Search results

This paper aims to address the user perspective about usability, security and use of five authentication schemes (text and graphical passwords, biometrics and hardware tokens) from a population not covered previously in the literature. Additionally, this paper explores the criteria users apply in creating their text passwords.

An online survey study was performed in spring 2019 with university students in Mexico and Bosnia and Herzegovina. A total of 197 responses were collected.

Fingerprint-based authentication was most frequently perceived as usable and secure. However, text passwords were the predominantly used method for unlocking computer devices. The participants preferred to apply personal criteria for creating text passwords, which, interestingly, coincided with the general password guidelines, e.g. length, combining letters and special characters.

Research on young adults’ perceptions of different authentication methods is driven by the increasing frequency and sophistication of security breaches, as well as their significant consequences. This study provided insight into the commonly used authentication methods among youth from two geographic locations, which have not been accounted for previously.

This paper aims to propose that more useful novel schemes could develop from a more principled examination and application of promising authentication features. Text passwords persist despite several decades of evidence of their security and usability challenges. It seems extremely unlikely that a single scheme will globally replace text passwords, suggesting that a diverse ecosystem of multiple authentication schemes designed for specific environments is needed. Authentication scheme research has thus far proceeded in an unstructured manner.

This paper presents the User-Centred Authentication Feature Framework, a conceptual framework that classifies the various features that knowledge-based authentication schemes may support. This framework can used by researchers when designing, comparing and innovating authentication schemes, as well as administrators and users, who can use the framework to identify desirable features in schemes available for selection.

This paper illustrates how the framework can be used by demonstrating its applicability to several authentication schemes, and by briefly discussing the development and user testing of two framework-inspired schemes: Persuasive Text Passwords and Cued Gaze-Points.

This framework is intended to support the increasingly diverse ecosystem of authentication schemes by providing authentication researchers, professionals and users with the increased ability to design, develop and select authentication schemes better suited for particular applications, environments and contexts.

Security questions are one of the techniques used to recover forgotten passwords. However, security questions have both security and memorability limitations. To limit their security vulnerabilities, stronger answers need to be used. As serious games can motivate users to change their security behaviour, the purpose of this paper is to explore the features and functionalities that users would require in a serious game that educates them to provide stronger answers to security questions.

A lab study was conducted to collect users’ feedback on the desired game features and functionalities. In Stage 1, participants selected security questions/answers. In Stage 2, participants played a game and evaluated the usability and the provided features.

The main findings reveal that most participants found the current features and functionalities to be desirable; socially oriented functionalities (e.g. getting help from other players) did not seem desirable because users feared that their acquaintances could gain access to their security questions.

This research recommends that designers of serious games for security education should: use intrinsic rewards to motivate users to have a better learning experience; provide easier challenges during the training period and provide harder challenges only when the game determines that the users learned to play the game; and design their games for mobile devices because even users who usually do not play games would play a security education game on a mobile device.

This paper presents the process of constructing a language tailored to describing insider threat incidents, for the purposes of mitigating threats originating from legitimate users in an IT infrastructure.

Various information security surveys indicate that misuse by legitimate (insider) users has serious implications for the health of IT environments. A brief discussion of survey data and insider threat concepts is followed by an overview of existing research efforts to mitigate this particular problem. None of the existing insider threat mitigation frameworks provide facilities for systematically describing the elements of misuse incidents, and thus all threat mitigation frameworks could benefit from the existence of a domain specific language for describing legitimate user actions.

The paper presents a language development methodology which centres upon ways to abstract the insider threat domain and approaches to encode the abstracted information into language semantics. The language construction methodology is based upon observed information security survey trends and the study of existing insider threat and intrusion specification frameworks.

This paper summarizes the picture of the insider threat in IT infrastructures and provides a useful reference for insider threat modeling researchers by indicating ways to abstract insider threats.

Text-based passwords created by users are typically weak. A common mitigation is to provide meaningful feedback to users regarding the relative strength of their newly created password. However, the effects of these feedback mechanisms on users to create stronger passwords have not been well studied. This study examined four different types of password feedback mechanisms to determine which, if any, are the most effective. The paper aims to discuss these issues.

Undergraduate student volunteers created four different passwords and then entered the passwords into four different online password feedback mechanisms. Participants were then asked whether the feedback persuaded them to change their original password.

In all cases, the feedback mechanisms significantly influenced users with lower password entropy to choose a more secure password. The password feedback mechanism that was most effective was the feedback of the estimated amount of time to break the password.

Undergraduate students in an academic environment were the participants, which may limit external validity.

The implications are for designers of web sites and other applications that require users to create a text-based password: any feedback mechanism can influence users to create passwords with higher entropy, yet those that indicate the length of time it would take to crack the password are most effective.

There are a wide variety of password feedback mechanisms in use. However, their effects on influencing users to create stronger passwords have not been well studied.

The purpose of this paper is to increase security using persuasive cued click points (PCCP) techniques and to make a system to provide security from the malware, key loggers and attacks.

The work methodology comprises two major phases. In phase one, the PCCP take place with the registration and login process done. It also includes text-based password which hides the character of password to protect from shoulder surfing attack. In phase two, the work includes background services which protect from key loggers.

Secure password persuasive cued click point (SPPCCP) is a module that facilitates authentication for the desktop-based applications and provides a single-machine licensing functionality. SPPCCP comprises little functionality to thwart attackers, such as persuasive click points with password protection. The techniques to protect against malware such as resist from debuggers and also to the key loggers that run on desktop computers. In this, Spearman rank correlation is used for detection of key loggers. There are functionalities used to secure desktop applications such as time constraint and user selection.

The contribution of this paper is to provide knowledge in the field of security. It makes the graphical password more secure and useful. The intention behind this research was to increase the security level up to 60-80 per cent. It is also used for prevention of shoulder surfing problem till 80 per cent; this research is also operated on key loggers, and SPPCCP finds the key loggers and removes it from the system. It also decrypts the data of database by encrypting it by SHA-512 algorithm and reduces the average login time up to 20-30 per cent; it will make a smaller view port of 33.5 × 33.5 pixel square to have more choice to select the password, thereby decreasing the probability of hotspot area up to 18-20 per cent.

The purpose of this paper is to reveal the lived experiences of dyslexics in engaging with all kinds of alphanumeric authentication mechanisms.

A significant proportion of the world’s population experiences some degree of dyslexia, which can lead to spelling, processing, sequencing and retention difficulties. Passwords, being essentially sequences of alphanumeric characters, make it likely that dyslexics will struggle with these, even more so than the rest of the population. Here, this study explores the difficulties people with dyslexia face, their general experiences with passwords, the coping strategies they use and the advice they can provide to developers and others who struggle with passwords. This paper collects empirical data through semi-structured interviews with 13 participants. Thematic analysis was used to provide an in-depth view of each participant’s experience.

The main contribution of this paper is to provide evidence related to the inaccessibility dimensions of passwords as an authentication mechanism, especially for dyslexics and to recommend a solution direction.

There is a possible volunteer bias, as this study is dealing with self-reported data including historical and reflective elements and this paper is seeking information only from those with self-declared or diagnosed dyslexia. Furthermore, many expressed interest or curiosity in the relationship between dyslexia and password difficulties, for some a motivation for their participation. Finally, given that the participants told us that dyslexics might hide, it is possible that the experiences of those who do hide are different from those who chose to speak to us and thus were not hiding.

A few authors have written about the difficulties dyslexics face when it comes to passwords, but no one has asked dyslexics to tell them about their experiences. This paper fills that gap.

The average employee spends a total of 18.6 h every two months on password-related activities, including password retries and resets. The problem is caused by the user forgetting or mistyping the password (usually because of character switching). The source of this issue is that while a password containing combinations of lowercase characters, uppercase characters, digits and special characters (LUDS) offers a reasonable level of security, it is complex to type and/or memorise, which prolongs the user authentication process. This results in much time being spent for no benefit (as perceived by users), as the user authentication process is merely a prerequisite for whatever a user intends to accomplish. This study aims to address this issue, passphrases that exclude the LUDS guidelines are proposed.

To discover constructs that create security and to investigate usability concerns relating to the memory and typing issues concerning passphrases, this study was guided by three theories as follows: Shannon’s entropy theory was used to assess security, chunking theory to analyse memory issues and the keystroke level model to assess typing issues. These three constructs were then evaluated against passwords and passphrases to determine whether passphrases better address the security and usability issues related to text-based user authentication. A content analysis was performed to identify common password compositions currently used. A login assessment experiment was used to collect data on user authentication and user – system interaction with passwords and passphrases in line with the constructs that have an impact on user authentication issues related to security, memory and typing. User–system interaction data was collected from a purposeful sample size of 112 participants, logging in at least once a day for 10 days. An expert review, which comprised usability and security experts with specific years of industry and/or academic experience, was also used to validate results and conclusions. All the experts were given questions and content to ensure sufficient context was provided and relevant feedback was obtained. A pilot study involving 10 participants (experts in security and/or usability) was performed on the login assessment website and the content was given to the experts beforehand. Both the website and the expert review content was refined after feedback was received from the pilot study.

It was concluded that, overall, passphrases better support the user during the user authentication process in terms of security, memory issues and typing issues.

This research aims at promoting the use of a specific type of passphrase instead of complex passwords. Three core aspects need to be assessed in conjunction with each other (security, memorisation and typing) to determine whether user-friendly passphrases can support user authentication better than passwords.

The Android pattern lock screen (or graphical password) is a popular user authentication method that relies on the advantages provided by the visual representation of a password, which enhance its memorability. Graphical passwords are vulnerable to attacks (e.g. shoulder surfing); thus, the need for more complex passwords becomes apparent. This paper aims to focus on the features that constitute a usable and secure pattern and investigate the existence of heuristic and physical rules that possibly dictate the formation of a pattern.

The authors conducted a survey to study the users’ understanding of the security and usability of the pattern lock screen. The authors developed an Android application that collects graphical passwords, by simulating user authentication in a mobile device. This avoids any potential bias that is introduced when the survey participants are not interacting with a mobile device while forming graphical passwords (e.g. in Web or hard-copy surveys).

The findings verify and enrich previous knowledge for graphical passwords, namely, that users mostly prefer usability than security. Using the survey results, the authors demonstrate how biased input impairs security by shrinking the available password space.

The sample’s demographics may affect our findings. Therefore, future work can focus on the replication of our work in a sample with different demographics.

The authors define metrics that measure the usability of a pattern (handedness, directionality and symmetry) and investigate their impact to its formation. The authors propose a security assessment scheme using features in a pattern (e.g. the existence of knight moves or overlapping nodes) to evaluate its security strengths.

In December 2011, the National Computer Network Emergency Response Technical Team/Coordination Center of China reported the most serious user data leak in history which involved 26 databases with 278 million user accounts and passwords. After acquiring the user data from this massive information leak, this study has two major research purposes: the paper aims to reveal similarities and differences of password construction among four companies; and investigate how culture factors shape user password construction in China.

This article analyzed real‐life passwords collected from four companies by comparing the following attributes: password length, password constitution, top 20 frequent passwords, character frequency distributions, string similarity, and password reuse.

Major findings include that: general users in China have a weaker sense of security than those in Western countries, which reflected in the password lengths, the character combinations and the content structures; password constitution preferences are different between users in Western countries and in China, where passwords are more similar to the Pinyin context and Chinese number homonym; and password reuse is very common in China. General users tend to reuse the same passwords and IT professionals tend to engage in Seed Password reuse.

Due to the rapid growth of Internet users and e‐commerce markets in China, many online service providers may not pay enough attention to security issues, but focus instead on market expansion. Employees in these companies may not be well trained in information security, resulting in carelessness when handling security issues.

This is the first study which attempts to consider culture influences in password construction by analyzing real‐life datasets.