A comparison of password management policies

Managing passwords in information systems is a critically important task, yet nothing seems to have been learned from recent incidents. The consequences of bad password management practices have even cost lives, as in the case of suicides after the “Ashley Madison leak”. Password security is simply not taken seriously, despite the problems having been known since at least 1979. Interestingly, the PICMET conference on-line system itself implements a bad password management policy: all passwords are stored in plaintext and re-sent upon request in a plaintext email. The objective of this paper is to present the underlying mechanisms that lead to bad password management policies. Memorability and memory decay, complexity, simplicity and other factors are presented and analyzed. A novel password management policy, “Psychopass”, is proposed, in which a password is created, memorized and recalled by thinking of an action sequence (a visual representation) instead of a string of characters. The experiment showed that users remember passwords better under the “Psychopass” policy than under the other password management policies currently in use. The results confirm that the “Psychopass” policy is an alternative to existing password management practices and can improve resilience to attacks on information systems.