A Conceptual Framework for Assessing Password Quality

Summary: Password authentication is the most widely used authentication mechanism, and it will remain with us for many years to come. It is effective, simple, and accurate, with no extra cost. The strength of password authentication relies on the strength of the passwords. Good (or strong) passwords are essential for high-level security. End user education and computerized proactive password checking play vital roles in ensuring good passwords. However, both demand clear, simple, and concise rules on what a good password is. It is not hard to find guidelines and advice on good passwords, but it is not so easy to find a clear, simple, and concise rule that can be used for end user education and in computer programs for proactive password checking. In this paper, we develop a theoretical framework for measuring password quality: the password quality indicator (PQI). The PQI of a password is a pair λ = (D, L), where D is the Levenshtein edit distance of the password to the base dictionary words, and
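The D component described in the summary can be computed as follows. This is an added example, not code from the paper. It assumes that D is the minimum edit distance over all dictionary words and that comparison is case-sensitive. The word list is a constructed sample, and the second component of the pair is not computed because its definition is cut off above.

```python
from typing import Iterable, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insert, delete and substitute."""
    if len(a) < len(b):
        a, b = b, a  # keep the DP row as short as possible
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def dictionary_distance(password: str, words: Iterable[str]) -> Tuple[int, str]:
    """Return (D, nearest word). Assumption: D is the minimum over the dictionary."""
    best = None
    for word in words:
        d = levenshtein(password, word)
        if best is None or d < best[0]:
            best = (d, word)
            if d == 0:
                break  # exact dictionary word, cannot get closer
    if best is None:
        raise ValueError("base dictionary is empty")
    return best


# Constructed sample dictionary; a real checker would load a large word list.
BASE_DICTIONARY = ["password", "dragon", "monkey", "letmein", "sunshine"]


def check(candidates: Iterable[str]) -> dict:
    """Map each candidate password to its (D, nearest word) pair."""
    return {pw: dictionary_distance(pw, BASE_DICTIONARY) for pw in candidates}


if __name__ == "__main__":
    for pw, (d, word) in check(["password", "p@ssw0rd", "dragon1",
                                "xK9#vQ2$mT"]).items():
        print(f"{pw!r}: D={d} (nearest base word: {word!r})")
```

A small D flags a password that is only a light mutation of a dictionary word, which is the case a proactive checker needs to reject even when the password satisfies composition rules.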
