
2015 | Original Paper | Book chapter

The Authentication Equation: A Tool to Visualize the Convergence of Security and Usability of Text-Based Passwords

Authors: Cathryn A. Ploehn, Kristen K. Greene

Published in: Human Aspects of Information Security, Privacy, and Trust

Publisher: Springer International Publishing


Abstract

Password management is a ubiquitous struggle of the modern human. Despite usability playing a vital role in authentication, many password policies and requirements focus on security without sufficient consideration of human factors. In fact, security and usability needs are often in contention. Until an improved authentication method beyond character input is implemented on a large scale, developing new methodologies for balancing competing requirements is vital.
This research project focused on building a data visualization tool to explore password usability and security metrics. The visualization tool integrates various measurements of passwords, enabling exploration of the intersection of their usability and security components. The tool is based on insight from previously gathered data from usability studies conducted at the United States National Institute of Standards and Technology. It also leverages web technologies to flexibly display data sets computed from sets of passwords. The tool is available at https://github.com/usnistgov/DataVis.


Footnotes

1. National Institute of Standards and Technology.

2. In contrast to the variability that exists in human generated passwords, system generated passwords can be created with more control. Multiple sets of system generated passwords were readily available from previous research. Therefore, system generated passwords were used as a starting point in the current work with a future goal of investigating user generated passwords.

3. Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.

4. The source code for the tool can be found at https://github.com/usnistgov/DataVis.

5. Parallel coordinates are commonly used to visualize multivariate data. Coordinate axes are placed in parallel with associated data points connected by lines.

6. Note that the “Number of Characters” in the LPD rules refers to the number of characters within each chunk a password is divided into [16].
References

1. Choong, Y.Y., Theofanos, M., Liu, H.K.: United States Federal Employees Password Management Behaviors: a Department of Commerce Case Study. National Institute of Standards and Technology Interagency Report (NISTIR) (2014)
2. Stanton, B.C., Greene, K.K.: Character strings, memory and passwords: what a recall study can tell us. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 195–206. Springer, Heidelberg (2014)
3.
4. Florêncio, D., Herley, C., Van Oorschot, P.C.: Password portfolios and the finite-effort user: sustainably managing large numbers of accounts. In: Proceedings of the USENIX Security (2014)
5. Adams, A., Sasse, M.A., Lunt, P.: Making passwords secure and usable. In: Thimbleby, H., O’Conaill, B., Thomas, P.J. (eds.) People and Computers XII, pp. 1–19. Springer, London (1997)
6. Grawemeyer, B., Johnson, H.: Using and managing multiple passwords: a week to a view. Interact. Comput. 23, 256–267 (2011)
7. Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F.: Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the Sixth Symposium on Usable Privacy and Security, p. 2. ACM (2010)
8. Inglesant, P.G., Sasse, M.A.: The true cost of unusable password policies: password use in the wild. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 383–392. ACM (2010)
9. Boothroyd, V., Chiasson, S.: Writing down your password: does it help? In: 2013 Eleventh Annual International Conference on Privacy, Security and Trust (PST), pp. 267–274. IEEE (2013)
10. Greene, K.K., Gallagher, M.A., Stanton, B.C., Lee, P.Y.: I can’t type that! p@$$w0rd entry on mobile devices. In: Askoxylakis, I., Tryfonas, T. (eds.) HAS 2014. LNCS, vol. 8533, pp. 160–171. Springer, Heidelberg (2014)
11. Hayashi, E., Hong, J., Christin, N.: Security through a different kind of obscurity: evaluating distortion in graphical authentication schemes. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2055–2064. ACM (2011)
12. Somayaji, A., Mould, D., Brown, C.: Towards narrative authentication: or, against boring authentication. In: Proceedings of the 2013 Workshop on New Security Paradigms Workshop, pp. 57–64. ACM (2013)
13. National Strategy for Trusted Identities in Cyberspace: Enhancing online choice, efficiency, security, and privacy (2011)
14. Marty, R.: Applied Security Visualization. Addison-Wesley, Upper Saddle River (2009)
15. Shneiderman, B.: The eyes have it: a task by data type taxonomy for information visualizations. In: Proceedings of the IEEE Symposium on Visual Languages, pp. 336–343. IEEE (1996)
16. Bergstrom, J.R., Frisch, S.A., Hawkins, D.C., Hackenbracht, J., Greene, K.K., Theofanos, M.F., Griepentrog, B.: Development of a scale to assess the linguistic and phonological difficulty of passwords. In: Rau, P.L.P. (ed.) CCD 2014. LNCS, vol. 8528, pp. 131–139. Springer, Heidelberg (2014)
17. von Zezschwitz, E., De Luca, A., Hussmann, H.: Honey, I shrunk the keys: influences of mobile devices on password composition and authentication performance. In: Proceedings of the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, Foundational, pp. 461–470. ACM (2014)
18. Shannon, C.E.: A mathematical theory of communication. ACM SIGMOBILE Mob. Comput. Commun. Rev. 5, 3–55 (2001)
19. Burr, W., Dodson, D., Perlner, R., Polk, W., Gupta, S., Nabbus, E.: NIST SP 800-63-2: Electronic Authentication Guideline. National Institute of Standards and Technology (2013)
20. Greene, K., Kelsey, J., Franklin, J.: Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. National Institute of Standards and Technology Interagency Report (NISTIR) 8040 (2015)
21. Bostock, M., Ogievetsky, V., Heer, J.: D³: data-driven documents. IEEE Trans. Vis. Comput. Graph. 17, 2301–2309 (2011)
22. Tufte, E.R., Graves-Morris, P.: The Visual Display of Quantitative Information, vol. 2. Graphics Press, Cheshire (1983)
23. Tyler, C.W.: Human Symmetry Perception and its Computational Analysis. Psychology Press, Hove (2003)
24. Florêncio, D., Herley, C., Van Oorschot, P.C.: An administrator's guide to internet password research. In: Proceedings of the USENIX LISA (2014)
25. Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 523–537. IEEE (2012)
26. Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 162–175. ACM (2010)
27. Galbally, J., Coisel, I., Sanchez, I.: A probabilistic framework for improved password strength metrics. In: 2014 International Carnahan Conference on Security Technology (ICCST), pp. 1–6. IEEE (2014)
Metadata

Title: The Authentication Equation: A Tool to Visualize the Convergence of Security and Usability of Text-Based Passwords

Authors: Cathryn A. Ploehn, Kristen K. Greene

Copyright year: 2015

DOI: https://doi.org/10.1007/978-3-319-20376-8_9