2004
User authentication in computer systems has been a cornerstone of computer security for decades. The concept of a user ID and password is a cost-effective and efficient method of maintaining a shared secret between a user and a computer system. One of the key elements of password-based security is its reliance on human cognitive ability to remember the shared secret. In the early days of computing, with only a few computer systems and a small, select group of users, this model proved effective.
International Journal of Computer Network and Information Security
There is no doubt that, even after the development of many other authentication schemes, passwords remain one of the most popular means of authentication. This paper reviews password-based authentication by introducing and analyzing the different schemes, their respective advantages and disadvantages, and the probable causes of the disconnect between users and password mechanisms. The evolution of passwords and how deeply rooted they have become in our lives is remarkable. The paper addresses the gap between the user and industry perspectives on password authentication, the state of the art, and how the most investigated topics in password authentication have changed over time. The authors distinguish two levels of password-based authentication, a 'User Centric Design Level' and a 'Machine Centric Protocol Level', under one framework. The paper concludes with a special section on ways in which password-based authentication can be strengthened on the issues that currently hold it back.
The SIJ Transactions on Computer Science Engineering & its Applications (CSEA), 2017
Amongst today's methods of authentication, the old-fashioned technique that requires a username and password remains the prevailing measure for securing computers, email accounts, and online transactions. Besides the threats people are exposed to if they do not change their passwords regularly, there is always a risk that passwords fade from human memory over a longer period of time. This research explores the flaws of the dominant username-password measure and focuses on alternative authentication and authorization techniques. Furthermore, a classification of password usage is given and suitable authentication methods are suggested.
Encyclopedia of Information Science and Technology, Second Edition
Authentication is one of the most important parts of any system. Regarded as both the first and the last line of defense in the great majority of cases, authentication systems can usually prevent unauthorized access to users' data. However, the traditional text-based password is still used in many websites and applications that are vulnerable to different kinds of attacks. Accordingly, several alternative ways exist to strengthen this traditional method. In this study, we classified and identified different types of authentication systems on a variety of platforms and discussed their usage, similarities, usability, performance and drawbacks. The goal of this study is to provide useful, classified information that helps readers understand how different authentication systems work and what their usability properties and drawbacks are.
Informing Science: The International Journal of an Emerging Transdiscipline, 2004
The research objective was to develop a model for evaluating the human impact that password authentication issues have on the security of information systems. Through distributing a survey and conducting an experiment, the researchers created a model for predicting how vulnerable to error an information system is under a particular set of conditions. The survey had over 250 respondents. The experiment consisted of 30 subjects, and the analysis used a χ² goodness-of-fit test. The findings indicate that human error associated with password authentication can be significantly reduced through the use of passwords composed of data meaningful to the user that also meet the information technology community's requirements for password strength. Future research will be performed to further validate and enhance the developed model and to develop human-factor password guidelines.
Proceedings of the …, 2003
Reasons for the adoption of smart cards and biometric authentication mechanisms have been discussed in the past, yet many organisations still resort to traditional methods of authentication. Passwords carry several encumbrances, not least the difficulty some users have in remembering them. Users often write difficult passwords down near the workstation, which negates any security password authentication may provide and opens the floodgates to identity theft. In the current mainstream authentication paradigm, system administrators must ensure all users are educated on the need for a password policy, and must implement it strictly. This paper discusses a conceptual framework for an alternative authentication paradigm. The framework attempts to reduce complexity for the user as well as increase security at the network and application levels.
Proceedings 2017 Workshop on Usable Security
System-assigned random passwords offer security guarantees against guessing attacks but suffer from poor memorability. In this work, we review the cognitive psychology literature and identify two training methods appropriate to aid users in memorizing system-assigned passwords. The method of loci exploits users' spatial and visual memory, while the link method helps users by creating a chain of memory cues. We developed techniques to automatically take a given random password and generate training aids (videos) based on each of these methods. The results of a memorability study showed that both methods were significantly better than a control condition (no training) and that the method of loci had a login success rate of 86%, a high value for any recall-based study with system-assigned passwords. With a registration time of 160 seconds and a median login time of 9 seconds, this method holds promise as a direction for addressing the usability-security trade-off in user authentication. We further extend this idea to help users memorize long system-assigned random passwords that offer almost crypto-level security, and conduct a second memorability study. The results of this study demonstrated that, with the help of a password hint, 81% of participants were able to recall the password after a week. This indicates that the method of loci can be leveraged to help users memorize cryptographically strong secrets in just one session, and thus offers a more viable alternative to the spaced repetition technique, which involves dozens of sessions of user training.
2013 International Conference on Computer Applications Technology (ICCAT), 2013
Passwords are the most popular mechanism and constitute the first line of defence in computer-based security systems, despite the existence of more attack-resistant authentication schemes. In order to enhance password security, it is imperative to strike a balance between having enough rules to maintain good security and not having so many rules that users are compelled to take evasive actions which, in turn, compromise security. The human factor is the most critical element in the security system for at least three reasons: it is the weakest link, the only factor that exercises initiative, and the factor that transcends all the other elements of the entire system. This illustrates the significance of social engineering in security design, and the fact that security is indeed a function of both technology and human factors, bearing in mind that there can be no technical hacking in a vacuum. This paper examines the current divergence among security engineers regarding the rules governing best practice in the use of passwords: should they be written down or memorised; changed frequently or remain permanent? It also attempts to elucidate the facts surrounding some of the myths associated with computer security. The paper posits that the lack of the requisite balance between technological and human factors is responsible for the persistent state of password security problems. It is thus recommended that, in handling password security issues, human factors be given priority over technological factors. The paper proposes the use of a (k, n)-threshold scheme, such as Shamir's secret-sharing scheme, to enhance the security of the password repository. This presupposes an inclination towards writing the password down: after all, diamond, platinum, gold and silver are not memorised; they are stored.
Annual Computer Security Applications Conference, 2021
Despite efforts to replace them, passwords remain the primary form of authentication on the web. Password managers seek to address many of the problems with passwords by helping users generate, store, and fill strong and unique passwords. Even though experts frequently recommend password managers, there is limited information regarding their usability. To aid in designing such usability studies, we systematize password manager use cases, identifying ten essential use cases, three recommended use cases, and four extended use cases. We also systematize the system designs employed to satisfy these use cases, designs that should be examined in usability studies to understand their relative strengths and weaknesses. Finally, we describe observations from 136 cognitive walkthroughs exploring the identified essential use cases in eight popular managers. Ultimately, we expect that this work will serve as the foundation for an explosion of new research into the usability of password managers.
Behavior Research Methods, Instruments, & Computers, 2002
2017
This thesis investigates the human-factor problems in password authentication and proposes some usable solutions to these problems by focusing on both forms of knowledge based authentication: textual passwords and graphical passwords. It includes a range of empirical studies to examine users' password-related behaviour and practices in authentication, and helps users to adopt secure password behaviour. This thesis consists of two parts. The first part focuses on traditional text-based passwords. Design flaws and usability issues of existing text-password mechanisms used by many organisations cause employees to adopt insecure password practices. The first work in this thesis investigates the reasons for employees' lack of motivation regarding password protection against security failures. An empirical study is conducted to identify the factors causing employees’ insecure behaviours in organisations, and several persuasion strategies are tested to persuade employees to use pas...
IEEE 2002 International Symposium on Technology and Society (ISTAS'02). Social Implications of Information and Communication Technology. Proceedings (Cat. No.02CH37293)
Password security is essential to the security of information systems. It is often recommended that passwords not be short, not be words found in a dictionary, and that they be changed frequently. When a user has access to many accounts or systems, different passwords should be used so that no single incident leads to the compromise of all of these accounts. Unfortunately, human fallibility makes it nearly impossible to follow all of these rules simultaneously. A user with many different, frequently changing passwords will be forced to write them down somewhere. Some systems constrain passwords to a certain minimum length, or require them to contain a combination of letters and numbers. Some systems also impose maximum lengths, and some prohibit special characters. The lack of common standards for passwords makes it difficult for a user to remember which password is used for which system. To make matters worse, systems frequently revoke a user's access after a password has been entered incorrectly as few as three times. What is needed, then, is an analysis of passwords that takes both human factors and security into account. We must recognize that what really matters is the security of the total system, offline as well as online. This paper explores the tradeoffs that need to be made to achieve maximum security in everyday use by forgetful users.
2013
Ayad Keshlaf and all the rest of the participants who took part in any of the three experimental works that I conducted; without the full commitment and cooperation of each of you, the research would not have been a success. Last but not least, I would like to sincerely thank from the bottom of my heart my beloved husband and children for being patient with me throughout this journey. I would like to apologise for the times when I was not able to play my role as a good wife or good mommy, but one thing I know for sure: you have been so wonderful to me, and that has granted me the opportunity to make this thesis possible in the end.
Journal of Information Privacy and Security, 2008
International Journal for Research in Applied Science & Engineering Technology (IJRASET), 2022
The growing number of online services requires users to have control over their password management (generation, storage, recall). But the demand for total randomness and uniqueness of passwords is impractical in day-to-day life, and each component of a password management system brings its own cognitive burden on the user. Many password management solutions are available, but every one of them has some drawbacks. Password managers can help users manage their passwords more successfully while also addressing many of the problems of password-based authentication. In this study, we analyze previous studies on the effectiveness, usability, and security of password managers of all categories, and we try to derive an ideal set of parameters for building the best possible password management system in 2022. This study will help readers understand the key parameters and algorithms that can be used when building an ideal password generation, storage, and recall system for the user.
Computing Research Repository, 2009
Over the years, security experts in the field of information technology have had a tough time making passwords secure. This paper takes a careful look at this issue from the angle of philosophy and cognitive science. We studied the password process to rank its strengths and weaknesses in order to establish a quality metric for passwords. Finally, we related the process to the human senses, which enables us to propose a constitutional scheme for the password process. The basic proposition is to exploit the relationship between human senses and passwords to improve authentication while keeping it an enjoyable activity.
Journal of University of Human Development, 2016
Recent research shows the need to reject the mistaken opinion that security by password (PW) is dead, and shows that this belief has been harmful; it further recommends a campaign that prioritizes strategies for building PWs. Given features such as low cost, maturity, wide experience and usability, the PW remains the most used option in information security (IS); it also remains one of the greatest challenges for researchers and genuinely needs further strengthening. PWs control the authentication mechanisms of IS, which requires that individuals choose strong PWs. The best advice for protection against attackers is to randomly generate a unique PW for every site and service; to apply this advice we need more techniques that are easy to remember and hard to guess. This study proposes a set of easy-to-remember techniques for building a strong PW and shows the importance of such a strategy despite the existence of many helpful PW managers. The paper also compiles and analyzes current data on authenticating secure systems via PW. The analyzed data show some common weaknesses in PW selection, and the gathered information indicates the need to strengthen PWs. The proposed techniques and solutions enable individuals to select appropriate PWs easily.
IEEE Security & Privacy Magazine, 2012
Simple passwords have been around for a long time but are now destined to become a thing of the past. Widely recognized as the weakest link in computer security, they have corporate enterprises and financial institutions scrambling to find suitable, secure alternatives. This is spurred by the 2005 FFIEC security guidance, which expects all online financial services to have stronger authentication technologies in place by 2007. Will online users log on or check out? There are dozens of authentication methodologies to choose from. As organizations select and implement individual solutions, the overall impact on the online community will be substantial. Since the average user has five or more passwords, and each organization will adopt its own technology, users will be confronted with learning and using several logon systems. Power Internet users have an even bigger problem. Imagine for a moment a power Internet user with dozens of password-protected accounts: eBay, PayPal, an online brokerage account, one or more online banking accounts, one or more e-mail accounts, and several online shopping accounts. Each will have its own authentication technology, ranging from tokens to authenticators to cryptographic credentials.
Handbook of Research on Social and Organizational Liabilities in Information Security, 2009
The traditional approach to security has been the use of passwords. They give the system a barrier to access that was quite safe in the analog world. The digital era provided the means to easily try thousands of passwords in a short period of time, and now the password scheme is no longer safe. It suffers from the password's contradiction: it requires both simplicity and complexity in order to be both usable and safe. New technologies are therefore required that preserve ease of use but provide stronger authentication. This chapter presents the latest advances in three technologies that can be used, alone or together, to improve the safety of user/password schemes without significant changes to the protected information system's architecture, despite the human factors that traditionally reduce the security of those systems. The presented technologies are keystroke dynamics, graphical authentication and pointer dynamics.
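Keystroke dynamics, the first of the three technologies named above, layered on a fixed password as an added example (this is not code from the chapter): the user's key-hold times and key-to-key latencies while typing the password are enrolled as a template, and a later login is scored against it. The feature layout, the enrolment timings, the probes and the acceptance threshold below are all constructed; the detector is the scaled Manhattan distance against the enrolment mean, a common baseline for this problem rather than anything the chapter specifies.

```python
"""Keystroke-dynamics verifier for a fixed password.

Added illustrative example; not code from the chapter.  Assumptions: a feature
vector is [hold_1, latency_1, hold_2, ..., latency_{n-1}, hold_n] in ms for one
typing of the password; enrolment samples, probes and THRESHOLD are constructed;
the score is the scaled Manhattan distance (mean absolute deviation per feature).
"""

# Constructed enrolment: one user typing a 4-character password five times.
# Four key-hold times interleaved with three key-to-key latencies (ms).
ENROLMENT = [
    [90, 120, 85, 150, 95, 110, 88],
    [95, 115, 80, 160, 100, 105, 90],
    [88, 125, 90, 145, 92, 115, 85],
    [92, 118, 84, 155, 97, 108, 91],
    [90, 122, 86, 152, 94, 112, 87],
]
GENUINE_PROBE = [91, 119, 86, 150, 96, 111, 89]       # same rhythm as enrolment
IMPOSTOR_PROBE = [140, 210, 130, 260, 150, 190, 135]  # knows the password, types it slower

# Accept when the mean scaled deviation per feature is at most this (constructed;
# in practice tuned on real enrolment data, e.g. to the equal-error rate).
THRESHOLD = 1.5
MAD_FLOOR = 1.0  # ms; keeps a freakishly stable feature from dominating the score


def enroll(samples):
    """Build a template (per-feature mean, per-feature mean absolute deviation)."""
    n_feat = len(samples[0])
    if any(len(s) != n_feat for s in samples):
        raise ValueError("inconsistent feature vectors")
    n = len(samples)
    means = [sum(s[i] for s in samples) / n for i in range(n_feat)]
    mads = [
        max(sum(abs(s[i] - means[i]) for s in samples) / n, MAD_FLOOR)
        for i in range(n_feat)
    ]
    return means, mads


def scaled_manhattan(template, probe):
    """Mean over features of |probe - mean| / mad; 0 is a perfect rhythm match."""
    means, mads = template
    if len(probe) != len(means):
        raise ValueError("probe has the wrong number of features")
    return sum(abs(p - m) / d for p, m, d in zip(probe, means, mads)) / len(means)


def verify(template, probe, threshold=THRESHOLD):
    """True if the typing rhythm is close enough to the enrolled template.

    This runs only after the password itself has been checked; the rhythm is a
    second factor that a stolen password alone does not satisfy.
    """
    return scaled_manhattan(template, probe) <= threshold


if __name__ == "__main__":
    tpl = enroll(ENROLMENT)
    print("genuine  ", round(scaled_manhattan(tpl, GENUINE_PROBE), 2), verify(tpl, GENUINE_PROBE))
    print("impostor ", round(scaled_manhattan(tpl, IMPOSTOR_PROBE), 2), verify(tpl, IMPOSTOR_PROBE))
```

The verifier is a second factor on top of the password check, not a replacement for it: an impostor who has the password still has to reproduce the owner's rhythm. Two caveats a deployment has to handle that this toy does not: timings drift with keyboard, device and fatigue, so the template needs periodic re-enrolment and the threshold must be tuned on real data against a measured false-accept/false-reject trade-off; and captured timings can be replayed, so the feature stream needs the same transport protection as the password.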