Improving Password Cybersecurity Through Inexpensive and Minimally Invasive Means: Detecting and Deterring Password Reuse Through Keystroke-Dynamics Monitoring and Just-in-Time Fear Appeals

Password reuse – using the same password for multiple accounts – is a prevalent phenomenon that can make even the most secure systems vulnerable. When passwords are reused across multiple systems, hackers may compromise accounts by stealing passwords from low-security sites to access sites with higher security. Password reuse can be particularly threatening to users in developing countries in which cybersecurity training is limited, law enforcement of cybersecurity is non-existent, or in which programs to secure cyberspace are limited. This article proposes a two-pronged solution for reducing password reuse through detection and mitigation. First, based on the theories of routine, cognitive load and motor movement, we hypothesize that password reuse can be detected by monitoring characteristics of users' typing behavior (i.e. keystroke dynamics). Second, based on protection motivation theory, we hypothesize that providing just-in-time fear appeals when a violation is detected will decrease password reuse. We tested our hypotheses in an experiment and found that users' keystroke dynamics are diagnostic of password reuse. By analyzing changes in typing patterns, we were able to detect password reuse with 81.71% accuracy. We also found that just-in-time fear appeals decrease password reuse; 88.41% of users who received a fear appeal subsequently created unique passwords, whereas only 4.45% of users who did not receive a fear appeal created unique passwords. Our results suggest that future research should continue to examine keystroke dynamics as an indicator of cybersecurity behaviors and use just-in-time fear appeals as a method for reducing non-secure behavior. The findings of our research provide a practical and cost-effective solution to bolster cybersecurity through discouraging password reuse.
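The detection idea in the abstract (a reused password is typed from motor routine, while a freshly invented one is typed under cognitive load) can be made concrete with a few keystroke-dynamics features. The following is an added illustration, not code from the paper or its 81.71%-accuracy classifier; the event format, the hold/flight features, the score weights and the 0.6 threshold are all assumptions constructed for this example.

```python
"""Keystroke-dynamics features for flagging likely password reuse.

Added example (not the paper's code). Assumed input: a typed password
captured as (key, key_down_ms, key_up_ms) events, ordered by key_down_ms.
Hypothesis from the abstract: a reused password is typed like a routine
(fast, even, no pauses); a new one is typed with more cognitive load.
"""
from statistics import mean, pstdev

PAUSE_MS = 400  # assumed: a gap longer than this suggests recall, not routine


def features(events):
    """Hold time (down->up) and flight time (up->next down) statistics, in ms."""
    holds = [up - down for _, down, up in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    mean_flight = mean(flights)
    return {
        "mean_hold": mean(holds),
        "mean_flight": mean_flight,
        # Coefficient of variation: uneven flight times indicate hesitation.
        "flight_cv": pstdev(flights) / max(mean_flight, 1),
        "pauses": sum(1 for f in flights if f > PAUSE_MS),
    }


def reuse_score(baseline, candidate):
    """0..1; 1 means the candidate was typed as fluently as the routine baseline."""
    speed = min(1.0, baseline["mean_flight"] / max(candidate["mean_flight"], 1))
    evenness = max(0.0, 1.0 - candidate["flight_cv"])
    score = 0.5 * speed + 0.5 * evenness - 0.25 * candidate["pauses"]
    return max(0.0, min(1.0, score))


def likely_reused(baseline_events, candidate_events, threshold=0.6):
    """True when a *new* password is typed with routine fluency (possible reuse)."""
    return reuse_score(features(baseline_events), features(candidate_events)) >= threshold


def make_events(keys, hold, flights):
    """Construct (key, down, up) timestamps from hold and flight durations (ms)."""
    events, t = [], 0
    for i, k in enumerate(keys):
        events.append((k, t, t + hold))
        t += hold + (flights[i] if i < len(flights) else 0)
    return events


# Constructed sample sessions: the user's routine password, the same string
# re-entered as a "new" password, and a genuinely new password with pauses.
BASELINE = make_events("routine1", 80, [100] * 7)
REUSED = make_events("routine1", 85, [110, 95, 105, 100, 120, 90, 100])
NEW = make_events("Xq7$mv9k", 110, [250, 700, 300, 650, 280, 260, 300])

if __name__ == "__main__":
    print("reused -> flag:", likely_reused(BASELINE, REUSED))  # True
    print("new    -> flag:", likely_reused(BASELINE, NEW))     # False
```

In the paper's design a positive flag would trigger the just-in-time fear appeal rather than block the registration; the score here is a hand-built heuristic standing in for a trained classifier.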
