Password-based authentication: a system perspective

User authentication in computer systems has been a cornerstone of computer security for decades. The concept of a user ID and password is a cost-effective and efficient method of maintaining a shared secret between a user and a computer system. One of the key elements of the password solution for security is its reliance on human cognitive ability to remember the shared secret. In the early days of computing, with only a few computer systems and a small, select group of users, this model proved effective. With the advent of the Internet, e-commerce, and the proliferation of PCs in offices and schools, the user base has grown both in number and in demographic breadth. Individual users no longer have a single password for a single system, but face the challenge of remembering numerous passwords for numerous systems, from email, to web accounts, to banking and financial services. This paper presents a conceptual model depicting how users and systems work together in this function and examines the consequences of the expanding user base and the use of password memory aids. A system model of the risks associated with password-based authentication is presented from a user-centric point of view, including the construct of user password memory aids. When confronted with too much data to remember, users develop memory aids to assist them in the task of remembering important pieces of information. These user password memory aids form a bridge between otherwise unconnected systems and affect system-level security across the multiple systems interconnected by the user. A preliminary analysis of the implications of this user-centric interconnection of security models is presented.
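As an added illustration of the abstract's claim that password memory aids bridge otherwise unconnected systems (this is example code written here, not the paper's model), the toy risk model below treats each secret a user reuses across systems as a link between those systems and computes which systems a single credential-store breach would reach. The users, system names and memory-aid identifiers are constructed sample data.

```python
# Toy model of the "user-centric interconnection" argument (assumed, not the
# paper's formal model): a user who relies on the same memory aid for two
# systems links those systems; a breach at one system then puts every system
# reachable through such links at risk, regardless of how isolated the systems
# are from each other technically.
from collections import defaultdict

# Constructed sample: user -> list of (system, memory_aid_id). The same aid id
# within one user means the same (or trivially derived) secret on both systems.
SAMPLE = {
    "alice": [("email", "a1"), ("bank", "a1"), ("forum", "a2")],
    "bob":   [("forum", "b1"), ("webshop", "b1"), ("vpn", "b2")],
    "carol": [("webshop", "c1"), ("payroll", "c1")],
}


def build_links(records):
    """Return system -> set(systems) adjacency induced by shared memory aids."""
    adj = defaultdict(set)
    for entries in records.values():
        by_aid = defaultdict(list)          # memory aid -> systems it covers
        for system, aid in entries:
            by_aid[aid].append(system)
            adj[system]                     # register isolated systems too
        for systems in by_aid.values():     # every pair sharing an aid is linked
            for s in systems:
                adj[s].update(t for t in systems if t != s)
    return adj


def exposed_systems(records, breached):
    """Systems at risk once `breached` loses its password store (graph reach)."""
    adj = build_links(records)
    seen, stack = {breached}, [breached]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def blast_radius(records):
    """Rank systems by how many other systems a breach there would reach."""
    return {s: len(exposed_systems(records, s)) - 1 for s in build_links(records)}
```

Here the forum, webshop and payroll systems share no infrastructure, yet a leak at the forum reaches payroll through bob's and carol's reuse; vpn is the only system with a blast radius of zero.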
