Someone in Your Contact List: Cued Recall-Based Textual Passwords
Pages 2574–2589
Abstract
Textual passwords remain the most commonly employed user authentication mechanism, and will potentially continue to be so for years to come. Despite the well-known security and usability issues concerning textual passwords, none of the numerous proposed authentication alternatives appear to have achieved a sufficient level of adoption to dominate in the foreseeable future. Password hints, consisting of a user-generated text saved at the account setup stage, are employed in several authentication systems to help users recall forgotten passwords. However, users are often unable to create hints that jog the memory without revealing too much information regarding the passwords themselves. We propose a rethink of password hints by introducing SỲNTHIMA, a novel cued recall-based textual password method that reveals no information regarding the password, requires no modifications to authentication servers, and requires no additional setup or registration steps. SỲNTHIMA makes use of users’ contact lists, so that mapped password hints extracted from a user’s contacts are automatically generated while the user is typing the password. We create formal models for relevant aspects of the password hint mechanism, define its threat model, and analyze the security and usability of SỲNTHIMA. We also present the results of an in-lab user study of SỲNTHIMA on 30 participants to evaluate its effectiveness and usability. The results demonstrate that SỲNTHIMA minimizes the number of incorrect login attempts and improves long-term password recall, with acceptable login times and positive user feedback. We summarize the lessons learned from the user study, with the hope of provoking further insights regarding the design of effective cued recall-based textual password schemes.
Published In
1556-6013 © 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Publisher
IEEE Press
Publication History
Published: 01 November 2017
Qualifiers
- Research-article