Investigation of Instructions for Password Generation
Robert W. Proctor, Department of Psychological Sciences
Ninghui Li, Department of Computer Science
Based on: Yang, W., Li, N., Chowdhury, O., Xiong, A., & Proctor, R. W. (2016). An empirical study of password generation strategies. Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS 2016).
Passwords
Primary means of authentication
“The number of accounts we use is growing at a 14% rate… In 2020, the average number of accounts per Internet user will be 207! Are you ready to remember 207 login and password combos?” (Le Bros, 2015, Dashlane blog)
Continue to be used because:
Accepted by users
Relatively easy to implement
Password Composition
Many users do not create secure passwords (Nicholas, 2016)
How do you get users to generate secure and memorable passwords?
Password Composition Rules
use of both upper-case and lower-case letters
inclusion of one or more numerical digits
inclusion of special characters, such as #, $
Computer-Generated Passwords
Difficult for users to remember
How do you get users to generate secure and memorable passwords?
Mnemonic strategies
1. Think of a memorable sentence or phrase containing at least seven or eight words. For example, “Four score and seven years ago our fathers brought forth on this continent”.
2. Select a letter, number, or a special character to represent each word. A common method is to use the first letter of every word. For example: four⇒4, score⇒s, and⇒&. Combine them into a password: 4s&7yaofb4otc.
Effect of Instructions
Instructions are provided when people create passwords. However, research has not systematically investigated how instructions affect:
the security of the generated passwords
the usability of the method
memorability of the passwords
Study 1: Security of Mnemonic-based Strategy Variants
MTurk Workers
Participants were asked to type the sentence used in the intermediate step, after which they were to enter the password. Participants were warned not to use their actual passwords. We forbade passwords that were the same as the examples and passwords that did not appear to be generated following the instructions.
Table: Collisions Among the Top and Top 10 Passwords
Study 1 Findings
Finding 1: Using generic instructions and examples results in weak passwords.
Finding 2: Instructions requesting personalized sentences and containing appropriate examples lead to strong passwords. 536 sentences in MnePerEx started with “I” or “my”, suggesting a personalized choice. In comparison, such sentences appeared only 125 times in MneGenEx.
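The first-letter mnemonic derivation from the slide on mnemonic strategies, together with the collision count that Study 1 uses to compare instruction variants, as an added illustration that is not part of the original presentation. The substitution table beyond the slide's own four⇒4, and⇒&, seven⇒7 (and forth⇒4 by sound), the two sentence samples and the exact collision statistic are this example's own assumptions, not the study's data.

```python
import re
from collections import Counter

# Word-to-symbol substitutions taken from the slide's example ("four" -> 4,
# "and" -> &, "seven" -> 7, "forth" -> 4 by sound), extended with a few
# common homophones; the extra entries are this example's assumption.
SUBSTITUTIONS = {
    "four": "4", "for": "4", "forth": "4", "and": "&", "seven": "7",
    "to": "2", "too": "2", "two": "2", "at": "@", "one": "1", "eight": "8",
}

def mnemonic_password(sentence):
    """One character per word: the substitution if there is one, otherwise
    the word's first letter (case kept). Punctuation is ignored."""
    words = re.findall(r"[A-Za-z']+", sentence)
    return "".join(SUBSTITUTIONS.get(w.lower(), w[0]) for w in words)

def collision_report(passwords, top_n=10):
    """Returns (number of distinct passwords, share of the sample that
    collides inside the top-N most frequent passwords). A high share means
    many participants independently produced the same password, which is
    the weakness generic instructions and examples cause."""
    counts = Counter(passwords)
    in_top = sum(c for _, c in counts.most_common(top_n) if c > 1)
    return len(counts), in_top / len(passwords)

# Constructed samples standing in for two instruction conditions: with a
# generic example many participants reuse the same famous sentences; with
# personalised instructions each writes about their own life.
GENERIC = (
    ["Four score and seven years ago our fathers brought forth on this continent"] * 4
    + ["To be or not to be that is the question"] * 3
    + ["The quick brown fox jumps over the lazy dog"] * 2
    + ["I have a dream"]
)
PERSONAL = [
    "My dog Rex eats two bowls of kibble at six",
    "I moved to Lafayette for grad school in two thousand and nine",
    "My sister and I biked four miles to the lake every July",
    "Grandma taught me to bake bread at eight",
    "Our first car was a rusty blue hatchback",
    "I broke my arm skating on Maple Street",
]

if __name__ == "__main__":
    print(mnemonic_password(GENERIC[0]))  # 4s&7yaofb4otc
    for name, sample in (("generic", GENERIC), ("personal", PERSONAL)):
        print(name, collision_report([mnemonic_password(s) for s in sample]))
```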
Study 1 Findings
Finding 3: Commonly suggested instantiations are worse than MnePerEx.
Finding 4: Both personalized sentences and high-quality examples are needed to achieve better security.
MneEx and MnePer: For both MneEx and MnePer, the number of collisions was greater than for MnePerEx, although less than for MneGenEx.
Study 2: Usability & Memorability of Mnemonic Strategies
Examined the usability and memorability of MneGenEx, MnePerEx, and a Control condition. Participants were told that they would be asked to return and use the password in about one week, and that they could take whatever measures they would normally take to remember and protect the passwords. Each participant was asked to create an online account for a bank named “Provident Citizens Bank”. Half of the participants were tested for recall at the end of the session; all were invited to return 1 week later. Participants filled out the NASA TLX for initial password generation and final recall.
Study 2: First Phase Results
Compared with MneGenEx, password generation time was shorter in MnePerEx. The workload required in the Control condition was lower than that in the two mnemonic strategy variants, which did not differ. Short-term recall: Almost all participants entered the correct password.
Study 2: Second Phase Results
The final successful recall rate did not differ significantly among the conditions. Those who did short-term recall tended to have higher success rates for long-term recall in all conditions. The password recall time in the Control condition was shorter than that for MneGenEx and MnePerEx conditions, for which there was no significant difference.
NASA TLX subscales: Mental workload and frustration ratings of the mnemonic strategy variants were higher than those of the Control. At the end of the task, participants were asked to update the password, without any restriction except that it could not be the same as the old one. About 70% of participants in MneGenEx and MnePerEx said “yes” to a question about whether they used the strategy we provided.
Summary
The specific instructions used for mnemonic strategies are important in determining the passwords that are created. Instructions emphasizing personal information and including multiple examples provide the strongest security with no additional cost in usability and memorability.
Broader Conclusions
Instructions and feedback that highlight the declarative and procedural knowledge about security actions in which users must engage are essential. Instructions and warnings should be designed to have training embedded in them.