Password Security - No Change in 35 Years?: MIPRO 2014, 26-30 May 2014, Opatija, Croatia

Download as pdf or txt
Download as pdf or txt
You are on page 1of 6

MIPRO 2014, 26-30 May 2014, Opatija, Croatia

Password security – no change in 35 years?

Viktor Taneski*, Marjan Heričko* and Boštjan Brumen*


* University of Maribor, Faculty of electrical engineering and computer science/Institute of Informatics, Maribor,
Slovenia
[email protected], marjan.herič[email protected], [email protected]

Abstract - BACKGROUND: Textual passwords were first system users about the consequences of how they choose
identified as a weak point in information system’s security their passwords. However, despite the widespread use of
by Morris and Thompson in 1979. They found that 86% of passwords and their importance as the first line of defense
the passwords were weak: being too short, containing in most information systems, little attention has been
lowercase letters only, digits only or a combination of the given to the characteristics of their actual use.
two, being easily found in dictionaries. OBJECTIVE:
Despite the importance of passwords as the first line of The objective of this paper is to perform a systematic
defense in most information systems, little attention has literature review of studies in the area of textual
been given to the characteristics of their actual use. Thus, passwords and textual passwords security. We conduct
the objective of this paper is to identify any problems that our review following the guidelines proposed in [1]. The
may arise in creating and using textual passwords. rationale for conducting the review is threefold. The first
METHOD: A systematic literature review of studies in the reason is to identify any problems that may arise in
area of password use and password security. Our research is creating and using textual passwords. Secondly, to
restricted to articles in journals and conference papers appraise the current situation of passwords with respect to
written in English and published between 1979 and 2014. the passwords strength, password management and
The search is conducted through IEEEXplore, password memorability. Thirdly, to find out what is the
ScienceDirect, Springer Link and ACM Digital Library.
relationship between users and the textual passwords they
RESULTS: The computer community has not made a very
use (are the users still “the weakest link?”).
much-needed shift in password management for more than
35 years. Users and their passwords are still considered the The reminder of this paper is organized as follows: the
main weakness in any password system, because users often research method is described in Section II, while Section
choose easily guessable passwords: words, names, III represent the review results and the answers to our
birthdates, etc., because they are easy to remember. research questions. Section IV concludes the paper and
CONCLUSION: Password policies and password checkers presents plans for future work.
can help users create strong and easy-to-remember
passwords. This work will serve as a starting point for our
further research in this area where we want to determine II. RESEARCH METHOD
whether these password policies are useful to the users, and
whether the users can easily apply them. A. Research Questions
We use the PICOC (Population, Intervention,
Comparison, Outcomes, Context) [2] structure for
I. INTRODUCTION
formulating the research questions. Table 1 represents the
Typically, a user is authenticated based on one of the selected criteria for the PICOC structure. Considering the
three underlying principles: “what you know” (e.g. textual three parts in Table 1, we formulate the following research
or graphical passwords), “what you are” (e.g. retina, iris, questions:
voice and fingerprint scans) and “what you have” (e.g.
smart cards or other tokens). The passwords that fall under x RQ1: What are the major problems with creating
the category of “what you know” can be divided into and managing textual passwords?
textual passwords and graphical passwords [24][29]– x RQ2: What is the current situation of textual
[31][45]. In this study, we focus particularly on the textual passwords with respect to password strength,
passwords and their security simply because they are still password management and password
the most common method for authentication. memorability?
More than 30 years ago, Morris and Thompson [3] x RQ3: What is the relationship between users and
identified textual passwords as a weak point in textual passwords? Are the users still "the weakest
information system’s security. They found out that link"?
majority of users’ passwords (87% of them) were short,
contained only lowercase letters or digits or were easily Our population represents the textual passwords, while
found in dictionaries. Because the use of passwords has the intervention are the different techniques and
always been, and continues to be, one of the most technologies used for creating and manipulating textual
common control mechanisms for authenticating users of passwords. We do not compare textual passwords with
computerized information systems, it was expected that other types of passwords, since our subject of interest are
Morris and Thompson would have raised the awareness of strictly textual passwords. The outcomes refer to the

1360
x the study deals with issues or problems with
TABLE I. THE PICOC STRUCTURE password use, password management or
password memorability
Population Textual passwords
Techniques and technologies for creating Exclusion – a study is not peer-reviewed, or the study
Intervention
and managing textual passwords deals with computer security in general, cryptography,
Comparison / graphical passwords or any other type of user
Problems when creating and managing authentication (biometrics, tokes or smart cards etc.).
Outcome
textual passwords Because the titles and abstracts of the documents are
Context / not always extensive, we do not always have a clear
indication if the document meets the specified criteria. If
this is the case, we take a further step and read the whole
problems that may arise in creating and using (or document to determine whether the data meet the
manipulating) textual passwords. inclusion and exclusion criteria.

B. Search Strategy III. RESULTS


Our literature search strategy is organized in two Table 2 lists the results from the initial search. The
phases: initial search and reference search. search into 4 electronic databases found 58 relevant
The initial search for relevant studies is performed primary studies. The third column in the table represents
over electronic data sources – digital libraries. When the number of studies that are duplicates, i.e. studies that
selecting the digital libraries, we took into account the have already occurred in another digital database. We can
recommendations from the literature [1] and also our see from the table that the ACM Digital Library
knowledge and practical experience and the fact that we contributed the largest number of documents (42) and also
do not have access to all the digital databases. This initial the largest number of duplicates (20). The column “Total
search is conducted through the digital databases relevant studies” shows the total number of documents
IEEEXplore, ScienceDirect, SpringerLink and ACM from each source, but in this case documents that have
Digital Library. already appeared in the a previous source are not included.
The review of the references of the primary studies found
We composed a search string by deriving major search additional 9 documents that were not found by the initial
terms from our research questions and by using Boolean search of the electronic databases, thereby increasing the
OR to link the major search terms: number of total relevant documents to 67.
(“password security” OR “password strength” OR Next, we present the results of our review and the
“password memorability” OR “password cracking” answers to the research questions.
OR “password management”)
RQ1: What are the major problems with creating and
The search of the electronic databases is restricted to managing textual passwords?
articles in journals, conference papers and book chapters
written in English and published since 1979, i.e. this is the We observe that 17 ([3]-[18][68]) out of 67 studies,
year when the first article in the area of password security address the issue of password security, password use or
was published. re-use, and are suitable for answering the first research
question.
The reference search is conducted by reviewing the
reference lists of primary studies and the review articles As already mentioned earlier, Morris and Thompson
addressing the password security [3], [4] and [5]. [3] were the first authors that addressed the issue of
password security in 1979. They observed problems
C. Selection Criteria regarding to the accessibility and availability of the
password file in the UNIX system. They also conducted
The search is performed by using the search string and
experiments in order to determine typical users’ habits
the search result is a set of documents in which the search
about the choice of passwords and noticed that users of
string appears partially or entirely. However, in some
the system chose passwords that are short, simple and
cases, the search string outputs a study whose topic is in a
from a restricted character set (e.g. alphanumeric
different field of study. Because of such cases, we also
password with all lower-case letters). Ten years later
performed a subsequent semantic checking by reading the
authors in [4] concluded that, in order to maximize the
titles and abstracts of these documents and selecting the
difficulty of password cracking and to prevent the fast,
documents that are consistent with our research area. This
simple attacks, systems should implement passwords
selection is carried out in an objective manner, using
policies that will require the passwords to contain certain
inclusion and exclusion criteria. In order to select the
amount of entropy.
relevant documents, we define the following inclusion and
exclusion criteria: On the other hand, higher entropy makes a password
more difficult for a user to memorize [13]. Further
Inclusion – a study focuses on textual passwords only
research has shown that despite password policies’
(“what you know”):
recommendations and the efforts by information system
x the study focuses on password security or professionals to educate users about secure password
presents method(s) for password creation policies, users still tend to choose passwords that are

1361
potentially leading to the fall of many other systems
TABLE II. SUMMARY OF FOUND AND SELECTED STUDIES (including the ones that are far more secure that the first
Duplicates Total one) [10]. Users must lower their overall password
Electronic Found Relevant quality, in order to cope with the password overload [68].
found relevant
database studies studies
elsewhere studies According to [11], duplicating passwords is more likely to
IEEEXplore 89 15 0 15 become more problematic in the future as password reuse
rates are increasing because people are accumulating more
ScienceDirect 76 6 0 6 accounts but are not creating more passwords.
SpringerLink 847 15 0 15
RQ2: What is the current situation of textual
ACM Digital passwords with respect to password strength, password
1203 42 20 22
Library
management and password memorability?
Total 2215 78 20 58
From all collected documents, we can observe that in
the period of 35 years different methods and approaches
simple and easy to remember [5]. This particular study [5] for creating and easily memorizing and managing textual
showed that user-created passwords are still based on passwords were developed ([19]-[58][64]-[67][69] 45 out
user's personal data or a combination of meaningful of 67 studies).
details. Adams and Sasse [7] conducted a study of The earliest approach that deals with the problem of
password related user behaviors, including password creating passwords that are memorable and difficult to
construction, frequency of use, password recall and work guess, is the use of cognitive passwords. Cognitive
practices. They concluded that their participants lacked passwords represent a dialog between a user and a system.
security motivation and understanding of password The dialog is a actually a rotating set of randomly chosen
policies, and tended to circumvent password restrictions questions out of a set of predefined questions, previously
for the sake of convenience. selected by the user [20]. Cognitive passwords are more
Because of the rapid growth of the popularity of readily recalled than conventional passwords and are also
Internet technology and e-commerce and the increased more difficult to guess [20][21][23]. The only possible
number of online services requiring password based issues are the issue of time needed for authentication of
authentication, users have to maintain many different user access and that remembering many cognitive
accounts [15]. Different passwords should be used for passwords may be harder for the user [20][21].
every account so that no single password cracking will Similar to cognitive passwords are associative
lead to compromising the other accounts [10], thus users passwords. This alternative is based on a single-word cue
have to remember multiple passwords. and a one-word response, instead of whole questions and
In order to provide better password security i.e. to answers [21]. Just like with cognitive passwords, the only
ensure that a stolen password will become unusable more possible problem is that a user would likely not remember
or less quickly, some password security mechanisms and many associative passwords [21][54].
password policies include forced password change Passphrases and mnemonic-based passwords are
(password aging). This results with the user having many another alternative for conventional passwords. A
different accounts to maintain and many different passphrase is basically an extended password, which
passwords to remember that are changing frequently consists of a meaningful sequence of words. It is designed
because of password security mechanisms. Password to form a compromise between ease of memorability and
aging is a very serious problem, because of the lack of difficulty of guessing it [21]. It turned out that passphrases
warning users receive before their password is about to are no harder to remember and are more resistant to brute-
expire. If the system insist on users changing their force attacks than conventional passwords [35][21]. But
password during the login procedure, denies them the time [35] also found out that passphrase users initially
to think about choosing a good one [6]. Forcing password experienced a significantly higher number of login failures
change too frequently may make the user to quickly due to typographical errors, which can be one downside of
forget the password [5][13], or to write it down passphrases. Mnemonic-based passwords present an
[5][8][9][14], which is another “bad habit” noted in the alternative for passphrases and are also one of the earliest
literature regarding to password security. approaches [19]. They are basically a short passphrase
One of the most common vulnerability, which is also where a character (often the first letter) is used to
most frequently cited in the literature, associated with represent each word of the passphrase (e.g. “I love to ski
password security is the password re-use (using the same at Seven Springs!” transforms into “Ilts@7S!”) [32]. They
password, or a very similar one, for more than one secure are difficult to guess, but are also almost equally safe as
item) [9][10][11][12][14][15][16][17][18]. The results of the random passwords, and equally easy to remember as
studies [9][17] show that duplicating passwords is a very the naively selected passwords [27][43]. The only
common practice. In such an environment, where one downside of mnemonic-based passwords is that users
password is used for authentication for several different often select phrases from music lyrics, movies, literature,
accounts (an average user has about 25 different password or television shows, which are often available on the
accounts [12]), password re-use can cause serious damage, internet. This opens the possibility that a dictionary of
if the password is successfully cracked, for a single (not- mnemonic passwords can be built, so authors in [32]
so-important) account. Information may be revealed that conclude that mnemonic passwords should not be treated
will aid the hackers in infiltrating other systems,

1362
as a solution for the problems mentioned earlier in this down or to share them with their friends and they also
section. rarely change their passwords [34][38][46]. Password
requirements may have something to do with this, since
We mentioned password policies earlier as a [42] found out that the majority of the websites that have
mechanism for encouraging users to create and use strong passwords requirements, do not keep pace with the
and easy to crack passwords. But the literature shows that progress in the area of password security and rarely
users do not comply with such recommendations and change od update their passwords requirements. In the
policies [28][33][47][51][53]. This usually happens following years we can expect that the security of any
because password policies are too inflexible to match system that is based on passwords will be equivalent to
users’ capabilities, and the tasks and contexts in which the availability of the material for passwords disclosure
they operate [47][66]. So, other studies conclude that and not how random and strong passwords are [58].
password policies should be adjusted for different focus Therefore, stronger passwords may not be necessary
groups and should be more aware of the increasing burden (especially for smaller institutions with hundreds rather
users have managing passwords [39][57][67]. If we start than millions of users), as long as the security protocols
to enforce stricter password policies without a thorough are well designed (e.g. three unsuccessful logins freezes
explanation and user training, this has almost no effect the account for a time) [37]. Users can also be encouraged
[57][64]. This can create a conflict between users’ to design strong passwords, using elements associated
perception and the enforced practice – we can only ran with a given service, together with a personal factor [55].
into some of the already mentioned problems regarding to The growth of web-based services will demand
password security [47][52]. memorizing even more passwords in the future, so some
Some authors even propose that administrators should other usable alternatives to textual passwords may have to
pro-actively attempt to crack passwords in their systems, be found [41][56]. Due to the widespread use of the World
in order to estimate the risk of password-guessing attacks, Wide Web and the increased number of Web accounts that
such as [69]. Password breaking mechanisms may also be a user has to maintain, we still encounter with the majority
used for data recovery purposes, as suggested in [69]. of the already discussed problems [34][50].
A proactive password checker is one possible RQ3: What is the relationship between users and their
solution to prevent users from creating easily guessed textual passwords? Are the users still "the weakest link"?
passwords and to also encourage them to adhere to The rest of the studies (5 out of 67) address the issue
password policies. Password checkers are proposed in of the user as the weakest link in password security
some of the studies we analyze, including [22][25][26] [59][60][61][62][63]. From the studies that we have
[44][65]. But password security is not a problem that can already analyzed, we can observe that the user behavior is
be solved only by technical means. Human factors are also a very common issue in the area of password security and
very important (which is basically the problem with many security departments treat users as a security risk
password policies) [25]. A further research is needed in that needs to be controlled. Authors in [59] and [60] argue
order to find out how to create password policies that are that the usability of the security mechanism has rarely
acceptable to users and that can create secure passwords. been investigated. Users usually are not aware about the
A few studies propose a technique of “persuading” security threats and the importance of security and
users to choose better passwords, rather than to instruct password mechanism are currently badly matched to
them or impose new password schemes, because they users’ capabilities and their tasks. These are the challenges
believe that improved instructions and new password arising from the lack of communication between users and
schemes may not be the solution [36][40]. organizations (or their security services), which leads to
the development of useless security mechanisms [59][60].
Passfaces and graphical passwords are not originally Therefore it is maybe necessary for password mechanisms
our subject of interest but, since they are potential to apply a user-centric approach for designing “usable
substitute for textual passwords, we decided to include security” (i.e. human factors should be given priority over
only those studies where the security of graphical technological factors) [62][63]. On the other hand, authors
passwords is discussed. Studies [24][29]–[31][45] show in [61] claim that users are the enemies of the system
that passfaces and graphical passwords actually provide a (willingly or unwillingly) and security policies should be
better security than textual passwords. The only downside applied appropriately according to the user's type. They
with graphical password is that the password registration argue that ignorant users have to be educated about
and log-in process take very long and the authentication security mechanisms, and non-copliant users have to be
procedure is different than that using textual passwords. persuaded to follow the security best practices.
This requires redesign of the existing software.
According to this, we can not conclude if the users are
It seems that users are more aware about password still the enemy of a system and we aggree that a further
security and the importance of creating strong and hard to research in this area is needed.
guess passwords [48]. The results indicate that, according
to the amount of characters, passwords became little more
secure over time (a study in Greece shows that the average IV. CONLUSION
password length is slightly less than 7 characters) The results of our review show that the computer
[49][56]. Despite that, users still tend to use less secure community has not made a very much-needed shift in
passwords (which are composed only of lowercase letters, password management for more than 35 years. It seems
uppercase letters or numbers), to write their passwords nothing has changed since Morris and Thompson

1363
addressed the issue of password security and published [14] P. Hoonakker, N. Bornoe, and P. Carayon, “Password
their results in 1979. For example, an average user has 8.5 Authentication from a Human Factors Perspective : Results of
a Survey among End-Users,” pp. 459–463, 2009.
different Web accounts, 6.5 passwords (each of which is
[15] G. Notoatmodjo and C. Thomborson, “Passwords and
shared across 3.9 different websites), resulting in users to Perceptions,” in Proceedings of the Seventh Australasian
very often forget their passwords or write them down Conference on Information Security - Volume 98, 2009, pp.
[12][34][50]. Besides that, users still tend to create 71–78.
passwords based on their personal characteristics. Users [16] P. Tarwireyi, S. Flowerday, and A. Bayaga, “Information
and their passwords are still considered the weakest link – security competence test with regards to password
the main weakness in any password system is that users management,” Information Security South Africa (ISSA),
2011. pp. 1–7, 2011.
often choose easily guessable passwords: words, names,
[17] S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov,
birthdates, etc., because they are easy to remember. One and C. Herley, “Does My Password Go Up to Eleven?: The
way to decrease password guessability is to restrict the Impact of Password Meters on Password Selection,” in
passwords accepted from the user by using a system (e.g., Proceedings of the SIGCHI Conference on Human Factors in
a password checker) that filters out easily guessed Computing Systems, 2013, pp. 2379–2388.
passwords. Password checkers require that passwords [18] M. Jakobsson and M. Dhiman, “The Benefits of
have certain characteristics (usually defined in a password Understanding Passwords,” in in Mobile Authentication SE -
2, Springer New York, 2013, pp. 5–24.
policy) before they are accepted by the system when the
user enters a password. Password policies and password [19] B. F. Barton and M. S. Barton, “User-friendly Password
Methods for Computer-mediated Information Systems,”
checkers can help users create strong and easy-to- Comput. Secur., vol. 3, no. 3, pp. 186–195, 1984.
remember passwords. However, despite password policy [20] M. Zviran and W. J. Haga, “Cognitive passwords: The key to
advice, users still tend towards creating weak and easy-to- easy access control,” Computers & Security, vol. 9, no. 8, pp.
guess passwords. This work will serve as a starting point 723–736, 1990.
for our further research in this area where we want to [21] M. Zviran and W. Haga J., “A Comparison of Password
determine whether these password policies are useful to Techniques for Multilevel Authentication Mechanisms,” vol.
the users, and whether the users can easily apply them or 36, no. 3, 1993.
the policies cause them problems when creating and using [22] M. Bishop and D. V Klein, “Improving system security via
proactive password checking,” Computers & Security, vol. 14,
passwords. no. 3, pp. 233–249, 1995.
[23] J. Bunnell, J. Podd, R. Henderson, R. Napier, and J. Kennedy-
REFERENCES Moffat, “Cognitive, associative and conventional passwords:
Recall and guessing rates,” Computers & Security, vol. 16, no.
[1] B. Kitchenham and S. Charters, “Guidelines fro performing 7, pp. 629–641, 1997.
Systematic Literature Reviews in Software Engineering,”
2007. [24] S. Brostoff and Ma. Sasse, “Are Passfaces More Usable Than
Passwords? A Field Trial Investigation,” in in People and
[2] M. Petticrew and H. Roberts, Systematic Reviews in the Social
Computers XIV — Usability or Else! SE - 27, S. McDonald,
Sciences - A Practical Guide, 1 edition. Wiley-Blackwell,
Y. Waern, and G. Cockton, Eds. Springer London, 2000, pp.
2006, p. 352.
405–424.
[3] R. Morris and K. Thompson, “Password Security: A Case
[25] J. J. Yan, “A Note on Proactive Password Checking,” in
History,” Commun. ACM, vol. 22, no. 11, pp. 594–597, Nov.
Proceedings of the 2001 Workshop on New Security
1979.
Paradigms, 2001, pp. 127–135.
[4] D. Feldmeier and P. Karn, “UNIX Password Security - Ten
[26] R. W. Proctor, M.-C. Lien, K.-P. L. Vu, E. E. Schultz, and G.
Years Later,” in in Advances in Cryptology — CRYPTO’ 89
Salvendy, “Improving computer security for authentication of
Proceedings SE - 6, vol. 435, G. Brassard, Ed. Springer New
users: influence of proactive password restrictions.,” Behavior
York, 1990, pp. 44–63.
research methods, instruments, & computers : a journal of the
[5] M. Zviran and W. J. Haga, “Password Security: An Empirical Psychonomic Society, Inc, vol. 34, no. 2, pp. 163–9, May
Study,” J. Manage. Inf. Syst., vol. 15, no. 4, pp. 161–185, 2002.
1999.
[27] J. Yan, A. Blackwell, R. Anderson, and A. Grant, “Password
[6] M. Bishop, “Password management,” Compcon Spring ’91. memorability and security: empirical results,” Security &
Digest of Papers. pp. 167–169, 1991. Privacy, IEEE, vol. 2, no. 5. pp. 25–31, 2004.
[7] A. Adams, M. A. Sasse, and P. Lunt, “Making Passwords [28] W. C. Summers and E. Bosworth, “Password Policy: The
Secure and Usable,” in Proceedings of HCI on People and Good, the Bad, and the Ugly,” in Proceedings of the Winter
Computers XII, 1997, pp. 1–19. International Synposium on Information and Communication
[8] E. F. Gehringer, “Choosing passwords: security and human Technologies, 2004, pp. 1–6.
factors,” Technology and Society, 2002. (ISTAS’02). 2002 [29] D. Davis, F. Monrose, and M. K. Reiter, “On User Choice in
International Symposium on. pp. 369–373, 2002. Graphical Password Schemes,” in Proceedings of the 13th
[9] A. S. Brown, E. Bracken, S. Zoccoli, and K. Douglas, Conference on USENIX Security Symposium - Volume 13,
“Generating and remembering passwords,” Applied Cognitive 2004, p. 11.
Psychology, vol. 18, no. 6, pp. 641–651, Sep. 2004. [30] F. Monrose and M. K. Reiter, “Graphical Passwords,” pp.
[10] B. Ives, K. R. Walsh, and H. Schneider, “The Domino Effect 161–180, 2005.
of Password Reuse,” Commun. ACM, vol. 47, no. 4, pp. 75– [31] X. Suo, Y. Zhu, and G. S. Owen, “Graphical passwords: a
78, Apr. 2004. survey,” Computer Security Applications Conference, 21st
[11] S. Gaw and E. W. Felten, “Password Management Strategies Annual. p. 10 pp.–472, 2005.
for Online Accounts,” in Proceedings of the Second [32] C. Kuo, S. Romanosky, and L. F. Cranor, “Human Selection
Symposium on Usable Privacy and Security, 2006, pp. 44–55. of Mnemonic Phrase-based Passwords,” in Proceedings of the
[12] D. Florencio and C. Herley, “A Large-scale Study of Web Second Symposium on Usable Privacy and Security, 2006, pp.
Password Habits,” in Proceedings of the 16th International 67–78.
Conference on World Wide Web, 2007, pp. 657–666. [33] C. P. Garrison, “Encouraging Good Passwords,” in
[13] P. Cisar and S. M. Cisar, “Password – a Form of Proceedings of the 3rd Annual Conference on Information
Authentication.” 2007. Security Curriculum Development, 2006, pp. 109–112.

1364
[34] S. Riley, “Password Security : What Users Know and What “Guess Again (and Again and Again): Measuring Password
They Actually Do,” vol. 8, no. 1, 2006. Strength by Simulating Password-Cracking Algorithms,”
[35] M. Keith, B. Shao, and P. J. Steinbart, “The usability of Security and Privacy (SP), 2012 IEEE Symposium on. pp.
passphrases for authentication: An empirical field study,” 523–537, 2012.
International Journal of Human-Computer Studies, vol. 65, [54] K. Helkala, N. Svendsen, P. Thorsheim, and A. Wiehe,
no. 1, pp. 17–28, 2007. “Cracking Associative Passwords,” in in Secure IT Systems
[36] A. Forget, S. Chiasson, and R. Biddle, “Helping Users Create SE - 11, vol. 7617, A. Jøsang and B. Carlsson, Eds. Springer
Better Passwords: Is This the Right Approach?,” in Berlin Heidelberg, 2012, pp. 153–168.
Proceedings of the 3rd Symposium on Usable Privacy and [55] K. Helkala and N. Svendsen, “The Security and Memorability
Security, 2007, pp. 151–152. of Passwords Generated by Using an Association Element and
[37] D. Florêncio, C. Herley, and B. Coskun, “Do Strong Web a Personal Factor,” in in Information Security Technology for
Passwords Accomplish Anything?,” in Proceedings of the Applications SE - 9, vol. 7161, P. Laud, Ed. Springer Berlin
2Nd USENIX Workshop on Hot Topics in Security, 2007, pp. Heidelberg, 2012, pp. 114–130.
10:1–10:6. [56] E. Zezschwitz, A. Luca, and H. Hussmann, “Survival of the
[38] D. Hart, “Attitudes and Practices of Students Towards Shortest: A Retrospective Analysis of Influencing Factors on
Password Security,” J. Comput. Sci. Coll., vol. 23, no. 5, pp. Password Composition,” in in Human-Computer Interaction –
169–174, 2008. INTERACT 2013 SE - 28, vol. 8119, P. Kotzé, G. Marsden, G.
Lindgaard, J. Wesson, and M. Winckler, Eds. Springer Berlin
[39] S. Farrell, “Password Policy Purgatory,” Internet Computing, Heidelberg, 2013, pp. 460–467.
IEEE, vol. 12, no. 5. pp. 84–87, 2008.
[57] B. Lorenz, K. Kikkas, and A. Klooster, “‘The Four Most-
[40] A.-M. Horcher and G. P. Tejay, “Building a better password: Used Passwords Are Love, Sex, Secret, and God’: Password
The role of cognitive load in information security training,” Security and Training in Different User Groups,” in in Human
Intelligence and Security Informatics, 2009. ISI ’09. IEEE Aspects of Information Security, Privacy, and Trust SE - 29,
International Conference on. pp. 113–118, 2009.
vol. 8030, L. Marinos and I. Askoxylakis, Eds. Springer
[41] C. Herley, P. C. Oorschot, and A. Patrick, “Passwords: If Berlin Heidelberg, 2013, pp. 276–283.
We’re So Smart, Why Are We Still Using Them?,” in in [58] L. Clair, L. Johansen, W. Enck, M. Pirretti, P. Traynor, P.
Financial Cryptography and Data Security SE - 14, vol. 5628, McDaniel, and T. Jaeger, “Password Exhaustion: Predicting
R. Dingledine and P. Golle, Eds. Springer Berlin Heidelberg, the End of Password Usefulness,” in in Information Systems
2009, pp. 230–237.
Security SE - 3, vol. 4332, A. Bagchi and V. Atluri, Eds.
[42] B. T. Kuhn and C. Garrison, “A Survey of Passwords from Springer Berlin Heidelberg, 2006, pp. 37–55.
2007 to 2009,” in 2009 Information Security Curriculum
[59] A. Adams and M. A. Sasse, “Users Are Not the Enemy,”
Development Conference, 2009, pp. 91–94.
Commun. ACM, vol. 42, no. 12, pp. 40–46, Dec. 1999.
[43] D. Nelson and K.-P. Vu, “Effects of a Mnemonic Technique
[60] M. A. Sasse, S. Brostoff, and D. Weirich, “Transforming the
on Subsequent Recall of Assigned and Self-generated
‘Weakest Link’ — a Human/Computer Interaction Approach
Passwords,” in in Human Interface and the Management of
to Usable and Effective Security,” BT Technology Journal,
Information. Designing Information Environments SE - 78, vol. 19, no. 3, pp. 122–131, 2001.
vol. 5617, M. Smith and G. Salvendy, Eds. Springer Berlin
Heidelberg, 2009, pp. 693–701. [61] S. Vidyaraman, M. Chandrasekaran, and S. Upadhyaya,
“Position: The User is the Enemy,” in Proceedings of the
[44] M. Dell’Amico, P. Michiardi, and Y. Roudier, “Password 2007 Workshop on New Security Paradigms, 2008, pp. 75–80.
Strength: An Empirical Analysis,” INFOCOM, 2010
Proceedings IEEE. pp. 1–9, 2010. [62] C. A. Fidas, A. G. Voyiatzis, and N. M. Avouris, “When
Security Meets Usability: A User-Centric Approach on a
[45] W. Hu, X. Wu, and G. Wei, “The Security Analysis of Crossroads Priority Problem,” Informatics (PCI), 2010 14th
Graphical Passwords,” Communications and Intelligence Panhellenic Conference on. pp. 112–117, 2010.
Information Security (ICCIIS), 2010 International Conference
on. pp. 200–203, 2010. [63] M. Adeka, S. Shepherd, and R. Abd-Alhameed, “Resolving
the password security purgatory in the contexts of technology,
[46] L. Tam, M. Glassman, and M. Vandenwauver, “The security and human factors,” Computer Applications
Psychology of Password Management: A Tradeoff Between Technology (ICCAT), 2013 International Conference on. pp.
Security and Convenience,” Behav. Inf. Technol., vol. 29, no. 1–7, 2013.
3, pp. 233–244, 2010.
[64] D. Florêncio and C. Herley, “Where Do Security Policies
[47] P. G. Inglesant and M. A. Sasse, “The True Cost of Unusable Come from?,” in Proceedings of the Sixth Symposium on
Password Policies: Password Use in the Wild,” in Usable Privacy and Security, 2010, pp. 10:1–10:14.
Proceedings of the SIGCHI Conference on Human Factors in
Computing Systems, 2010, pp. 383–392. [65] K.-P. L. Vu, R. W. Proctor, A. Bhargav-Spantzel, B.-L.
(Belin) Tai, J. Cook, and E. Eugene Schultz, “Improving
[48] A. Moallem, “Did You Forget Your Password ?,” pp. 29–39,
Password Security and Memorability to Protect Personal and
2011.
Organizational Information,” Int. J. Hum.-Comput. Stud., vol.
[49] A. G. Voyiatzis, C. A. Fidas, D. N. Serpanos, and N. M. 65, no. 8, pp. 744–757, 2007.
Avouris, “An Empirical Study on the Web Password Strength
[66] B. Grawemeyer and H. Johnson, “Using and Managing
in Greece,” Informatics (PCI), 2011 15th Panhellenic
Multiple Passwords: A Week to a View,” Interact. Comput.,
Conference on. pp. 212–216, 2011.
vol. 23, no. 3, pp. 256–267, 2011.
[50] E. Hayashi and J. Hong, “A Diary Study of Password Usage [67] G. B. Duggan, H. Johnson, and B. Grawemeyer, “Rational
in Daily Life,” in Proceedings of the SIGCHI Conference on Security: Modelling Everyday Password Use,” Int. J. Hum.-
Human Factors in Computing Systems, 2011, pp. 2627–2630. Comput. Stud., vol. 70, no. 6, pp. 415–431, 2012.
[51] K. Schaffer, “Are Password Requirements too Difficult?,” [68] S. Preibusch and J. Bonneau, “The Password Game: Negative
Computer, vol. 44, no. 12. pp. 90–92, 2011.
Externalities from Weak Password Practices,” in Decision and
[52] S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Game Theory for Security SE - 13, vol. 6442, T. Alpcan, L.
Bauer, N. Christin, L. F. Cranor, and S. Egelman, “Of Buttyán, and J. Baras, Eds. Springer Berlin Heidelberg, 2010,
Passwords and People: Measuring the Effect of Password- pp. 192–207.
composition Policies,” in Proceedings of the SIGCHI [69] M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek,
Conference on Human Factors in Computing Systems, 2011, “Password Cracking Using Probabilistic Context-Free
pp. 2595–2604.
Grammars,” Security and Privacy, 2009 30th IEEE
[53] P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Symposium on. pp. 391–405, 2009.
Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez,

1365

You might also like