Password security: An empirical study

Journal of Management Information Systems

Volumn 15, Issue 4, 1998, Pages 161-185

  Zviran, Moshe ^a,b,c   Haga, William J ^c,d,e  

^a TEL AVIV UNIVERSITY   (Israel)

^b CLAREMONT GRADUATE UNIVERSITY   (United States)

^c NAVAL POSTGRADUATE SCHOOL   (United States)

^d UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN   (United States)

^e Inter Univ Sem Armed Forces Soc

Author keywords

Access control; Information system security; Passwords; User authentication

Indexed keywords

EID: 0033277446     PISSN: 07421222     EISSN: None     Source Type: Journal    
DOI: 10.1080/07421222.1999.11518226     Document Type: Article

References (65)

1. Adams, S. How to keep a secret. Forbes, 157, 7 (April 1996), 108-109.
2. Ahituv, N.; Lapid, Y.; and Neumann, S. Verifying the authentication of an information system user. Computers and Security, 6, 2 (1987), 152-157.
3. Avarne, S. How to find out a password. Data Processing & Communication Security, 12, 2 (Spring 1988), 16-17.
4. Ball, L., and Harris, R. SMIS member, a membership analysis. MIS Quarterly, 6, 1 (March 1982), 19-38.
5. Barton, B.F., and Barton, M.S., User-friendly password methods for computer-mediated information systems. Computers and Security, 3, 3 (1988), 186-195.
6. Bishop, M., and Klein, D.V. Improving system security via proactive password checking. Computers and Security, 14, 3 (1995), 233-249.
7. Botting, J. Security on the Internet: authenticating the user. Telecommunications, 31, 12 (December 1997), 77-79.
8. Bradner, S. But will they pay attention this time? Network World, 14, 4 (January 1997), 32-34.
9. Brancheau, J.C., and Wetherbe, J.C. Key issues in information systems management. MIS Quarterly, 12, 1 (March 1987), 23-36.
10. Brancheau, J.C., and Wetherbe, J.C. Key issues in information systems management: 1994-95 SIM/Delphi results. MIS Quarterly, 20, 2 (June 1996), 225-242.
11. Broderick, J. Who knows who you are? Infoworld, 19, 24 (June 1997), 108-112.
12. Cooper, D.R., and Emory, C.W., Business Research Methods, 5th ed. Dubuque, IA: Irwin, 1995.
13. Cooper, J.A. Computer and Communications Security, Strategies for the 1990s. New York: McGraw-Hill, 1989.
14. Corbitt, T. Ensure your datafiles are secure even if the Pentagon's are not. Management Services, 41, 5 (May 1997), 24-26.
15. Cronbach, L. Test validation. In R.L. Thorndike (ed.), Educational Measurement, 2d ed. Washington, DC: American Council on Education, 1971, pp. 443-507.
16. Denzin, N.K. The Research Act, 3d ed. Englewood Cliffs, NJ: Prentice-Hall, 1989.
17. Dichter, C. Easy Unix security. Unix Review, 11, 4 (April 1993), 42-51.
18. DiDio, L. Major hacks raise hackles, spur defenders. ComputerWorld, 32, 13 (April 1998), 49-50.
19. DiDio, L. Cyberattack prompts DoD to boost security. ComputerWorld, 32, 9 (March 1998), 14.
20. DoD. Department of Defense Password Management Guideline. Washington, DC: National Computer Security Center, CSC-STD-002-85, 1985.
21. Ernst & Whinney. U.S. Computer Security Survey of Fortune 500 Industrial Companies. Cleveland: Ernst & Whinney, 1987.
22. Ernst & Whinney. The 1989 Computer Abuse Survey: A Report. Cleveland: Ernst & Whinney, 1989.
23. Goodell, J. The Cyber Thief and the Samurai. Menlo Park, CA: Dell, 1996.
24. Graziano, A.M., and Raulin, M.L. Research Methods, 3d ed. Reading, MA: Addison-Wesley, 1997.
25. Grossman, W. Net Wars. New York: New York University Press, 1997.
26. Herschberg, I. The hacker's comfort. Comity, 6, 2 (1987), 133-138.
27. Highland, J.H. Demise of passwords. Computers and Security, 9, 4 (1990), 196-200.
28. Highland, J.H. How to prevent the use of weak passwords. EDPACS, 18, 9 (March 1991), 7-12.
29. Highland J.H. Changing passwords. Computers and Security, 16, 3 (1997), 183-184.
30. Hoffer, J., and Straub, D.W. The 9 to 5 underground: are you policing computer crimes? Sloan Management Review, 30, 4 (Summer 1989), 35-44.
31. Hoffman, L.J. Modern Methods for Computer Security and Privacy. Englewood Cliffs, NJ: Prentice-Hall, 1977.
32. Hunt Sparkman, R.D., Jr., and Wilcox J.B. The pretest in survey research: issues and preliminary findings. Journal of Marketing Research, 19, 2 (1982), 269-273.
33. Icove, D. Computer Crime: A Crime Fighter's Handbook. Sebastopol, CA: O'Reilly & Associates, 1995.
34. Jobusch, D.L., and Oldhoeft, A.E. A survey of password mechanisms: weaknesses and potential improvements, part 1. Computers and Security, 8, 7 (1989), 587-601.
35. Jobusch, D.L., and Oldhoeft, A.E. A survey of password mechanisms: weaknesses and potential improvements, part 2. Computers and Security, 8, 8 (1989), 675-689.
36. Kearns, D. Paying attention to passwords. Network World, 13, 23 (June 1996), 28-29.
37. LaPlante, A. Computer fraud threat increasing, study says. Infoworld, 18 (May 1987), 47.
38. Loch, K.R.; Carr, H.H.; and Warkentin, M.E. Threats to information systems: today's reality, yesterday's understanding. MIS Quarterly, 16, 2 (June, 1992), 173-186.
39. Menkus, B. Understanding the use of passwords. Computers and Security, 7, 2 (1988), 132-136.
40. Miller, G.A. The magical number seven, plus or minus two: some limits on our capacity for processing information. Psychological Review, 63, 3 (March 1956), 81-97.
41. Morrey, B. Beefing up NT's security out of the box. Inforworld, 19, 24 (June 1997), 122-124.
42. Morris, R., and Thompson, K. Password security: a case history. Communications of the ACM, 22, 11 (November 1979), 594-597.
43. Neiderman, F.; Brancheau, J.C.; and Wetherbe, J.C. Information systems issues for the 1990s. MIS Quarterly, 15, 4 (December 1991), 475-502.
44. Nelson, M. PGP's Business Security Suite spotlights corporate users. ComputerWorld, 31, 21 (October 1997), 88.
45. Paans, R., and Herschberg, I.S. Computer security: the long road ahead. Computers and Security, 6, 5 (1987), 403-416.
46. Parker, D. Fighting Computer Crime. New York: Charles Scribner's Sons, 1983.
47. Pfleeger, C.P. Security in Computing, 2d ed. Englewood Cliffs, NJ: Prentice-Hall, 1997.
48. Porter, S.N. A password extension for human factors. Computers and Security, 1, 1 (1982), 54-56.
49. Seeley D. Password cracking: a game of wits. Communications of the ACM, 32, 6 (June 1989), 700-703.
50. Siand Castellan, J.N. Nonparametric Statistics for the Behavioral Sciences, 2d ed. Boston: McGraw-Hill, 1988.
51. Spafford, E. The Internet worm: crisis and aftermath. Communications of the ACM, 32, 6 (June 1989), 203-227.
52. Spender, J.C. Identifying computer users with authentication devices (tokens). Computers and Security, 6, 6 (1987), 385-395.
53. Stoll, C. The Cuckoo's Egg. New York: Pocket Books, 1995.
54. Stoll, C. Stalking the willy hacker. Communications of the ACM, 31, 5 (May 1988), 484-497.
55. Straub, D.W. Computer abuse and computer security: update on an empirical study. Security, Audit and Control Review, 4, 2 (Spring 1986), 21-31.
56. Straub, D.W. Validating instruments in MIS research. MIS Quarterly, 13, 2 (June 1989), 146-169.
57. Straub, D.W., and Nance, W.D. Discovering and disciplining computer abuse in organizations: a field study. MIS Quarterly, 14, 1 (March 1990), 45-60.
58. Tom, P.L. Managing Information as a Corporate Resource, 2d ed. New York: HarperCollins, 1991.
59. Ungoed-Thomas, J. The schoolboy spy. Sunday Times (London) (March 29, 1998), section 5, 1-2.
60. Wood, C.C. Effective information system security with password controls. Computers and Security, 2, 1 (1983), 5-10.
61. Wu, T.C., and Sung, H.S. Authenticating passwords over an insecure channel. Computers and Security, 15, 5 (1996), 431-439.
62. Yager, T. Taking command of Windows NT. Unix Review, 15, 12 (November 1997), pp.33-42.
63. Zviran, M., and Haga, W.J. Cognitive passwords: the key for easy access control. Computers and Security, 9, 8 (1990), 723-736.
64. Zviran, M., and Haga, W.J. Evaluating password techniques for multilevel authentication mechanisms. Computer Journal, 36, 3 (1993), 227-237.
65. Zwass, V. Foundations of Information Systems. Boston: Irwin/McGraw-Hill, 1997.