Creating Usable Policies for Stronger Passwords with MTurk

Author: Richard Shay

DOI:

Keywords: restrict, Password, Password policy, Password strength, Internet privacy, Computer security, Business, Cognitive password, Usability, Service provider, Heuristics

Abstract: People are living increasingly large swaths of their lives through online accounts. These accounts are brimming with sensitive data, and they are often protected only by a text password. Attackers can break into service providers and steal the hashed password files that store users' passwords. This lets attackers make a large number of guesses to crack those passwords. The stronger a password is, the more difficult it is for an attacker to guess. Many service providers have implemented password-composition policies. These policies constrain or restrict passwords in order to prevent users from creating easily guessed passwords. A too-lenient policy may permit easily cracked passwords, while a too-strict policy may encumber users. The ideal policy balances security and usability. Prior to the work in this thesis, many policies were based on heuristics and speculation rather than on scientific analysis. Password research often examined passwords constructed under a single, uniform policy, or under an unknown policy. In this thesis, I contrast the strength and usability of passwords created under different policies. To do so, I conduct online, crowdsourced human-subjects studies with randomized, controlled designs. The result is a comparison of how policies affect both strength and usability. I studied a range of policies, including those similar to ones found in the wild, those that trade off requiring longer passwords, and system-assigned passwords of known security. One contribution of this thesis is a tested methodology for collecting passwords. Another is a comparison between policies that finds some with favorable tradeoffs between security and usability, allowing evidence-based recommendations to service providers. I also offer insights for researchers interested in conducting larger-scale studies, having collected data from tens of thousands of participants.
