not aware of the problem this causes.
Abstract: A three-party authenticated key exchange (3PAKE) protocol allows two communication users to authenticate each other and to establish a secure common session key with the help of a trusted remote server. Recently, Farash and Attari proposed an efficient and secure 3PAKE protocol based on Chebyshev chaotic maps, and their protocol is supported by a formal proof in the random oracle model. However, in this paper, we analyze the security of Farash–Attari’s protocol and show that it fails to resist password disclosure attacks if the secret information stored on the server side is compromised. In addition, their protocol is insecure against user impersonation attacks, and the server is not aware of the problem this causes. Moreover, the password change phase cannot securely verify the validity of a request; this insecurity in the password change phase can lead to offline password guessing attacks and is not easily repaired. To remove these security weaknesses, based on Chebyshev chaotic maps and quadratic residues, we further design an improved protocol for 3PAKE with user anonymity. In comparison with the existing chaotic map-based 3PAKE protocols, our proposed 3PAKE protocol is more secure with acceptable computation complexity and communication overhead.

30 citations


Journal Article
TL;DR: This paper analyzes the security level of 16 popular IoT devices and evaluates several low-cost black-box techniques for reverse engineering these devices, including software and fault injection-based techniques used to bypass password protection.
Abstract: Recent Internet of Things (IoT) botnet attacks have drawn attention to the fact that there are many vulnerable IoT devices connected to the Internet today. Some of these Web-connected devices lack even basic security practices such as strong password authentication. As a consequence, many IoT devices are already infected with malware and many more are vulnerable to exploitation. In this paper we analyze the security level of 16 popular IoT devices. We evaluate several low-cost black-box techniques for reverse engineering these devices, including software and fault injection-based techniques used to bypass password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically add these devices to a botnet. We also discuss how to improve the security of IoT devices without significantly increasing their cost or affecting their usability.

24 citations


Journal Article
TL;DR: In this article, the authors analyzed a meta-data rich data leak from a Middle Eastern bank with a demographically-diverse user base and provided an analysis of passwords created by groups of people of different cultural backgrounds, some of which are underrepresented in existing data leaks.

24 citations


Journal Article
TL;DR: A variant of password authenticated key exchange (vPAKE) protocol without the password sharing assumption is presented, and the performance analysis shows that, compared with other PAKE protocols, the communication and computation costs of the protocol are significantly reduced.

23 citations


Journal Article
TL;DR: It is argued, based on the contextualized metamemory theory, that the recall of multiple passwords is not related to users’ memory capabilities, and therefore users are able to actually remember more passwords than they think.
Abstract: Passwords are the most common authentication mechanism, and their use is only increasing with time. Previous research suggests that users cannot remember multiple passwords. Therefore, users adopt insecure password practices, such as password reuse, in response to their perceived memory limitations. The critical question not currently examined is whether users’ memory capabilities for password recall are actually related to having a poor memory. This issue is imperative: if insecure password practices result from having a poor memory, then future password research and practice should focus on increasing the memorability of passwords. If, on the other hand, the problem is not solely related to memory performance, but to users’ inaccurate perception of their memory, then future research needs to examine why this is the case and how such false perception can be improved. In this paper we examined this conundrum by contextualizing the memory theory of metamemory to the password security context. We argue, based on our contextualized metamemory theory, that the recall of multiple passwords is not related to users’ memory capabilities, and therefore users are able to actually remember more passwords than they think. Instead, we argue that users’ perceptions of their memory abilities, in terms of password memory capacity, perceived control over their memory, motivation to remember, and their understanding of their memory, explain why users cannot remember their passwords. We tested our contextualized metamemory theory in the password security context through a longitudinal experiment, examining over 3500 passwords. The results suggest that our contextualized metamemory theory, rather than the general metamemory theory, explains password recall. This study has important implications for research and practice in password security.

Book Chapter
25 Mar 2018
TL;DR: This work presents a secure two-factor authentication (TFA) scheme based on the possession by the user of a password and a crypto-capable device which utilizes any password-based client-server authentication method, with or without reliance on public-key infrastructure.
Abstract: We present a secure two-factor authentication (TFA) scheme based on the possession by the user of a password and a crypto-capable device. Security is “end-to-end” in the sense that the attacker can attack all parts of the system, including all communication links and any subset of parties (servers, devices, client terminals), can learn users’ passwords, and perform active and passive attacks, online and offline. In all cases the scheme provides the highest attainable security bounds given the set of compromised components. Our solution builds a TFA scheme using any Device-Enhanced PAKE, defined by Jarecki et al., and any Short Authenticated String (SAS) Message Authentication, defined by Vaudenay. We show an efficient instantiation of this modular construction which utilizes any password-based client-server authentication method, with or without reliance on public-key infrastructure. The security of the proposed scheme is proven in a formal model that we formulate as an extension of the traditional PAKE model.

Proceedings Article
15 Aug 2018
TL;DR: It is proposed that human memory naturally adapts according to an estimate of how often a password will be needed, such that often used, important passwords are less likely to be forgotten.
Abstract: It is well known that text-based passwords are hard to remember and that users prefer simple (and non-secure) passwords. However, despite extensive research on the topic, no principled account exists for explaining when a password will be forgotten. This paper contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often-used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of rate of use and number of uses thus far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds for data collected in a month-long field experiment where frequency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.

Journal Article
TL;DR: In this paper, the authors found that the presence or absence of a previous breach had a large impact on company perceptions, but a minimal impact on behavioral intentions to be personally more secure.
Abstract: The purpose of this study was to determine how security statement certainty (overconfident, underconfident and realistic) and behavioral intentions of potential consumers impact the perceptions of companies in the presence or absence of a past security breach. The study exposed participants to three types of security statements and randomly assigned them to the presence or absence of a previous breach. Participants then evaluated the company and generated a hypothetical password for that company. This study found that the presence or absence of a previous breach had a large impact on company perceptions, but a minimal impact on behavioral intentions to be personally more secure. Companies need to be cautious about how much confidence they convey to consumers. Companies should not rely on consumers engaging in secure online practices, even following a breach. Companies need to communicate personal security behaviors to consumers in a way that still instills confidence in the company but encourages personal responsibility. The confidence of company security statements and the presence of a previous breach were examined for their impact on company perception and a novel dependent variable of password complexity.

Journal Article
25 Apr 2018 - Entropy
TL;DR: A formal model of password security, in which two actors engage in a competition of optimal password choice against potential attacks, is considered, and different concepts of entropy are introduced to measure the quality of a password choice process under different angles.
Abstract: We consider a formal model of password security, in which two actors engage in a competition of optimal password choice against potential attacks. The proposed model is a multi-objective two-person game. Player 1 seeks an optimal password choice policy, optimizing matters of memorability of the password (measured by Shannon entropy), opposed to the difficulty for player 2 of guessing it (measured by min-entropy), and the cognitive efforts of player 1 tied to changing the password (measured by relative entropy, i.e., Kullback–Leibler divergence). The model and contribution are thus twofold: (i) it applies multi-objective game theory to the password security problem; and (ii) it introduces different concepts of entropy to measure the quality of a password choice process under different angles (and not a given password itself, since this cannot be quality-assessed in terms of entropy). We illustrate our approach with an example from everyday life, namely we analyze the password choices of employees.

Journal Article
TL;DR: The Dynamic Password Policy Generator is proposed and devised to be an effective and usable alternative to the existing password strength checker, and a diversity-based password security metric is introduced that evaluates the security of a password database in terms of password space and distribution.
Abstract: To keep password users from creating simple and common passwords, major websites and applications provide a password-strength measure, namely a password checker. While critical requirements for a password checker to be stringent have prevailed in the study of password security, we show that regardless of the stringency, such static checkers can leak information and actually help the adversary enhance the performance of their attacks. To address this weakness, we propose and devise the Dynamic Password Policy Generator, namely DPPG, to be an effective and usable alternative to the existing password strength checker. DPPG aims to enforce an evenly-distributed password space and generate dynamic policies for users to create passwords that are diverse and that contribute to the overall security of the password database. Since DPPG is modular and can function with different underlying metrics for policy generation, we further introduce a diversity-based password security metric that evaluates the security of a password database in terms of password space and distribution. The metric is useful as a countermeasure to well-crafted offline cracking algorithms and theoretically illustrates why DPPG works well.

Proceedings Article
15 May 2018
TL;DR: This paper incorporated social influence, which is the effect others have on an individual's attitude and behavior, in the design of a peer feedback password meter, and found that those that were provided with the peer feedback meter created stronger passwords when compared to those that had the traditional meter.
Abstract: Passwords have dominated the world of authentication. Their widespread use has made them a prized target for attackers. Various schemes have been employed to strengthen password security to resist such attacks. Numerous websites and applications use password meters to help users create a stronger password. The objective of having a password meter is to provide visual feedback to users on their choice of a password by labeling it as weak, medium, or strong, for example. In this paper, we incorporated social influence, which is the effect others have on an individual's attitude and behavior. This social influence, commonly known as peer feedback, was incorporated in the design of a peer feedback password meter. When participants were given explicit instructions to create a unique password, those that were provided with the peer feedback meter created stronger passwords when compared to those that had the traditional meter.

Proceedings Article
14 Jun 2018
TL;DR: It is argued that the proposed gaze-based metric allows for unobtrusive prediction of the strength of the password a user is going to create and enables intervention in the password composition process to help users create stronger passwords.
Abstract: In this paper, we introduce a two-step method for estimating the strength of user-created graphical passwords based on the eye-gaze behaviour during password composition. First, the individuals' gaze patterns, represented by the unique fixations on each area of interest (AOI) and the total fixation duration per AOI, are calculated. Second, the gaze-based entropy of the individual is calculated. To investigate whether the proposed metric is a credible predictor of the password strength, we conducted two feasibility studies. Results revealed a strong positive correlation between the strength of the created passwords and the gaze-based entropy. Hence, we argue that the proposed gaze-based metric allows for unobtrusive prediction of the strength of the password a user is going to create and enables intervention in the password composition process to help users create stronger passwords.

Proceedings Article
25 Mar 2018
TL;DR: This paper proposes a double serial mechanism to adapt the user's model over time and demonstrates that the proposed method offers competitive performance while maintaining high usability.
Abstract: Password-based applications are commonly used in our daily lives, such as social networks, e-mail, e-commerce, and e-banking. Given the increasing number of hacker attacks, the use of passwords alone is not enough to protect personal data and does not meet usability requirements. Keystroke dynamics is a promising solution that decreases the vulnerability of passwords to guessing attacks by analyzing the typing manner of the user. Despite its efficiency in the discrimination between users, it remains non-industrialized, essentially due to the tedious learning phase and the intra-class variation of the users' characteristics. In this paper, we propose a double serial mechanism to adapt the user's model over time. An important property of the proposed solution lies in its usability, as we only use a single sample as the user's reference during account creation. We demonstrate that the proposed method offers competitive performance while maintaining high usability.

Book Chapter
01 Jan 2018
TL;DR: The goal of this chapter is to highlight the current state of password cracking techniques, as well as to discuss some of the cutting-edge approaches that may become more prevalent in the near future.
Abstract: At its heart, a password cracking attack is a modeling problem. An attacker makes guesses about a user’s password until they guess correctly or they give up. While the defender may limit the number of guesses an attacker is allowed, a password’s strength often depends on how hard it is for an attacker to model and reproduce the way in which a user created their password. If humans were effective at practicing unique habits or generating and remembering random values, cracking passwords would be a near impossible task. That is not the case, though. A vast majority of people still follow common patterns, from capitalizing the first letter of their password to putting numbers at the end. While people have remained mostly the same, the password security field has undergone major changes in an ongoing arms race between the attackers and defenders. The goal of this chapter is to highlight the current state of password cracking techniques, as well as to discuss some of the cutting-edge approaches that may become more prevalent in the near future.

Proceedings Article
15 Aug 2018
TL;DR: In this article, the authors provided the first large-scale study of password managers' influence on users' real-life passwords by combining qualitative data on users' password creation and management strategies, collected from 476 participants of an online survey, with quantitative data (incl. password metrics and entry methods).
Abstract: Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, users are very often referred to password managers as a solution to the password reuse and weakness problems. However, to date, the actual impact of password managers on password strength and reuse has not been studied systematically. We provide the first large-scale study of the password managers' influence on users' real-life passwords. By combining qualitative data on users' password creation and management strategies, collected from 476 participants of an online survey, with quantitative data (incl. password metrics and entry methods) collected in situ with a browser plugin from 170 users, we were able to gain a more complete picture of the factors that influence our participants' password strength and reuse. Our approach allows us to quantify for the first time that password managers indeed influence password security; however, whether this influence is beneficial or aggravates existing problems depends on the users' strategies and how well the manager supports the users' password management right from the time of password creation. Given our results, we think research should further investigate how managers can better support users' password strategies in order to improve password security as well as stop aggravating the existing problems.

Proceedings Article
02 Nov 2018
TL;DR: This paper proposes a password attacking method based on structure partition and a bidirectional long short-term memory (BiLSTM) recurrent neural network, denoted the SPRNN model, and shows that for a fixed number of guessing trials this model cracks 25%-30% more passwords than Narayanan's method.
Abstract: Identity authentication is an important line of defense for network security, and passwords are still the mainstream of identity authentication. Password attacking is an important means of password security research. Probabilistic context-free grammar (PCFG) is the most effective password structure partitioning method at present. The string generation method based on neural networks has powerful generalization ability. They effectively characterize passwords on the substructure level and the character level respectively. In this paper, based on the merits of the above two models, we propose a password attacking method based on structure partition and a bidirectional long short-term memory (BiLSTM) recurrent neural network, which is denoted the SPRNN model. Firstly, passwords are divided into abstract substructures. Then substrings of characters, digits and symbols in the substructures are generated by using the BiLSTM model to take account of the accuracy and generalization ability of the model. Finally, the method is verified by experiments on six real Chinese and English password datasets. The results show that, for a fixed number of guessing trials, the SPRNN model cracks 25%-30% more passwords than Narayanan's method and about 10% more than Weir et al.'s method in the cross-dataset setting.

Proceedings Article
05 Dec 2018
TL;DR: A systematic literature review revealed that misconceptions exist in basically all aspects of password security, and interventions were developed to address these misconceptions.
Abstract: Nowadays, most users need more passwords than they can handle. Consequently, users have developed a multitude of strategies to cope with this situation. Some of these coping strategies are based on misconceptions about password security. In such cases, the users are unaware of their insecure password practices. Addressing the misconceptions is vital in order to decrease insecure coping strategies. We conducted a systematic literature review with the goal of providing an overview of the misconceptions about password security. Our literature review revealed that misconceptions exist in basically all aspects of password security. Furthermore, we developed interventions to address these misconceptions. Then, we evaluated the interventions' effectiveness in decreasing the misconceptions at three small and medium-sized enterprises (SMEs). Our results show that the interventions significantly decrease the overall prevalence of misconceptions among the participating employees.

Book Chapter
07 Nov 2018
TL;DR: The study results show that participants who played GAP performed better at recognizing insecure password features than participants who did not play GAP.
Abstract: Text-based passwords are the most popular method for authenticating users on the internet. However, despite decades of security research, users continue to choose easy-to-guess passwords to protect their important online accounts. In this paper, we explore the potential of serious games to educate users about various features that negatively impact password security. Specifically, we designed a web-based casual game called GAP and assessed its impact by conducting a comparative user study with 119 participants. The study results show that participants who played GAP performed better at recognizing insecure password features than participants who did not play GAP. Besides its educational value, most of the participants also found GAP fun to play.

Proceedings Article
29 May 2018
TL;DR: Results provide evidence that advanced visualization techniques provide a more suitable framework for deploying graphical user authentication schemes and underpin the need for considering such techniques for providing assistive and/or adaptive mechanisms to users aiming to assist them to create stronger graphical passwords.
Abstract: Nowadays, technological advances introduce new visualization and user interaction possibilities. Focusing on the user authentication domain, graphical passwords are considered a better fit for interaction environments which lack a physical keyboard. Nonetheless, the current graphical user authentication schemes are deployed in conventional layouts, which introduce security vulnerabilities associated with the strength of the user-selected passwords. Aiming to investigate the effectiveness of advanced visualization layouts in selecting stronger passwords, this paper reports a between-subject study comparing two different design layouts, a two-dimensional and a three-dimensional one. Results provide evidence that advanced visualization techniques provide a more suitable framework for deploying graphical user authentication schemes and underpin the need for considering such techniques for providing assistive and/or adaptive mechanisms to users, aiming to assist them to create stronger graphical passwords.

Proceedings ArticleDOI
19 Jun 2018
TL;DR: A study with children aged 11 to 13 indicated that these children create simple passwords consisting of their personal information, believe that these passwords are hard for a stranger to guess, and do not have a good understanding of how to create strong passwords.
Abstract: With increasing use of technology and the Internet among children, we explore how they create passwords to protect their personal information. We conducted a study with children aged 11 to 13 to understand their password practices. The results of the study indicated that these children create simple passwords consisting of their personal information, believe that these passwords are hard for a stranger to guess, and do not have a good understanding of how to create strong passwords.

Journal ArticleDOI
TL;DR: It is discovered that some passwords in a dataset are tightly connected with each other; they have the tendency to gather together as a cluster, as in a social network; and the password graph has a logarithmic distribution for its degrees.
Abstract: We present in this paper an alternative method for understanding user-chosen passwords. In password research, much attention has been given to increasing the security and usability of individual passwords for common users. Few studies focus on the relationships between passwords; therefore, we explore the relationships between passwords: modification-based, similarity-based, and probability-based. By regarding passwords as vertices, we shed light on how to transform a dataset of passwords into a password graph. Subsequently, we introduce some novel notions from graph theory and report on a number of inner properties of passwords from the perspective of the graph. With the assistance of Python Graph-tool, we are able to visualize our password graph to deliver an intuitive grasp of user-chosen passwords. Five real-world password datasets are used to carry out our thorough experiments. We discover that some passwords in a dataset are tightly connected with each other; they have the tendency to gather together as a cluster, as in a social network; and the password graph has a logarithmic distribution for its degrees. Top clusters in the password graph could be exploited to obtain effective mangling rules for cracking passwords. Also, the password graph can be utilized for a new kind of password strength meter.

Book ChapterDOI
16 Jul 2018
TL;DR: A hybrid authentication scheme integrating text and recognition-based graphical passwords is proposed, which can reduce phishing attacks and increase memorability, as it does not require users to remember long and complex passwords.
Abstract: Considering the popularity and wide deployment of text passwords, we predict that they will be used as a prevalent authentication mechanism for many years to come. Thus, we have carried out studies on mechanisms to enhance text passwords. These studies suggest that password space and memorability should be improved, with an additional mechanism based on images. The combination of text and images increases resistance to some password attacks, such as brute force and observing attacks. We propose a hybrid authentication scheme integrating text and recognition-based graphical passwords. This authentication scheme can reduce phishing attacks because, if users are deceived into sharing their key passwords, there is still a chance to save the complete password, as attackers do not know the users’ image preferences. In addition to the security aspect, the proposed authentication scheme increases memorability, as it does not require users to remember long and complex passwords. Thus, with the proposed scheme, users will be able to create strong passwords without sacrificing usability. The hybrid scheme also offers an enjoyable sign-in/log-in experience to users.

Proceedings ArticleDOI
05 Dec 2018
TL;DR: In this paper, the effect of incidental fear and stress on the measured strength of a chosen password was investigated in two experiments with within-subject designs, measuring the zxcvbn [55] log10 number of guesses of chosen passwords as the dependent variable.
Abstract: Background. The current cognitive state, such as cognitive effort and depletion [22], incidental affect or stress, may impact the strength of a chosen password unconsciously. Aim. We investigate the effect of incidental fear and stress on the measured strength of a chosen password. Method. We conducted two experiments with within-subject designs, measuring the zxcvbn [55] log10 number of guesses of chosen passwords as the dependent variable. In both experiments, participants were signed up to a site holding their personal data and, for the second run a day later, asked under a security incident pretext to change their password. (a) Fear. NF = 34 participants were exposed to standardized fear and happiness stimulus videos in random order. (b) Stress. NS = 50 participants were either exposed to a battery of standard stress tasks or left in a control condition, in random order. The zxcvbn password strength was compared across conditions. Results. We did not observe a statistically significant difference in mean zxcvbn password strengths on fear (Hedges' gav = -0.11, 95% CI [-0.45, 0.23]) or stress (vs. the control group, Hedges' gav = 0.01, 95% CI [-0.31, 0.33]). However, we found a statistically significant cross-over interaction of stress and TLX mental demand. Conclusions. While having observed negligible main effect size estimates for incidental fear and stress, we offer evidence towards the interaction between stress and cognitive effort that vouches for further investigation.

Journal Article
TL;DR: This work analyzes a metadata-rich data leak from a Middle Eastern bank with a demographically diverse user base, and shows that a state-of-the-art password strength estimator inflates the strength of passwords created by users from non-English-speaking backgrounds.
Abstract: A large number of studies on passwords make use of passwords leaked by attackers who compromised online services. Frequently, these leaks contain only the passwords themselves, or basic information such as usernames or email addresses. While metadata-rich leaks exist, they are often limited in the variety of demographics they cover. In this work, we analyze a metadata-rich data leak from a Middle Eastern bank with a demographically diverse user base. We provide an analysis of passwords created by groups of people of different cultural backgrounds, some of which are under-represented in existing data leaks, e.g., Arab, Filipino, Indian, and Pakistani. The contributions provided by this work are many-fold. First, our results contribute to the existing body of knowledge regarding how users include personal information in their passwords. Second, we illustrate the differences that exist in how users from different cultural/linguistic backgrounds create passwords. Finally, we study the (empirical and theoretical) guessability of the dataset based on two attacker models, and show that a state-of-the-art password strength estimator inflates the strength of passwords created by users from non-English-speaking backgrounds. We improve its estimations by training it with contextually relevant information.