Informatica
System-Assigned Passwords: The Disadvantages of the Strict Password Management Policies
Volume 31, Issue 3 (2020), pp. 459–479
Boštjan Brumen  

https://doi.org/10.15388/20-INFOR408
Pub. online: 17 April 2020. Type: Research Article. Open Access.

Received
1 December 2018
Accepted
1 February 2020
Published
17 April 2020

Abstract

After Morris and Thompson wrote the first paper on password security in 1979, strict password policies were enforced to make sure users follow the rules on passwords. Many such policies require users to use a system-generated password. The objective of this paper is to analyse the effectiveness of strict password management policies with respect to how well users remember system-generated passwords of different textual types: plaintext random strings, passphrases, and hybrid graphical-textual PsychoPass passwords. In an experiment, participants were assigned a random string, a passphrase, and a PsychoPass password and had to memorize them. Surprisingly, no one remembered either the random string or the passphrase, and only 10% of the participants remembered their PsychoPass password. Policies under which administrators let systems assign passwords to users are therefore not appropriate: although PsychoPass passwords are easier to remember, the recall rate of any system-assigned password is below the acceptable level. The findings of this study show that system-assigned strong passwords are inappropriate and put an unacceptable memory burden on users.
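As an added example (not code from the paper, and not the PsychoPass project's own code), the following Python generates the two purely textual kinds of system-assigned password the abstract compares, a random printable-ASCII string and a word-list passphrase, and reports the entropy each carries together with the average offline-guessing time at an assumed guess rate. It goes a little beyond the abstract by also computing how many words a passphrase needs to match a random string's entropy, which is the strength side of the strength-versus-recall trade-off the study measures. The alphabet, the embedded word list and the guess rate are constructed assumptions; PsychoPass generation is not implemented because the page does not describe the method.

```python
"""Added example, not part of the paper: two kinds of system-assigned
textual password (random string, word-list passphrase) and the entropy and
guessing cost each carries.  Alphabet, word list and guess rate are
constructed assumptions; PsychoPass is not implemented here."""
import math
import secrets
import string

# 94 printable ASCII symbols (letters, digits, punctuation): an assumption
# about the generator's alphabet, not a value taken from the paper.
ASCII_PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list (25 words).  Entropy per word is log2(len(list)),
# so a real generator must draw from a list of thousands of words.
WORDLIST = (
    "anchor basket candle dragon eagle forest garden harbor island jungle "
    "kettle ladder magnet needle orange pillow quartz rocket saddle timber "
    "umbrella velvet walnut yellow zipper"
).split()


def random_string(length: int = 12, alphabet: str = ASCII_PRINTABLE) -> str:
    """System-assigned random string: each symbol drawn uniformly with the
    CSPRNG behind `secrets` (never `random`, whose output is predictable)."""
    if length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int = 5, wordlist=WORDLIST, sep: str = " ") -> str:
    """System-assigned passphrase: words drawn uniformly and independently,
    with replacement, so the entropy calculation below is exact."""
    if n_words < 1 or not wordlist:
        raise ValueError("need a positive word count and a non-empty list")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform draws from `choices` symbols."""
    return picks * math.log2(choices)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average offline-guessing time: an attacker testing hashes at
    `guesses_per_second` expects to search half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def words_for_equivalent_entropy(target_bits: float, wordlist_size: int) -> int:
    """Fewest words from a list of `wordlist_size` entries that reach
    `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def compare(string_len: int = 8, n_words: int = 5,
            guesses_per_second: float = 1e10) -> dict:
    """Generate one password of each textual kind and report entropy and
    average crack time.  The default guess rate is an assumed figure for an
    offline attack on a fast unsalted hash, not a measurement from the paper."""
    s_bits = entropy_bits(len(ASCII_PRINTABLE), string_len)
    p_bits = entropy_bits(len(WORDLIST), n_words)
    return {
        "random_string": random_string(string_len),
        "random_string_bits": round(s_bits, 1),
        "random_string_crack_s": expected_crack_seconds(s_bits, guesses_per_second),
        "passphrase": passphrase(n_words),
        "passphrase_bits": round(p_bits, 1),
        "passphrase_crack_s": expected_crack_seconds(p_bits, guesses_per_second),
        # words a 7776-entry (Diceware-sized) list needs to match the string
        "words_to_match_string": words_for_equivalent_entropy(s_bits, 7776),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>24}: {value}")
```

The numbers this prints are the attacker's view only: an 8-symbol random string and a 5-word passphrase from a 7776-word list carry comparable entropy, yet the abstract reports that nobody in the experiment could recall either kind, so entropy alone is the wrong yardstick for a password a human must remember.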

References

 
Abdi, H. (2007). The Bonferonni and Šidák corrections for multiple comparisons. In: Salkind, N.J. (Ed.), Encyclopedia of Measurement and Statistics. SAGE Publications, Inc., Thousand Oaks, CA, USA.
 
Acohido, B. (2013). ANALYSIS: why LivingSocial disclosed huge data theft. USA Today, April 30.
 
Adams, A., Sasse, M.A. (1999). Users are not the enemy. Communications of the ACM, 42(12), 40–46. https://doi.org/10.1145/322796.322806.
 
Adams, A., Sasse, M.A., Lunt, P. (1997). Making passwords secure and usable. In: People and Computers XII. Springer London, London, pp. 1–19. Chapter 1.
 
Al-Hudhud, G., Abdulaziz Alzamel, M., Alattas, E., Alwabil, A. (2014). Using brain signals patterns for biometric identity verification systems. Computers in Human Behavior, 31(0), 224–229. https://doi.org/10.1016/j.chb.2013.09.018.
 
Biddle, R., Mannan, M., van Oorschot, P.C., Whalen, T. (2011). User study, analysis, and usable security of passwords based on digital objects. IEEE Transactions on Information Forensics and Security, 6(3), 970–979. https://doi.org/10.1109/TIFS.2011.2116781.
 
Bishop, M., Klein, D.V. (1995). Improving system security via proactive password checking. Computers & Security, 14(3), 233–249. https://doi.org/10.1016/0167-4048(95)00003-Q.
 
Brostoff, A.S. (2004). Improving Password System Effectiveness. PhD Thesis, Department of Computer Science, University College London, London, UK.
 
Brown, A.S., Bracken, E., Zoccoli, S., Douglas, K. (2004). Generating and remembering passwords. Applied Cognitive Psychology, 18(6), 641–651. https://doi.org/10.1002/acp.1014.
 
Brumen, B., Černezel, A. (2014). Brute force analysis of PsychoPass-generated passwords. In: 37th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia, 26–30 May 2014.
 
Brumen, B., Heričko, M., Rozman, I., Hölbl, M. (2013). Security analysis and improvements to the PsychoPass method. Journal of Medical Internet Research, 15(8), e161. https://doi.org/10.2196/jmir.2366. PMID: 23942458.
 
Buehler, B., Mrasek, N. (2018). Average new-car prices rise nearly 4 percent for January 2018 on shifting sales mix. Retrieved from https://mediaroom.kbb.com/2018-02-01-Average-New-Car-Prices-Rise-Nearly-4-Percent-for-January-2018-on-Shifting-Sales-Mix-According-to-Kelley-Blue-Book. Accessed: 2018-10-09. Archived by WebCite® at http://www.webcitation.org/7329ILsmT.
 
Cipresso, P., Gaggioli, A., Serino, S., Cipresso, S., Riva, G. (2012). How to create memorizable and strong passwords. Journal of Medical Internet Research, 14(1), e10. https://doi.org/10.2196/jmir.1906. PMID: 22233980.
 
Corbató, F.J. (1991). On building systems that will fail. Communications of the ACM, 34(9), 72–81. https://doi.org/10.1145/114669.114686.
 
Cox, J. (2012). Information systems user security: a structured model of the knowing–doing gap. Computers in Human Behavior, 28(5), 1849–1858. https://doi.org/10.1016/j.chb.2012.05.003.
 
Creese, S., Hodges, D., Jamison-Powell, S., Whitty, M. (2013). Relationships between password choices, perceptions of risk and security expertise. In: Human Aspects of Information Security, Privacy, and Trust. First International Conference, HAS 2013, Held as Part of HCI International 2013, Las Vegas, NV, July 2013, Vol. 8030. Springer, pp. 80–89.
 
Davinson, N., Sillence, E. (2010). It won’t happen to me: promoting secure behaviour among Internet users. Computers in Human Behavior, 26(6), 1739–1747. https://doi.org/10.1016/j.chb.2010.06.023.
 
Davis, D., Monrose, F., Reiter, M.K. (2004). On user choice in graphical password schemes. In: The USENIX 2004 Security Symposium.
 
De Angeli, A., Coventry, L., Johnson, G., Renaud, K. (2005). Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems. International Journal of Human-Computer Studies, 63(1), 128–152. https://doi.org/10.1016/j.ijhcs.2005.04.020.
 
Dell’Amico, M., Michiardi, P., Roudier, Y. (2010). Password strength: an empirical analysis. In: INFOCOM 2010, Proceedings IEEE.
 
Egelman, S., Sotirakopoulos, A., Muslukhov, I., Beznosov, K., Herley, C. (2013). Does my password go up to eleven? The impact of password meters on password selection. In: Proceedings of the 2013 SIGCHI Conference on Human Factors in Computing Systems, April 27–May 2, Paris, France.
 
FBI (2018). Motor Vehicle Theft, Uniform Crime Report. Crime in the United States, 2017. US Department of Justice – Federal Bureau of Investigation, Washington, DC, USA. Retrieved from https://ucr.fbi.gov/crime-in-the-u.s/2017/crime-in-the-u.s.-2017/topic-pages/motor-vehicle-theft.pdf.
 
FIPS (1985). PUB 112 Password Usage. National Institute of Standards and Technology.
 
Florencio, D., Herley, C. (2007). A large-scale study of web password habits. In: The Proceedings of the 16th International Conference on World Wide Web.
 
Ganesan, R., Davies, C. (1994). A new attack on random pronounceable password generators. In: Proceedings of the 17th NIST-NCSC National Computer Security Conference, Baltimore, MD, USA.
 
Gao, W., Wang, G.L., Chen, K.F., Wang, X.L. (2017). Generic construction of certificate-based signature from certificateless signature with provable security. Informatica, 28(2), 215–235. https://doi.org/10.15388/Informatica.2017.127.
 
Gasser, M. (1975). A Random Word Generator for Pronounceable Passwords, MTR-3006, ESD-TR-75-97, AD-A017676. MITRE Corporation, Bedford, Mass.
 
Gates, B. (1997). Speech delivered at COMDEX 1997. http://web.archive.org/web/20090114203618/http://www.microsoft.com/presspass/exec/billg/speeches/1997/comdex97.aspx Accessed: 2014-10-20. Archived by WebCite® at http://www.webcitation.org/6JBczPMqN.
 
Gehringer, E.F. (2002). Choosing passwords: security and human factors. In: 2002 International Symposium on Technology and Society (ISTAS’02).
 
Gosney, J.M. (2018). 8x Nvidia GTX 1080 Ti Hashcat Benchmarks. https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505/. Archived by WebCite® at http://www.webcitation.org/70yRle0jv.
 
Grassi, P.A., Fenton, J.L., Newton, E.M., Perlner, R.A., Regenscheid, A.R., Burr, W.E., Richer, J.P., Lefkovitz, N.B., Danker, J.M., Choong, Y.-Y., Greene, K.K., Theofanos, M.F. (2017). NIST Special Publication 800-63B. Digital Identity Guidelines: Authentication and Lifecycle Management. NIST, Gaithersburg, MD, USA.
 
Gressin, S. (2017). The Equifax Data Breach: What to Do. Federal Trade Commission, Washington, DC.
 
Grosse, E., Upadhyay, M. (2013). Authentication at scale. IEEE Security & Privacy, 11(1), 15–22. https://doi.org/10.1109/MSP.2012.162.
 
Hachman, M. (2011). PlayStation Hack to Cost Sony $171 M; Quake Costs Far Higher. Retrieved from http://www.pcmag.com/article2/0,2817,2385790,00.asp. Accessed: 2014-01-30. Archived by WebCite® at http://www.webcitation.org/6N0tPpBte.
 
Hölbl, M., Welzer, T., Brumen, B. (2008). Improvement of the Peyravian–Jeffries’s user authentication protocol and password change protocol. Computer Communications, 31(10), 1945–1951. https://doi.org/10.1016/j.comcom.2007.12.029.
 
Hölbl, M., Welzer, T., Brumen, B. (2010). Two proposed identity-based three-party authenticated key agreement protocols from pairings. Computers & Security, 29(2), 244–252. https://doi.org/10.1016/j.cose.2009.08.006.
 
Hölbl, M., Welzer, T., Brumen, B. (2012). An improved two-party identity-based authenticated key agreement protocol using pairings. Journal of Computer and System Sciences, 78(1), 142–150. https://doi.org/10.1016/j.jcss.2011.01.002.
 
Horcher, A.-M., Tejay, G.P. (2009). Building a better password: the role of cognitive load in information security training. In: IEEE International Conference on Intelligence and Security Informatics, 2009, ISI’09.
 
Jiang, P., Wen, Q., Li, W., Jin, Z., Zhang, H. (2013). An anonymous user authentication with key agreement scheme without pairings for multiserver architecture using SCPKs. The Scientific World Journal. https://doi.org/10.1155/2013/419592. Article ID 419592.
 
Johnson, G.J. (1991). A distinctiveness model of serial learning. Psychological Review, 98(2), 204–217. https://doi.org/10.1037/0033-295X.98.2.204.
 
Jones, S.N. (2017). Having an affair may shorten your life: the Ashley Madison suicides. Georgia State University Law Review, 33(2), 6.
 
Kamp, P.-H. (2012). LinkedIn password leak: salt their hide. ACM Queue, 10(6), 20. Available on-line at http://queue.acm.org/detail.cfm?id=2254400&ref=fullrss. Accessed: 2013-10-20. Archived by WebCite® at http://www.webcitation.org/6JBdHEdhy.
 
Keith, M., Shao, B., Steinbart, P.J. (2007). The usability of passphrases for authentication: an empirical field study. International Journal of Human-Computer Studies, 65(1), 17–28. https://doi.org/10.1016/j.ijhcs.2006.08.005.
 
Kerber, R. (2007, August 15). Cost of data breach at TJX soars to $256 m. Boston Globe.
 
Khan, J.S., Khan, M.A., Ahmad, J., Hwang, S.O., Ahmed, W. (2017). An improved image encryption scheme based on a non-linear chaotic algorithm and substitution boxes. Informatica, 28(4), 629–649. https://doi.org/10.15388/Informatica.2017.149.
 
Kirk, J. (2012). How Charles Dickens Helped Crack Your LinkedIn Password. PCWorld, June 8, 2012.
 
Krim, J., Barbaro, M. (2005). 40 million credit card numbers hacked. The Washington Post, June 18, 2005.
 
Kuo, C., Romanosky, S., Cranor, L.F. (2006). Human selection of mnemonic phrase-based passwords. In: Proceedings of the Second Symposium on Usable Privacy and Security, July 12–14, Carnegie Mellon University, Pittsburgh, PA, USA.
 
Lee, C.-C., Liu, C.-H., Hwang, M.-S. (2013). Guessing attacks on strong-password authentication protocol. International Journal of Network Security, 15(1), 64–67.
 
Liaojun, P., He, L., Pei, Q., Wang, Y. (2013). Secure and efficient mutual authentication protocol for RFID conforming to the EPC C-1 G-2 standard. In: 2013 IEEE Wireless Communications and Networking Conference (WCNC), Shanghai, China.
 
Loch, K.D., Carr, H.H., Warkentin, M.E. (1992). Threats to information systems: today’s reality, yesterday’s understanding. MIS Quarterly, 16(2), 173–186. https://doi.org/10.2307/249574.
 
Meshram, C., Tseng, Y.-M., Lee, C.-C., Meshram, S.G. (2017). An IND-ID-CPA secure ID-based cryptographic protocol using GDLP and IFP. Informatica, 28(3), 471–484. https://doi.org/10.15388/Informatica.2017.139.
 
Miller, G.A. (1956). The magical number seven, plus or minus two: some limits on our capacity for processing information. Psychological Review, 63(2), 81–97.
 
Morris, R., Thompson, K. (1979). Password security: a case history. Communications of the ACM, 22(11), 594–597.
 
Nelson, D., Vu, K.-P.L. (2010). Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords. Computers in Human Behavior, 26(4), 705–715. https://doi.org/10.1016/j.chb.2010.01.007.
 
Notoatmodjo, G. (2007). Exploring the ‘Weakest Link’: a Study of Personal Password Security. MSc thesis, The University of Auckland, New Zealand.
 
Pascual, A., Marchini, K., Miller, S. (2018). 2018 Identity Fraud: Fraud Enters a New Era of Complexity. Retrieved from https://www.javelinstrategy.com/printpdf/58296.
 
Pereira, J. (2007). How credit-card data went out wireless door. The Wall Street Journal, 4.
 
Pfleeger, C.P., Pfleeger, S.L. (2003). Security in Computing. 3rd ed., Prentice Hall PTR, Upper Saddle River, NJ, USA.
 
Popkin, H.A.S. (2012). LinkedIn confirms password leak, eHarmony has one, too. ABC News Technology.
 
PRC (2018). Privacy Rights Clearinghouse. Chronology of Data Breaches. Security Breaches 2005 – Present. Retrieved from https://www.privacyrights.org/data-breaches. Accessed: 2018-10-09. Archived by WebCite® at http://www.webcitation.org/732CmnPm2.
 
Sahadi, J. (2005). 40M credit cards hacked. CNN Money, July 27, 2005.
 
Sakalauskas, E., Mihalkovich, A. (2017). Improved asymmetric cipher based on matrix power function resistant to linear algebra attack. Informatica, 28(3), 517–524. https://doi.org/10.15388/Informatica.2017.142.
 
Sangani, K. (2011). Sony security laid bare. Engineering & Technology, 6(8), 74–77. https://doi.org/10.1049/et.2011.0810.
 
SASA (2013). On-Line List of Words in Slovenian language (Spletni Seznam Besed Slovenskega Jezika). Slovenian Academy of Sciences and Arts, Ljubljana, Slovenia. Retrieved from http://bos.zrc-sazu.si/sbsj.html. Accessed: 2014-10-20. Archived by WebCite® at http://www.webcitation.org/6JG7LCr5o.
 
Sasse, M.A., Brostoff, S., Weirich, D. (2001). Transforming the ‘weakest link’ – a human/computer interaction approach to usable and effective security. BT Technology Journal, 19(3), 122–131. https://doi.org/10.1023/A:1011902718709.
 
Scarfone, K., Souppaya, M. (2009). Guide to Enterprise Password Management (draft). NIST Special Publication 800-118.
 
Schneier, B. (2005). Write Down Your Password. Schneier on Security, June 17, 2005.
 
Seeley, D. (1989). Password cracking: a game of wits. Communications of the ACM, 32(6), 700–703. https://doi.org/10.1145/63526.63529.
 
Spafford, E.H. (1989). Crisis and aftermath. Communications of the ACM, 32(6), 678–687. https://doi.org/10.1145/63526.63527.
 
Spector, Y., Ginzberg, J. (1994). Pass-sentence – a new approach to computer code. Computers & Security, 13(2), 145–160. https://doi.org/10.1016/0167-4048(94)90064-7.
 
Stallings, W. (2006). Cryptography and Network Security: Principles and Practices. 4th ed., Prentice-Hall, Upper Saddle River, NJ.
 
StClair, L., Johansen, L., Enck, W., Pirretti, M., Traynor, P., McDaniel, P., Jaeger, T. (2006). Password exhaustion: predicting the end of password usefulness. In: Information Systems Security. Springer, pp. 37–55.
 
Stoll, C.P. (1988). Stalking the wily hacker. Communications of the ACM, 31(5), 484–497. https://doi.org/10.1145/42411.42412.
 
Stoll, C.P. (1989). The Cuckoo’s Egg: Tracing a Spy Through the Maze of Computer Espionage. Doubleday, New York, NY, USA.
 
Suo, X., Zhu, Y., Owen, G.S. (2005). Graphical passwords: a survey. In: The 21st Annual Computer Security Applications Conference, Tucson, AZ, USA.
 
Tam, L., Glassman, M., Vandenwauver, M. (2009). The psychology of password management: a tradeoff between security and convenience. Behaviour & Information Technology, 29(3), 233–244. https://doi.org/10.1080/01449290903121386.
 
Tom, P.L. (1991). Managing Information as a Corporate Resource. 2nd ed., HarperCollins Publishers.
 
Tzong-Chen, W., Hung-Sung, S. (1996). Authenticating passwords over an insecure channel. Computers & Security, 15(5), 431–439. https://doi.org/10.1016/0167-4048(96)00004-1.
 
USA (1996). Security in Cyberspace: Hearings Before the Permanent Subcommittee on Investigations of the Committee on Governmental Affairs, United States Senate, One Hundred Fourth Congress, Second Session, May 22, June 5, 25, and July 16, 1996, Vol. 104. Government Printing Office, Washington, DC, USA.
 
Verheul, E.R. (2006). Selecting secure passwords. In: Topics in Cryptology–CT-RSA 2007. Springer, pp. 49–66.
 
Vijayan, J. (2007a). Scope of TJX data breach doubles: 94M cards now said to be affected. Computerworld, October 24, 2007.
 
Vijayan, J. (2007b). TJX data breach: at 45.6 M card numbers, it’s the biggest ever. Computerworld, March 29, 2007.
 
Vu, K.-P.L., Proctor, R.W., Bhargav-Spantzel, A., Tai, B.-L., Cook, J., Eugene Schultz, E. (2007). Improving password security and memorability to protect personal and organizational information. International Journal of Human-Computer Studies, 65(8), 744–757. https://doi.org/10.1016/j.ijhcs.2007.03.007.
 
Weigel, F.K., Hazen, B.T. (2014). Technical proficiency for IS success. Computers in Human Behavior, 31(1), 27–36. https://doi.org/10.1016/j.chb.2013.10.014.
 
Weir, M., Aggarwal, S., Collins, M., Stern, H. (2010). Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, Chicago, IL, USA.
 
Weirich, D., Sasse, M.A. (2001). Persuasive password security. In: CHI’01 Extended Abstracts on Human Factors in Computing Systems.
 
Wiedenbeck, S., Waters, J., Birget, J.-C., Brodskiy, A., Memon, N. (2005). PassPoints: design and longitudinal evaluation of a graphical password system. International Journal of Human-Computer Studies, 63(1), 102–127. https://doi.org/10.1016/j.ijhcs.2005.04.010.
 
Woods, N., Siponen, M. (2018). Too many passwords? How understanding our memory can increase password memorability. International Journal of Human-Computer Studies, 111, 36–48. https://doi.org/10.1016/j.ijhcs.2017.11.002.
 
Workman, M., Bommer, W.H., Straub, D. (2008). Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior, 24(6), 2799–2816. https://doi.org/10.1016/j.chb.2008.04.005.
 
Wu, J.D., Tseng, Y.M., Huang, S.S., Chou, W.C. (2018). Leakage-resilient certificateless key encapsulation scheme. Informatica, 29(1), 125–155. https://doi.org/10.15388/Informatica.2018.161.
 
Yan, J., Blackwell, A., Anderson, R., Grant, A. (2000). The Memorability and Security of Passwords: Some Empirical Results. Cambridge, UK.
 
Yan, J., Blackwell, A., Anderson, R., Grant, A. (2004). Password memorability and security: empirical results. IEEE Security & Privacy, 2(5), 25–31. https://doi.org/10.1109/MSP.2004.81.
 
Zviran, M., Haga, W.J. (1990). Cognitive passwords: the key to easy access control. Computers & Security, 9(8), 723–736. https://doi.org/10.1016/0167-4048(90)90115-A.
 
Zviran, M., Haga, W.J. (1993). A comparison of password techniques for multilevel authentication mechanisms. The Computer Journal, 36(3), 227–237.
 
Zviran, M., Haga, W.J. (1999). Password security: an empirical study. Journal of Management Information Systems, 15, 161–186.

Biographies

Boštjan Brumen
bostjan.brumen@uni-mb.si

B. Brumen received his doctoral degree in informatics in 2004. He is an associate professor of informatics and tourism at the University of Maribor. He was Secretary General (Provost) of the University of Maribor for two consecutive terms between 2004 and 2011, and now serves as Dean of the Faculty of Tourism. His research interests include data security and privacy, data analysis, automated learning, and technologies in tourism. He represents Slovenia in the EU’s Smart Specialisation platform “Digitalisation and Safety for Tourism”.



Copyright
© 2020 Vilnius University
Open access article under the CC BY license.

Keywords
passwords passphrases security human memory mnemonics authentication

Funding
The author acknowledges the financial support from the Slovenian Research Agency (research core funding No. P2-0057, project funding No. V5-1725), and from University of Maribor (http://www.um.si, core funding).


INFORMATICA

  • Online ISSN: 1822-8844
  • Print ISSN: 0868-4952