Abstract
Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology.
Index Terms
- Passwords and the evolution of imperfect authentication