A research agenda acknowledging the persistence of passwords

IEEE Security and Privacy

Volumn 10, Issue 1, 2012, Pages 28-36

  Herley, Cormac ^a   Van Oorschot, Paul ^b  

^a MICROSOFT RESEARCH   (United States)

^b CARLETON UNIVERSITY   (Canada)

Author keywords

authentication alternatives; competing requirements; evaluation; passwords; supporting tools; systematic research

Indexed keywords

COMPETING REQUIREMENTS; EVALUATION; PASSWORDS; SUPPORTING TOOL; SYSTEMATIC RESEARCH;

COMPUTER NETWORKS; ELECTRICAL ENGINEERING;

AUTHENTICATION;

EID: 84859800820     PISSN: 15407993     EISSN: None     Source Type: Journal    
DOI: 10.1109/MSP.2011.150     Document Type: Article

References (18)

1. M. Jakobsson and S. Myers, Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, Wiley-Interscience, 2006.
2. M. Just and D. Aspinall, "Personal Choice and Challenge Questions: A Security and Usability Assessment," Proc. 5th Symp. Usable Privacy and Security, ACM, 2009, pp. 1-11.
3. W.H. Gates III, Keynote Presentation, RSA Conference, 2004.
4. L. O'Gorman, "Comparing Passwords, Tokens, and Biometrics for User Authentication," Proc. IEEE, vol. 91, no. 12, 2003, pp. 2019-2040.
5. R. Housley and T. Polk, Planning for PKI, Wiley, 2001.
6. R. Biddle, S. Chiasson, and P.C. van Oorschot, "Graphical Passwords: Learning from the First Twelve Years," to be published in ACM Computing Surveys, vol. 44, no. 4, 2012.
7. S.-T. Sun et al., "A Billion Keys, but Few Locks: The Crisis of Web Single Sign-on," Proc. Workshop New Security Paradigms (NSPW 10), ACM, 2010, pp. 61-72.
8. S. Chiasson, P.C. van Oorschot, and R. Biddle, "A Usability Study and Critique of Two Password Managers," Proc. 15th Usenix Security Symp., Usenix, 2006, pp. 1-16.
9. J. Bonneau and S. Preibusch, "The Password Thicket: Technical and Market Failures in Human Authentication on the Web," Proc. 9th Workshop Economics of Information Security (WEIS 10), 2010; http://weis2010.econinfosec. org/papers/session3/weis2010-bonneau.pdf.
10. "National Strategy for Trusted Identities in Cyberspace: Why We Need It," Nat'l Inst. Standards and Tech., 2011; www.nist.gov/nstic/NSTIC-Why- We-Need-It.pdf.
11. Y. Zhang, F. Monrose, and M.K. Reiter, "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis," Proc. 17th ACM Conf. Computer and Comm. Security (CCS 10), ACM, 2010, pp. 176-186.
12. 2009 Internet Crime Report, Internet Crime Complaint Center, 2010; www.ic3.gov/media/annualreport/2009-ic3report.pdf.
13. Cybersecurity: Assessing Our Vulnerabilities and Developing an Effective Response, Senate Hearing 111-43, Committee on Commerce, Science, and Transportation, 19 Mar. 2009; www.gpo.gov/fdsys/pkg/CHRG-111shrg50638/html/CHRG- 111shrg50638.htm.
14. D. Florêncio and C. Herley, "Phishing and Money Mules," IEEE Workshop Information Forensics and Security (WIFS 10), IEEE CS, 2010, pp. 1-5.
15. C. Herley, "So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users," Proc. Workshop New Security Paradigms (NSPW 09), ACM, 2009, pp. 133-144.
16. M. Weir et al., "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords," Proc. 17th ACM Conf. Computer and Comm. Security (CCS 10), ACM, 2010, pp. 162-175.
17. J. Yan et al., "Password Memorability and Security: Empirical Results," IEEE Security & Privacy, vol. 2, no. 5, 2004, pp. 25-31. (Pubitemid 40168623)
18. S.M. Bellovin and M. Merritt, "Encrypted Key Exchange: Password-Based Protocols Secure against Dictionary Attacks," Proc. IEEE Symp. Research in Security and Privacy, IEEE CS, 1992, pp. 72-84. (Pubitemid 23569189)