About

The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.

1

A Design and Analysis of Graphical Password

Suo, Xiaoyuan 03 August 2006
The most common computer authentication method is to use alphanumerical usernames and passwords. This method has been shown to have significant drawbacks. For example, users tend to pick passwords that can be easily guessed. On the other hand, if a password is hard to guess, then it is often hard to remember. To address this problem, some researchers have developed authentication methods that use pictures as passwords. In this paper, I conduct a comprehensive survey of the existing graphical password techniques. I classify these techniques into two categories: recognition-based and recall-based approaches. I discuss the strengths and limitations of each method and point out the future research directions in this area. I also developed three new techniques against the common problem that exists in the present graphical password techniques. In this thesis, the scheme of each new technique will be proposed; the advantages of each technique will be discussed; and the future work will be anticipated.
2

Aspects of computer network security

Lomas, Thomas Mark Angus January 1992
No description available.
3

Design and Analysis of Quantum Password Authentication Protocol

Zhuang, Er-Shuo 27 August 2007
In recent years, scientists have made some inspiring breakthroughs in quantum algorithms. In 1994, Peter Shor published Shor's Algorithm. He used the parallel property of quantum computing to do the quantum Fourier transform. In this way, a quantum computer can both factor large integers and solve discrete logarithm problems in polynomial time. Shor's Algorithm proved that most of the currently used public key systems such as RSA and ElGamal will be solved with quantum computers in polynomial time. Therefore, scientists began to research cryptography which is based on quantum physical qualities. In this paper, we designed two password authentication protocols. The security of the protocols is not based on classical computational complexity but on the principle of quantum mechanics. The first protocol uses additional quantum bits to prevent attackers. In this protocol, the transmitted bits are fewer than when directly using the BB84 protocol to generate a key and encode the password. The second protocol uses the property of quantum transmission. We used hash functions to increase the relationship between quantum bits, so the attackers cannot get direct information from eavesdropped quantum bits. Our objective is to show that the security of the protocols is not based on the irreversibility of functions, but on the properties of quantum mechanics.
4

Creating Usable Policies for Stronger Passwords with MTurk

Shay, Richard 01 February 2015
People are living increasingly large swaths of their lives through their online accounts. These accounts are brimming with sensitive data, and they are often protected only by a text password. Attackers can break into service providers and steal the hashed password files that store users’ passwords. This lets attackers make a large number of guesses to crack users’ passwords. The stronger a password is, the more difficult it is for an attacker to guess. Many service providers have implemented password-composition policies. These policies constrain or restrict passwords in order to prevent users from creating easily guessed passwords. Too lenient a policy may permit easily cracked passwords, and too strict a policy may encumber users. The ideal password-composition policy balances security and usability. Prior to the work in this thesis, many password-composition policies were based on heuristics and speculation, rather than scientific analysis. Passwords research often examined passwords constructed under a single uniform policy, or constructed under unknown policies. In this thesis, I contrast the strength and usability of passwords created under different policies. I do this through online, crowdsourced human-subjects studies with randomized, controlled password-composition policies. This result is a scientific comparison of how different password-composition policies affect both password strength and usability. I studied a range of policies, including those similar to policies found in the wild, policies that trade usability for security by requiring longer passwords, and policies in which passwords are system-assigned with known security. One contribution of this thesis is a tested methodology for collecting passwords under different policies. Another contribution is the comparison between password policies. 
I find that some password-composition policies make more favorable tradeoffs between security and usability, allowing evidence-based recommendations for service providers. I also offer insights for researchers interested in conducting larger-scale online studies, having collected data from tens of thousands of participants.
5

KeySafe The platform-independent password safe with external security

Björklund, Olof January 2015
Storing and accessing sensitive data has become an important task in today’s society. Many different services require login credentials for users to remember in order to authenticate themselves. A common habit is to use the same password for several services. This is considered a security risk since if someone uncovers the user’s password they will gain access to all of the different accounts using the same password. Hence users are encouraged to use different login credentials for different services, resulting in an increasingly large list of sensitive data the user needs to remember. KeySafe provides a password storage service which makes all your digital keys available with the use of a physical one. In this project, a platform-independent service has been created with an Android application which implements external authentication using NFC tags. Using Google App Engine with the Endpoints API backend the service becomes available to a range of different devices such as iPhone, PC, Tablet or Mac. This resulted in a flexible, secure system that makes it an easy task to use strong and independent passwords for different login-services. All data stored by the application is encrypted using the AES encryption cipher and the AES key needed for decryption is stored on the external NFC tag.
6

Lösenordsovanor – åldersrelaterat? / Password obsolete – age related?

Andersson, Sandra January 2019
This study aimed primarily at investigating if the role of age was important regarding password management and password habits of different users. Despite extensive research in password management, the problem remains that users create insecure passwords, leaving personal information and systems vulnerable to attackers. In order to examine users’ different password habits in different age categories, a multi-strategy study was conducted, which consisted of two methods, with both a questionnaire and interviews. The areas discussed in the study were whether the age was important on the user's password habits and the knowledge different users had about attackers' different methods. The study also discusses how the user thought about the creation of passwords in comparison with recommendations from existing studies of how a secure password is created and how the user remembered their password. The results of the surveys show no correlation between the user's age and password habits. However, a possible solution to the problem is finally discussed, as both previous studies and this study prove users today lack knowledge of secure passwords and lack of password habits.
7

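Lösenordshantering : Är lösenordspolicyn i en verksamhet tillräcklig för att de anställda ska bedriva säker lösenordshantering enligt ISO-standarder? [Password management: Is an organisation's password policy sufficient for the employees to practise secure password management according to ISO standards?]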

Soliman, Galal January 2018
Passwords are an important part of information security and work as a primary authentication method to protect user accounts. The purpose of this study is to investigate how an organisation’s employees follow the password policy and investigate if the password management is executed in an acceptable fashion from a security perspective and according to ISO standards. The method consisted of a survey and interviews, the results of which have been compared to ISO standards guidelines and the organisation’s password policy, a risk analysis and the development of a tool to memorize passwords. The result showed insufficiency in the password management of the employees. Through the analysis several actions have been found to constitute, restore and improve the password management and also preventing actions to keep the password management that is already sufficient.
The conclusions are that there is a need for improvement of the password management and from these needs proposals for actions have been extracted.
8

Password Management : A Study about Current Challenges with Password Management

Jalali, Ali, Assadi, Laila, Osman, Asma January 2023
Effective password management is crucial for safeguarding online accounts and sensitive information. This research examines the current challenges and provides alternative solutions for better password management. This study encompasses a comprehensive survey and interviews conducted with individuals across various professional backgrounds. A total of 137 online users participated in the survey, which spanned over a duration of 15 days. Additionally, four individuals were interviewed to gather more in-depth data. The study aimed to understand password selection behaviors and the factors influencing them. The goal is to develop practical strategies to enhance password security and mitigate unauthorized access to sensitive information. The purpose of the study is to provide valuable insights into the complexities of password management and contribute to the development of informed approaches for stronger password security. The study emphasizes the significance of password management and highlights the importance of educating users about the risks associated with weak passwords. The findings have implications not only for the research community but also for individuals and organizations seeking to understand user behavior and attitudes towards password systems. By gaining a deeper understanding of these aspects, it becomes possible to design more effective strategies to protect online accounts and sensitive data.
9

Mechanism Design in Defense against Offline Password Attacks

Wenjie Bai (16051163) 15 June 2023
The prevalence of offline password attacks, resulting from attackers breaching authentication servers and stealing cryptographic password hashes, poses a significant threat. Users' tendency to select weak passwords and reuse passwords across multiple accounts, coupled with computation advancement, further exacerbate the danger.

This dissertation addresses this issue by proposing password authentication mechanisms that aim to minimize the number of compromised passwords in the event of offline attacks, while ensuring that the server's workload remains manageable. Specifically, we present three mechanisms: (1) DAHash: This mechanism adjusts password hashing costs based on the strength of the underlying password. Through appropriate tuning of hashing cost parameters, the DAHash mechanism effectively reduces the fraction of passwords that can be cracked by an offline password cracker. (2) Password Strength Signaling: We explore the application of Bayesian Persuasion to password authentication. The key idea is to have the authentication server store a noisy signal about the strength of each user password for an offline attacker to find. We demonstrate that by appropriately tuning the noise distribution for the signal, a rational attacker will crack fewer passwords. (3) Cost-Asymmetric Memory Hard Password Hashing: We extend the concept of password peppering to modern Memory Hard password hashing algorithms. We identify limitations in naive extensions and introduce the concept of cost-even breakpoints as a solution. This approach allows us to overcome these limitations and achieve cost-asymmetry, wherein the expected cost of validating a correct password is significantly smaller than the cost of rejecting an incorrect password.

When analyzing the behavior of a rational attacker it is important to understand the attacker’s guessing curve i.e., the percentage of passwords that the attacker could crack within a guessing budget B. Dell’Amico and Filippone introduced a Monte Carlo algorithm to estimate the guessing number of a password as well as an estimate for the guessing curve. While the estimated guessing number is accurate in expectation the variance can be large and the method does not guarantee that the estimates are accurate with high probability. Thus, we introduce Confident Monte Carlo as a tool to provide confidence intervals for guessing number estimates and upper/lower bound the attacker’s guessing curves.

Moreover, we extend our focus beyond classical attackers to include quantum attackers. We present a decision-theoretic framework that models the rational behavior of attackers equipped with quantum computers. The objective is to quantify the capabilities of a rational quantum attacker and the potential damage they could inflict, assuming optimal decision-making. Our framework can potentially contribute to the development of effective countermeasures against a wide range of quantum pre-image attacks in the future.
10

Distributed cipher chaining for increased security in password storage

Odelberg, David, Holm, Carl Rasmus January 2014
As more services move on to the web and more people use the cloud for storage of important information, it is important that providers of such services can guarantee that information is kept safe. The most common way of protecting that data is to make it impossible to access without being authenticated as the user owning the data. The most common way for a user to authenticate and thereby becoming authorized to access the data, or service, is by making use of a password. The one trying to safeguard that password must make sure that it is not easy to come by for someone trying to attack the system. The most common way to store a password is by first running that password through a one-way function, known as a hash function, that obfuscates it into something that does not at all look related to the password itself. Whenever a user tries to authenticate, they type in their password and it goes through the same function and the results are compared. While this model makes sure that the password is not stored in plain text it contains no way of taking action in case the database of hashed passwords is leaked. Knowing that it is nearly impossible to be fully protected from malevolent users, the ones trying to safeguard information always need to try to make sure that it is difficult to extract information about users' passwords. Since the 70s the password storage has to a large extent looked the same. What is researched and implemented in this thesis is a different way of handling passwords, where the main focus is on making sure there are countermeasures in case the database leaks. The model described and implemented consists of software that makes use of the current best practices, with the addition of encrypting the passwords with a symmetric cipher. This is all done in a distributed way to move towards a paradigm where a service provider does not need to rely on one point of security.
The end result of this work is a working proof-of-concept software that runs in a distributed manner to derive users' passwords to an obfuscated form. The system is at least as secure as best current practice for storing users' passwords but introduces the notion of countermeasures once information has found its way into an adversary's hands.
