The objective of information system security management is information assurance: to maintain the confidentiality (privacy), integrity, and availability of information resources for authorized organizational end users. User authentication is a foundational procedure in the pursuit of these objectives, and password procedures have historically been the primary method of user authentication. There is an inverse relationship between the level of security provided by a password procedure and its ease of recall for users. The longer the password and the more variability in its characters, the higher the level of security it provides (because such passwords are more difficult to violate or “crack”). However, such passwords tend to be more difficult for end users to remember, particularly when the password does not spell a recognizable word or includes non-alphanumeric characters such as punctuation marks or other symbols. Conversely, when end users select their own, more easily remembered passwords, those passwords may also be easier to crack. This study presents a new approach to entering passwords that combines a high level of security with easy recall for the end user. The Check-Off Password System (COPS) is more secure than self-selected passwords as well as high-protection, assigned-password procedures. The present study investigates trade-offs between using COPS and three traditional password procedures, and provides a preliminary assessment of the efficacy of COPS. The study offers evidence that COPS is a valid alternative to current user authentication systems. End users perceive all password procedures tested to have equal usefulness, but the perceived ease of use of COPS passwords equals that of an established high-security password, and the new interface does not negatively affect user performance compared with that high-security password. Further research will be conducted to investigate long-term benefits.