Figure 2 - uploaded by Xin (Robert) Luo
Content may be subject to copyright.
Confirmation page for account creation.

Source publication
Article
Full-text available
As one of the most common authentication methods, passwords help secure information by granting access only to authorized parties. To be effective, passwords should be strong, secret, and memorable. While password strength can be enforced by automated information technology policies, users frequently jeopardize secrecy to improve memorability. The...

Context in source publication

Context 1
... an account was successfully created, the participant would see a confirmation page displaying the user name and password for that account on the screen. Figure 2 depicts an example of a confirmation page. A shopping account was created for demonstration. ...

Citations

... Individuals do not need to struggle to remember the password of each account. Consequently, as an ideal alternative, biometric characteristics fulfill the "memorability" requirement, alleviating the memory burden imposed on users [50]. The semi-structured interviews also reflected similar claims. ...
... This digital technology is a resource in that it enables connection to the Internet, which was needed by both WFH employees and their work/study-from-home family members. Computer technology, however, demands time, attention, and effort if one is to abide by cybersecurity protocols and policies (Aurigemma, 2013; Zhang et al., 2009). There is demonstrated fatigue in complying with security regulations (Cram et al., 2021), and such regulations themselves may become stressful aspects of the job. ...
Article
Full-text available
Whether malicious or not, employees’ actions can have significant and detrimental outcomes for their organizations. Such is the case in organizational cybersecurity, as many issues stem from trusted individuals who have access to sensitive data, information, and systems. We explore the phenomenon of employees’ security violations in the context of pandemic-induced stressors among employees working from home (WFH) during a 10-day period of the COVID-19 pandemic. By assessing several categories of stressors and violation behaviors among 333 WFH employees daily for two work weeks, we discovered several stressors that significantly explained security violations during the pandemic. Within-person deviations in competing demands due to security emerged as a significant predictor of a subsequent increase in violations, and the effect of privacy invasion/monitoring concerns was marginally significant. We also found evidence that family-to-work conflict resulted in higher levels of daily security violations, but work-to-family conflict failed to exhibit any significant relationship with our outcome of interest. Unexpectedly, moderator analyses indicate that employees’ sharing of digital devices with others in the WFH environment might limit rather than exacerbate the effects of daily stressors on security violations. Thus, technology- and non-technology-related factors are associated with employees’ decisions to violate their organizations’ security expectations in a WFH environment. Our findings provide an expanded view of how stressors relate to employees’ security violations and what organizations can do to limit them in times of crises.
... On the other hand, a one-class SVM classifier is expected to output a Boolean value (i.e., "True" indicating that the user is genuine or "False" indicating that the user is suspicious). In case that the output is "False", Misbahuddin et al. propose the following Equation (13) to estimate the probability of this user being suspicious, also known as a risk score: ...
... $\mathrm{user\_parameter\_value}_i \times \mathrm{user\_parameter\_weight}_i$ (13)

where

$\mathrm{user\_parameter\_value}_i = \begin{cases} 0, & \text{if the user behavior exists in the user's past login records} \\ 1, & \text{if the user behavior does not exist in the user's past login records} \end{cases}$

After evaluating the impact that each user_parameter would have in determining potential risk for their system, Misbahuddin et al. proposed the user_parameter_weight values that appear in Table 1 (from least severe potential risk to most severe potential risk). Afterwards, the Risk Engine combined the three outputs from the three classifiers and assigned risk levels according to Table 2. Table 2 also presents the further actions that the user must perform for each identified risk level. ...
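The weighted-sum risk score above, carried through on sample login records, as an added worked example that is not code from Misbahuddin et al. or from the citing survey. The parameter names, the weights in PARAMETER_WEIGHTS and the thresholds in RISK_LEVELS are assumed for illustration and do not reproduce the paper's Table 1 or Table 2; the one-class classifier's Boolean verdict is taken as an input rather than recomputed.

```python
"""Weighted login-risk score in the style of Misbahuddin et al., Eq. (13).

Added worked example, not code from the cited paper. The parameter names,
weights (PARAMETER_WEIGHTS) and level thresholds (RISK_LEVELS) are assumed
for illustration; they do not reproduce the paper's Table 1 or Table 2.
"""

# Assumed weights, listed from least to most severe potential risk.
PARAMETER_WEIGHTS = {
    "browser": 1,
    "os": 1,
    "login_hour_bucket": 2,
    "device_id": 3,
    "geolocation": 4,
    "ip_address": 5,
}

# Assumed thresholds on the summed score and the action each level triggers.
RISK_LEVELS = [
    (0, "low", "allow"),
    (3, "medium", "require one-time code"),
    (8, "high", "require one-time code and security question"),
    (12, "critical", "block and notify account owner"),
]


def parameter_value(param, attempt, history):
    """user_parameter_value_i: 0 if the attempt's value for this parameter
    appears in the user's past login records, 1 if it has never been seen."""
    seen = {record.get(param) for record in history}
    return 0 if attempt.get(param) in seen else 1


def risk_score(attempt, history, weights=PARAMETER_WEIGHTS):
    """Sum over parameters of user_parameter_value_i * user_parameter_weight_i."""
    return sum(parameter_value(p, attempt, history) * w for p, w in weights.items())


def risk_level(score, levels=RISK_LEVELS):
    """Map a score to the highest level whose threshold it meets."""
    name, action = levels[0][1], levels[0][2]
    for threshold, level_name, level_action in levels:
        if score >= threshold:
            name, action = level_name, level_action
    return name, action


def assess_login(attempt, history, classifier_genuine):
    """Combine the one-class classifier's Boolean with the weighted score:
    only a 'False' (suspicious) verdict triggers the score computation."""
    if classifier_genuine:
        return {"score": 0, "level": "low", "action": "allow"}
    score = risk_score(attempt, history)
    level, action = risk_level(score)
    return {"score": score, "level": level, "action": action}


# Constructed sample data (not from the paper or any real system).
HISTORY = [
    {"browser": "firefox", "os": "linux", "login_hour_bucket": "morning",
     "device_id": "dev-A", "geolocation": "Athens", "ip_address": "203.0.113.10"},
    {"browser": "firefox", "os": "linux", "login_hour_bucket": "evening",
     "device_id": "dev-A", "geolocation": "Athens", "ip_address": "203.0.113.11"},
]
FAMILIAR_ATTEMPT = dict(HISTORY[0], login_hour_bucket="evening")
NEW_IP_ATTEMPT = dict(HISTORY[0], ip_address="198.51.100.7")
UNFAMILIAR_ATTEMPT = {
    "browser": "chrome", "os": "windows", "login_hour_bucket": "night",
    "device_id": "dev-B", "geolocation": "Sydney", "ip_address": "198.51.100.8",
}

if __name__ == "__main__":
    for label, attempt in [("familiar", FAMILIAR_ATTEMPT),
                           ("new ip", NEW_IP_ATTEMPT),
                           ("unfamiliar", UNFAMILIAR_ATTEMPT)]:
        print(label, assess_login(attempt, HISTORY, classifier_genuine=False))
```

A single unseen IP address scores 5 and lands in the assumed "medium" band, while an attempt in which every parameter is new scores the full 16 and is blocked; the point to take from the structure is that the score is only as discriminating as the weights, so a weight table should be revisited whenever a parameter becomes easy for an attacker to spoof.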
Article
Full-text available
Mobile user authentication acts as the first line of defense, establishing confidence in the claimed identity of a mobile user, typically as a precondition to allowing access to resources on a mobile device. NIST states that password schemes and/or biometrics comprise the most conventional user authentication mechanisms for mobile devices. Nevertheless, recent studies point out that password-based user authentication imposes several limitations in terms of security and usability; thus, it is no longer considered secure and convenient for mobile users. These limitations stress the need for the development and implementation of more secure and usable user authentication methods. Alternatively, biometric-based user authentication has gained attention as a promising solution for enhancing mobile security without sacrificing usability. This category encompasses methods that utilize human physical traits (physiological biometrics) or unconscious behaviors (behavioral biometrics). In particular, risk-based continuous user authentication relying on behavioral biometrics appears to have the potential to increase the reliability of authentication without sacrificing usability. In this context, we first present fundamentals of risk-based continuous user authentication relying on behavioral biometrics on mobile devices. Additionally, we present an extensive overview of existing quantitative risk estimation approaches (QREA) found in the literature. We do so not only for risk-based user authentication on mobile devices, but also for other security applications such as user authentication in web/cloud services, intrusion detection systems, etc., that could be adopted in risk-based continuous user authentication solutions for smartphones.
The target of this study is to provide a foundation for organizing research efforts toward the design and development of proper quantitative risk estimation approaches for risk-based continuous user authentication solutions for smartphones. The reviewed quantitative risk estimation approaches have been divided into the following five main categories: (i) probabilistic approaches, (ii) machine learning-based approaches, (iii) fuzzy logic models, (iv) non-graph-based models, and (v) Monte Carlo simulation models. Our main findings are summarized in the table at the end of the manuscript.
... Text-based password authentication is one of the most prevalent ways to secure these systems and accounts within organisations and within users' personal lives (Florêncio and Herley 2010; Keith, Shao, and Steinbart 2009; Seitz et al. 2017; Ur et al. 2016; Wang et al. 2016; Yang et al. 2016). However, the user is undermining the current authentication mechanism (Grawemeyer and Johnson 2011; Zhang et al. 2009). With widespread technology usage being an integral part of most people's life (Legner et al. 2017), the number of accounts and systems has exponentially increased. This is resulting in users struggling to remember all their passwords, and adopting insecure password behaviours, choosing memorability and/or convenience over password security (Grawemeyer and Johnson 2011; Tam, Glassman, and Vandenwauver 2010; Weir et al. 2009; Zhang et al. 2009). Users will adopt insecure password behaviours such as choosing weak passwords, reusing passwords, writing passwords down and storing them in an unsecured way (Adams and Sasse 1999; Campbell, Kleeman, and Ma 2006; Inglesant and Sasse 2010; Merdenyan and Petrie 2022; Seo and Park 2019; Zhang et al. 2009). Insecure password behaviours lead to a significant amount of money being lost and spent on security breaches (Brown et al. 2004; Ives, Walsh, and Schneider 2004; Mamonov and Benbunan-Fich 2018; Vu et al. 2007). ...
Article
Full-text available
The authentication process is the first line of defence against potential impostors, and therefore is an important concern when protecting personal and organisational data. Although there are many options to authenticate digital users, passwords remain the most common authentication mechanism. However, with password numbers increasing, many users struggle with remembering multiple passwords, which affects their security behaviour. Previous researchers and practitioners have attempted to suggest ways to improve password memorability and security simultaneously. We introduce a novel approach that utilises colour as a memory cue to increase password memorability and security. A longitudinal study examined in total over 3000 passwords that were created, learnt and recalled (the password process) over a period of five weeks. By adding colour to the password process, our results suggest that password memorability and security can be increased simultaneously. Giving the user the option of choosing the colours (compared with colours being preselected) encourages users to create more personal and meaningful memory cues when creating their passwords. Additionally, colour provides another security parameter by increasing password entropy. These unique results have practical implications for researchers and practitioners that could positively impact password security and reduce the financial losses suffered due to password security breaches.
... Research has been conducted to determine the causes of difficulty in remembering multiple passwords in terms of long-term memory [27], to explore methods for improving memorability via multiple verification [23], and to study users' password recall ability versus their perceptions of that ability, in order to determine why users have difficulty remembering passwords [22]. Password memorability and security have also been studied together, in the context of methods for creating memorable passwords that must also satisfy certain security-conscious password criteria [20], and in studying how password policy affects the recall, and the entropy, of passwords [14]. ...
... Empirical studies on improving multiple-password recall have been conducted by a number of researchers over time [24], [27]. In the work of Zhang et al. [27], users were asked to recall their own generated passwords one week after creating them, for the purpose of engaging their long-term memory; Zhang et al. proposed that "interference between different passwords is one of the major challenges to multiple-password recall and that interference alleviation methods can significantly improve multiple-password recall". ...
Conference Paper
Full-text available
Passwords are a ubiquitous element of our digital age, and the need for secure passwords is indispensable. However, traditionally secure passwords tend to be very difficult to remember, leading users to frustration in having to remake them or even to abandoning secure ones for the sake of memorability. On the other hand, passwords that are considered memorable tend to be less secure. Despite many studies on passwords, how users perceive password memorability is still poorly understood. This trade-off between security and memorability brings out the need to find a middle ground, leaving open the research question of whether passwords that are both memorable and secure are possible. In this paper, we address this very question by conducting a survey and a user study of memorability for certain categories of popular password styles. Next, we take the most memorable of these passwords and determine their security via a bits-of-entropy calculation commonly used to determine a password's strength against a traditional brute-force attack. Finally, we find the best performers on both memorability and security to locate the middle ground of password security and memorability. Our findings present a collection of both memorable and secure styles of passwords, including an infrequent but effective tactic for password remembrance.
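The bits-of-entropy calculation the abstract refers to, implemented as an added example that is not code from the paper or its authors. It applies the usual estimate bits = length x log2(alphabet size), inferring the alphabet from the character classes present, and pairs it with the caveat a practitioner would add: a leet-mangled dictionary word scores well against brute force and still falls to a dictionary attack. GUESSES_PER_SECOND and WORDLIST are assumed illustrative values, not measurements or a real cracking dictionary.

```python
"""Brute-force 'bits of entropy' estimate with a dictionary-attack caveat.

Added worked example, not code from the cited paper. It uses the common
estimate bits = length * log2(alphabet size), inferring the alphabet from the
character classes present. GUESSES_PER_SECOND and WORDLIST are assumed
illustrative values, not measurements or a real cracking dictionary.
"""
import math
import string

CHARACTER_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate against a fast hash

# Constructed toy wordlist; real attack dictionaries hold millions of entries.
WORDLIST = {"password", "qwerty", "letmein", "welcome", "dragon", "monkey"}
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s"})


def alphabet_size(password):
    """Size of the smallest alphabet an attacker must enumerate."""
    known = "".join(alphabet for alphabet, _ in CHARACTER_CLASSES)
    size = sum(n for alphabet, n in CHARACTER_CLASSES
               if any(c in alphabet for c in password))
    # Characters outside the four classes (space, non-ASCII) each add one symbol.
    size += len({c for c in password if c not in known})
    return size


def brute_force_bits(password):
    """Entropy against exhaustive search over the inferred alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def expected_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time: on average half the search space is tried."""
    return 2 ** bits / 2 / guesses_per_second


def dictionary_hit(password, wordlist=WORDLIST):
    """True if the password is a wordlist entry after case folding, leet
    reversal and stripping of digits/punctuation (a common mangling rule)."""
    stem = "".join(c for c in password.lower().translate(LEET) if c.isalpha())
    return stem in wordlist


def assess(password):
    bits = brute_force_bits(password)
    return {
        "bits": round(bits, 1),
        "crack_seconds": expected_crack_seconds(bits),
        "dictionary_hit": dictionary_hit(password),
    }


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd!", "lantern river copper oak"]:
        print(repr(candidate), assess(candidate))
```

"P@ssw0rd!" rates at roughly 59 bits by this calculation yet is flagged by the dictionary check, which is why the entropy figure alone should not be used to approve a password. For word-based passphrases the honest estimate is number of words x log2(wordlist size) rather than the per-character figure, which overstates their strength against an attacker who guesses whole words.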
... Perceived threat initiates protection motivation; when a threat is perceived, individuals then use a safeguard to prevent or mitigate the impact of the threat. Despite the rise in account hacking and ATO (Javelin, 2018), many users still employ weak passwords, share passwords, or improperly use passwords (Zhang et al. 2009). These actions often show a lack of motivation on the user's part to properly secure their accounts. ...
Article
Full-text available
Authentication plays an important role in securing our systems but is threatened by increasingly sophisticated account hacking and account takeover. Several security services have been developed, including multi-factor authentication (MFA), designed to cope with online account authentication. It remains unknown how users perceive and evaluate secure authentication for online account threats and consequently use it to protect their online accounts. Drawing on Protection Motivation Theory (PMT) and the literature on anticipated regret, this study investigates the factors that affect the use of MFA secure authentication to avoid online account threats. This work extends PMT by showing how the emotion of anticipated regret heightens appraisals of threat and coping.
... Firstly, these techniques are not able to distinguish between users; rather, they authenticate anyone who presents valid credentials. Zhang et al. [20] describe users' difficulties in memorizing and correctly recalling several passwords. Consequently, users set passwords that are easy or simple to remember, making mobile devices vulnerable to numerous attacks, e.g., guessing and dictionary attacks. ...
... Therefore, users set simple patterns that a malicious actor could guess or observe. This illustrates the generally acknowledged conception that knowledge-based schemes are problematic [15], [16], [20]. ...
Article
Full-text available
Nowadays the critical sector of transport is becoming progressively more dependent on digital technologies to perform essential activities and to develop novel, efficient transport services and infrastructure that empower economic and social cohesion, exploiting the economic strengths of the European Union (EU). However, although the continuously increasing number of visitors entering the EU through land-border crossing points or seaports brings immense economic value, novel border control solutions, such as mobile devices for passenger identification at land/sea border control, are essential to identify passengers precisely "on the fly" while ensuring their comfort. Nevertheless, these devices are expected to handle highly confidential personal data and are therefore very likely to become an attractive target for malicious actors. Therefore, to ensure a high level of device security without interrupting border control activities, strong, secure and usable user authentication mechanisms are required. Towards this direction, we first discuss risk-based and adaptive authentication for mobile devices as a suitable approach to the security vs. usability challenge, and a novel risk-based adaptive user authentication mechanism is proposed to address it. Afterwards, a set of popular Machine Learning (ML) classification algorithms for risk-based authentication was tested and evaluated on the HuMIdb (Human Mobile Interaction database) dataset to identify the most appropriate ones for the proposed mechanism. The evaluation results demonstrated the impact of overfitting (i.e., an accuracy of 1.0000); we therefore considered novelty detection algorithms to overcome this challenge, and they demonstrate high performance. To the best of our knowledge, this is the first time that novelty detection algorithms have been considered for risk-based adaptive user authentication, showing promising results (OneClassSVM 0.9536, LOF 0.9740, KNN_average 0.9998).
... SplashData, a password management company, publishes the world's 100 worst passwords every year to raise awareness of the dangers of using weak passwords. When users choose their passwords without guidance, they are usually weak and easy to guess [32,33]. Therefore, organizations and services opt to enforce password policies that encourage users to create strong passwords. ...
Article
Full-text available
Today, online users will have an average of 25 password-protected accounts online, yet use, on average, 6.5 passwords. The excessive cognitive burden of remembering large amounts of passwords causes Password Fatigue. Therefore users tend to reuse passwords or recycle password patterns whenever prompted to change their passwords regularly. Researchers have created Adaptive Password Policies to prevent users from creating new passwords similar to previously created ones. However, this approach creates user frustration as it neglects users’ cognitive burden. This paper proposes a novel User-Centric Adaptive Password Policy (UCAPP) Framework for password creation and management that assigns users system-generated passwords based on a cognitive-behavioural agent-based model. The framework comprises a Password Policy Assignment Test (PassPAST), a Cognitive Burden Scale (CBS), a User Profiling Algorithm, and a Password Generator (PassGEN). The framework creates tailor-made password policies that maintain password memorability for users of different cognitive thresholds without sacrificing password strength and entropy. The framework successfully created 30-40% stronger passwords for Critical users and random (non-mnemonic) passwords for Typical users based on each individual’s cognitive password thresholds in a preliminary test.
... A user would require at least four passwords per year for each service (the permanent personnel possess at least two accounts for a PC in the intranet and the military email). Although the individual passwords comply with the typical secure password strategies, the common choice is a memorable prefix appended with some additional characters [33]. The problem is dominant in the case of conscript privates. ...
Conference Paper
Full-text available
Pairs of usernames and passwords are widely used nowadays by mobile and web applications to identify users. The exposure of this data harms both users and vendors. The client-server model is the most common: the provided services implement front-end interfaces that run on the client's side and back-end interfaces that run on the server side. A proper password management policy governs password creation, storage, processing, and transmission at both ends. This article overviews the theory and provides a practical guide to password management and the implementation of a safe login process for mobile and web application developers and IT organizations. Empirical research and several case studies survey the password habits of three universities, an army school, an IT company, and two accounting offices in the province of Crete in Greece. Moreover, a software benchmark analysis is conducted for the computationally demanding primitives of the secure login operations.
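The server-side half of the safe login process the abstract describes (salted, iterated password hashing; constant-time verification; a cost benchmark for the expensive primitive), as an added example that is not the article's code and does not reproduce its benchmark. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the time budget in iterations_for_budget() and the user table are assumptions chosen so the demo runs quickly, not tuned production values.

```python
"""Server-side password storage and verification for a login endpoint.

Added worked example, not the cited article's code or benchmark. It uses
PBKDF2-HMAC-SHA256 from the Python standard library; ITERATIONS and the
time budget in iterations_for_budget() are assumptions chosen so the demo
runs quickly, not tuned production values.
"""
import base64
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 60_000  # assumed demo cost; raise it to meet your latency budget
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per password defeats precomputed tables."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password, record):
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True if the stored cost is below current policy; rehash on next login."""
    return int(record.split("$")[1]) < iterations


# Dummy record so that unknown usernames cost the same as known ones;
# otherwise response time reveals which usernames exist.
_DUMMY_RECORD = hash_password("dummy-password-for-timing")


def check_login(username, password, user_records):
    record = user_records.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in user_records


def seconds_per_hash(iterations, rounds=3):
    """Benchmark the computationally demanding primitive of the login path."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, iterations, dklen=KEY_BYTES)
    return (time.perf_counter() - start) / rounds


def iterations_for_budget(target_seconds=0.05, probe=20_000):
    """Scale the iteration count linearly so one verification fits the budget."""
    measured = seconds_per_hash(probe)
    return max(probe, int(probe * target_seconds / measured))


if __name__ == "__main__":
    # Constructed user table for the demo.
    users = {"alice": hash_password("lantern river copper oak")}
    print("good login:", check_login("alice", "lantern river copper oak", users))
    print("bad password:", check_login("alice", "wrong", users))
    print("unknown user:", check_login("mallory", "anything", users))
    print("suggested iterations for 50 ms:", iterations_for_budget())
```

Storing the algorithm and iteration count inside the record is what lets needs_rehash() raise the cost over time without a migration, and verifying against a dummy record for unknown usernames keeps the login endpoint from leaking account existence through response time. The benchmark is the part to rerun on the actual server hardware: the right iteration count is whatever fills the latency budget there, not a number copied from a demo.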
... Despite this, they require users to memorize their passwords to unlock the device every time it is needed. In [9], Zhang et al. describe users' difficulties in memorizing and correctly recalling several passwords. As a consequence, users set passwords that are easy or simple to remember, making mobile devices vulnerable to numerous attacks, e.g. ...