PASSWORD STRENGTH ANALYSIS: COPING MECHANISMS IN PASSWORD SELECTION
Brian Curnett and Teri Flory, Masters Students
The Center for Education and Research in Information Assurance and Security
CURRENT STATUS
Problem Statement
- Stringent requirements in password policies lead users to adopt coping mechanisms when creating passwords.
- These coping mechanisms decrease the strength of the passwords created; the question is whether this undoes the security the strict policy was meant to provide.
Motivation
- Passwords are the most commonly used authentication measure.
- They often require frequent modification.
- Predominantly, past studies have reviewed how hard or easy it is to crack a password.
- Most studies have ignored, or only minimally focused on, user coping mechanisms.
- Only a few studies have looked at how modification of passwords over time affects coping mechanisms or password strength.
ENTROPY
What is entropy?
- The calculation NIST uses (SP 800-63, Appendix A) to estimate the strength of a user-chosen password.
- Points (bits) are assigned based on specific factors of the password or the password policy: 4 bits for the first character, 2 bits for each of characters 2 to 8, 1.5 bits for each of characters 9 to 20 and 1 bit for each character beyond that, plus fixed bonuses for the policy factors below.
Factors
- Length of password
- Use of non-alphabetic characters
- Use of capital letters
- Use of a dictionary check
DESIGN OF STUDY
- Participants log in to the Mechanical Turk website and choose the HIT
- They open the HIT and click on the link to the study website
- Upon arrival, the participant is assigned a password policy (which follows the participant throughout the study)
- The user creates a password and then completes a survey
- The user logs in every week for 7 weeks
- Every week the user is required to change the password
- After creating the password, the user takes a short survey:
  - the first is demographic
  - the second through sixth are filler questions about information security
  - the seventh is about the specific coping mechanisms used throughout the study
COLLECTION OF DATA FROM WEBSITE
- Data is stored automatically in a MySQL database, from which it can be exported as .csv and opened in Excel or analyzed in a statistical package such as SAS
COPING MECHANISMS IDENTIFIED: ANALYSIS OF COPING MECHANISMS IN USER-CREATED PASSWORDS
Coping mechanism identified, and the resulting decrease in entropy:
A. Repeating digits within the same password: divide the actual entropy by the number of repeats
B. Repeating passwords across time: subtract the entropy of the portion repeated
C. Incrementing numbers across time: decrease entropy by 6 (the entropy gained by adding non-alphanumeric characters)
D. Repeating non-alphabetic characters or capital letters: decrease entropy by 6 (the entropy gained by adding non-alphanumeric characters)
E. Changing a letter from lowercase to capital but keeping the same word across time: subtract the entropy of the word, but keep the increase of 6 for the capital letter
F. Capital letter first or number/special character last: decrease entropy by 6 (the entropy gained by adding a non-alphanumeric character or capital letter)
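The NIST estimator from the ENTROPY slide and the six deductions above, worked through in Python as an added example (this is not the study's code and not NIST's). The estimator follows SP 800-63 Appendix A and reproduces the per-policy NIST values on the practice-data slide (24, 24, 30). The deductions are one reading of the slide's one-line rules: the 4-character threshold for "portion repeated", treating "number of repeats" as how many times a digit occurs, the order in which rules are applied, and the zero floor are all assumptions, flagged in comments. The policy table and the weekly password sequence are constructed for illustration.

```python
from __future__ import annotations

import re

# Policy table mirroring the POLICIES slide; only the two NIST bonuses matter here (assumed mapping).
POLICIES = {
    "Comprehensive8": dict(composition_rule=True, dictionary_rule=False),
    "BlacklistHard": dict(composition_rule=False, dictionary_rule=True),
    "Basic16": dict(composition_rule=False, dictionary_rule=False),
}


def char_bits(position: int) -> float:
    """Bits SP 800-63 credits to the character at a 1-based position."""
    if position == 1:
        return 4.0
    if position <= 8:
        return 2.0
    return 1.5 if position <= 20 else 1.0


def nist_entropy(pw: str, composition_rule: bool = False, dictionary_rule: bool = False) -> float:
    """SP 800-63 Appendix A estimate: per-character credit, +6 when the policy forces
    upper case AND a non-alphabetic character, and a dictionary-check bonus of 6 bits
    at 8 characters tapering to 0 at 20 (linear taper between NIST's table rows assumed)."""
    bits = sum(char_bits(p) for p in range(1, len(pw) + 1))
    if composition_rule:
        bits += 6
    if dictionary_rule:
        bits += max(0.0, min(6.0, 6 - (len(pw) - 8) / 2))
    return bits


def longest_common_substring(a: str, b: str) -> tuple[int, int]:
    """(start index in a, length) of the longest substring that a shares with b."""
    best = (0, 0)
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            if k > best[1]:
                best = (i, k)
    return best


LAST_NUMBER = re.compile(r"\d+(?=\D*$)")  # final digit run, even when a symbol follows it


def post_coping_entropy(pw: str, prev: str | None, policy: str) -> tuple[float, list[str]]:
    """Apply the slide's deductions to pw given last week's password prev (None in week 1).
    Assumed order: E short-circuits; B, C, D, F subtract; A divides last; result floored at 0."""
    bits = nist_entropy(pw, **POLICIES[policy])
    applied: list[str] = []
    # E: same word, only the capitalisation changed -> keep just the 6-bit capital bonus.
    if prev and pw != prev and pw.lower() == prev.lower():
        return 6.0, ["E"]
    if prev:
        # B: material reused from last week -> remove the bits credited to that run
        # (a shared run of 4+ characters is treated as reuse; threshold assumed).
        start, length = longest_common_substring(pw, prev)
        if length >= 4:
            bits -= sum(char_bits(p) for p in range(start + 1, start + length + 1))
            applied.append("B")
        # C: last week's number plus one -> -6.
        cur, old = LAST_NUMBER.search(pw), LAST_NUMBER.search(prev)
        if cur and old and int(cur.group()) == int(old.group()) + 1:
            bits -= 6
            applied.append("C")
    # D: the same capital letter or special character used more than once -> -6.
    marks = [c for c in pw if c.isupper() or not c.isalnum()]
    if len(marks) != len(set(marks)):
        bits -= 6
        applied.append("D")
    # F: capital first or digit/symbol last, the placements a cracker tries first -> -6.
    if pw[:1].isupper() or (pw and not pw[-1].isalpha()):
        bits -= 6
        applied.append("F")
    # A: some digit occurs k >= 2 times -> divide by k (k read as "the number of repeats").
    digits = [c for c in pw if c.isdigit()]
    k = max((digits.count(d) for d in set(digits)), default=0)
    if k >= 2:
        bits /= k
        applied.append("A")
    return max(bits, 0.0), applied


def weekly_report(policy: str, weekly_passwords: list[str]) -> list[tuple[str, float, float, list[str]]]:
    """One participant's weeks as (password, NIST bits, post-coping bits, rules applied)."""
    rows, prev = [], None
    for pw in weekly_passwords:
        post, rules = post_coping_entropy(pw, prev, policy)
        rows.append((pw, nist_entropy(pw, **POLICIES[policy]), post, rules))
        prev = pw
    return rows


if __name__ == "__main__":
    # Constructed sample sequence for one Comprehensive8 participant (not study data).
    for row in weekly_report("Comprehensive8", ["Summer2014!", "Summer2015!", "SUMMER2015!"]):
        print(row)
```

Running the sample sequence shows why the deductions matter more than the raw estimate: "Summer2014!" is credited 28.5 NIST bits but only 22.5 after rule F, and the next week's "Summer2015!" loses its shared prefix (B), the increment (C) and the placement (F) and bottoms out at the floor, which is the deck's point that a one-digit bump on last week's password is close to free for a cracker.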
POLICIES
COMPREHENSIVE 8
-At least 8 characters
-At least one lower case character
-At least one capital letter
-At least one number
-At least one special character
BLACKLIST HARD
-At least 8 characters
-No English words
BASIC 16
-At least 16 characters long
SURVEY QUESTIONS: DEMOGRAPHIC AND COPING MECHANISMS USED*
DEMOGRAPHIC QUESTIONS
1. Gender
2. Age
3. Was English your first language
4. Race
5. Marital status
6. Ethnicity
7. Education level attained
8. Primary occupation
9. Income level
COPING MECHANISMS USED
1. Did you use the same password here that you use on another account
2. Did you use a similar password here to one you use on another account (with a definition of "similar")
3. Did you write down your password (when and why)
4. Did you use personal information when creating your password
5. Were you frustrated with the password policy
6. What type of device did you use to access this study
7. In previous experience with passwords, have you ever been frustrated by a policy
8. Does having to change your password often frustrate you
9. How many accounts do you have with passwords
10. Have you ever written down a password
11. Have you ever used the same password for different accounts
*The actual questions used in the survey are available upon request
SURVEY QUESTIONS: FILLER QUESTIONS ON INFOSEC*
1. Were you affected by the Home Depot breach
2. Do you subscribe to Wired magazine
3. Do you read terms of service policies
4. Do you regularly back up your computer system
5. Are you more concerned with your financial data or health data
6. Are you familiar with Stuxnet
7. What computer operating system do you use
8. Are you concerned about cybercrime
9. Are you able to recognize spam
10. Are you concerned about identity theft
11. Have you ever heard of Stop, Think, Connect
12. Have you heard of Stop, Drop, and Roll
*The full list of questions is available upon request
PROPOSED DATA ANALYSIS CONDUCTED ON PRACTICE PASSWORDS

                             Comprehensive8   BlacklistHard    Basic16
N                            33               34               37
NIST entropy (bits)          24               24               30
Mean entropy (bits)          29.31            29.69            38.79
Standard deviation           6.09             3.80             6.52
95% confidence interval      (27.16, 31.48)   (28.37, 31.02)   (37.91, 42.25)
Post-coping entropy (bits)   25.86            28.93            34.68
PRACTICE DATA ENTROPY ANALYSIS
[Bar chart: NIST entropy, mean entropy and post-coping entropy for Basic16, BlacklistHard and Comprehensive8; y-axis 0 to 50 bits]
Interesting note: all post-coping entropy calculations are greater than the NIST entropy for each policy
ANALYSIS
Within policy, within week
- NIST entropy of each password
- Average NIST entropy at each week across participants
- Confidence interval of entropy at each week
- Post-coping entropy: entropy loss from coping mechanisms at that week
- ANOVA test of post-coping entropy against the NIST policy entropy
- ANOVA test of post-coping entropy against the NIST average entropy at each week
Within policy, across weeks
- Average NIST entropy for each participant
- Confidence interval of entropy for the policy
- Average entropy loss per week
- Sum of entropy loss per user
- Confidence interval of entropy loss of all users per policy
- ANOVA test of post-coping entropy against the NIST average entropy
- Does entropy change each week independently of the policy?
Across policies, within weeks
- ANOVA and Tukey test of post-coping entropy against the NIST average entropy
- Do different policies lose entropy through coping mechanisms at different points in the password change cycle?
Across policies, across weeks
- ANOVA and Tukey test of post-coping entropy against the NIST average entropy
- Does one of our policies provide more effective protection than the others?
PROGRESS: INSTITUTIONAL REVIEW BOARD AND MECHANICAL TURK
IRB
- Approval received
Mechanical Turk
- Results of first HIT published
- Restrictions on allowed Workers for first HIT
IRB Amendment
- Approval just received
Mechanical Turk
- Next step is to re-enter information and fax a copy of a driver's license for validation
WORK REMAINING: FINAL REPORT AND PRESENTATION
Upon IRB amendment approval:
- Collect data on Mechanical Turk
- Analyze the data collected
- Continue to work on reconciling the Amazon Mechanical Turk validation problem
QUESTIONS, COMMENTS, OR SUGGESTIONS?