ABSTRACT
Password restriction policies and advice on creating secure passwords have limited effects on password strength. Influencing users to create more secure passwords remains an open problem. We have developed Persuasive Text Passwords (PTP), a text password creation system which leverages Persuasive Technology principles to influence users in creating more secure passwords without sacrificing usability. After users choose a password during creation, PTP improves its security by placing randomly-chosen characters at random positions into the password. Users may shuffle to be presented with randomly-chosen and positioned characters until they find a combination they feel is memorable. In this paper, we present an 83-participant user study testing four PTP variations. Our results show that the PTP variations significantly improved the security of users' passwords. We also found that those participants who had a high number of random characters placed into their passwords would deliberately choose weaker pre-improvement passwords to compensate for the memory load. As a consequence of this compensatory behaviour, there was a limit to the gain in password security achieved by PTP.
Improving text passwords through persuasion