Guessing human-chosen secrets

This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration except where specifically indicated in the text. No parts of this dissertation have been submitted for any other qualification. This dissertation does not exceed the regulation length of 60,000 words, including tables and footnotes.

To Fletcher, for teaching me the value of hard work. I'm glad you're back.

Acknowledgements

I am grateful to my supervisor Ross Anderson for help every step of the way, from answering my emails when I was a foreign undergraduate to pushing me to finally finish the dissertation. He imparted countless research and life skills along the way, in addition to helping me learn to write in English all over again. I was also fortunate to be surrounded in Cambridge by a core group of "security people" under Ross' leadership willing to ask the sceptical questions needed to understand the field. In particular, I've benefited from the mentorship of Frank Stajano and Markus Kuhn, the other leaders of the group, as well as informal mentorship from many others. I thank Arvind Narayanan for his support and mentorship from afar. I am most appreciative of the personal mentorship extended to me by Saar Drimer through my years in the lab, which always pushed me to be more honest about my own work. I was also fortunate to be able to collaborate remotely with Cormac Herley and Paul van Oorschot, senior researchers who always treated me as an equal. I owe special thanks to Hyoungshick Kim, thanks to whose patience and positivity I spent thousands of hours peacefully sharing a small office.

My research on passwords would not have been possible without the gracious cooperation and support of many people at Yahoo!, in particular Richard Clayton for helping to make the collaboration happen, Henry Watts, my mentor, Elizabeth Zwicky, who provided extensive help collecting and analysing data, as well as Ram Marti, Clarence Chung, and Christopher Harris, who helped set up data collection experiments. My research on PINs depended on many people's help, including Alastair Beresford for assistance with survey design, Daniel Amitay for sharing data, and Bernardo Bátiz-Lazo for comments about ATM history. I never would have made it to Cambridge without many excellent teachers along the way. for inspiring me to pursue computer security research as an undergraduate. I thank Robert Plummer for …
