Text passwords pose a number of difficulties for end users, who must create, remember, and manage large numbers of passwords. Users are often regarded as the weak link in security systems, but they are a crucial component of the system and need to be better considered in the design of security products. Many password alternatives have been proposed, but none has successfully replaced ordinary text passwords, and the potential consequences of password problems grow as more information relating to work and life is stored online.

This thesis explores practical approaches to helping users select, securely reuse, and manage passwords, and investigates questions about password alternatives. The attention is on the end user and on how authentication affects these users in their daily lives. Our focus is on practical, actionable results that assist end users in their daily tasks.

The thesis begins by investigating issues of memorability with graphical passwords, and proposes the design of PassTiles, a new graphical password system that allows secure, random, memorable passwords to be easily assigned. This graphical password system is used to explore which type of memory retrieval best supports the memorability of graphical passwords, and the results show that cued-recall graphical passwords give an advantageous combination of memorability and usability. Password coping strategies are next explored through interviews with end users and an investigation of the techniques that users rely on to handle current password demands. Interviews with expert users were conducted to understand how their additional expertise helps them manage the same problems faced by end users. Grounded Theory analysis led to the emergence of a password life cycle model. A survey study suggested that the coping strategies discussed in the interviews are widespread.

Finally, the thesis proposes the design of a password manager to support users' existing coping strategies by protecting password reuse, and to securely protect users' accounts with memorable assigned random graphical passwords.
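The abstract's two technical claims, that a graphical password can be assigned at random with a known security level and then used to protect an account, are illustrated by the following added example. It is not code from the thesis or from PassTiles; the grid size, the number of tiles per password, and the ordered/unordered variants are assumptions chosen for illustration, since the abstract gives no parameters. The example draws the tile selection from the operating system's CSPRNG, computes the size of the resulting keyspace (and so the entropy of an assigned password) for both unordered and ordered selections, canonicalises the selection so that equivalent entries hash identically, and stores and verifies it the way a text password would be stored, with a random salt, a slow hash, and a constant-time comparison.

```python
import hashlib
import hmac
import math
import secrets

# Hypothetical parameters: the thesis abstract does not state PassTiles' grid
# size or tile count, so these values are assumptions used only for illustration.
GRID_COLS = 6
GRID_ROWS = 6
TILES_PER_PASSWORD = 5


def keyspace(cells, k, ordered=False):
    """Number of distinct passwords made of k different tiles on a grid of `cells` tiles."""
    if not 0 < k <= cells:
        raise ValueError("k must be between 1 and the number of cells")
    # Ordered selection (sequence matters) is a permutation; unordered is a combination.
    return math.perm(cells, k) if ordered else math.comb(cells, k)


def entropy_bits(cells, k, ordered=False):
    """Bits of entropy of a password assigned uniformly at random from that keyspace."""
    return math.log2(keyspace(cells, k, ordered))


def assign_tiles(cols=GRID_COLS, rows=GRID_ROWS, k=TILES_PER_PASSWORD, ordered=False):
    """Assign k distinct tiles uniformly at random using the OS CSPRNG.

    Tiles are numbered 0 .. cols*rows-1 in row-major order. For an unordered
    scheme the result is returned sorted, which is its canonical form.
    """
    cells = cols * rows
    if not 0 < k <= cells:
        raise ValueError("k must be between 1 and the number of cells")
    pool = list(range(cells))
    chosen = []
    for _ in range(k):
        # secrets.randbelow is unbiased and backed by the OS CSPRNG; the `random`
        # module is a deterministic PRNG and must not be used to assign secrets.
        idx = secrets.randbelow(len(pool))
        chosen.append(pool.pop(idx))
    return chosen if ordered else sorted(chosen)


def canonical_bytes(tiles, ordered=False):
    """Encode a tile selection so that equivalent selections hash identically."""
    seq = list(tiles) if ordered else sorted(tiles)
    return ",".join(str(t) for t in seq).encode("ascii")


def make_record(tiles, ordered=False, iterations=100_000):
    """Store the password as a text password would be stored: salted and slow-hashed."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical_bytes(tiles, ordered), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations, "ordered": ordered}


def verify(tiles, record):
    """Constant-time comparison of a candidate selection against a stored record."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", canonical_bytes(tiles, record["ordered"]), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    cells = GRID_COLS * GRID_ROWS
    pw = assign_tiles()
    rec = make_record(pw)
    # Shifting every tile by one always yields a different selection (constructed wrong guess).
    wrong = sorted((t + 1) % cells for t in pw)
    print("assigned tiles:", pw)
    print("keyspace bits (unordered):", round(entropy_bits(cells, TILES_PER_PASSWORD), 2))
    print("keyspace bits (ordered):  ", round(entropy_bits(cells, TILES_PER_PASSWORD, True), 2))
    print("login with assigned tiles:", verify(pw, rec))
    print("login with wrong tiles:   ", verify(wrong, rec))
```

Two design points are worth noting. Uniform assignment is what makes the entropy figure honest: a user-chosen selection of the same length has a far smaller effective keyspace because people cluster on salient tiles, which is exactly the memorability-versus-security tension the thesis studies. Canonicalisation before hashing is not optional: for an unordered scheme, failing to sort the tiles would either reject a correct entry made in a different order or force the server to keep the plaintext selection so it can compare sets.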