Search results
Kristen K. Greene and Yee-Yin Choong
Abstract
Purpose
The purpose of this research is to investigate user comprehension of ambiguous terminology in password rules. Although stringent password policies are in place to protect information system security, such complexity does not have to mean ambiguity for users. While many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects user comprehension of password rules.
Design/methodology/approach
This research used a combination of quantitative and qualitative methods in a usable security study with 60 participants. Study tasks contained password rules based on real-world password requirements. Tasks consisted of character-selection tasks that varied the terms for non-alphanumeric characters to explore users’ interpretations of password rule language, and compliance-checking tasks to investigate how well users can apply their understanding of the allowed character space.
Findings
Results show that manipulating password rule terminology causes users’ interpretation of the allowed character space to shrink or expand. Users are confused by the terms “non-alphanumeric”, “symbols”, “special characters” and “punctuation marks” in password rules. Additionally, users are confused by partial lists of allowed characters using “e.g.” or “etc.”
Practical implications
This research provides data-driven usability guidance on constructing clearer language for password policies. Improving language clarity will help usability without sacrificing security, as simplifying password rule language does not change security requirements.
Originality/value
This is the first usable security study to systematically measure the effects of ambiguous password rules on user comprehension of the allowed character space.
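As an added example (not code from the paper), the following Python shows the effect the study measures: the same rule text checked under four readings of its ambiguous term gives four different allowed character spaces and four different verdicts. The four character sets are constructed for illustration and are an assumption of this example, not sets the paper defines.

```python
import string

ALNUM = set(string.ascii_letters + string.digits)

# Four readings of the terms the study found confusing. These sets are constructed
# for this example: the paper reports that users disagree about what the terms
# cover, it does not fix these exact sets.
READINGS = {
    "punctuation marks":  set(".,;:!?'\"-()"),                       # typographic marks only
    "symbols":            set("!@#$%^&*+=<>~|/\\"),                  # shifted keyboard symbols
    "special characters": set(string.punctuation),                   # all ASCII punctuation
    "non-alphanumeric":   {chr(c) for c in range(32, 127)} - ALNUM,  # also admits the space
}

def allowed_space(term):
    """Characters a user could legitimately type under one reading of the term."""
    return ALNUM | READINGS[term]

def space_size(term):
    return len(allowed_space(term))

def check(password, term, min_len=8):
    """Compliance with 'at least min_len characters, at least one <term>' under
    one reading. Returns (compliant, characters that reading does not allow at all)."""
    allowed = allowed_space(term)
    disallowed = sorted(set(password) - allowed)
    has_required = any(ch in READINGS[term] for ch in password)
    return (len(password) >= min_len and not disallowed and has_required, disallowed)

def compliance_matrix(password):
    """Same password, same rule text, one verdict per reading of the ambiguous term."""
    return {term: check(password, term)[0] for term in READINGS}

if __name__ == "__main__":
    for term in READINGS:
        print(f"{term:20s} allowed space: {space_size(term)} characters")
    print(compliance_matrix("Tr0ub4dor&3"))
    print(check("correct horse", "symbols"), check("correct horse", "non-alphanumeric"))
```

`compliance_matrix("Tr0ub4dor&3")` passes under three readings and fails under "punctuation marks"; `"correct horse"` passes only under "non-alphanumeric", the one reading that admits the space character. A policy that lists its character set in full, rather than naming it, collapses these four spaces to one without changing the security requirement.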
Panagiotis Andriotis, George Oikonomou, Alexios Mylonas and Theo Tryfonas
Abstract
Purpose
The Android pattern lock screen (or graphical password) is a popular user authentication method that relies on the visual representation of a password, which enhances its memorability. Graphical passwords are vulnerable to attacks (e.g. shoulder surfing); thus the need for more complex patterns becomes apparent. This paper aims to focus on the features that constitute a usable and secure pattern and to investigate the existence of heuristic and physical rules that may dictate the formation of a pattern.
Design/methodology/approach
The authors conducted a survey to study the users’ understanding of the security and usability of the pattern lock screen. The authors developed an Android application that collects graphical passwords, by simulating user authentication in a mobile device. This avoids any potential bias that is introduced when the survey participants are not interacting with a mobile device while forming graphical passwords (e.g. in Web or hard-copy surveys).
Findings
The findings verify and enrich previous knowledge about graphical passwords, namely that users mostly prefer usability over security. Using the survey results, the authors demonstrate how biased input impairs security by shrinking the available password space.
Research limitations/implications
The sample’s demographics may affect the findings; future work can replicate the study with samples of different demographics.
Originality/value
The authors define metrics that measure the usability of a pattern (handedness, directionality and symmetry) and investigate their impact on its formation. The authors propose a security assessment scheme using features of a pattern (e.g. the presence of knight moves or overlapping nodes) to evaluate its strength.
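As an added example, not the authors’ application or code, the following Python checks a 3x3 pattern against the Android drawing rule (a stroke may pass over a node only if that node was already visited), extracts the knight-move and overlapping-node features the abstract names, and enumerates the valid pattern space with and without a move restriction to show how a population bias shrinks it. The `direction_changes` and `start_corner` fields are this example’s own simple stand-ins; the paper’s handedness, directionality and symmetry metrics are not reproduced.

```python
# 3x3 grid, nodes numbered 0..8 row-major:  0 1 2 / 3 4 5 / 6 7 8
ROW_COL = {n: divmod(n, 3) for n in range(9)}

def midpoint(a, b):
    """Node lying exactly between a and b, or None. Android only lets a stroke
    skip such a node if it has already been visited."""
    (r1, c1), (r2, c2) = ROW_COL[a], ROW_COL[b]
    if a != b and (r1 - r2) % 2 == 0 and (c1 - c2) % 2 == 0:
        return ((r1 + r2) // 2) * 3 + (c1 + c2) // 2
    return None

def is_knight_move(a, b):
    (r1, c1), (r2, c2) = ROW_COL[a], ROW_COL[b]
    return {abs(r1 - r2), abs(c1 - c2)} == {1, 2}

def is_valid(pattern):
    """4..9 distinct nodes, no stroke jumping over an unvisited node."""
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        return False
    if any(n not in ROW_COL for n in pattern):
        return False
    visited = set()
    for a, b in zip(pattern, pattern[1:]):
        visited.add(a)
        m = midpoint(a, b)
        if m is not None and m not in visited:
            return False
    return True

def features(pattern):
    """Features of a valid pattern. 'knight_moves' and 'overlaps' follow the
    abstract; 'direction_changes' and 'start_corner' are this example's own
    simple stand-ins for the paper's directionality metric."""
    moves = list(zip(pattern, pattern[1:]))
    visited, overlaps = set(), 0
    for a, b in moves:
        visited.add(a)
        m = midpoint(a, b)
        if m is not None and m in visited:
            overlaps += 1           # stroke passes over an already-used node
    signs = []
    for a, b in moves:
        dr = ROW_COL[b][0] - ROW_COL[a][0]
        dc = ROW_COL[b][1] - ROW_COL[a][1]
        signs.append(((dr > 0) - (dr < 0), (dc > 0) - (dc < 0)))
    return {
        "length": len(pattern),
        "start_corner": pattern[0] in (0, 2, 6, 8),
        "knight_moves": sum(is_knight_move(a, b) for a, b in moves),
        "overlaps": overlaps,
        "direction_changes": sum(x != y for x, y in zip(signs, signs[1:])),
    }

def count_patterns(allow_move=lambda a, b: True):
    """Number of valid patterns per length, optionally restricted to the moves a
    user population is willing to make (to show how bias shrinks the space)."""
    counts = {n: 0 for n in range(4, 10)}
    def dfs(path, visited):
        if len(path) >= 4:
            counts[len(path)] += 1
        if len(path) == 9:
            return
        last = path[-1]
        for nxt in range(9):
            if nxt in visited or not allow_move(last, nxt):
                continue
            m = midpoint(last, nxt)
            if m is not None and m not in visited:
                continue
            path.append(nxt); visited.add(nxt)
            dfs(path, visited)
            path.pop(); visited.discard(nxt)
    for start in range(9):
        dfs([start], {start})
    return counts

if __name__ == "__main__":
    full = count_patterns()
    no_knight = count_patterns(lambda a, b: not is_knight_move(a, b))
    print("all valid patterns:", sum(full.values()))
    print("patterns without knight moves:", sum(no_knight.values()))
    print(features([0, 1, 2, 5, 8]))
```

`count_patterns()` totals 389,112 patterns of 4 to 9 nodes, the usual figure for Android. Passing `lambda a, b: not is_knight_move(a, b)` drops every pattern containing a knight move, and each further heuristic a population follows (start in a corner, avoid overlaps) removes a proportion an attacker exploits simply by ordering guesses accordingly.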
S. Vaithyasubramanian and R. Sundararajan
Abstract
Purpose
The purpose of this study is to classify the states of a Markov chain for the implementation of Markov passwords for effective security. Password confirmation is required in almost every authentication process, as the use of computing facilities and electronic devices to access networks has grown enormously. Over the years, with the increase in Web developments and Internet applications, each platform needs ID and password validation for individual users.
Design/methodology/approach
Cloud computing, in its recent technological development, faces security issues. Data theft, data security, denial of service, patch management, encryption management, key management, storage security and authentication are some of the issues and challenges in cloud computing. Validation at user login is generally performed by password, and alphanumeric passwords are the universal form. One promising proposed methodology for this type of password authentication is the Markov password. Markov passwords, a rule-based password formation, are generated using a Markov chain. Markov password formation can be represented by a state space diagram or a transition probability matrix. State space classification of a Markov chain is one of its basic and significant properties. The objective of this paper is to classify the states of the Markov chain to support the use of this type of password for effective authentication and secure communication in cloud computing. The conversion of some sample obvious passwords into Markov passwords and a comparative analysis of their strength are also presented. In the authors’ strength analysis, obvious passwords of length eight scored in the range 7%–9%, while the converted Markov passwords scored more than 82%. As an effective methodology, this password authentication can be implemented in a cloud portal and password login validation process.
Findings
The states of the Markov chain are classified to support the use of this type of password for effective authentication and secure communication in cloud computing. The conversion of sample obvious passwords into Markov passwords and a comparative analysis of their strength are also presented.
Originality/value
Validation at user login is generally performed by password, and alphanumeric passwords are the universal form. One promising proposed methodology for this type of password authentication is the Markov password.
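The state classification the paper refers to can be illustrated in code. The following Python is an added example, not the authors’ implementation: it takes a transition probability matrix (a constructed five-symbol chain, not the paper’s), derives which states are transient, recurrent or absorbing from the reachability closure, generates a password by a random walk, and scores a password by the bits of guesswork it costs an attacker who knows the chain. The strength percentages in the abstract come from the authors’ own meter and are not reproduced.

```python
import math
import random

# Constructed transition matrix over a tiny alphabet (each row sums to 1). The
# paper's own chain is not reproduced; the point is the classification that has
# to be done before such a chain is trusted to generate passwords.
P = {
    "a": {"b": 0.5, "1": 0.5},
    "b": {"a": 0.3, "#": 0.7},
    "1": {"1": 0.4, "b": 0.6},
    "#": {"#": 1.0},      # absorbing: a walk that reaches '#' emits '#' forever
    "z": {"a": 1.0},      # nothing leads back to 'z'
}

def reachable(P):
    """reach[s] = states reachable from s in one or more steps (Warshall closure)."""
    reach = {s: {t for t, p in row.items() if p > 0} for s, row in P.items()}
    for k in P:
        for i in P:
            if k in reach[i]:
                reach[i] |= reach[k]
    return reach

def classify(P):
    """Label each state 'absorbing', 'recurrent' or 'transient'; also return the
    communicating classes (sets of mutually reachable states)."""
    reach = reachable(P)
    labels, classes = {}, []
    for s in P:
        if s in labels:
            continue
        cls = {s} | {t for t in reach[s] if s in reach[t]}   # mutually reachable
        closed = all(reach[t] <= cls for t in cls)           # no probability leaks out
        for t in cls:
            if closed and len(cls) == 1 and P[t].get(t, 0) == 1.0:
                labels[t] = "absorbing"
            elif closed:
                labels[t] = "recurrent"
            else:
                labels[t] = "transient"
        classes.append(frozenset(cls))
    return labels, classes

def generate(P, start, length, seed=None):
    """Random walk from `start`; each next symbol is drawn from the current row."""
    rng = random.Random(seed)
    s, out = start, [start]
    for _ in range(length - 1):
        symbols, weights = zip(*P[s].items())
        s = rng.choices(symbols, weights=weights)[0]
        out.append(s)
    return "".join(out)

def bits(P, password):
    """-log2 of the path probability given the first symbol: the guesswork faced
    by an attacker who knows the chain. Infinite if the chain cannot emit it."""
    total = 0.0
    for a, b in zip(password, password[1:]):
        p = P.get(a, {}).get(b, 0)
        if p == 0:
            return math.inf
        total -= math.log2(p)
    return total

if __name__ == "__main__":
    labels, classes = classify(P)
    print(labels, classes)
    pw = generate(P, "a", 12, seed=1)
    print(pw, f"{bits(P, pw):.2f} bits")
```

Classification matters before the chain is used for generation: in the constructed chain, `#` is absorbing, so every walk from `a` eventually emits `#` repeatedly and `bits` adds zero for each such step. A chain meant for password generation should have a single closed class with every state recurrent, so the walk never gets stuck in a predictable suffix.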
Abstract
Using the backdrop of an (apparently) extended visit to the West Indies, analogies with key concerns of internal audit are drawn. An unusual and refreshing way of exploring the main themes ‐ a discussion between Bill and Jack on tour in the islands ‐ forms the debate. Explores the concepts of control, necessary procedures, fraud and corruption, supporting systems, creativity and chaos, and building a corporate control facility.
C.I. Ezeife, Jingyu Dong and A.K. Aggarwal
Abstract
Purpose
The purpose of this paper is to propose a web intrusion detection system (IDS), SensorWebIDS, which applies data mining, anomaly and misuse intrusion detection on web environment.
Design/methodology/approach
SensorWebIDS has three main components: the network sensor, which extracts parameters from real-time network traffic; the log digger, which extracts parameters from web log files; and the audit engine, which analyzes all web request parameters for intrusion detection. To combat web intrusions such as buffer-overflow attacks, SensorWebIDS uses the empirical (three-sigma) rule for the standard deviation σ, under which about 99.7 percent of normally distributed data lie within 3σ of the mean, to calculate the maximum plausible length of each input parameter. Association rule mining is used to mine the frequent parameter list and its sequential order to identify intrusions.
Findings
Experiments show that the proposed system has a higher detection rate than Snort and ModSecurity for classes of web intrusions such as cross-site scripting, SQL injection, session hijacking, cookie poisoning, denial of service, buffer overflow and probe attacks.
Research limitations/implications
Future work may extend the system to detect intrusions planted with hacking tools rather than through plain HTTP requests, or embedded in non-basic resources such as multimedia files; track illegal web users by their prior web-access sequences; implement minimum and maximum values for integer data; and automate the pre-processing of training data so that it is clean and free of intrusions, which is required for accurate detection results.
Practical implications
Web service security, as a branch of network security, is becoming more important as more business and social activities are moved online to the web.
Originality/value
Existing network IDSs are not directly applicable to web intrusion detection, because they mostly operate at the lower (network/transport) layers of the network model while web services run at the higher (application) layer. The proposed SensorWebIDS detects XSS and SQL injection attacks through signatures, while other types of attack are detected using association rule mining and statistics to compute the frequent parameter list order and the maximum value length of each parameter.
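The 3σ length limit and the frequent-parameter-order check can be shown end to end on a handful of requests. The following Python is an added example, not SensorWebIDS itself: it trains on constructed benign log lines, derives a per-parameter maximum length of mean plus three standard deviations, records the parameter sequences seen per path, and audits new requests against both. The log-line format and the parameter names are assumptions of this example.

```python
import math
from urllib.parse import urlsplit, parse_qsl

# Constructed benign training requests; a deployment would read these from the
# web server's access log. Parameter order is preserved on purpose.
TRAIN = [
    "GET /login?user=alice&pw=s3cret",
    "GET /login?user=bob&pw=hunter2",
    "GET /login?user=carol&pw=correcthorse",
    "GET /login?user=dave&pw=letmein",
    "GET /login?user=eve12345&pw=passw0rd",
]

def params(line):
    """(path, [(name, value), ...]) for a 'METHOD path?query' log line."""
    target = line.split(" ", 1)[1]
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def train(lines):
    """Per (path, parameter): mean + 3*sigma of observed value length.
    Per path: the set of parameter-name sequences seen in benign traffic."""
    lengths, orders = {}, {}
    for line in lines:
        path, kv = params(line)
        orders.setdefault(path, set()).add(tuple(k for k, _ in kv))
        for k, v in kv:
            lengths.setdefault((path, k), []).append(len(v))
    limits = {}
    for key, xs in lengths.items():
        mean = sum(xs) / len(xs)
        sigma = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        limits[key] = mean + 3 * sigma   # empirical rule: ~99.7% of benign lengths lie below
    return {"limits": limits, "orders": orders}

def audit(model, line):
    """Alerts for one request: parameter list/order not seen in training, an
    unknown parameter, or a value longer than its 3-sigma limit (the
    buffer-overflow heuristic)."""
    path, kv = params(line)
    alerts = []
    if tuple(k for k, _ in kv) not in model["orders"].get(path, set()):
        alerts.append("parameter list or order not seen in training")
    for k, v in kv:
        limit = model["limits"].get((path, k))
        if limit is None:
            alerts.append(f"unknown parameter {k}")
        elif len(v) > limit:
            alerts.append(f"{k}: length {len(v)} exceeds limit {limit:.1f}")
    return alerts

MODEL = train(TRAIN)

if __name__ == "__main__":
    for req in ["GET /login?user=frank&pw=qwerty",
                "GET /login?user=alice&pw=" + "A" * 300,
                "GET /login?pw=x&user=y",
                "GET /login?user=a&pw=b&debug=1"]:
        print(req[:48], "->", audit(MODEL, req) or "ok")
```

With only five training lines the σ estimate is coarse, and the caveat above about clean training data bites hard: a single overlong value in the training set inflates the limit and hides the attack. In practice the limits are recomputed per path and parameter over a much larger, verified-clean window.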
Xiaoying Yu and Qi Liao
Abstract
Purpose
Passwords have been designed to protect individual privacy and security and are widely used in almost every area of our lives. The strength of passwords is therefore critical to the security of our systems. However, due to the explosion of user accounts and the increasing complexity of password rules, users are struggling to find ways to make up sufficiently secure yet easy-to-remember passwords. This paper aims to investigate whether there are repetitive patterns in the passwords users choose, and how such behaviour should make us rethink password security policy.
Design/methodology/approach
The authors develop a model to formalize the password repetitive problem and design efficient algorithms to analyze the repeat patterns. To help security practitioners to analyze patterns, the authors design and implement a lightweight, Web-based visualization tool for interactive exploration of password data.
Findings
Through case studies on a real-world leaked password data set, the authors demonstrate how the tool can be used to identify various interesting patterns, e.g. shorter substrings of the same type used to make up longer strings, which are then repeated to make up the final passwords, suggesting that the length requirement of password policy does not necessarily increase security.
Originality/value
The contributions of this study are two-fold. First, the authors formalize the problem of password repetitive patterns by considering both short and long substrings in both directions, which have not been considered in the past. Efficient algorithms are developed and implemented that can analyze various repeat patterns quickly even in large data sets. Second, the authors design and implement four novel visualization views that are particularly useful for exploring password repeat patterns: the character frequency charts view, the short repeat heatmap view, the long repeat parallel coordinates view and the repeat word cloud view.
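The repeat analysis the authors describe can be sketched in code. The following Python is an added example, not the authors’ algorithms or tool: it finds the shortest block a password is a pure repetition of, lists substrings that recur forwards or reversed, and splits the password into runs of one character type. The `effective_length` field is this example’s own name for the repeated block’s length.

```python
import re

def smallest_period(s):
    """Length of the shortest block b with s == b * k for some k >= 2; len(s) if none."""
    n = len(s)
    for p in range(1, n // 2 + 1):
        if n % p == 0 and s[:p] * (n // p) == s:
            return p
    return n

def char_class(ch):
    if ch.isdigit():
        return "digit"
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    return "other"

def type_runs(s):
    """Maximal runs of one character class: 'abc123' -> [('abc','lower'), ('123','digit')]."""
    runs = []
    for ch in s:
        cls = char_class(ch)
        if runs and runs[-1][1] == cls:
            runs[-1] = (runs[-1][0] + ch, cls)
        else:
            runs.append((ch, cls))
    return runs

def repeats(s, min_len=2):
    """Substrings (length >= min_len) occurring at least twice in s, counting a
    reversed copy ('abc' ... 'cba') as an occurrence. Overlapping matches count.
    Cubic in len(s), which is fine for password-sized strings."""
    found = {}
    n = len(s)
    for k in range(min_len, n // 2 + 1):
        for i in range(n - k + 1):
            sub = s[i:i + k]
            if sub in found:
                continue
            fwd = [m.start() for m in re.finditer(f"(?={re.escape(sub)})", s)]
            rev = sub[::-1]
            bwd = [] if rev == sub else [m.start() for m in re.finditer(f"(?={re.escape(rev)})", s)]
            if len(fwd) + len(bwd) >= 2:
                found[sub] = {"forward": fwd, "reversed": bwd}
    return found

def analyze(password):
    """What a policy author would want to know: how much of the string is new material."""
    period = smallest_period(password)
    return {
        "length": len(password),
        "effective_length": period,            # this example's name for the block length
        "whole_string_repeated": period < len(password),
        "type_runs": [cls for _, cls in type_runs(password)],
        "repeats": repeats(password),
    }

if __name__ == "__main__":
    for pw in ["abc123abc123", "abccba", "Password1"]:
        print(pw, analyze(pw))
```

`analyze("abc123abc123")` reports a length of 12 but an effective length of 6 and a type structure of lower, digit, lower, digit: a minimum-length rule is satisfied with no new material, which is the point the authors draw from their leaked data set.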
Mona Mohamed, Joyram Chakraborty and Sharma Pillutla
Abstract
Purpose
The purpose of this study is to examine the effects of culture on the cross-cultural design of the recognition-based graphical password (RBG-P) interface as inferred from Chinese and Saudi subjects’ image selections.
Design/methodology/approach
The authors use a between-group design with two groups of participants, from China and the Kingdom of Saudi Arabia, to measure the differences in graphical password image selection caused by culture. Three hypotheses were tested in a four-week study carried out using two questionnaires and an RBG-P webtool designed for image selection.
Findings
The results indicate that participants are biased not only toward their own culture but also by their opinions about other cultures. In addition, when creating the password, culture influenced not only which images were selected but also the sequence of the images forming the password.
Research limitations/implications
Appropriately used, these image-selection differences can inform cross-cultural designs, leading to culturally adaptive interfaces that strengthen the security posture of RBG-P authentication.
Practical implications
RBG-P interfaces produced outside the designer’s culture may suffer from cultural differences. To incorporate culture in the interface, authentication systems within applications should be flexible, with images designed to fit the culture in which the software will be used. To this end, access control interface testing should also be carried out in the environmental and cultural context in which it will be used.
Originality/value
This paper provides useful information for international developers of cross-cultural usable secure designs. In such environments, cross-cultural design may significantly affect the acceptability and adoption of the interface in multi-cultural settings.
BRIAN VICKERY and ALINA VICKERY
Abstract
There is a huge amount of information and data stored in publicly available online databases that consist of large text files accessed by Boolean search techniques. It is widely held that less use is made of these databases than could or should be the case, and that one reason for this is that potential users find it difficult to identify which databases to search, to use the various command languages of the hosts and to construct the Boolean search statements required. This reasoning has stimulated a considerable amount of exploration and development work on the construction of search interfaces, to aid the inexperienced user to gain effective access to these databases. The aim of our paper is to review aspects of the design of such interfaces: to indicate the requirements that must be met if maximum aid is to be offered to the inexperienced searcher; to spell out the knowledge that must be incorporated in an interface if such aid is to be given; to describe some of the solutions that have been implemented in experimental and operational interfaces; and to discuss some of the problems encountered. The paper closes with an extensive bibliography of references relevant to online search aids, going well beyond the items explicitly mentioned in the text. An index to software appears after the bibliography at the end of the paper.
Priya C. Kumar and Virginia L. Byrne
Abstract
Purpose
Existing privacy-related educational materials are not situated in privacy theory, making it hard to understand what specifically children learn about privacy. This article aims to offer learning objectives and guidance grounded in theories of privacy and learning to serve as a foundation for privacy literacy efforts.
Design/methodology/approach
This article reviews theories of privacy and literacy as social practices and uses these insights to contribute a set of learning objectives for privacy education called the 5Ds of privacy literacy.
Findings
This article connects the 5Ds of privacy literacy with existing curricular standards and offers guidance for using the 5Ds to create educational efforts for preteens grounded in theories of sociocultural learning.
Practical implications
Learning scientists, instructional designers and privacy educators can use the 5Ds of privacy literacy to develop educational programs that help children hone their ability to enact appropriate information flows.
Social implications
Current approaches to privacy education treat privacy as something people need to protect from the incursions of technology, but the authors believe the 5Ds of privacy literacy can redefine privacy – for children and adults alike – as something people experience with the help of technology.
Originality/value
This study uniquely integrates theories of privacy and learning into an educational framework to guide privacy literacy pedagogy.