A multi-word password proposal (gridWord) and exploring questions about science in security research and usable security evaluation

Proceedings New Security Paradigms Workshop

Volumn , Issue , 2011, Pages 25-36

  Bicakci, Kemal ^a   Van Oorschot, Paul C ^b  

^a TOBB UNIVERSITY OF ECONOMICS AND TECHNOLOGY   (Turkey)

^b CARLETON UNIVERSITY   (Canada)

Author keywords

evaluation; passwords; science; usable security

Indexed keywords

ACADEMIC RESEARCH; CONCRETE TARGETS; EVALUATION; GRAPHICAL PASSWORD; INTERNET ACCESS; KNOWLEDGE-BASED AUTHENTICATION; MULTI-WORD; PASSWORDS; REMOTE ACCESS; RESEARCH CHALLENGES; SCIENCE; SCIENTIFIC KNOWLEDGE; SECURITY MECHANISM; SECURITY RESEARCH; TEXT INPUT; TOUCH SCREEN; USABILITY AND SECURITY; USABLE SECURITY; VIRTUAL KEYBOARDS;

KNOWLEDGE BASED SYSTEMS; MOBILE DEVICES; MOBILE TELECOMMUNICATION SYSTEMS; NETWORK SECURITY; PUBLISHING; SECURITY SYSTEMS;

RESEARCH;

EID: 84855656434     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2073276.2073280     Document Type: Conference Paper

References (47)

1. E. Adar. Why I hate Mechanical Turk research (and workshops). CHI 2011.
2. G.V. Bard. Spelling-error tolerant, order-independent pass-phrases via the Damerau-Levenshtein string-edit distance metric. Proc. of 5th Australasian Symposium on ACSW Frontiers - volume 68 (ACSW'07), pp.117-124. Australian Computer Society, 2007.
3. B.F. Barton, M.S. Barton. User-friendly password methods for computer-mediated information systems. Computers & Security v.3(1984):186-195.
4. R. Biddle, M. Mannan, P.C. van Oorschot, T. Whalen. User Study, Analysis, and Usable Security of Passwords Based on Digital Objects. IEEE Trans. Info. Forensics and Security 6(3):970-979, Sept. 2011.
5. R. Biddle, S. Chiasson, P.C. van Oorschot. Graphical Passwords: Learning from the First Twelve Years. ACM Computing Surveys 44(4), 2012 (to appear).
6. M. Bond. Comments on grIDsure authentication. http://www.cl.cam.ac.uk/ ~mkb23/research/ GridsureComments.pdf, March 2008.
7. S. Brostoff, P. Inglesant, and M. A. Sasse. Evaluating the usability and security of a graphical one-time PIN system. BCS-HCI 2010.
8. C. Brown. A Meta-Scheme for Authentication using Text Adventures. Masters thesis, School of Computer Science, Carleton University, Canada, 2010.
9. B. Cheswick. Rethinking passwords. Invited talk, USENIX LISA 2010 (slides available online). See also summary by Rik Farrow, ;login: (USENIX Magazine) 36(2):68-69, April 2011.
10. S. Chiasson, A. Forget, R. Biddle, P.C. van Oorschot. Influencing Users Towards Better Passwords: Persuasive Cued Click-Points. BCS-HCI 2008.
11. S. Chiasson, C. Deschamps, M. Hlywa, G. Chan, E. Stobert, R. Biddle. MVP: A web-based framework for user studies in authentication (poster). SOUPS 2010.
12. S. Chiasson, E. Stobert, A. Forget, R. Biddle, P.C. van Oorschot. Persuasive cued click-points: Design, implementation, and evaluation of a knowledge-based authentication mechanism. IEEE Trans. Dependable and Secure Computing (to appear, 2011 or later).
13. M.K. Chong, G. Marsden. Exploring the Use of Discrete Gestures for Authentication. INTERACT 2009, Part II, Springer LNCS 5727, pp.205-213, 2009.
14. P. Dunphy, A.P. Heiner, N. Asokan. A Closer Look at Recognition-Based Graphical Passwords on Mobile Devices. SOUPS 2010.
15. D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, R. Chandramouli. Proposed NIST standard for role-based access control. ACM TISSEC 4(3):224-274, 2001.
16. R. Feynman. Cargo Cult Science Principles of Research. Commencement Address, Caltech, 1974.
17. D. Florencio, C. Herley. A Large Scale Study of Web Password Habits. WWW 2007.
18. D. Florencio, C. Herley, B. Coskun. Do strong passwords accomplish anything? USENIX HotSec'07.
19. M. Gasser. A Random Word Generator for Pronounceable Passwords. Technical Report AD-A017-676, Mitre Corp., Nov.1975.
20. M.D. Hafiz, A.H. Abdullah, N. Ithnin, and H.K. Mammi. Towards identifying usability and security features of graphical password in knowledge based authentication technique. 2nd Asia Int'l Conf. Modelling & Simulation (2008), 396-403, IEEE.
21. C. Herley, P.C. van Oorschot. A research agenda acknowledging the persistence of passwords. IEEE Security & Privacy (to appear, Jan/Feb 2012).
22. M. Jakobsson, E. Shi, P. Golle, R. Chow. Implicit authentication for mobile devices. USENIX HotSec'09.
23. M. Jakobsson, personal communication, May 2011.
24. D.L. Jobusch, A.E. Oldehoeft. A survey of password mechanisms: weaknesses and potential improvements (Part 1). Computers & Security v.8(1989):587-604.
25. D.L. Jobusch, A.E. Oldehoeft. A survey of password mechanisms: weaknesses and potential improvements (Part 2). Computers & Security v.8(1989):675-689.
26. C. Kuo, S. Romanosky, L.F. Cranor. Human selection of mnemonic phrase-based passwords. SOUPS 2006.
27. T. Longstaff, D. Balenson, Mark Matties. Barriers to Science in Security. ACSAC 2010 (invited essay).
28. R. Maxion, T. Longstaff, J. McHugh. Why is there no science in cyber science? NSPW 2010 (panel report).
29. A. Mehler, S. Skiena. Improving Usability Through Password-Corrective Hashing. SPIRE 2006: String Processing and Info. Retrieval, 13th International Conference. LNCS 4209, pp.193-204, Springer, 2006.
30. NIST. FIPS 181: Automated Password Generator (APG). Oct.5, 1993.
31. NIST Special Pub. 800-63-1 (W. Burr, D. Dodson, R. Perlner, W. Polk, S. Gupta, E. Nabbus). Electronic Authentication Guideline. Gaithersburg, April, 2006.
32. NIST NSTIC. National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy. June 25, 2010 draft. http://www.dhs.gov/xlibrary/assets/ns-tic.pdf
33. A. Paivio. Abstractness, imagery, and meaningfulness in paired-associate learning. Journal of Verbal Learning and Verbal Behavior, 1965.
34. S.N. Patel, J.S. Pierce, F.D. Abowd. A Gesture-based Authentication Scheme for Untrusted Public Terminals. ACM UIST'04.
35. J.R. Platt. Strong Inference. Science 136(3642): 347-353 (Oct.16, 1964).
36. S.N. Porter. A password extension for improved human factors. Computers & Security v.1(1982):54-56.
37. S.E. Schechter, R. Dhamija, A. Ozment, I. Fischer. The Emperor's new security indicators. IEEE Symp. Security and Privacy (Oakland 2007).
38. R. Schell. Information security: the state of science, pseudoscience, and flying pigs. ACSAC 2001 (invited essay).
39. S. Singh, A. Cabraal, C. Demosthenous, G. Astbrink, M. Furlong. Password sharing: implications for security design based on social practice. CHI'07.
40. Y. Spector, J. Ginzberg. Pass-sentence-a new-approach to computer code. Computers & Security v.13(1994):145-160.
41. R. Weber. The Statistical Security of GrIDsure. Technical report, University of Cambridge, 2006.
42. M. Weir, S. Aggarwal, M. Collins, H. Stern. Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords. ACM CCS 2010.
43. S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, N. Memon. PassPoints: Design and longitudinal evaluation of a graphical password system. Int'l J. Human-Computer Studies 63(1-2), 2005.
44. J. Yan, A. Blackwell, R. Anderson, A. Grant. Password memorability and security: empirical results. IEEE Security and Privacy magazine 2(5):25-31, 2004.
45. Y. Zhang, F. Monrose, M.K. Reiter. The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis. ACM CCS 2010.
46. M.E. Zurko, R.T. Simon. User-centered security. NSPW 1996.
47. M. Zviran, W.J. Haga. A comparison of password techniques for multilevel authentication mechanisms. The Computer Journal 36(3):227-237. Updates report NPS-54-90-014 (June 1990), Naval Postgraduate School, Monterey, California. (Note: the term multilevel here relates not to MLS operating systems, but to primary vs. secondary passwords.)