Human Selection of Mnemonic Phrase-based Passwords, SOUPS, 06
In a mnemonic phrase-based password, the user chooses a memorable phrase and uses one character per word (usually the word's first letter) to form the password. The authors built a 400,000-entry dictionary of such passwords and cracked 4% of the mnemonic passwords collected in their study, a proof of concept that much better mnemonic dictionaries could be built. Survey respondents in the mnemonic condition based their phrases on external sources: music, literature, movies, TV shows, speeches, scientific or educational mnemonics, nursery rhymes, and advertisements. The authors found 65% of the phrases by googling them.
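How such a mnemonic dictionary is built and used is easier to see in code. The example below is added here and is not the paper's tooling: the phrases, the substitution table (digits and symbols users pick instead of a first letter) and the leaked hash set are all constructed for the example, and the target hashes are unsalted SHA-256 only so that the attack runs offline in a few lines.

```python
import hashlib
import itertools
from typing import Dict, Iterable, List, Set

# Constructed sample phrases standing in for the paper's sources (lyrics,
# quotations, nursery rhymes, ad slogans, ...). A real dictionary would be
# scraped from such sources by the hundreds of thousands.
PHRASES = [
    "to be or not to be that is the question",
    "four score and seven years ago",
    "twinkle twinkle little star",
]

# Assumed substitutions: words that users often encode as a digit or symbol
# instead of their first letter.
WORD_SUBS = {
    "to": ["t", "2"], "two": ["t", "2"], "too": ["t", "2"],
    "for": ["f", "4"], "four": ["f", "4"],
    "and": ["a", "&"], "at": ["a", "@"],
    "one": ["o", "1"], "you": ["y", "u"], "are": ["a", "r"],
}

def word_tokens(word: str) -> List[str]:
    """Characters a user might choose to stand for one word of the phrase."""
    word = word.lower().strip(",.!?;:'\"()")
    if not word:
        return []
    return WORD_SUBS.get(word, [word[0]])

def mnemonic_candidates(phrase: str, max_variants: int = 64) -> Set[str]:
    """All mnemonic passwords one phrase could yield: the product of the
    per-word choices, each also with an initial capital and with the
    trailing '1' / '!' users add to satisfy composition rules."""
    choices = [toks for toks in (word_tokens(w) for w in phrase.split()) if toks]
    out: Set[str] = set()
    if not choices:
        return out
    for combo in itertools.islice(itertools.product(*choices), max_variants):
        base = "".join(combo)
        for variant in (base, base[0].upper() + base[1:]):
            out.update({variant, variant + "1", variant + "!"})
    return out

def build_dictionary(phrases: Iterable[str]) -> Set[str]:
    """Union of the candidates of every phrase: the attack dictionary."""
    dictionary: Set[str] = set()
    for phrase in phrases:
        dictionary |= mnemonic_candidates(phrase)
    return dictionary

def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def crack(target_hashes: Set[str], dictionary: Iterable[str]) -> Dict[str, str]:
    """Offline attack against unsalted SHA-256 hashes (constructed for the
    example; a real target would be a leaked hash file). Returns
    {hash: recovered password} for every dictionary hit."""
    found: Dict[str, str] = {}
    for cand in dictionary:
        h = sha256_hex(cand)
        if h in target_hashes:
            found[h] = cand
    return found

if __name__ == "__main__":
    dictionary = build_dictionary(PHRASES)
    leaked = {sha256_hex("2bon2btitq"), sha256_hex("Ttls!"), sha256_hex("correcthorse")}
    hits = crack(leaked, dictionary)
    print(f"{len(dictionary)} candidates, {len(hits)} of {len(leaked)} hashes cracked")
    for h, pw in hits.items():
        print(h[:12], "->", pw)
```

The point of the expansion step is that a phrase found by googling is worth far more than one dictionary entry: each substitution and capitalisation choice multiplies the candidates, and the product stays small enough to hash exhaustively.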
Citation (ACM Ref): Cynthia Kuo, Sasha Romanosky, and Lorrie Faith Cranor. 2006. Human selection of mnemonic phrase-based passwords. In Proceedings of the second symposium on Usable privacy and security(SOUPS '06). ACM, New York, NY, USA, 67-78. DOI=10.1145/1143120.1143129 http://doi.acm.org/10.1145/1143120.1143129
Reducing Shoulder-surfing by Using Gaze-based Password Entry, SOUPS, 07
Users enter their password with their eye gaze on a 1280 x 1024 screen at 96 dpi equipped with a Tobii 1750 eye tracker. Two gaze-entry methods were explored: trigger based and dwell based. In trigger-based entry the user presses a specific key, e.g. the space bar, each time the gaze has settled on a character; the time between consecutive presses may leak information about the password. In dwell-based entry the user keeps the gaze fixed on a password character for a set interval before moving on to find the next one. The error rate was higher for the trigger-based method, possibly because it is hard to time the button press precisely against the gaze fixation. This might be compensated algorithmically using the user's recent gaze path.
A lab study with 18 users (50% male, average age 21) shows that gaze-based password entry takes about five times longer (average 10 seconds) than keyboard input. Still, more than 80% of the users said they would prefer gaze-based entry in a public setting. Errors were not significantly higher. Eyeglasses did not hamper the eye tracker. The QWERTY layout proved faster than an alphabetic layout, presumably because of users' prior experience with the former. Over time users may develop the equivalent of muscle memory for their eyes and become faster and more accurate. The method produces no mouse or keyboard events and is therefore more resistant to keyloggers. The entropy of the gaze-based password (the authors call the system EyePassword) could be increased further by taking the user-specific gaze path and dwell-time patterns into account.
Users may not remain as positive about the gaze-based method if they had to use it more frequently in real-life scenarios. Mobile phones or other screens with much smaller real estate might cause problems. What about cross-eyed users, or users with low vision or blindness?
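The two entry modes differ only in what turns a gaze sample into a character, which the added example below makes concrete. It is not the paper's EyePassword implementation: the keyboard geometry (three QWERTY rows of 100x100 px keys), the 50 Hz sampling rate, the 400 ms dwell time and the gaze traces are all constructed assumptions. The trigger-based decoder also returns the inter-press intervals, since those timings are exactly what an observer or a keylogger-style hook still gets to see.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed on-screen keyboard: three QWERTY rows of 100x100 px keys with the
# origin at the top-left corner of the keyboard.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_W = KEY_H = 100

@dataclass
class Sample:
    x: float
    y: float
    t_ms: int
    trigger: bool = False  # True on the sample during which the space bar was pressed

def key_at(x: float, y: float) -> Optional[str]:
    """Key under a gaze point, or None if the gaze is off the keyboard."""
    row, col = int(y // KEY_H), int(x // KEY_W)
    if 0 <= row < len(ROWS) and 0 <= col < len(ROWS[row]):
        return ROWS[row][col]
    return None

def key_center(ch: str) -> Tuple[float, float]:
    for r, row in enumerate(ROWS):
        if ch in row:
            return (row.index(ch) + 0.5) * KEY_W, (r + 0.5) * KEY_H
    raise ValueError(f"no key for {ch!r}")

def dwell_entry(samples: List[Sample], dwell_ms: int = 400) -> str:
    """Dwell-based entry: a key is accepted once the gaze has rested on it for
    dwell_ms and is not accepted again until the gaze leaves the key, so a
    repeated letter needs a glance away in between."""
    typed: List[str] = []
    current: Optional[str] = None
    start = 0
    accepted = False
    for s in samples:
        k = key_at(s.x, s.y)
        if k != current:
            current, start, accepted = k, s.t_ms, False
            continue
        if k is not None and not accepted and s.t_ms - start >= dwell_ms:
            typed.append(k)
            accepted = True
    return "".join(typed)

def trigger_entry(samples: List[Sample]) -> Tuple[str, List[int]]:
    """Trigger-based entry: take the key under the gaze at every key press.
    Also returns the inter-press intervals in ms, the timing side channel
    that survives even though no character is ever typed."""
    typed: List[str] = []
    press_times: List[int] = []
    for s in samples:
        if s.trigger:
            k = key_at(s.x, s.y)
            if k is not None:
                typed.append(k)
                press_times.append(s.t_ms)
    gaps = [b - a for a, b in zip(press_times, press_times[1:])]
    return "".join(typed), gaps

def synth_gaze(word: str, hold_ms: int, period_ms: int = 20) -> List[Sample]:
    """Constructed tracker output at 50 Hz: fixate each key for hold_ms with a
    few pixels of alternating jitter, press the trigger on the last sample of
    the fixation, then glance above the keyboard before the next key."""
    samples: List[Sample] = []
    t = 0
    n = hold_ms // period_ms
    for ch in word:
        cx, cy = key_center(ch)
        for i in range(n):
            jitter = 5 if i % 2 else -5
            samples.append(Sample(cx + jitter, cy, t, trigger=(i == n - 1)))
            t += period_ms
        samples.append(Sample(cx, -10, t))  # look away from the keyboard
        t += period_ms
    return samples

if __name__ == "__main__":
    trace = synth_gaze("hello", hold_ms=600)
    print("dwell  :", dwell_entry(trace))
    word, gaps = trigger_entry(trace)
    print("trigger:", word, "inter-press ms:", gaps)
    print("dwell with 300 ms fixations:", repr(dwell_entry(synth_gaze("hello", 300))))
```

Shortening the fixations below the dwell threshold makes the dwell decoder emit nothing, which is the usability cost the study measured as a longer entry time; the trigger decoder has no such threshold but hands the attacker the press timings.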
Citation (ACM Ref): Manu Kumar, Tal Garfinkel, Dan Boneh, and Terry Winograd. 2007. Reducing shoulder-surfing by using gaze-based password entry. In Proceedings of the 3rd symposium on Usable privacy and security (SOUPS '07). ACM, New York, NY, USA, 13-19. DOI=10.1145/1280680.1280683 http://doi.acm.org/10.1145/1280680.1280683
Improving Text Passwords Through Persuasion, SOUPS, 08
Ideas from persuasive technology were applied to nudge users into creating more secure passwords. The user chooses an initial password (at least 8 characters); the system then either replaces characters at random positions with randomly chosen characters (replace-k) or inserts a few randomly chosen characters at random positions (insert-k). The user can then "shuffle", i.e. ask for a fresh random modification, until the result seems memorable enough.
A lab study with 83 participants was conducted. The traditional-password group took an average of 33 seconds to create their passwords, whereas the PTP groups (replace-2, insert-2, insert-3, insert-4) took an average of 65 seconds.
The PTP insert variants improved security by pushing users' passwords into larger password spaces. The security metric was per-character entropy multiplied by the number of characters: for a 6-letter password with one uppercase and five lowercase letters, the metric assigns 6*lg(52) bits. The metric is too simple to account for users' bias towards English words, predictable character positioning, or relationships between adjacent characters. Participants who had more characters inserted chose initial passwords with fewer estimated bits of security. Dictionary attacks with a Bartavelle-patched version of John the Ripper using the "All+Rules" and "Mangled" options failed to crack any PTP-improved password. PTP users did not find creating their passwords more difficult, and they felt that the improved passwords were far less likely to be guessed by an attacker. Longer login times for PTP did not negatively affect users' perception of the system. Inserting 3 random characters was the most that users could remember without excessive mental effort.
Long term memorability and multiple password interference were not tested.
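The insert-k and replace-k transformations and the additive strength metric described above are small enough to write out, which also makes the metric's blind spot visible. The example below is added here and is not the PTP prototype's code: the insertion alphabet (letters and digits), the 32-character symbol class, and the tiny wordlist are constructed assumptions. Random positions and characters come from the secrets module, since the security of the scheme rests entirely on the user not being able to influence them.

```python
import math
import secrets
import string
from typing import Callable, Set

# Assumed alphabet for the inserted or replacing characters.
ALPHABET = string.ascii_letters + string.digits

def insert_random(password: str, k: int) -> str:
    """PTP insert-k: k characters drawn from a CSPRNG, each dropped at a
    uniformly random position (ends included) of the user's password."""
    chars = list(password)
    for _ in range(k):
        pos = secrets.randbelow(len(chars) + 1)
        chars.insert(pos, secrets.choice(ALPHABET))
    return "".join(chars)

def replace_random(password: str, k: int) -> str:
    """PTP replace-k: overwrite k distinct random positions."""
    chars = list(password)
    k = min(k, len(chars))
    positions: Set[int] = set()
    while len(positions) < k:
        positions.add(secrets.randbelow(len(chars)))
    for pos in positions:
        chars[pos] = secrets.choice(ALPHABET)
    return "".join(chars)

def shuffle_until_accepted(password: str, k: int, accept: Callable[[str], bool],
                           max_tries: int = 20) -> str:
    """The 'shuffle' button: re-randomise until the user accepts a candidate.
    The user only judges memorability; positions and characters stay random."""
    candidate = insert_random(password, k)
    for _ in range(max_tries - 1):
        if accept(candidate):
            break
        candidate = insert_random(password, k)
    return candidate

def naive_bits(password: str) -> float:
    """The strength metric as the summary describes it: log2 of the size of the
    union of character classes present, times the length. Symbols are assumed
    to be the 32 ASCII punctuation characters."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0

def is_subsequence(needle: str, hay: str) -> bool:
    """True if needle's characters appear in hay in order: insert-k must keep
    the user's original password intact inside the result."""
    it = iter(hay)
    return all(ch in it for ch in needle)

# Constructed wordlist: what the additive metric cannot see.
TINY_WORDLIST = {"password", "letmein", "qwerty"}

def metric_vs_wordlist(password: str) -> dict:
    """Side by side: the metric's estimate and a dictionary lookup."""
    return {"naive_bits": round(naive_bits(password), 1),
            "in_wordlist": password.lower() in TINY_WORDLIST}

if __name__ == "__main__":
    user_pw = "password"
    print("user     :", user_pw, metric_vs_wordlist(user_pw))
    for k in (2, 3, 4):
        improved = insert_random(user_pw, k)
        print(f"insert-{k} :", improved, metric_vs_wordlist(improved))
    print("replace-2:", replace_random(user_pw, 2))
```

"password" scores about 37.6 bits under this metric although a wordlist finds it in one lookup; an insert-3 result of the same word scores higher and, more importantly, is no longer a wordlist hit, which is why the paper's John the Ripper runs failed even though the estimate itself is crude.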
Citation (ACM Ref): Alain Forget, Sonia Chiasson, P. C. van Oorschot, and Robert Biddle. 2008. Improving text passwords through persuasion. In Proceedings of the 4th symposium on Usable privacy and security (SOUPS '08). ACM, New York, NY, USA, 1-12. DOI=10.1145/1408664.1408666 http://doi.acm.org/10.1145/1408664.1408666
User Evaluation of Lightweight User Authentication with a Single Tri-axis Accelerometer, MHCI, 09
The authors propose a gesture-based user identification and authentication method. uWave is the underlying gesture recognition system; it requires only a single tri-axis accelerometer. Users select their own gestures, and a personalized gesture can be trained from a single sample.
A user study with 25 participants was conducted over one month. For identification, 98% accuracy was achieved. Without visual disclosure, the equal error rate for authentication was 3%. With visual disclosure (likely for gestures, which are performed in plain view), the false-positive rate rose to 10%, implying that gesture-based authentication is suitable only where mild security is needed or when combined with other methods. For user identification (e.g., multiple accounts on a TV), unsurprisingly, selection constraints improved accuracy: the complexity constraint eliminates simple gestures that are easily confused with each other, and the rejection procedure guarantees enough difference between gesture templates. Regular template replacement also improved accuracy. Compared to a text ID, users did not find gestures harder to remember or perform.
For user authentication (password gestures), users chose highly symbolic gestures such as regular shapes or letters in their native language. Users also chose gestures with personal meaning because that helped them remember complicated gestures. Both choice patterns make gesture passwords vulnerable to dictionary or social-engineering attacks. Presumably, sharing gesture passwords with others is easy as well.
Citation (ACM Ref): Jiayang Liu, Lin Zhong, Jehan Wickramasuriya, and Venu Vasudevan. 2009. User evaluation of lightweight user authentication with a single tri-axis accelerometer. In Proceedings of the 11th International Conference on Human-Computer Interaction with Mobile Devices and Services(MobileHCI '09). ACM, New York, NY, USA, , Article 15 , 10 pages. DOI=10.1145/1613858.1613878 http://doi.acm.org/10.1145/1613858.1613878
Mobile User Location-specific Encryption (MULE): Using Your Office as Your Password, WISEC, 10
A simple-to-use and simple-to-manage file encryption scheme is proposed to defend against data breaches from lost or stolen laptops. The laptop needs a Trusted Platform Module (TPM), and the place where decryption takes place must have a Trusted Location Device (TLD) that communicates with the laptop over a constrained channel, e.g., an infrared LED. The security of the scheme relies on the attacker not being physically present at the user's home or office, or on a lost or stolen laptop being reported quickly enough for the company to add it to a blacklist. When the user needs to access a sensitive file, MULE contacts the TLD. The TLD generates a nonce (the location-specific message m) and transmits it as IR LED blinks, which the laptop reads with its webcam, so that an attacker outside the trusted location cannot obtain m. The laptop then uses m in its exchange with the TLD to derive the decryption key. Without access to the constrained channel, an attacker cannot recover m, cannot complete the interaction with the TLD, and so fails to obtain the signature needed to decrypt the files.
If the legitimate user needs to access a sensitive file outside trusted locations (no TLD available), a secondary password can be used, and the TPM on the laptop makes guessing that secondary password much harder. One limitation of communicating m by LED blinks is the low bit rate, which contributes to a delay of about five seconds on the first access to sensitive files.
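The security argument above (m is only readable inside the room, the TLD only cooperates with a laptop that proves it saw m, and the file key needs both the TLD's contribution and a secret held on the laptop) can be walked through as a small protocol simulation. The example below is added here and is a simplified model of the flow as the summary describes it, not the paper's actual protocol: an HMAC under a TLD secret stands in for the TLD signature, a random byte string stands in for the TPM-sealed secret, the key derivation is a constructed SHA-256 construction, and the secondary-password path is not modelled.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

def kdf(*parts: bytes) -> bytes:
    """Constructed key derivation: SHA-256 over length-prefixed parts."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class TrustedLocationDevice:
    """Model of the TLD. It holds a long-term secret and the blacklist of
    reported laptops; blink_nonce() models the constrained IR channel that
    only a webcam inside the room can read, respond() the ordinary radio link."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)
        self.blacklist: Set[bytes] = set()
        self.pending: Dict[bytes, bytes] = {}

    def blink_nonce(self, laptop_id: bytes) -> bytes:
        """Step 1 (IR): fresh location-specific message m for this request."""
        m = secrets.token_bytes(16)
        self.pending[laptop_id] = m
        return m

    def respond(self, laptop_id: bytes, proof: bytes) -> Optional[bytes]:
        """Step 2 (radio): release the location secret only to a laptop that
        proves it saw m and is not blacklisted. m is single-use, so a proof
        captured on the radio link cannot be replayed later."""
        m = self.pending.pop(laptop_id, None)
        if m is None or laptop_id in self.blacklist:
            return None
        expected = hmac.new(m, b"mule-proof" + laptop_id, "sha256").digest()
        if not hmac.compare_digest(expected, proof):
            return None
        # Stands in for the TLD signature the summary mentions: a value only
        # the TLD can produce, bound to this laptop.
        return hmac.new(self.secret, b"mule-location" + laptop_id, "sha256").digest()

class Laptop:
    def __init__(self, laptop_id: bytes) -> None:
        self.id = laptop_id
        self.sealed = secrets.token_bytes(32)  # stand-in for a TPM-sealed secret

    def derive_file_key(self, tld: TrustedLocationDevice,
                        observed_m: Optional[bytes]) -> Optional[bytes]:
        """observed_m is what the webcam decoded from the IR blinks, or None
        (or a guess) when the requester is outside the trusted location."""
        if observed_m is None:
            return None
        proof = hmac.new(observed_m, b"mule-proof" + self.id, "sha256").digest()
        location_secret = tld.respond(self.id, proof)
        if location_secret is None:
            return None
        # Both the room (via the TLD) and this laptop's sealed secret are needed.
        return kdf(location_secret, self.sealed)

def run_scenarios() -> Dict[str, Optional[bytes]]:
    tld = TrustedLocationDevice()
    laptop = Laptop(b"laptop-42")
    results: Dict[str, Optional[bytes]] = {}
    # In the office on two occasions: the webcam reads m; the same file key results.
    results["office_1"] = laptop.derive_file_key(tld, tld.blink_nonce(laptop.id))
    results["office_2"] = laptop.derive_file_key(tld, tld.blink_nonce(laptop.id))
    # Outside, radio only: the attacker never sees the blinks and must guess m.
    tld.blink_nonce(laptop.id)
    results["radio_only"] = laptop.derive_file_key(tld, secrets.token_bytes(16))
    # Laptop reported stolen: even a thief who walks into the office is refused.
    tld.blacklist.add(laptop.id)
    results["blacklisted"] = laptop.derive_file_key(tld, tld.blink_nonce(laptop.id))
    return results

if __name__ == "__main__":
    for name, key in run_scenarios().items():
        print(f"{name:12s}", key.hex()[:16] if key else "refused")
```

The file key is the same on every visit because the TLD's contribution is deterministic per laptop, which is what lets files encrypted last week be opened today without storing the key on disk; the two refusal cases are exactly the two assumptions the scheme's security rests on.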
Citation (ACM Ref): Ahren Studer and Adrian Perrig. 2010. Mobile user location-specific encryption (MULE): using your office as your password. In Proceedings of the third ACM conference on Wireless network security(WiSec '10). ACM, New York, NY, USA, 151-162. DOI=10.1145/1741866.1741892 http://doi.acm.org/10.1145/1741866.1741892
A Diary Study of Password Usage in Daily Life, CHI, 11
20 people (11 female) participated in the study: 12 university students, 3 housewives, 2 university staff, 2 self-employed, and 1 unemployed. They were given a diary and asked to record the password events in their daily lives for two weeks. Exactly 1500 password events were recorded.
The most common purpose of these events was logging into an online service (75.6%), followed by logging into computers (20.3%), using applications on a computer (7.4%), and unlocking screensavers (3.3%). The estimated number of online accounts per user was 11.4 on average. The authors suggest that novel authentication schemes be tested for multiple-password interference with about 12 passwords, matching the average number of accounts per user. Email and messaging (e.g., Twitter) accounted for the largest share of password events, about 40%. Email, messaging, university, and company accounts together made up 68.4% of the events and 45.6% of the accounts.
84.3% of the events occurred at home or at the office; only 13.1% occurred in public places (e.g., a library or school). 93.9% of the events occurred on either personal or work computers. The authors note that making the login process easier on users' work and home computers would be a great help, and that a user's current location can serve as context for strengthening or easing authentication.
All participants except one reused passwords across accounts. The authors note that the low adoption rate of password aids suggests there is a lot of room for helping people, and that examining why people do not use such aids might be fruitful. Limitations: non-diverse demographics, self-reports, password events on computers only (not smartphones or tablets), and the short study period.
Citation (ACM Ref): Eiji Hayashi and Jason Hong. 2011. A diary study of password usage in daily life. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '11). ACM, New York, NY, USA, 2627-2630. DOI=10.1145/1978942.1979326 http://doi.acm.org/10.1145/1978942.1979326
Self-reported Password Sharing Strategies, CHI, 11
The author argues that password sharing can be a tool used thoughtfully to manage the complexities of everyday life.
Citation (ACM Ref): Joseph 'Jofish' Kaye. 2011. Self-reported password sharing strategies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '11). ACM, New York, NY, USA, 2619-2622. DOI=10.1145/1978942.1979324 http://doi.acm.org/10.1145/1978942.1979324
Assessing the Vulnerability of Magnetic Gestural Authentication to Video-Based Shoulder Surfing Attacks, CHI, 12
The vulnerability of an authentication scheme for magnetometer-equipped smartphones is explored. The user produces a signature in the air around the device with a magnetic token, stylus, or finger ring, which the phone's magnetometer senses in 3D. Dynamic Time Warping (DTW) matches the current signature against the stored template. The signatures were video-recorded by four cameras from four angles: front, rear, left, and right. 22 participants tried to forge the signature after watching the recordings. With a matching threshold of 1.67 the number of successful attacks was zero, while legitimate users always authenticated successfully.
Citation (ACM Ref): Alireza Sahami Shirazi, Peyman Moghadam, Hamed Ketabdar, and Albrecht Schmidt. 2012. Assessing the vulnerability of magnetic gestural authentication to video-based shoulder surfing attacks. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems(CHI '12). ACM, New York, NY, USA, 2045-2048. DOI=10.1145/2207676.2208352 http://doi.acm.org/10.1145/2207676.2208352
Do You See Your Password? Applying Recognition to Textual Passwords, SOUPS, 12
Like PassFaces, a recognition-based text password scheme is proposed in the hope that it would be more memorable than pure recall. Three conditions: 6 randomly generated lowercase letters, 4 randomly generated whole words, and recognition of words from several panels of 26 words each. A one-week user study with 36 participants (15 male, average age 29.8) found that the recognition-based textual password scheme was not superior to the letter password in memorability, and that word recall was the worst. One major disadvantage of the recognition scheme was the lengthy login time. [very badly written]
Citation (ACM Ref): Nicholas Wright, Andrew S. Patrick, and Robert Biddle. 2012. Do you see your password?: applying recognition to textual passwords. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS '12). ACM, New York, NY, USA, , Article 8 , 14 pages. DOI=10.1145/2335356.2335367 http://doi.acm.org/10.1145/2335356.2335367
Correct horse battery staple: Exploring the usability of system-assigned passphrases, SOUPS, 12
The usability of system-assigned passphrases was compared to that of system-assigned passwords and, contrary to expectation, the former were not found to be significantly more usable.
Using Mechanical Turk, a user study with 1476 participants was conducted across 11 conditions: 3 password conditions with 30 or 36 bits of entropy (one of them a pronounceable password) and 8 passphrase conditions of about 30 bits of entropy. The first part of the study tested immediate recall; the second, recall after 48 hours. In memorability, tendency to write the secret down, and user sentiment, passwords and passphrases fared equally, but passphrases took longer to type and involved more typographical errors. Relaxing the word order of the passphrase did not make it more memorable. The total number of characters in the phrase, not the number of characters per word, affected usability.
Pronounceable passwords performed very well in accuracy and speed, perhaps because they contained only lowercase letters.
Citation (ACM Ref): Richard Shay, Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Blase Ur, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2012. Correct horse battery staple: exploring the usability of system-assigned passphrases. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS '12). ACM, New York, NY, USA, , Article 7 , 20 pages. DOI=10.1145/2335356.2335366 http://doi.acm.org/10.1145/2335356.2335366
Magnetic Signatures in Air for Mobile Devices, MHCI, 12
The user uses a permanent magnet shaped like a ring or a pen to "write" a signature in the free space around the smartphone. Authentication is based on the temporal variation of the magnetic field sensed by the phone's magnetometer. The training phase records and stores the user's signature, and in the authentication phase Dynamic Time Warping matches the current signature against the template. The user has to click a button to signal that the signature input is about to start.
The authors claim that a 3D signature is hard to copy and allows more possible signatures than its 2D counterpart.
Observing or even recording the signature is very easy, and it should be tested how hard it is for an attacker to recreate the 3D signature. Besides, the user needs the permanent magnet in addition to the phone; why not use a cryptographic token instead?
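Both magnetic-signature papers above (the MobileHCI '12 scheme and the CHI '12 shoulder-surfing evaluation) rely on matching a 3-axis magnetometer trace against a stored template with Dynamic Time Warping and accepting below a threshold. The example below is added here and is neither paper's code: the loop-shaped traces, the alternating sensor noise, the per-axis mean subtraction and the 0.3 acceptance threshold (on a path-length-normalised score, which is not the paper's 1.67) are all constructed assumptions. It shows why DTW tolerates a slower or faster repetition of the same stroke while still rejecting a stroke of the wrong amplitude.

```python
import math
from typing import List, Sequence, Tuple

Vec3 = Tuple[float, float, float]

def center(trace: Sequence[Vec3]) -> List[Vec3]:
    """Subtract the per-axis mean so a constant background field (the Earth's,
    or a different phone orientation) does not dominate the distance.
    Assumed preprocessing, not something the papers specify."""
    n = len(trace)
    means = tuple(sum(v[i] for v in trace) / n for i in range(3))
    return [(v[0] - means[0], v[1] - means[1], v[2] - means[2]) for v in trace]

def dist(a: Vec3, b: Vec3) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def dtw(s: Sequence[Vec3], t: Sequence[Vec3]) -> float:
    """Dynamic Time Warping distance between two 3-axis traces: the minimal
    summed point distance over monotone alignments, divided by len(s)+len(t)
    so that scores are comparable across traces of different speeds."""
    n, m = len(s), len(t)
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = dist(s[i - 1], t[j - 1])
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m] / (n + m)

THRESHOLD = 0.3  # assumed acceptance threshold for this normalisation

def authenticate(template: Sequence[Vec3], attempt: Sequence[Vec3],
                 threshold: float = THRESHOLD) -> Tuple[bool, float]:
    """Accept when the attempt's DTW score against the enrolled template is
    below the threshold. Returns (accepted, score)."""
    score = dtw(center(template), center(attempt))
    return score < threshold, score

def synth_loop(n: int, scale: float = 1.0, noise: float = 0.0) -> List[Vec3]:
    """Constructed magnetometer trace of a looped stroke: a circle in x/y with
    a figure-eight wobble in z, n samples, optional alternating sensor noise.
    Fewer samples means the stroke was performed faster."""
    out: List[Vec3] = []
    for k in range(n):
        th = 2 * math.pi * k / n
        jit = noise if k % 2 else -noise
        out.append((scale * math.cos(th) + jit,
                    scale * math.sin(th) - jit,
                    0.3 * scale * math.sin(2 * th)))
    return out

def demo() -> dict:
    template = synth_loop(40)                 # enrolled during training
    genuine = synth_loop(55, noise=0.03)      # same stroke, slower and noisier
    forgery = synth_loop(45, scale=2.0)       # right shape, wrong amplitude
    return {"genuine": authenticate(template, genuine),
            "forgery": authenticate(template, forgery)}

if __name__ == "__main__":
    for who, (ok, score) in demo().items():
        print(f"{who:8s} score={score:.3f} accepted={ok}")
```

The forgery here is rejected only because its amplitude is off; a forger who reproduces shape, amplitude and pace after watching a recording is the case the CHI '12 study tests, and the threshold is the single knob trading the 3% style false rejections against successful imitations.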
Citation (ACM Ref): Hamed Ketabdar, Peyman Moghadam, Babak Naderi, and Mehran Roshandel. 2012. Magnetic signatures in air for mobile devices. In Proceedings of the 14th international conference on Human-computer interaction with mobile devices and services companion (MobileHCI '12). ACM, New York, NY, USA, 185-188. DOI=10.1145/2371664.2371705 http://doi.acm.org/10.1145/2371664.2371705
A Research Agenda Acknowledging the Persistence of Passwords, S&P, 12
No scheme in the last 20 years has been able to replace passwords; there is no silver bullet, and a trade-off between security and usability seems inevitable. Not all accounts in all environments have the same security needs. Attacks need to be ranked according to the harm they can cause, and that requires data.
Given the cost, confusion, training, and customer-support calls that novel systems bring, it can be better to let others go first and learn from their experience.
The advantages of passwords: they are free, users understand them well, they are accessible from anywhere, and revocation is cheap; passwords seem to be the worst possible authentication system, except for all the others. Relatively little effort has gone into studying plain old text passwords: how they are used and reused, how often they fail or are confused between accounts, and how to improve things. Mandating password changes once hashes leak might be better than strong policies all the time. The authors suggest that expiration policies be eliminated, as they hurt usability without offering any real security benefit. Users need realistic guidance to cope with the dozens of passwords they must now manage; what is needed is the development and analysis of serious password managers and recognition of their potential benefits.
Citation: C. Herley, P.C. van Oorschot. A Research Agenda Acknowledging the Persistence of Passwords. DOI: 10.1109/MSP.2011.150. IEEE Security & Privacy 10(1):28-36 (Jan/Feb 2012).