Search results
1 – 10 of over 4000
Abstract
Suggests that computer passwords can pose a major computer security risk, as password guessing is the most prevalent and effective method of system penetration. Introduces a new computer package which can address this problem by generating difficult‐to‐guess passwords by removing human judgement from the password construction process.
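The abstract above does not describe how the package constructs its passwords, so the following is an added illustration rather than the authors' code: a small Python generator that removes human choice entirely by drawing every character from the operating system's CSPRNG (`secrets`), enforces an assumed four-class composition policy by rejection sampling (so the accepted strings stay uniformly distributed over the compliant set, which a "pick one from each class, then shuffle" approach does not), and reports the nominal entropy of a draw. The character classes and the 16-character default are assumptions for the example.

```python
import math
import secrets
import string

# Assumed composition policy for this example; adjust to the target system.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())  # 86 distinct characters


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a string of `length` symbols drawn uniformly from the alphabet.
    This is an upper bound for the generator below: requiring every class
    excludes a small fraction of the space, which reduces entropy slightly."""
    return length * math.log2(alphabet_size)


def meets_policy(pw, required=tuple(CLASSES)):
    """True when `pw` contains at least one character from every required class."""
    return all(any(c in CLASSES[name] for c in pw) for name in required)


def generate_password(length=16, required=tuple(CLASSES)):
    """Draw a candidate from the CSPRNG and retry until it satisfies the policy.

    Rejection sampling, rather than forcing one character per class, keeps the
    output uniform over all compliant strings and so keeps the guessing
    difficulty close to entropy_bits(length)."""
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, required):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw)):.1f} bits nominal entropy")
```

The entropy figure is what an attacker with no knowledge of the policy faces; a guesser who knows the composition rule gains only the log2 of the excluded fraction, which for a four-class rule on a 16-character draw from 86 symbols is well under one bit.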
Alain Forget, Sonia Chiasson and Robert Biddle
Abstract
Purpose
This paper aims to propose that more useful novel schemes could develop from a more principled examination and application of promising authentication features. Text passwords persist despite several decades of evidence of their security and usability challenges. It seems extremely unlikely that a single scheme will globally replace text passwords, suggesting that a diverse ecosystem of multiple authentication schemes designed for specific environments is needed. Authentication scheme research has thus far proceeded in an unstructured manner.
Design/methodology/approach
This paper presents the User-Centred Authentication Feature Framework, a conceptual framework that classifies the various features that knowledge-based authentication schemes may support. This framework can be used by researchers when designing, comparing and innovating authentication schemes, as well as by administrators and users, who can use the framework to identify desirable features in schemes available for selection.
Findings
This paper illustrates how the framework can be used by demonstrating its applicability to several authentication schemes, and by briefly discussing the development and user testing of two framework-inspired schemes: Persuasive Text Passwords and Cued Gaze-Points.
Originality/value
This framework is intended to support the increasingly diverse ecosystem of authentication schemes by providing authentication researchers, professionals and users with the increased ability to design, develop and select authentication schemes better suited for particular applications, environments and contexts.
Cheng Yang, Jui‐long Hung and Zhangxi Lin
Abstract
Purpose
In December 2011, the National Computer Network Emergency Response Technical Team/Coordination Center of China reported the most serious user data leak in history which involved 26 databases with 278 million user accounts and passwords. After acquiring the user data from this massive information leak, this study has two major research purposes: the paper aims to reveal similarities and differences of password construction among four companies; and investigate how culture factors shape user password construction in China.
Design/methodology/approach
This article analyzed real‐life passwords collected from four companies by comparing the following attributes: password length, password constitution, top 20 frequent passwords, character frequency distributions, string similarity, and password reuse.
Findings
Major findings include that: general users in China have a weaker sense of security than those in Western countries, which is reflected in the password lengths, the character combinations and the content structures; password constitution preferences are different between users in Western countries and in China, where passwords are more similar to the Pinyin context and Chinese number homonyms; and password reuse is very common in China. General users tend to reuse the same passwords and IT professionals tend to engage in Seed Password reuse.
Research limitations/implications
Due to the rapid growth of Internet users and e‐commerce markets in China, many online service providers may not pay enough attention to security issues, but focus instead on market expansion. Employees in these companies may not be well trained in information security, resulting in carelessness when handling security issues.
Originality/value
This is the first study which attempts to consider culture influences in password construction by analyzing real‐life datasets.
Kirsi Helkala and Tone Hoddø Bakås
Abstract
Purpose
The purpose of this paper is to extend the results of a Norwegian password security survey. Research, especially in the early 21st century, has shown that education is needed to change people’s behaviour regarding password generation, management and storage. As our daily routines and duties have become more dependent on electronic services in the last decade, one could think that qualitative education is nowadays given to users. This survey is to verify that assumption.
Methodology
A nation-wide demographic survey among employees in Norway with a sample of 1,003 respondents at the ages of 18-64 years was conducted in October 2012.
Findings
The results show that education or proper guidance is seldom given, leading to outdated user behaviour.
Research limitations
The results of the study are limited to the employed only and they do not explain behaviour of students, teenagers or children.
Social implications
During the current year, the results of the study have been discussed several times in national media and, hopefully, have an impact on employees' behaviour. The results have also been used in the National Security Month campaign in October 2013.
Originality/value
The questionnaire itself is not unique. However, the large amount of respondents gives higher value to the results.
Kristen K. Greene and Yee-Yin Choong
Abstract
Purpose
The purpose of this research is to investigate user comprehension of ambiguous terminology in password rules. Although stringent password policies are in place to protect information system security, such complexity does not have to mean ambiguity for users. While many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects user comprehension of password rules.
Design/methodology/approach
This research used a combination of quantitative and qualitative methods in a usable security study with 60 participants. Study tasks contained password rules based on real-world password requirements. Tasks consisted of character-selection tasks that varied the terms for non-alphanumeric characters to explore users’ interpretations of password rule language, and compliance-checking tasks to investigate how well users can apply their understanding of the allowed character space.
Findings
Results show that manipulating password rule terminology causes users’ interpretation of the allowed character space to shrink or expand. Users are confused by the terms “non-alphanumeric”, “symbols”, “special characters” and “punctuation marks” in password rules. Additionally, users are confused by partial lists of allowed characters using “e.g.” or “etc.”
Practical implications
This research provides data-driven usability guidance on constructing clearer language for password policies. Improving language clarity will help usability without sacrificing security, as simplifying password rule language does not change security requirements.
Originality/value
This is the first usable security study to systematically measure the effects of ambiguous password rules on user comprehension of the allowed character space.
Abstract
Purpose
To devise a biometric‐based mechanism for enhancing security of private keys used in cryptographic applications.
Design/methodology/approach
To enhance security of a private key, we propose a scheme that regenerates a user's private key by taking a genuine user's password, fingerprint and a valid smart card. Our scheme uses features extracted from fingerprint along with public key cryptography, cryptographic hash functions and Shamir secret sharing scheme in a novel way to achieve our desired objectives.
Findings
Despite changes in the fingerprint pattern each time it is presented, our scheme is sufficiently robust to regenerate a constant private key. As compared to conventional methods of storing a private key merely by password‐based encryption, our scheme offers more security as it requires a genuine user's password, fingerprint and a valid smart card. Key lengths up to 1024‐bit or even higher can be regenerated making the scheme compatible with the current security requirements of public key cryptosystems.
Research limitations/implications
Minutia points used for image alignment can be incorporated in the key regeneration algorithm for stronger user authentication. In this case, some alternative technique will be required for image alignment.
Practical implications
The robustness of our scheme depicts its use in practical systems where there are variations in fingerprint patterns because of sensor noise and alignment issues.
Originality/value
In this paper, we have demonstrated a novel idea of regenerating the private key of a user by using fingerprint, password and a smart card. The basic aim is to provide more security to key storage as compared to traditional methods that use password‐based encryption for secure storage of private keys.
Salvatore Aurigemma and Thomas Mattson
Abstract
Purpose
This paper aims to examine the impact an individual’s long-term orientation (a cultural dimension) has on their attitude, behavioral intention and actual voluntary security actions taken in the context of the dangers related to poor account access management.
Design/methodology/approach
The paper relied upon survey data and actual usage information from a culturally diverse sample of 227 individuals who were introduced to the specific security problem and the accepted solution of using a password manager application.
Findings
The paper provides empirical evidence that the effect of positive attitudes increased when individuals were more long-term oriented, but the effect was reversed for average/negative attitudes toward the voluntary security behavior. Furthermore, participants with high long-term orientation and strong positive attitudes toward the security action actually adopted password manager applications 57 per cent more than the average adoption rate across the sample.
Research limitations/implications
Due to the research approach (survey data), security context and sample population, the research results may lack generalizability.
Practical implications
The findings suggest that security awareness messaging and training should account for differences in long-term orientation of the target audience and integrate the distinctly different types of messages that have been shown to improve an individual’s participation in voluntary security actions.
Originality/value
The paper addresses previous research calls for examining possible cultural differences that impact security behaviors and is the only study that has focused on the impact of long-term orientation, specifically on voluntary security actions.
Xiaoying Yu and Qi Liao
Abstract
Purpose
Passwords have been designed to protect individual privacy and security and are widely used in almost every area of our life. The strength of passwords is therefore critical to the security of our systems. However, due to the explosion of user accounts and the increasing complexity of password rules, users are struggling to find ways to make up sufficiently secure yet easy-to-remember passwords. This paper aims to investigate whether there are repetitive patterns when users choose passwords and how such behaviors may lead us to rethink password security policy.
Design/methodology/approach
The authors develop a model to formalize the password repetitive problem and design efficient algorithms to analyze the repeat patterns. To help security practitioners to analyze patterns, the authors design and implement a lightweight, Web-based visualization tool for interactive exploration of password data.
Findings
Through case studies on a real-world leaked password data set, the authors demonstrate how the tool can be used to identify various interesting patterns, e.g. shorter substrings of the same type used to make up longer strings, which are then repeated to make up the final passwords, suggesting that the length requirement of password policy does not necessarily increase security.
Originality/value
The contributions of this study are two-fold. First, the authors formalize the problem of password repetitive patterns by considering both short and long substrings and in both directions, which have not yet been considered in the past. Efficient algorithms are developed and implemented that can analyze various repeat patterns quickly even in large data sets. Second, the authors design and implement four novel visualization views that are particularly useful for exploration of password repeat patterns, i.e. the character frequency charts view, the short repeat heatmap view, the long repeat parallel coordinates view and the repeat word cloud view.
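The abstract describes the finding (short substrings repeated to reach a length requirement) but not the algorithms, so here is an added example, not the authors' tool, of the basic checks an analyst would run over a password list: the shortest repeating unit of each password (via the rotation trick `(s+s).find(s, 1)`), the character class of that unit, a mirrored-repeat check as one reading of "both directions", and the overlapping 2- and 3-character substrings that occur more than once. The `effective_length` field is the point of the finding: a 9-character `123123123` carries only the 3 characters of its unit. The sample passwords are constructed for the example.

```python
from collections import Counter


def smallest_repeating_unit(pw):
    """Shortest u with pw == u * k. If pw is periodic with period p, pw reappears
    in pw+pw at offset p < len(pw); otherwise the first hit is at len(pw)."""
    if not pw:
        raise ValueError("empty password")
    idx = (pw + pw).find(pw, 1)
    return pw[:idx] if idx < len(pw) else pw


def is_mirrored(pw):
    """True when the second half is the first half reversed (e.g. 'abccba')."""
    half = len(pw) // 2
    return len(pw) >= 4 and pw[:half] == pw[-half:][::-1]


def char_class(s):
    """Coarse character class of a string, matching the 'same type' idea above."""
    if s.isdigit():
        return "digits"
    if s.isalpha():
        return "letters"
    if s.isalnum():
        return "alphanumeric"
    return "mixed"


def short_repeats(pw, min_len=2, max_len=3):
    """Overlapping substrings of length min_len..max_len seen more than once."""
    found = Counter()
    for n in range(min_len, max_len + 1):
        for i in range(len(pw) - n + 1):
            found[pw[i:i + n]] += 1
    return {s: c for s, c in found.items() if c > 1}


def analyze(pw):
    unit = smallest_repeating_unit(pw)
    return {
        "password": pw,
        "length": len(pw),
        "unit": unit,
        "repeats": len(pw) // len(unit),
        "unit_class": char_class(unit),
        "mirrored": is_mirrored(pw),
        "short_repeats": short_repeats(pw),
        "effective_length": len(unit),
    }


# Constructed sample; a real run would read a leaked or audited list.
SAMPLE_PASSWORDS = ["123123123", "abcabc", "passpass", "abccba",
                    "qwerty12", "1q2w1q2w", "aaaaaaaa"]


def summarize(passwords=SAMPLE_PASSWORDS):
    """Analyze every password and count how many meet an 8-char length rule
    while their repeating unit is shorter than that rule."""
    rows = [analyze(p) for p in passwords]
    hollow = sum(1 for r in rows if r["length"] >= 8 and r["effective_length"] < 8)
    return rows, hollow


if __name__ == "__main__":
    rows, hollow = summarize()
    for r in rows:
        print(f'{r["password"]:12} unit={r["unit"]!r:8} x{r["repeats"]} '
              f'{r["unit_class"]:13} mirrored={r["mirrored"]}')
    print(f"{hollow} of {len(rows)} satisfy length>=8 only through repetition")
```

The `hollow` count is the policy-relevant number: passwords that satisfy a minimum-length rule only by repeating a short unit, which is the case the abstract argues a length requirement alone does not defend against.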
Mona Mohamed, Joyram Chakraborty and Sharma Pillutla
Abstract
Purpose
The purpose of this study is to examine the effects of culture on the cross-cultural design of the recognition-based graphical password (RBG-P) interface as inferred from Chinese and Saudi subjects’ image selections.
Design/methodology/approach
The authors use a between-group design with two groups of participants from China and the Kingdom of Saudi Arabia to measure the differences caused by the effects of culture on graphical password image selections. Three hypotheses have been tested in a four-week long study carried out using two questionnaires and an RBG-P webtool designed for image selection.
Findings
The results have indicated that participants are equally biased not only toward their own culture but also depending on their opinions about other cultures. In addition, when creating the password, it has been observed that culture not only influenced the image selection to create the password but also had an effect on the sequence of the images forming the password.
Research limitations/implications
Image selection differences, appropriately used in cross-cultural designs, will lead to better development of culturally adaptive interfaces that boost the security posture of RBG-P authentication.
Practical implications
Some RBG-P interfaces that are produced outside the designer's culture may suffer the effects of cultural differences. Hence, to incorporate culture in the interface, authentication systems within applications should be flexible by designing images that fit the culture in which the software will be used. To this end, access control interface testing should also be carried out in the environmental and cultural context in which it will be used.
Originality/value
This paper provides useful information for international developers who develop cross-cultural usable secure designs. In such environments, cross-cultural designs may have significant effects on the acceptability, adoption and adaptation of the interface to multi-cultural settings.
Atish Dipakbhai Nayak and Rajesh Bansode
Abstract
Purpose
The purpose of this paper is to increase security using persuasive cued click points (PCCP) techniques and to make a system to provide security from the malware, key loggers and attacks.
Design/methodology/approach
The work methodology comprises two major phases. In phase one, PCCP is applied to the registration and login process. It also includes a text-based password which hides the password characters to protect against shoulder surfing attacks. In phase two, the work includes background services which protect against key loggers.
Findings
Secure password persuasive cued click point (SPPCCP) is a module that facilitates authentication for desktop-based applications and provides single-machine licensing functionality. SPPCCP comprises a small set of functions to thwart attackers, such as persuasive click points with password protection. It includes techniques to protect against malware, such as resisting debuggers, and against key loggers that run on desktop computers. Spearman rank correlation is used for detection of key loggers. Functionalities used to secure desktop applications include time constraints and user selection.
Originality/value
The contribution of this paper is to provide knowledge in the field of security. It makes the graphical password more secure and useful. The intention behind this research was to increase the security level by up to 60-80 per cent. It is also used for prevention of the shoulder surfing problem by up to 80 per cent; this research also operates on key loggers, and SPPCCP finds the key loggers and removes them from the system. It also decrypts the data of the database by encrypting it with the SHA-512 algorithm and reduces the average login time by up to 20-30 per cent; it uses a smaller viewport of 33.5 × 33.5 pixels to give more choice in selecting the password, thereby decreasing the probability of hotspot areas by up to 18-20 per cent.