
Exploring the 'Weakest Link': A Study of Personal Password Security PDF

137 Pages·2007·2.4 MB·English
by Gilbert Notoatmodjo

Preview Exploring the 'Weakest Link': A Study of Personal Password Security

Computer Science Department, The University of Auckland, New Zealand

Exploring the ‘Weakest Link’: A Study of Personal Password Security

Gilbert Notoatmodjo

Submitted, 15 July 2007
Accepted for MSc (First Class Honours), 15 November 2007
Minor revisions, 06 December 2007
Supervisor: Clark Thomborson

A thesis submitted in fulfillment of the requirements for the degree of Master of Science in Computer Science

Abstract

The security of most password authentication mechanisms hinges on the secrecy of only a single word: if an adversary obtains knowledge of a victim’s password, the adversary will be able to impersonate the victim and gain access to the resources to which the victim is entitled. Although cryptographic means and protocols offer some degree of protection during the transmission and storage of passwords, users are often left protected by nothing but security policies and guidelines, which are often neglected. Various studies have shown that users are the ‘weakest link’ in any password authentication mechanism, due to their propensity to create weak passwords and to reuse passwords on multiple accounts. While various identity management solutions have been developed to address the prevalence of users’ insecure password practices, these solutions still suffer from their own problems and drawbacks. Before we can work towards a more appropriate solution to users’ insecure password practices, it is necessary to study the underlying cause of these practices, which lies within users’ perceptions of their accounts and passwords. In this thesis, we present the findings from our exploratory, survey-based study, which investigated how users’ perceptions of their accounts and passwords influence their password selection. Our findings revealed that our participants mentally classified their accounts and passwords into several groups based on various perceived similarities. We also discovered that they tended to use passwords that they perceived to be stronger, and did not reuse passwords as often, in account groups which they considered important.

Acknowledgement

After countless sleepless nights accompanied by hundreds of cups of coffee and bars of chocolate, finally comes the time to write my acknowledgement page. I would like to first and foremost express my gratitude to my supervisor, Clark Thomborson, for providing his constructive advice, guidance, expertise and friendship during this whole year (…and free luncheon, a spot in a ‘corner’ office…the list goes on!). I would also like to thank (‘Lord Professor’) Stephen Drape (‘FRS’), (‘Dr.’) Anirban Majumdar, David Leung, Jasvir Nagra and Jinho Lee at the Secure Systems Group (SSG) for their friendship and support during this project. Thanks to Robin Young and Anita Lai from the Computer Science Department for providing me with all the necessary help during the survey and allowing me to use (read: drag and abuse) the departmental shredder. I am also grateful to Shirley Gaw at Princeton University for sharing her survey instruments. Special thanks go to both of my awesome parents for their love, emotional and financial support, and also for coping with me during my 5th Eriksonian stage. I would also like to credit my dad for raising my interest in computer security and my mom for her tireless efforts. Special thanks also go to Angela Halim from the Physiology Department for providing editorial help, constant support and TLC. Last but not least, I would like to thank all participants who took part in this study (and also all subjects who were involved in my earlier, not-so-ethical security ‘experiments’). As much as I would like to mention your names, my signature on the ethics application form, which was scribbled at gunpoint, prohibits me from doing so; I can only hope that the compensation was well spent! Thanks to everyone who helped make this possible.

Table of Contents

Abstract ..... iii
Acknowledgement ..... iii
1. Introduction ..... 1
1.1. What Is Identity? ..... 2
1.2. Digital Identity ..... 5
1.3. Digital Persona ..... 11
2. Password Authentication ..... 13
2.1. Overview of Password Authentication ..... 13
2.2. Issues with Password Authentication ..... 15
2.2.1. Attacks on Password Authentication Mechanisms ..... 16
2.2.2. Human Factor and Insecure Password Practices ..... 24
2.2.3. The Danger of Password Reuse ..... 26
2.2.4. Current Solutions: One Password, Many Accounts ..... 27
2.2.5. Summary ..... 35
3. Our Study ..... 37
3.1. Motivation ..... 37
3.2. Previous User Studies on Password Authentication ..... 38
3.2.1. Morris and Thompson (1979) ..... 39
3.2.2. Riddle et al. (1989) ..... 39
3.2.3. Adams and Sasse (1999) ..... 40
3.2.4. Dhamija and Perrig (2000) ..... 41
3.2.5. Petrie (2001) ..... 42
3.2.6. Brown et al. (2004) ..... 43
3.2.7. Yan et al. (2004) ..... 44
3.2.8. Riley (2006) ..... 45
3.2.9. Gaw and Felten (2006) ..... 46
3.2.10. Florencio and Herley (2007) ..... 48
3.3. Discussion ..... 50
4. Survey Design ..... 55
4.1. Ethical Issues and Considerations ..... 55
4.2. Survey Methods ..... 58
4.2.1. Preparation ..... 58
4.2.2. Survey Procedures ..... 60
5. Results ..... 68
5.1. Data Description ..... 70
5.1.1. Descriptive Statistics ..... 70
5.1.2. Effects of Gender and Qualifications ..... 75
5.2. Password Properties: What Do People Think of Their Passwords? ..... 79
5.3. Password Reuse Statistics ..... 83
5.3.1. The Growth of Accounts and Passwords ..... 83
5.3.2. Occurrences of Password Reuse ..... 86
5.3.3. Why Do People Reuse Passwords? ..... 89
5.4. Account and Password Groupings ..... 90
5.4.1. Similarities Used for Grouping ..... 90
5.4.2. Association between Account Groups and Password Groups ..... 96
5.4.3. High Importance Account Groups ..... 97
5.5. Compliance with University of Auckland Regulations ..... 101
6. Conclusion ..... 104
6.1. Summary and Comparison of Our Findings ..... 106
6.2. Implications of Our Findings ..... 110
6.3. Future Directions ..... 112
Appendix A ..... 115
Appendix B ..... 139
Appendix C ..... 163
References ..... 188

Table of Figures

Figure 1: Examples of biometric characteristics. ..... 9
Figure 2: New Zealand Biometric Passport. ..... 10
Figure 3 a, b: Typical enrolment procedures in password authentication mechanisms (simplified). ..... 14
Figure 4: Password authentication process. ..... 15
Figure 5: Classification of attacks on password authentication mechanisms based on targets of the attacks. ..... 16
Figure 6: Ethereal in action. ..... 19
Figure 7: Phishing e-mail targeted to Westpac Bank customers, received by the author on 27 September 2006. ..... 23
Figure 8: A simplified illustration of the current password authentication scenario (also termed the isolated identity model). ..... 28
Figure 9: A simplified illustration of the centralized identity model. ..... 29
Figure 10: A simplified illustration of the federated identity model. ..... 31
Figure 11: Chronologies of user studies on password authentication. ..... 38
Figure 12: Plot of reuse ratio vs. number of accounts from Gaw & Felten’s findings. ..... 48
Figure 13: Example of account and password groupings. ..... 52
Figure 14: Example of account and password groupings. ..... 53
Figure 15: Our posters in various locations within The University of Auckland. ..... 59
Figure 16: Seating arrangements during our survey. ..... 61
Figure 17: A bar plot showing the distribution of the participants by degrees pursued. ..... 70
Figure 18 a, b: A comparison of the distribution of degrees pursued between the overall student population at The University of Auckland [144] (a) and our survey participants (b). ..... 71
Figure 19: A bar plot showing the distribution of the participants by majors of study. ..... 72
Figure 20: Histograms showing the distribution of number of passwords (NOP), number of accounts (NOA), number of password groups (NOPG) and number of account groups (NOAG). ..... 73
Figure 21: Histograms showing the distribution of Years of Computing Experience (YOCE) and Years of Internet Experience (YOIE). ..... 75
Figure 22: Scatter plot showing the relationship between length of passwords and perceived security level, and between length of passwords and difficulty of recall. ..... 81
Figure 23: Scatter plot showing a positive relationship between perceived security level and difficulty of recall. ..... 82
Figure 24: Two scatter plots showing the relationships between Number of Passwords and Years of Computing Experience (YOCE), and between Number of Passwords and Years of Internet Experience (YOIE). ..... 85
Figure 25: A scatter plot showing the relationship between number of accounts and number of password reuse occurrences. ..... 86
Figure 26: A histogram showing the distribution of high importance account groups per participant. ..... 98
Figure 27: Box plot showing the differences in size of high importance account groups and low importance account groups. ..... 99
Figure 28: Who knows your password? Part of a series of posters published by The University of Auckland Information Security Management Team to promote safe IT practices in 2006. ..... 102

Table of Tables

Table 1: Erikson’s eight stages of identity formation (adapted from [9]). ..... 4
Table 2: An example of the table used in Step 2. ..... 62
Table 3: An example of the table used in Step 3. ..... 63
Table 4: An example of the table used in Step 4. ..... 64
Table 5: An example of the table used in Step 5. ..... 64
Table 6: Descriptive statistics of number of passwords (NOP), number of accounts (NOA), number of password groups (NOPG) and number of account groups (NOAG). ..... 74
Table 7: Descriptive statistics of Years of Computing Experience (YOCE) and Years of Internet Experience (YOIE). ..... 75
Table 8 a, b, c, d: Results of two-way ANOVA assessing the effects of gender and qualifications on Number of Passwords (NOP), Number of Password Groups (NOPG), Number of Accounts (NOA), and Number of Account Groups (NOAG). ..... 78
Table 9: Summary of the coefficients in our regression model using Years of Internet Experience (YOIE) as a predictor for Number of Accounts (NOA). ..... 84
Table 10: Summary of all possible linear regression models using Years of Internet Experience (YOIE) and Years of Computing Experience (YOCE) as predictors for Number of Passwords (NOP). ..... 85
Table 11: Summary of our linear regression model, which uses Number of Accounts (NOA) as a predictor for the number of password reuse occurrences. ..... 87
Table 12: Password reuse statistics. ..... 88
Table 13: Reasons cited for not reusing passwords (sorted by frequency). ..... 89
Table 14: Reasons cited for reusing passwords (sorted by frequency). ..... 90
Table 15: Distribution of types of similarity used for grouping accounts. ..... 93
Table 16: Distribution of types of similarity used for grouping passwords. ..... 95
Table 17: Illustration of the distribution of passwords and accounts over groups. ..... 96
Table 18: Descriptions of account groups which are considered of high importance. ..... 101

“There is nothing more difficult to take in hand, more perilous to conduct or more uncertain in its success than to take the lead in the introduction of a new order of things.” – Niccolo Machiavelli

1 Introduction

As most modern computer systems are intended to accommodate multiple users, the ability to authenticate different users becomes imperative. Up to the time of this writing, password authentication is the most commonly used authentication method in computer systems. In password authentication, the identity of an individual is verified based on his/her ability to present a previously agreed word. For this reason, the security of password authentication schemes hinges on the secrecy of only a single word: if an adversary obtains knowledge of a victim’s password, the adversary will be able to impersonate the victim and gain access to the resources to which the victim is entitled. Although cryptographic means and protocols offer some degree of protection during the transmission and storage of passwords, users are often left protected by nothing but security policies and guidelines, which are often neglected, making them the ‘weakest link’ of any password authentication mechanism. Previous studies have shown that users have a propensity to create weak passwords and to reuse passwords across multiple accounts. Password reuse was cited in various literatures
