Password Policies Research Articles

New Textual Authentication Method to Resistant Shoulder-Surfing Attack

Using textual passwords suffer from the balance between security and usability. Password policies are usually adopted by system administrators to force users to choose strong passwords. However, users often use a simple password to make it easy to remember, which reduces the password strength and make it vulnerable to information security threats. When users enter their passwords in public places like airports or cafes, they become exposed to shoulder surfing attacks which are considered as a kind of social engineering. With a little effort, an attacker can capture a password by recording the individual’s authentication session or by direct observation. To overcome this vulnerability, we propose a new textual-password approach that uses camouflage characters and a virtual keyboard which leads to generating strong and easy to remember passwords. The perspective of usability and security was evaluated by experimental studies conducted with 65 users and then compared with recent studies. The results showed that the proposed technique has the lowest shoulder surfing success rate with just 3.63% with reasonable usability.

Dynamically Generate Password Policy via Zipf Distribution

Password composition policies are helpful in strengthening password’s resistance against guessing attacks. Sadly, existing off-the-shelf composition policies often remain static, which creates potential security vulnerability. In this paper, we propose a new adaptive password policy generation framework called HTPG. Based on the Zipf distribution of passwords, HTPG classifies all passwords in data set into two categories, that is, head passwords and tail passwords. We find that head passwords are vulnerable and high-value for attackers because they are most frequently used, while tail passwords have higher strength than head passwords. According to this fact, HTPG dynamically generates policies to enhance head passwords by modifying them so as to be closer to tail passwords on feature space. By introducing the idea of machine learning, we propose a policy sort method based on information gain ratio to help user choose more effective policies in enhancing head passwords. HTPG can effectively improve the security of entire password data set and make the password distribution more uniform. Experiments show that the number of cracked head passwords decreases 69% on average, compared with the original head passwords, by adopting policies generated by HTPG. Surveys on usability show that 80.23% enhanced passwords can be recalled by those who remember the corresponding original passwords.

A Novel Password Policy Focusing on Altering User Password Selection Habits: A Statistical Analysis on Breached Data

Online services generally employ password-based systems to enable users to access personal/private content. These services also force their users to change their passwords periodically under specific policies to increase security. However, analysis of breached data reveals that current policies do not consider user password selection habits and pose critical security and privacy concerns. Additionally, when passwords are leaked, attackers have the opportunity to study - and possibly identify - the structure or pattern of the user password selection set. This way, attackers could predict the next password or reduce the search space considerably in their attacks. Therefore, this study proposes a novel behavior-based password policy to increase the present security level and avoid further exploitations if a breach occurs. This study uses statistical methods and visualization techniques to examine the password selection behaviors of over ten million UserID-password pairs collected from anonymously shared data breaches. The data set is anonymized while keeping the uniqueness of userID-password pairs and shared with other researchers along with extracted features. Results show that user password selection patterns can be generalized and used to increase the success rate of attacks.

Open sesame: Lessons in password-based user authentication

The cost of unusable password policies in the wild is well documented. These costs impinge both business and security. The alternative is to move to multi-factor and risk-based authentication, which include software authenticators, hardware tokens, and biometrics. This paper provides an overview of the research in this area and concludes with guidance on how to best leverage password-based authentication. We recommend that designers should only implement efforts backed by empirical evidence, offer solutions to reduce user effort, and use compensating controls to address the underlying limitations of passwords.

A Multi-Tier Security Analysis of Official Car Management Apps for Android

Using automotive smartphone applications (apps) provided by car manufacturers may offer numerous advantages to the vehicle owner, including improved safety, fuel efficiency, anytime monitoring of vehicle data, and timely over-the-air delivery of software updates. On the other hand, the continuous tracking of the vehicle data by such apps may also pose a risk to the car owner, if, say, sensitive pieces of information are leaked to third parties or the app is vulnerable to attacks. This work contributes the first to our knowledge full-fledged security assessment of all the official single-vehicle management apps offered by major car manufacturers who operate in Europe. The apps are scrutinised statically with the purpose of not only identifying surfeits, say, in terms of the permissions requested, but also from a vulnerability assessment viewpoint. On top of that, we run each app to identify possible weak security practices in the owner-to-app registration process. The results reveal a multitude of issues, ranging from an over-claim of sensitive permissions and the use of possibly privacy-invasive API calls, to numerous potentially exploitable CWE and CVE-identified weaknesses and vulnerabilities, the, in some cases, excessive employment of third-party trackers, and a number of other flaws related to the use of third-party software libraries, unsanitised input, and weak user password policies, to mention just a few.

Password policy characteristics and keystroke biometric authentication

Behavioural biometrics have the potential to provide an additional or alternative authentication mechanism to those involving a shared secret (i.e. a password). Keystroke timings are the focus of this study, where key press and release timings are acquired whilst monitoring a user typing a known phrase. Many studies exist in keystroke biometrics, but there is an absence of literature aiming to understand the relationship between characteristics of password policies and the potential of keystroke biometrics. Furthermore, benchmark datasets used in keystroke biometric research do not enable useful insights into the relationship between their capability and password policy. Herein, substitutions of uppercase, numeric, special characters, and their combination of passwords derived from English words are considered. Timings for 42 participants for the same 40 passwords are acquired. A matching system using the Manhattan distance measure with seven different feature sets is implemented, culminating in an Equal Error Rate of between 6% and 11% and accuracy values between 89% and 94%, demonstrating comparable accuracy to other threshold-based systems. Further analysis suggests that the best feature sets are those containing all timings and trigraph press to press. Evidence also suggests that phrases containing fewer characters have greater accuracy, except for those with special character substitutions.

Захист інформації відомчої інформаційно-телекомунікаційної мережі за допомогою парольної системи

The approach to quantitative estimation of stability of password systems taking into account power of space of passwords and length of the password is theoretically substantiated. The formalized idea of information entropy as an approach to measuring the amount of information that is unknown through random variables is determined by the randomness of a variable based on the knowledge contained in another part of the message. It is established that the greater the entropy in a given distribution of passwords, the more difficult it is to guess the password that was chosen from this distribution; passwords with higher entropy values require more expected assumptions, which makes entropy useful as a measure of password strength. Proposals for password management of the departmental information and telecommunication network of the object of critical information infrastructure are given. Studies show that much of the entropy introduced by uppercase and lowercase characters is created by users who exceed the minimum requirements of the password strength policy. Secure password creation is complicated by the trade-off between developing passwords that are both difficult to crack and use. Accordingly, the access control policy is important. Studies show that much of the entropy introduced by large and non-alphanumeric characters is created by users who exceed the minimum requirements of the password strength policy: the use of more digits than necessary, different positions of special characters. It is concluded that text passwords remain the dominant method of authentication in computer systems, despite significant improvements, including smart cards, RFID cards, USB tokens and graphic passwords, which have their advantages and are suitable for use in a particular environment or for a specific program. It is noted that there are few published empirical studies that would examine the strategies used by users under different password policies. Further research is planned in this direction/

Hybrid Security AssessmentMethodology forWeb Applications

This study presents a methodology to evaluate and prevent security vulnerabilities issues for web applications. The analysis process is based on the use of techniques and tools that allow to perform security assessments of white box and black box, to carry out the security validation of a web application in an agile and precise way. The objective of the methodology is to take advantage of the synergies of semi-automatic static and dynamic security analysis tools and manual checks. Each one of the phases contemplated in the methodology is supported by security analysis tools of different degrees of coverage, so that the results generated in one phase are used as feed for the following phases in order to get an optimized global security analysis result. The methodology can be used as part of other more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle (SSDLC). A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics. Dynamic analysis with manual checking is used to audit the results, 24.6 per cent of security vulnerabilities reported by the static analysis has been checked and it allows to study which vulnerabilities can be directly exploited externally. This phase is very important because it permits that each reported vulnerability can be checked by a dynamic second tool to confirm whether a vulnerability is true or false positive and it allows to study which vulnerabilities can be directly exploited externally. Dynamic analysis finds six (6) additional critical vulnerabilities. Access control analysis finds other five (5) important vulnerabilities such as Insufficient Protected Passwords or Weak Password Policy and Excessive Authentication Attacks, two vulnerabilities that permit brute force attacks.

О проблеме аутентификации с использованием паролей при информационном взаимодействии

There is an ongoing debate among users and specialists about the effectiveness of passwords used to authenticate subjects of access to information systems. The relevance of choosing the topic of the article is explained by the use of passwords in almost any information system, and in many systems password protection is used as the only means. At the same time, the password's resistance to opening often determines the security of the entire information system. Domestic and foreign modern approaches to password policy formation are analyzed and generalized. On this basis, proposals have been developed to improve the protection of information using passwords.

TransPCFG: Transferring the Grammars From Short Passwords to Guess Long Passwords Effectively

Long passwords are gaining popularity in password policy recommendations; however, data-driven guessing studies are woefully inadequate in adapting to long passwords, lacking in both guessing efficiency and their composition guidelines. For state-of-the-art data-driven password guessing methods such as PCFGs (Probabilistic Context-free Grammars), their guessing efficiency is limited by the presence of a large scale training data, or the lack thereof. Given that long passwords leaked in the real world are typically scarce, coupled with the fact that the data-driven methods’ performance depends on training data, obtaining good performance on long passwords has become a key challenge. To overcome the dataset limitation, we propose a framework <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TransPCFG</i> , that transfers the knowledge, (i.e., grammars in PCFGs), from short passwords to facilitate long password guessing. We further perform an empirical evaluation based on three real-world datasets and the results demonstrate superior performance over the state-of-the-art data-driven guessing methods under <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${10}^{14}$ </tex-math></inline-formula> offline guesses. For passwords with 16 characters, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TransPCFG</i> can compromise an average of 23.30% of the passwords, outperforming PCFG_v4.1 by 56.10%. Additionally,for better password-composition guidelines, we find that long password-composition policies requiring more segments are more resistant to guessing attacks. For the segment, the password <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">12zxcvbnword1997</i> has four segments since it follows the template <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${Digit}_{2}{Keyboard}_{6}{Letter}_{4}{Year}_{4}$ </tex-math></inline-formula> . We thus recommend users to create long passwords with four or more segments instead of the widely recommended more character classes for security.

Development of Technology-Based Requirement Planning System in Connection with Advanced Technology in the Fourth Industrial Revolution

While the Ministry of National Defense (MND) is pushing for the defense reform that applied the fourth industrial revolution technology, various countermeasure tools were required, including technological obsolescence in areas where the existing system of planning required long-term acquisition. To this end, we will examine the application of the 'technology-based planning process', which is a technology-driven force planning, in order to anticipate development trends of key core technologies and to meet future military demand capability in a timely manner through appropriate allocation of resource and leading development do. In order to apply the technology-based development process, the level of military capability to be secured in the future and the development of advanced technology should be identified first, and procedures should be prepared to identify the optimal key joint power needs suitable for the balanced development of the three armed forces, and to link them to the deployment in a short period of time. First, it identified ‘8 core technologies for future national defense’ that can lead future national defense for the development of high-tech. The next step was to identify the ‘10 key military capabilities’ such as high-power, ultra-precision, stealth and other ‘10 key military capabilities’ by applying the ‘8 core technologies for future defense’ and to examine the application of future core technologies within the long-term period and the feasibility of implementing them as military capabilities to identify the ‘18 core weapons systems’ that can be realised as weapons systems. The following should be preceded by an institutional framework to enable the application of the ‘technology-based required planning system’ to rapidly apply superior technology elements by replacing the existing ‘concept-based demand planning system’. First, a ‘military pilot use system’ that can prove the military practicality of high-tech should be introduced to ensure the military’s test-bed role for proving the superior technology and performance of products by the private sector. Second, ‘Development of Technology Leading Rapid Acquisition System’ is required so that superior products with proven performance can be directly linked to power generation by applying simplified procedures. Third, the application of ‘small sandbox’ that allows application of technology-based demand planning should be considered for a limited time in order to be applied as soon as possible, considering the difficulty of immediate application under the revision of regulations, etc. Fourth, the government should improve its wireless password policy by specifying the criteria for application of wireless codes to address regulatory problems under military security.What should be done in parallel with institutional supplementation is to expand and strengthen future challenge technology development projects. To this end, an environment that tolerates the failure of challenging R&D projects should be created, and a co-prosperity arena should be created where economic growth and military strength will be strengthened through the creation of an ecosystem in the field of defense, in addition to economic growth in the defense sector.

Nudging personalized password policies by understanding users’ personality

Password composition policies are used to prevent users from picking weak passwords. A website usually provides a unified password policy for each user but ignores the fact that people have a variety of preferences due to individual differences, which makes it difficult to achieve the expected strong password goals. In order to improve the effectiveness of password composition policies, we propose a dynamic personalized password policy (DPPP), which can personally recommend different password policies according to the user’s personality traits. We conduct an online study to evaluate the security and usability of DPPP and the two common password composition policies Basic8 and 3class8. The study results show that DPPP is more effective than Basic8 and 3class8 in resisting online and offline guessing attacks. DPPP is inferior to Basic8 and 3class8 only in the creation time and outperforms 3class8 in creating difficulty with significant differences.

Penerapan Privileged Access Management Menggunakan One Identity Pada Sebuah Perusahaan

&lt;p&gt;&lt;em&gt;One Identity Priveged Access Management (PAM) is a solution for a series of efforts to reduce security risks and help companies secure, control, monitor, analyze, and regulate privileged access rights to data and applications from very important organizations. The PAM solution allows companies to provide full credentials such as Administrators on Windows, Root on UNIX, Cisco Enable on Cisco devices, and embedded passwords found in applications and scripts or restricting access to ordinary users. All privileged account activities are recorded by analyzing real time activities and data. Password sharing activities can be eliminated, so security can be improved and compliance with privileges of privileged access rights is more efficient and manageable. Problems that can be explained when the user privileges password access rights do not have regular rules to change the password periodically in accordance with the security policy (password policy) even to obtain information that has accessed the network device using a special account or other permitted account . The purpose of this study is (i) to obtain information about changes in passwords periodically based on the configuration that has been set in the PAM system and adjusted to the password policy rules, (ii) get information about who is accessing the network device and the account accessed. The research method that is carried out is (i) collecting data from the system that will be implemented, (ii) directly accessing the system that has data and viewing information thoroughly into the system, (iii) matching the type of system with the system supported by the PAM application system then integrate it. Testing is done by accessing the target system using privileged access rights through the PAM application system. The results obtained (i) can facilitate password users not to remember passwords too often, (ii) can avoid sharing password information, (iii) change passwords regularly, (iv) find out all user password activities against a set of targets network systems that are permitted to be accessed, (v) record all access activities in the form of videos.&lt;/em&gt;&lt;/p&gt;

Implementation of a Secured Authentication System using a Policy Generator with Email Notifications

For securing the login, passwords of users from intruders and hackers, the website owners and administrators are providing certain guidelines to the users to create secure and strong passwords using a mechanism called Password Checkers. These guidelines which are provided helps the users to create strong passwords, these guidelines are also becoming the raw input for the hackers as they clearly show based on which policy the password was generated which increases the risk for brute force attacking with more ease. There by increasing the success rate probability for the brute force attackers. To overcome and to decrease the success probability for brute force attacking the Dynamic Password Policy Generator is being devised.The profiles of users are built and maintained by the system automatically bases on the interaction with the monitored database in training phase. This DBSAFE system will help both the administrator as well as the users to feel secured in terms with their data security. Also whenever, an unsuccessful attempts leaving a notification through an email will always add a extra layer of security to the system. When the system’s critical files were all under watch and someone try to access those, concerned people will be intimated to verify the system security keeping the system and database safe and healthy.

Hybritus: a password strength checker by ensemble learning from the query feedbacks of websites

Password authentication is vulnerable to dictionary attacks. Password strength measurement helps users to choose hard-to-guess passwords and enhance the security of systems based on password authentication. Although there are many password strength metrics and tools, none of them produces an objective measurement with inconsistent policies and different dictionaries. In this work, we analyzed the password policies and checkers of top 100 popular websites that are selected from Alexa rankings. The checkers are inconsistent and thus they may label the same password as different strength labels, because each checker is sensitive to its configuration, e.g., the algorithm used and the training data. Attackers are empowered to exploit the above vulnerabilities to crack the protected systems more easily. As such, single metrics or local training data are not enough to build a robust and secure password checker. Based on these observations, we proposed Hybritus that integrates different websites’ strategies and views into a global and robust model of the attackers with multiple layer perceptron (MLP) neural networks. Our data set is comprised of more than 3.3 million passwords taken from the leaked, transformed and randomly generated dictionaries. The data set were sent to 10 website checkers to get the feedbacks on the strength of passwords labeled as strong, medium and weak. Then we used the features of passwords generated by term frequency-inverse document frequency to train and test Hybritus. The experimental results show that the accuracy of passwords strength checking can be as high as 97.7% and over 94% even if it was trained with only ten thousand passwords. User study shows that Hybritus is usable as well as secure.

Assessing password practices of mobile apps

Mobile devices have become an essential part of human life and their increasing use has given rise to a number of innovative applications (e.g. finance manager). As far as we know, no prior work has examined the password practices on mobile apps. Therefore, we focus on the password implementation of mobile apps with the primary objective of assessing their authentication practices. Specifically, we analyze 50 leading mobile apps, which belong to 10 different categories of innovative mobile applications by dividing them into 2 groups based on the sensitivity of the information they hold. Our work can be considered as a follow-up to the study conducted by Bonneau and Preibusch for evaluating password practices of leading websites, which was published at WEIS 2010. We address the following four research questions: (a) How does the user experience vary from app to app? (b) How do the password policies of mobile apps compare with those of websites? (c) Are sensitive group of apps designed with stronger security policies as compared to the non-sensitive group of apps? and (d) What security weaknesses exist in the password implementation of mobile apps? Finally, we propose design recommendations to increase the overall security of password-protected accounts.

Can individuals’ neutralization techniques be overcome? A field experiment on password policy

Individuals’ lack of adherence to password security policy is a persistent problem for organizations. This problem is especially worrisome because passwords remain the primary authentication mechanism for information systems, and the number of passwords has been increasing. For these reasons, determining methods to improve individuals’ adherence to password-security policies constitutes an important issue for organizations.Extant research has shown that individuals use neutralization techniques, i.e., types of rationalizations, to disregard organizational information-security policies. What has not been determined from extant information security research is whether these neutralizations can be changed through educational training interventions. We argue that training based on principles of cognitive dissonance theory is a promising method for reducing individuals’ use of neutralization techniques. We contribute by showing empirically that training based on cognitive dissonance theory can reduce the use of neutralization techniques when such training is designed to counter such techniques.Using a quasi-experimental design at an organization, individuals received training on neutralization techniques in the context of password security. Using a quasi-experimental design, we found that individuals who received our training treatment exhibited substantially less intent to use neutralization techniques and were significantly more likely to use secure passwords. Additionally, a follow-up measurement three weeks after the training session showed that the experimental treatment retained its effectiveness, i.e., the experimental group exhibited substantially less intent to use neutralization techniques and a greater likelihood of using strong passwords in the future. Additionally, intent was significantly greater in the experimental group. Implications for practice and future research are discussed.

Securing password using dynamic password policy generator algorithm

It is proposed to tackle the problem of password leakage of popular websites like Linked-In, Adobe, Gmail, Yahoo, eHarmony, etc. by using dynamic password policy and enhanced hash algorithm. Here, an algorithm is developed that will generate password policies dynamically depending on the frequency of characters. Time complexity is computed, and it is found that the algorithm works fast. Since the algorithm creates password policies dynamically, it will be tough for the attacker to guess the characteristics of the password database.

Optiwords: A new password policy for creating memorable and strong passwords

User-generated textual passwords suffer from the conflict between security and usability. System administrators usually adopt password composition policies to help users choose strong passwords. However, users often use predictable patterns to meet the strict password composition policies and to make passwords easy to remember, which in turn reduces the password strength, or write the password down, which may cause the password to be compromised. To overcome the user-generated password security and usability dilemma, we propose Optiwords, which is a new textual-password creation policy that is based on picture superiority effect, which provides users with a direct “drawing-to-text” method for creating user-friendly passwords. Optiwords helps users design separate line drawings on the keyboard as a “password figure” and choose the characters on the lines of the drawings in a certain sequence as the final textual password. A two-part user study with 127 participants was conducted to compare the usability and security of Optiwords with other three popular password policies. The results showed that there was no statistically significant difference compared Optiwords with Basic8 or 3class8 in memorability. The password strength of Optiwords outperformed Basic8 and 3class8. Compared with Random8, Optiwords had a great advantage in usability.

Evaluating Passwords User Behavior and the Psychology of Password Management

Regardless of how complex an association's security framework is, it stays helpless because of the human factor. Content based passwords are usually utilized for verification in figuring condition. Despite the fact that passwords are considered as the underlying line of assurance for users, they stay simple to compromise. To improve the security of frameworks, different password synthesis policies are embraced. These strategies guarantee that users are made to pick solid passwords that assistance anticipate online ruptures and information spills. Be that as it may, it likewise make passwords hard to retain and review, diminishing the general ease of use. In this examination we researched the ease of use of password strategies and users' view of password security. We additionally reviewed and examined the patterns practiced by users while producing passwords (Crantor, Hong and Reiter, 2016).&#x0D; Users are not as mindful of security prerequisites and practices as they think. By far most of users' passwords are breakable within days or shorter. Strikingly, we found that the utilization of numbers and uppercase letters is common among clients. Numbers are generally utilized toward the end of the passwords and uppercase letters are for the most part utilized toward the start of passwords. The presence of such patterns makes it simpler for attackers to create progressively compelling dictionaries. In light of the examination in this investigation, we make suggestions to the IT office to improve the password policy (Shen, 2016).