Search results

1 – 10 of over 1000
Article
Publication date: 13 March 2017

Kristen K. Greene and Yee-Yin Choong

Abstract

Purpose

The purpose of this research is to investigate user comprehension of ambiguous terminology in password rules. Although stringent password policies are in place to protect information system security, such complexity does not have to mean ambiguity for users. While many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects user comprehension of password rules.

Design/methodology/approach

This research used a combination of quantitative and qualitative methods in a usable security study with 60 participants. Study tasks contained password rules based on real-world password requirements. Tasks consisted of character-selection tasks that varied the terms for non-alphanumeric characters to explore users’ interpretations of password rule language, and compliance-checking tasks to investigate how well users can apply their understanding of the allowed character space.

Findings

Results show that manipulating password rule terminology causes users’ interpretation of the allowed character space to shrink or expand. Users are confused by the terms “non-alphanumeric”, “symbols”, “special characters” and “punctuation marks” in password rules. Additionally, users are confused by partial lists of allowed characters using “e.g.” or “etc.”

Practical implications

This research provides data-driven usability guidance on constructing clearer language for password policies. Improving language clarity will help usability without sacrificing security, as simplifying password rule language does not change security requirements.

Originality/value

This is the first usable security study to systematically measure the effects of ambiguous password rules on user comprehension of the allowed character space.

Details

Information & Computer Security, vol. 25 no. 1
Type: Research Article
ISSN: 2056-4961
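The abstract's central point, that the wording of a character class silently changes the allowed character space, is easy to see in code. The following is an added example by the editor, not code from the article: the three "readings" of the term "special character" are the editor's own constructions (not the authors' experimental conditions), and the `Policy` class shows the alternative the Practical implications section argues for, a rule stated as an explicit list of characters so that the rule text and the compliance checker are generated from the same data.

```python
"""Explicit allowed-character spaces for password rules (added example)."""
import string

# Three plausible readings of "special character", as predicates.  These are
# the editor's constructions to illustrate the shrink/expand effect.
READINGS = {
    # Only the 32 ASCII punctuation marks: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
    "punctuation": lambda ch: ch in string.punctuation,
    # Printable, not a letter or digit, not whitespace: the same 32 in ASCII,
    # but also any non-ASCII symbol such as the euro sign.
    "symbols": lambda ch: ch.isprintable() and not ch.isalnum() and not ch.isspace(),
    # Anything that is not a letter or digit, including space and tab.
    "non-alphanumeric": lambda ch: not ch.isalnum(),
}


def special_chars(password, reading):
    """Characters of `password` that count as 'special' under `reading`."""
    return {ch for ch in password if READINGS[reading](ch)}


class Policy:
    """A password rule stated as explicit character lists.

    Every class is an enumerated string, so the rule text shown to users and
    the compliance check are derived from the same data and cannot drift.
    """

    def __init__(self, min_length, required_classes, allowed):
        self.min_length = min_length
        self.required = required_classes     # class name -> exact characters
        self.allowed = set(allowed)          # every permitted character

    def rule_text(self):
        lines = ["At least %d characters." % self.min_length]
        for name, chars in self.required.items():
            lines.append("At least one of these %s: %s" % (name, chars))
        lines.append("No other characters are allowed.")
        return "\n".join(lines)

    def violations(self, password):
        """List of human-readable problems; empty means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append("too short: %d < %d" % (len(password), self.min_length))
        for name, chars in self.required.items():
            if not any(ch in chars for ch in password):
                problems.append("missing %s" % name)
        bad = sorted(set(password) - self.allowed)
        if bad:
            # Name the offending characters instead of saying "invalid symbol".
            problems.append("not allowed: " + " ".join(repr(ch) for ch in bad))
        return problems


# Hypothetical policy used for the demonstration.
EXPLICIT = Policy(
    min_length=12,
    required_classes={
        "lowercase letters": string.ascii_lowercase,
        "digits": string.digits,
        "symbols": "!@#$%^&*",
    },
    allowed=string.ascii_letters + string.digits + "!@#$%^&*",
)

if __name__ == "__main__":
    for reading in READINGS:
        print(reading, sorted(special_chars("Pa55 w0rd!€", reading)))
    print(EXPLICIT.rule_text())
    print(EXPLICIT.violations("correct-horse-9!"))
```

The same candidate password satisfies "contains a special character" under all three readings but contributes one, two or three qualifying characters depending on which reading the checker implements; the explicit policy sidesteps the question by listing the characters it means, and its error messages name the rejected characters rather than the ambiguous class.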

Article
Publication date: 14 March 2016

Panagiotis Andriotis, George Oikonomou, Alexios Mylonas and Theo Tryfonas

Abstract

Purpose

The Android pattern lock screen (or graphical password) is a popular user authentication method that relies on the advantages provided by the visual representation of a password, which enhance its memorability. Graphical passwords are vulnerable to attacks (e.g. shoulder surfing); thus, the need for more complex passwords becomes apparent. This paper aims to focus on the features that constitute a usable and secure pattern and investigate the existence of heuristic and physical rules that possibly dictate the formation of a pattern.

Design/methodology/approach

The authors conducted a survey to study the users’ understanding of the security and usability of the pattern lock screen. The authors developed an Android application that collects graphical passwords, by simulating user authentication in a mobile device. This avoids any potential bias that is introduced when the survey participants are not interacting with a mobile device while forming graphical passwords (e.g. in Web or hard-copy surveys).

Findings

The findings verify and enrich previous knowledge for graphical passwords, namely, that users mostly prefer usability to security. Using the survey results, the authors demonstrate how biased input impairs security by shrinking the available password space.

Research limitations/implications

The sample’s demographics may affect our findings. Therefore, future work can focus on the replication of our work in a sample with different demographics.

Originality/value

The authors define metrics that measure the usability of a pattern (handedness, directionality and symmetry) and investigate their impact on its formation. The authors propose a security assessment scheme using features in a pattern (e.g. the existence of knight moves or overlapping nodes) to evaluate its security strengths.

Details

Information & Computer Security, vol. 24 no. 1
Type: Research Article
ISSN: 2056-4961
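Two things in this abstract are concrete enough to compute: the features the authors name (knight moves, overlapping nodes, where a pattern starts) and the claim that biased input shrinks the available pattern space. The block below is an added example by the editor, not the authors' application or scoring scheme. It encodes the Android rule that a straight move cannot jump over an unvisited node, enumerates every drawable pattern of 4 to 9 nodes, and lets you plug in a user bias to count how many patterns survive it. The exact feature definitions (a knight move is a chess-knight shaped step; an overlap is a segment crossing an already visited node; handedness is approximated by the start column) are the editor's assumptions.

```python
"""Android 3x3 unlock-pattern validity, features and space counting (added example)."""

# Node n sits at row n // 3, column n % 3:
#   0 1 2
#   3 4 5
#   6 7 8
# A straight move that passes over an unvisited node snaps to that node on
# Android, so jumping over a node is only legal once it has been visited.
_MID = {}
for _a in range(9):
    for _b in range(9):
        _ra, _ca = divmod(_a, 3)
        _rb, _cb = divmod(_b, 3)
        if _a != _b and (_ra + _rb) % 2 == 0 and (_ca + _cb) % 2 == 0:
            _MID[(_a, _b)] = (_ra + _rb) // 2 * 3 + (_ca + _cb) // 2

# Per node: (target, target bit, bits that must already be visited).
_MOVES = [[(b, 1 << b, (1 << _MID[(a, b)]) if (a, b) in _MID else 0)
           for b in range(9) if b != a] for a in range(9)]


def is_valid(pattern, min_len=4):
    """True if `pattern` (a sequence of node indices) is drawable on Android."""
    if not min_len <= len(pattern) <= 9:
        return False
    if len(set(pattern)) != len(pattern) or not set(pattern) <= set(range(9)):
        return False
    visited = set()
    for a, b in zip(pattern, pattern[1:]):
        visited.add(a)
        mid = _MID.get((a, b))
        if mid is not None and mid not in visited:
            return False
    return True


def features(pattern):
    """Editor-defined security/usability features of a valid pattern."""
    if not is_valid(pattern):
        raise ValueError("not a valid pattern: %r" % (pattern,))
    knight = overlap = turns = 0
    prev = None
    for a, b in zip(pattern, pattern[1:]):
        ra, ca = divmod(a, 3)
        rb, cb = divmod(b, 3)
        step = (rb - ra, cb - ca)
        if {abs(step[0]), abs(step[1])} == {1, 2}:
            knight += 1                 # chess-knight shaped move
        if (a, b) in _MID:
            overlap += 1                # segment crosses an already visited node
        if prev is not None and step != prev:
            turns += 1                  # direction change
        prev = step
    row, col = divmod(pattern[0], 3)
    return {"length": len(pattern), "knight_moves": knight, "overlaps": overlap,
            "direction_changes": turns, "start_row": row, "start_col": col}


def pattern_counts(accept=lambda p: True, min_len=4):
    """Count valid patterns by length (min_len..9) for which accept(p) holds.

    accept receives the pattern as a list, so a user bias such as "starts in
    the top-left corner" can be plugged in to see how much space it removes.
    """
    counts = {n: 0 for n in range(min_len, 10)}

    def walk(path, visited):
        if len(path) >= min_len and accept(path):
            counts[len(path)] += 1
        if len(path) == 9:
            return
        for b, bit, need in _MOVES[path[-1]]:
            if (visited & bit) or (visited & need) != need:
                continue
            path.append(b)
            walk(path, visited | bit)
            path.pop()

    for start in range(9):
        walk([start], 1 << start)
    return counts


if __name__ == "__main__":
    full = pattern_counts()
    corner = pattern_counts(lambda p: p[0] == 0 and features(p)["knight_moves"] == 0)
    print("all drawable patterns:", sum(full.values()))
    print("start top-left, no knight moves:", sum(corner.values()))
    print(features([1, 4, 7, 0, 8]))
```

The unrestricted count is the familiar 389,112 (1,624 patterns of length 4 up to 140,704 of length 9); a single bias such as "always start in one corner" already removes most of that space, which is the effect the abstract describes as shrinking the available password space.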

Article
Publication date: 8 January 2021

S. Vaithyasubramanian and R. Sundararajan

Abstract

Purpose

The purpose of this study is to classify the states of a Markov chain for the implementation of Markov passwords for effective security. Password confirmation is required more and more often in all authentication processes, as the use of computing facilities and electronic devices to access networks has grown hugely. Over the years, with the increase in numerous Web developments and internet applications, each platform needs ID and password validation for individual users.

Design/methodology/approach

Cloud computing, in the course of its recent technological development, is facing security issues. Data theft, data security, denial of service, patch management, encryption management, key management, storage security and authentication are some of the issues and challenges in cloud computing. Validation in user login authentication is generally processed and executed by password. To authenticate universally, alphanumeric passwords are used. One of the promising proposed methodologies in this type of password authentication is the Markov password. Markov passwords, a rule-based password formation, are created or generated using a Markov chain. Markov password formation can be represented by a state space diagram or a transition probability matrix. State space classification is one of the basic and significant properties of a Markov chain. The objective of this paper is to classify the states of a Markov chain to support the practice of this type of password in the direction of effective authentication for secure communication in cloud computing. Conversion of some sample obvious passwords into Markov passwords and a comparative analysis of their strength are also presented in this paper. Analysis of the strength of obvious passwords of length eight has shown a range of 7%–9%, whereas the converted Markov passwords have shown more than 82%. As an effective methodology, this password authentication can be implemented in cloud portals and password login validation processes.

Findings

The objective of this paper is to classify the states of a Markov chain to support the practice of this type of password in the direction of effective authentication for secure communication in cloud computing. Conversion of some sample obvious passwords into Markov passwords and a comparative analysis of their strength are also presented in this paper.

Originality/value

Validation in user login authentication is generally processed and executed by password. To authenticate universally, alphanumeric passwords are used. One of the promising proposed methodologies in this type of password authentication is the Markov password.

Details

International Journal of Pervasive Computing and Communications, vol. 17 no. 1
Type: Research Article
ISSN: 1742-7371
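The abstract rests on two standard pieces of Markov-chain machinery that it does not spell out: representing the password generator as a transition probability matrix, and classifying its states. The block below is an added example by the editor and is not the authors' scheme; the toy chain over six characters is constructed for illustration. It classifies states the textbook way (a communicating class is recurrent if it is closed, i.e. no positive-probability transition leaves it; a closed single state is absorbing; everything else is transient), samples a password from the chain with a CSPRNG, and computes the Shannon entropy of the passwords the chain can produce, which is the quantity that actually bounds an attacker's guessing effort, as opposed to a strength-meter score.

```python
"""Markov-chain password generation with state classification (added example)."""
import math
import secrets

# Constructed toy chain: state -> {next state: probability}.  Rows must sum to 1.
TOY_CHAIN = {
    "a": {"b": 0.5, "1": 0.5},
    "b": {"a": 0.5, "c": 0.5},
    "c": {"a": 1.0},
    "1": {"2": 0.5, "!": 0.5},
    "2": {"1": 0.5, "!": 0.5},
    "!": {"1": 1.0},
}


def _check(chain):
    """Reject tables that are not stochastic or that point outside the state space."""
    for s, row in chain.items():
        if not math.isclose(sum(row.values()), 1.0):
            raise ValueError("row %r does not sum to 1" % s)
        if set(row) - set(chain):
            raise ValueError("row %r points outside the state space" % s)


def reachable(chain, start):
    """States reachable from `start` in one or more positive-probability steps."""
    seen, frontier = set(), [start]
    while frontier:
        s = frontier.pop()
        for t, p in chain[s].items():
            if p > 0 and t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen


def classify_states(chain):
    """Map each state to 'transient', 'recurrent' or 'absorbing'."""
    _check(chain)
    reach = {s: reachable(chain, s) for s in chain}
    result = {}
    for s in chain:
        # Communicating class of s: states that reach s and are reached from s.
        cls = {t for t in chain if t == s or (t in reach[s] and s in reach[t])}
        closed = all(u in cls for t in cls for u, p in chain[t].items() if p > 0)
        if not closed:
            result[s] = "transient"
        elif cls == {s}:
            result[s] = "absorbing"
        else:
            result[s] = "recurrent"
    return result


def generate(chain, start, length, rng=None):
    """Walk the chain from `start`; returns a password of `length` characters."""
    _check(chain)
    if rng is None:
        rng = secrets.SystemRandom()   # CSPRNG; pass random.Random(seed) to reproduce
    out = [start]
    while len(out) < length:
        row = chain[out[-1]]
        out.append(rng.choices(list(row), weights=list(row.values()))[0])
    return "".join(out)


def entropy_bits(chain, start, length):
    """Shannon entropy (bits) of the passwords generate(chain, start, length) draws.

    Sum over transitions of the expected row entropy, the expectation being
    taken over the distribution of the current state.
    """
    dist = {start: 1.0}
    total = 0.0
    for _ in range(length - 1):
        nxt = {}
        for s, ps in dist.items():
            row_h = -sum(p * math.log2(p) for p in chain[s].values() if p > 0)
            total += ps * row_h
            for t, p in chain[s].items():
                nxt[t] = nxt.get(t, 0.0) + ps * p
        dist = nxt
    return total


if __name__ == "__main__":
    print(classify_states(TOY_CHAIN))
    print(generate(TOY_CHAIN, "a", 8))
    print("entropy of 8-char passwords from 'a': %.2f bits" % entropy_bits(TOY_CHAIN, "a", 8))
    print("uniform over 6 characters would be: %.2f bits" % (7 * math.log2(6)))
```

The classification matters for the password space: once the walk enters the closed class {1, 2, !} it never returns to the letters, so every long password from this chain ends in a digit-and-bang tail, and the entropy figure makes that loss explicit (2.5 bits for a 4-character password against 7.75 bits for three uniformly random draws from the same six characters). Whatever transition table a deployment uses, this is the check to run before trusting a percentage from a strength meter.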

Article
Publication date: 1 March 1999

K.H. Spencer Pickett

Abstract

Using the backdrop of an (apparently) extended visit to the West Indies, analogies with key concerns of internal audit are drawn. An unusual and refreshing way of exploring the main themes, a discussion between Bill and Jack on tour in the islands, forms the debate. Explores the concepts of control, necessary procedures, fraud and corruption, supporting systems, creativity and chaos, and building a corporate control facility.

Details

Management Decision, vol. 37 no. 2
Type: Research Article
ISSN: 0025-1747

Article
Publication date: 1 June 1998

K.H. Spencer Pickett

Abstract

Using the backdrop of an (apparently) extended visit to the West Indies, analogies with key concerns of internal audit are drawn. An unusual and refreshing way of exploring the main themes, a discussion between Bill and Jack on tour in the islands, forms the debate. Explores the concepts of control, necessary procedures, fraud and corruption, supporting systems, creativity and chaos, and building a corporate control facility.

Details

Managerial Auditing Journal, vol. 13 no. 4/5
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 4 April 2008

C.I. Ezeife, Jingyu Dong and A.K. Aggarwal

Abstract

Purpose

The purpose of this paper is to propose a web intrusion detection system (IDS), SensorWebIDS, which applies data mining, anomaly and misuse intrusion detection on web environment.

Design/methodology/approach

SensorWebIDS has three main components: the network sensor for extracting parameters from real-time network traffic, the log digger for extracting parameters from web log files and the audit engine for analyzing all web request parameters for intrusion detection. To combat web intrusions like buffer-overflow attacks, SensorWebIDS utilizes an algorithm based on the standard deviation (σ) empirical rule that 99.7 percent of data lie within 3σ of the mean, to calculate the possible maximum value length of input parameters. An association rule mining technique is employed for mining frequent parameter lists and their sequential order to identify intrusions.

Findings

Experiments show that the proposed system has a higher detection rate for web intrusions than Snort and ModSecurity for classes of web intrusions such as cross-site scripting, SQL injection, session hijacking, cookie poisoning, denial of service, buffer overflow and probe attacks.

Research limitations/implications

Future work may extend the system to detect intrusions implanted with hacking tools rather than through straight HTTP requests, or embedded in non-basic resources like multimedia files; track illegal web users through their prior web-access sequences; implement minimum and maximum values for integer data; and automate the pre-processing of training data so that it is clean and free of intrusions, for accurate detection results.

Practical implications

Web service security, as a branch of network security, is becoming more important as more business and social activities are moved online to the web.

Originality/value

Existing network IDSs are not directly applicable to web intrusion detection, because these IDSs mostly sit at the lower (network/transport) level of the network model while web services run at the higher (application) level. The proposed SensorWebIDS detects XSS and SQL injection attacks through signatures, while other types of attacks are detected using association rule mining and statistics to compute the frequent parameter list order and their maximum value lengths.

Details

International Journal of Web Information Systems, vol. 4 no. 1
Type: Research Article
ISSN: 1744-0084
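The two anomaly rules the abstract describes can be reproduced on a handful of log lines. The following is an added example by the editor, not the authors' implementation: it learns, per URL path and parameter name, the mean and standard deviation of value lengths from clean training requests and flags a value longer than mean + 3σ (the empirical rule cited above), and it records the ordered parameter lists seen for each path and flags an order it never saw, which is a deliberately simplified stand-in for the paper's association-rule mining. The Common Log Format lines are constructed; the class and function names are the editor's.

```python
"""Statistical web-parameter anomaly detection in the SensorWebIDS style (added example)."""
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed, intrusion-free training traffic.  The abstract stresses that
# training data must be clean: a long value here would raise the limit.
TRAINING_LOG = """\
10.0.0.2 - - [01/Jan/2024:10:00:01 +0000] "GET /login?user=alice&pass=hunter22 HTTP/1.1" 200 512
10.0.0.3 - - [01/Jan/2024:10:00:05 +0000] "GET /login?user=bob&pass=correcthorse HTTP/1.1" 200 512
10.0.0.4 - - [01/Jan/2024:10:00:09 +0000] "GET /login?user=carol&pass=Tr0ub4dor HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /login?user=dave&pass=s3cretpw HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:15 +0000] "GET /login?user=erin&pass=winter2024 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:19 +0000] "GET /login?user=frank&pass=letmein99 HTTP/1.1" 200 512
10.0.0.8 - - [01/Jan/2024:10:00:22 +0000] "GET /login?user=grace&pass=passw0rd HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:25 +0000] "GET /login?user=heidi&pass=qwerty123 HTTP/1.1" 200 512
10.0.0.10 - - [01/Jan/2024:10:00:30 +0000] "GET /search?q=laptop&page=1 HTTP/1.1" 200 2048
10.0.0.11 - - [01/Jan/2024:10:00:33 +0000] "GET /search?q=usb+cable&page=2 HTTP/1.1" 200 2048
10.0.0.12 - - [01/Jan/2024:10:00:37 +0000] "GET /search?q=monitor&page=1 HTTP/1.1" 200 2048
"""

_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')


def parse_request(line_or_target):
    """Return (path, [(name, value), ...]) from a log line or a bare request target."""
    m = _REQ.search(line_or_target)
    target = m.group(1) if m else line_or_target
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


class WebParamModel:
    def __init__(self, sigmas=3.0):
        self.sigmas = sigmas
        self.max_len = {}                  # (path, name) -> longest tolerated length
        self.orders = defaultdict(set)     # path -> parameter-name tuples seen

    def fit(self, log_text):
        lengths = defaultdict(list)
        for line in log_text.splitlines():
            if not line.strip():
                continue
            path, params = parse_request(line)
            self.orders[path].add(tuple(name for name, _ in params))
            for name, value in params:
                lengths[(path, name)].append(len(value))
        for key, vals in lengths.items():
            # Population standard deviation; one sample gives sigma = 0.
            sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
            self.max_len[key] = statistics.mean(vals) + self.sigmas * sd
        return self

    def alerts(self, request):
        """Human-readable alerts for one request; empty list means nothing anomalous."""
        path, params = parse_request(request)
        found = []
        order = tuple(name for name, _ in params)
        if path not in self.orders:
            found.append("unknown path %s" % path)
        elif order not in self.orders[path]:
            found.append("unexpected parameter order %s for %s" % (order, path))
        for name, value in params:
            limit = self.max_len.get((path, name))
            if limit is not None and len(value) > limit:
                found.append("%s=<%d chars> exceeds limit %.1f for %s"
                             % (name, len(value), limit, path))
        return found


if __name__ == "__main__":
    model = WebParamModel().fit(TRAINING_LOG)
    for req in ("/login?user=alice&pass=hunter22",
                "/login?user=" + "A" * 300 + "&pass=x",
                "/login?pass=x&user=alice"):
        print(req[:60], "->", model.alerts(req))
```

Two practitioner caveats follow from the arithmetic: the 3σ bound is only as wide as the training sample's spread (eight short usernames give a limit near seven characters, so a legitimately long username would alert), and a single overlong value in the training set widens the limit for everyone, which is why the abstract lists clean training data as a requirement.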

Article
Publication date: 14 March 2016

Xiaoying Yu and Qi Liao

Abstract

Purpose

Passwords have been designed to protect individual privacy and security and are widely used in almost every area of our lives. The strength of passwords is therefore critical to the security of our systems. However, due to the explosion of user accounts and the increasing complexity of password rules, users are struggling to find ways to make up sufficiently secure yet easy-to-remember passwords. This paper aims to investigate whether there are repetitive patterns when users choose passwords and how such behaviors may lead us to rethink password security policy.

Design/methodology/approach

The authors develop a model to formalize the password repetition problem and design efficient algorithms to analyze the repeat patterns. To help security practitioners analyze patterns, the authors design and implement a lightweight, Web-based visualization tool for interactive exploration of password data.

Findings

Through case studies on a real-world leaked password data set, the authors demonstrate how the tool can be used to identify various interesting patterns, e.g. shorter substrings of the same type used to make up longer strings, which are then repeated to make up the final passwords, suggesting that the length requirement of password policy does not necessarily increase security.

Originality/value

The contributions of this study are two-fold. First, the authors formalize the problem of password repetitive patterns by considering both short and long substrings and in both directions, which have not yet been considered in the past. Efficient algorithms are developed and implemented that can analyze various repeat patterns quickly even in large data sets. Second, the authors design and implement four novel visualization views that are particularly useful for exploration of password repeat patterns, i.e. the character frequency charts view, the short repeat heatmap view, the long repeat parallel coordinates view and the repeat word cloud view.

Details

Information & Computer Security, vol. 24 no. 1
Type: Research Article
ISSN: 2056-4961
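The repeat patterns the abstract describes (a short unit repeated to reach the required length, and substrings that recur forwards or reversed) can be detected with a few string operations. The block below is an added example by the editor, not the authors' algorithms or tool: it finds the smallest repeating unit of a password, the longest substring that occurs again later in either direction, and the character-class shape of a unit, then aggregates those findings over a corpus. The password list is constructed, not leaked data.

```python
"""Repeat-pattern analysis for password corpora (added example)."""
from collections import Counter

# Constructed sample corpus.
SAMPLE = ["abcabcabc", "qwertyqwerty", "abc123cba", "password", "121212",
          "1q2w3e1q2w3e", "aaaaaa", "lovelove12", "hunter2", "racecar"]


def period(s):
    """Length of the smallest unit whose repetition makes up all of s.

    Rotation trick: the first occurrence of s inside s+s after position 0 is
    the period; it equals len(s) when s is not a pure repetition.
    """
    if not s:
        return 0
    return (s + s).find(s, 1)


def longest_repeat(s, min_len=2):
    """Longest substring of s that occurs again later, forwards or reversed.

    Returns (unit, direction, first_pos, second_pos) or None.  Longer units
    win; on ties the earlier position wins and forward beats reverse.
    """
    for length in range(len(s) // 2, min_len - 1, -1):
        # Both the unit and its second occurrence need `length` characters.
        for i in range(len(s) - 2 * length + 1):
            unit = s[i:i + length]
            j = s.find(unit, i + length)
            if j != -1:
                return unit, "forward", i, j
            j = s.find(unit[::-1], i + length)
            if j != -1:
                return unit, "reverse", i, j
    return None


def class_signature(s):
    """Character-class shape of s: l lower, u upper, d digit, s anything else."""
    return "".join("d" if c.isdigit() else "l" if c.islower() else
                   "u" if c.isupper() else "s" for c in s)


def corpus_stats(passwords, min_len=2):
    """Share of passwords with a repeat, plus counts of the repeated units."""
    units = Counter()
    shapes = Counter()
    hits = 0
    for pw in passwords:
        found = longest_repeat(pw, min_len)
        if found:
            hits += 1
            units[(found[0], found[1])] += 1
            shapes[class_signature(found[0])] += 1
    return {"total": len(passwords), "with_repeat": hits,
            "fraction": hits / len(passwords) if passwords else 0.0,
            "units": units, "shapes": shapes}


if __name__ == "__main__":
    for pw in SAMPLE:
        print("%-14s period=%d repeat=%s" % (pw, period(pw), longest_repeat(pw)))
    print(corpus_stats(SAMPLE))
```

On a real corpus the `shapes` counter is the interesting output: a password like `1q2w3e1q2w3e` passes a twelve-character, three-class rule while being one six-character unit of shape `dldldl` typed twice, which is the observation behind the abstract's remark that a length requirement does not by itself add security.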

Article
Publication date: 14 April 2020

Mona Mohamed, Joyram Chakraborty and Sharma Pillutla

Abstract

Purpose

The purpose of this study is to examine the effects of culture on the cross-cultural design of the recognition-based graphical password (RBG-P) interface as inferred from Chinese and Saudi subjects’ image selections.

Design/methodology/approach

The authors use a between-group design with two groups of participants from China and the Kingdom of Saudi Arabia to measure the differences caused by the effects of culture on graphical password image selections. Three hypotheses have been tested in a four-week-long study carried out using two questionnaires and an RBG-P webtool designed for image selection.

Findings

The results have indicated that participants are equally biased not only toward their own culture but also depending on their opinions about other cultures. In addition, when creating the password, it has been observed that culture not only influenced the image selection to create the password but also had an effect on the sequence of the images forming the password.

Research limitations/implications

Image selection differences, appropriately used, can inform cross-cultural designs that will lead to better development of culturally adaptive interfaces and boost the security posture of RBG-P authentication.

Practical implications

Some RBG-P interfaces that are produced outside the designer’s culture may suffer the effects of cultural differences. Hence, to incorporate culture in the interface, authentication systems within applications should be flexible by designing images that fit the culture in which the software will be used. To this end, access control interface testing should also be carried out in the environmental and cultural context in which it will be used.

Originality/value

This paper provides useful information for international developers who develop cross-cultural usable secure designs. In such environments, cross-cultural designs may have significant effects on the acceptability and adoption of the interface, and on its adaptation to multi-cultural settings.

Details

Journal of Systems and Information Technology, vol. 22 no. 1
Type: Research Article
ISSN: 1328-7265

Article
Publication date: 1 February 1993

Brian Vickery and Alina Vickery

Abstract

There is a huge amount of information and data stored in publicly available online databases that consist of large text files accessed by Boolean search techniques. It is widely held that less use is made of these databases than could or should be the case, and that one reason for this is that potential users find it difficult to identify which databases to search, to use the various command languages of the hosts and to construct the Boolean search statements required. This reasoning has stimulated a considerable amount of exploration and development work on the construction of search interfaces, to aid the inexperienced user to gain effective access to these databases. The aim of our paper is to review aspects of the design of such interfaces: to indicate the requirements that must be met if maximum aid is to be offered to the inexperienced searcher; to spell out the knowledge that must be incorporated in an interface if such aid is to be given; to describe some of the solutions that have been implemented in experimental and operational interfaces; and to discuss some of the problems encountered. The paper closes with an extensive bibliography of references relevant to online search aids, going well beyond the items explicitly mentioned in the text. An index to software appears after the bibliography at the end of the paper.

Details

Journal of Documentation, vol. 49 no. 2
Type: Research Article
ISSN: 0022-0418

Article
Publication date: 10 June 2022

Priya C. Kumar and Virginia L. Byrne

Abstract

Purpose

Existing privacy-related educational materials are not situated in privacy theory, making it hard to understand what specifically children learn about privacy. This article aims to offer learning objectives and guidance grounded in theories of privacy and learning to serve as a foundation for privacy literacy efforts.

Design/methodology/approach

This article reviews theories of privacy and literacy as social practices and uses these insights to contribute a set of learning objectives for privacy education called the 5Ds of privacy literacy.

Findings

This article connects the 5Ds of privacy literacy with existing curricular standards and offers guidance for using the 5Ds to create educational efforts for preteens grounded in theories of sociocultural learning.

Practical implications

Learning scientists, instructional designers and privacy educators can use the 5Ds of privacy literacy to develop educational programs that help children hone their ability to enact appropriate information flows.

Social implications

Current approaches to privacy education treat privacy as something people need to protect from the incursions of technology, but the authors believe the 5Ds of privacy literacy can redefine privacy – for children and adults alike – as something people experience with the help of technology.

Originality/value

This study uniquely integrates theories of privacy and learning into an educational framework to guide privacy literacy pedagogy.

Details

Information and Learning Sciences, vol. 123 no. 7/8
Type: Research Article
ISSN: 2398-5348
