Password psychology

Living in the intersection of cryptography and psychology, password psychology is the study of what makes passwords or cryptographic keys easy to remember or guess.

In order for a password to work successfully and provide security to its user, it must be kept secret and un-guessable; this also requires the user to memorize their password. The psychology behind choosing a password is a unique balance between memorization, security and convenience. Password security involves many psychological and social issues, including whether or not to share a password, the feeling of security, and the eventual choice of whether or not to change a password. Passwords may also reflect personality. Those who are more uptight or security-oriented may choose longer or more complicated passwords. Those who are lax or who feel more secure in their everyday lives may never change their password. [1] The most common password is Password1, which may point to convenience over security as the main concern for internet users. [2] [3]

History

The use and memorization of both nonsense and meaningful alphanumeric material has a long history in psychology, beginning with Hermann Ebbinghaus. Since then, numerous studies have established not only that both meaningful and nonsense "words" are easily forgotten, but that the forgetting curves of both are exponential with time. [4] Chomsky advocates meaning as arising from semantic features, leading to the idea of "concept formation" in the 1930s. [4]

Current research

Research is being done into new techniques for enhancing cognitive ability and memorization when it comes to password selection. [5] A study from 2004 indicates that the typical college student creates about 4 different passwords for use with about 8 different items, such as computers, cell phones, and email accounts, and that the typical password is used for about two items. [6] Information about the type of passwords points to an approximately even split between linguistic and numeric passwords, with about a quarter using a mix of linguistic and numeric information. Names (proper names, nicknames) are the most common information used for passwords, and dates are the second most common. [6] Research is also being done on the effect of policies that force users to create more secure and effective passwords. [7] The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, such a policy did not reduce the use of meaningful information in passwords, such as names and birth dates, nor did it reduce password recycling. [7]
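The following Python audit, added here as an illustration and not taken from the article or the cited studies, makes the finding above concrete: a composition policy (the rules here are assumed, not the ones the study tested) accepts passwords that still consist of a name plus a birth year, while the linguistic/numeric/mixed split mirrors how the 2004 survey categorized password content. The name list, dictionary and sample passwords are constructed stand-ins.

```python
import re

# Assumed composition policy for this illustration (not the one the cited study tested):
# at least 8 characters drawn from at least three of four character classes.
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
# Constructed stand-ins for a real name list and a real dictionary.
COMMON_NAMES = {"jennifer", "michael", "alex", "sam"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon"}
YEAR = re.compile(r"19\d\d|20[0-2]\d")  # heuristic for a plausible birth year such as 1985

def passes_composition_policy(pw):
    """True when pw satisfies the assumed length and character-class rules."""
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in CLASSES) >= 3

def content_type(pw):
    """'linguistic', 'numeric' or 'mixed': the split used to describe the 2004 survey."""
    has_letters, has_digits = bool(re.search(r"[A-Za-z]", pw)), bool(re.search(r"\d", pw))
    if has_letters and has_digits:
        return "mixed"
    return "numeric" if has_digits else "linguistic"

def meaningful_info(pw):
    """Personal or dictionary content that a composition rule alone does not screen out."""
    lower = pw.lower()
    flags = set()
    if any(name in lower for name in COMMON_NAMES):
        flags.add("name")
    if any(word in lower for word in DICTIONARY_WORDS):
        flags.add("dictionary word")
    if YEAR.search(pw):
        flags.add("year")
    return flags

def audit(pw):
    """Combine the three views; a policy pass with non-empty flags is the study's finding."""
    return {"passes_policy": passes_composition_policy(pw),
            "type": content_type(pw),
            "flags": sorted(meaningful_info(pw))}

# Constructed sample passwords, not taken from any breach data.
SAMPLES = ["Password1", "Jennifer1985!", "summer", "19851207"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(pw, audit(pw))  # Password1 and Jennifer1985! pass the policy yet carry flags
```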

Memorization problems

Password psychology is directly linked to memorization and the use of mnemonics. Mnemonic devices are often used as passwords but many choose to use simpler passwords. It has been shown that mnemonic devices and simple passwords are equally easy to remember and that the choice of convenience plays a key role in password creation. [8]

Password alternatives

In order to address the issues presented by memorization and security, many businesses and internet sites have turned to accepting different types of authentication. This authentication could be a single-use password, a non-text-based password, biometrics, a 2D key, multi-factor authentication, or question-based cognitive passwords. Many of these options are more expensive or time consuming, or still require some form of memorization. Thus, most businesses and individuals still use the common format of single-word, text-based passwords as security protection.

The most common alternative to traditional passwords and PIN codes has been biometric authentication. [9] Biometric authentication is a method where systems use physical and/or behavioral traits unique to a specific individual to authorize access. [9] Some of the most popular forms of biometric passwords are as follows: fingerprint, palm prints, iris, retina, voice, and facial structure. [10] The appeal of biometrics as a form of passwords is that they increase security. [11] Only one person has access to a set of fingerprints or retinal patterns, which means the likelihood of hacking decreases significantly. Biometric authentication has four important factors, or modules, that keep systems and accounts from being compromised: the sensor module, the feature extraction module, the template database, and the matching module. [9] These four sections of biometric authentication, while more involved, create a layer of protection that a traditional password option cannot. The sensor module is responsible for capturing the user's biometric, whether it be a fingerprint scan, a facial scan, or voice. [11] [9] The second module, feature extraction, is where all the raw data acquired from the previous module is broken down into its key components. The template, or database, module takes the key components gathered previously and saves them digitally. Lastly, the matching module is employed to verify whether the inputted biometric is legitimate. [11] [9] [10] The modules that record, process, and verify biometrics need to be run in two different stages, enrollment and recognition, and within these two stages there are further sub-stages. In the enrollment stage all four modules work together as a digital version of the biometric data is generated and stored. [11] The recognition stage has two sub-sections called verification and identification. [11] During the verification process the system's job is to ensure that the individual trying to gain access is who they state they are. The identification process fully identifies the individual.

Though biometric authentication is a method that is seen increasingly often, it isn't without its issues. A biometric system is affected by issues similar to those of a traditional password system. When a user inputs their biometric information, one of four things can happen. A user may truly be who they say they are and be granted access to the system. Conversely, a user may be impersonating someone and be denied access. The two other scenarios are when an authentic user is denied access and when an impersonator is granted access. [11] This type of fraud can occur because certain individuals may share virtually identical voices. [11] In other instances, the initial attempt to record the biometric data may have been compromised. During the four-module process, a user may have inputted corrupted data. An example of this is most commonly seen in fingerprints, where an individual may use a wet finger or a scarred finger to record their data. [11] These errors introduce the possibility of insecurity. [9] These issues can also occur with facial recognition. If a pair of twins, or even two people who look similar, try to access a system, they may be granted access.
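As an added illustration (not code from the article or its sources) of the four-module pipeline, the enrollment and recognition stages, verification versus identification, and the four decision outcomes described above, the following Python model uses constructed 20-bit feature vectors, a hypothetical agreement-ratio matcher and an assumed match threshold; the names alice, bob and carol and the "wet" and "scarred" samples are all constructed. It also shows the trade-off the text implies: raising the threshold turns the look-alike's false accept into a true reject at the cost of rejecting more degraded genuine scans.

```python
from dataclasses import dataclass, field

def flip(v, n):  # copy of feature vector v with its first n positions inverted
    return [1 - x if i < n else x for i, x in enumerate(v)]
# Constructed 20-bit feature vectors (e.g. "minutia present" flags), not real biometric data.
ALICE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1]
ALICE_WET = flip(ALICE, 3)   # genuine scan degraded by a wet finger: 17/20 positions agree
ALICE_SCAR = flip(ALICE, 5)  # genuine scan degraded by a scarred finger: 15/20 agree
CAROL = flip(ALICE, 2)       # look-alike ("twin") with near-identical features: 18/20 agree
BOB = flip(ALICE, 20)        # unrelated person: 0/20 agree

@dataclass
class BiometricSystem:
    threshold: float = 0.85                        # assumed match threshold
    templates: dict = field(default_factory=dict)  # template database module

    def enroll(self, user, features):  # enrollment stage: extracted features become the template
        self.templates[user] = list(features)

    @staticmethod
    def similarity(a, b):  # matching module: fraction of feature positions that agree
        return sum(x == y for x, y in zip(a, b)) / len(a)

    def verify(self, claimed, probe):  # verification: does the probe match the claimed identity?
        return self.similarity(self.templates[claimed], probe) >= self.threshold

    def identify(self, probe):  # identification: best-matching enrolled user, or None
        scores = {u: self.similarity(t, probe) for u, t in self.templates.items()}
        best = max(scores, key=scores.get)
        return best if scores[best] >= self.threshold else None

def classify(system, claimed, actual, probe):
    """Label one verification attempt with one of the four possible outcomes."""
    accepted, genuine = system.verify(claimed, probe), claimed == actual
    if genuine:
        return "true accept" if accepted else "false reject"
    return "false accept" if accepted else "true reject"

def demo(threshold=0.85):
    """Return (outcome labels, FRR, FAR, identify(CAROL)) for the constructed attempts."""
    system = BiometricSystem(threshold)
    system.enroll("alice", ALICE)
    system.enroll("bob", BOB)
    attempts = [("alice", "alice", ALICE), ("alice", "alice", ALICE_WET),
                ("alice", "alice", ALICE_SCAR), ("alice", "carol", CAROL), ("alice", "bob", BOB)]
    labels = [classify(system, *a) for a in attempts]
    genuine = [l for l in labels if l in ("true accept", "false reject")]
    impostor = [l for l in labels if l in ("false accept", "true reject")]
    frr = genuine.count("false reject") / len(genuine)    # false rejection rate
    far = impostor.count("false accept") / len(impostor)  # false acceptance rate
    return labels, frr, far, system.identify(CAROL)

if __name__ == "__main__":
    print(demo())      # 0.85: the look-alike is falsely accepted and identified as alice
    print(demo(0.95))  # 0.95: look-alike rejected, but the wet-finger scan is now rejected too
```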

Related Research Articles

Password: Used for user authentication to prove identity or access approval

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

Authentication: Act of proving an assertion, often the identity of a computer system user

Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.

Biometrics are body measurements and calculations related to human characteristics. Biometric authentication is used in computer science as a form of identification and access control. It is also used to identify individuals in groups that are under surveillance.

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. Either the password policy is merely advisory, or the computer systems force users to comply with it. Some governments have national authentication frameworks that define requirements for user authentication to government services, including requirements for passwords.

Logical security consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation. It is a subset of computer security.

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (TLS).

In computer security, shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder. Unauthorized users watch the keystrokes inputted on a device or listen to sensitive information being spoken, which is also known as eavesdropping.

Keystroke dynamics, keystroke biometrics, typing dynamics, and typing biometrics refer to the detailed timing information that describes each key-press-related event that occurs when a user types on a keyboard.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

A whole new range of techniques has been developed to identify people since the 1960s from the measurement and analysis of parts of their bodies to DNA profiles. Forms of identification are used to ensure that citizens are eligible for rights to benefits and to vote without fear of impersonation while private individuals have used seals and signatures for centuries to lay claim to real and personal estate. Generally, the amount of proof of identity that is required to gain access to something is proportionate to the value of what is being sought. It is estimated that only 4% of online transactions use methods other than simple passwords. Security of systems resources generally follows a three-step process of identification, authentication and authorization. Today, a high level of trust is as critical to eCommerce transactions as it is to traditional face-to-face transactions.

Smudge attack: Discerning a password via screen smudges

A smudge attack is an information extraction attack that discerns the password input of a touchscreen device such as a cell phone or tablet computer from fingerprint smudges. A team of researchers at the University of Pennsylvania were the first to investigate this type of attack in 2010. An attack occurs when an unauthorized user is in possession or is nearby the device of interest. The attacker relies on detecting the oily smudges produced and left behind by the user's fingers to find the pattern or code needed to access the device and its contents. Simple cameras, lights, fingerprint powder, and image processing software can be used to capture the fingerprint deposits created when the user unlocks their device. Under proper lighting and camera settings, the finger smudges can be easily detected, and the heaviest smudges can be used to infer the most frequent input swipes or taps from the user.

Identity-based security is a type of security that focuses on access to digital information or services based on the authenticated identity of an entity. It ensures that the users and services of these digital resources are entitled to what they receive. The most common form of identity-based security involves the login of an account with a username and password. However, recent technology has evolved into fingerprinting or facial recognition.

Biometric device: Identification and authentication device

A biometric device is a security identification and authentication device. Such devices use automated methods of verifying or recognising the identity of a living person based on a physiological or behavioral characteristic. These characteristics include fingerprints, facial images, iris and voice recognition.

Biometric tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. The process combines the biometrics with public-key cryptography to enable the use of a stored biometric template for secure or strong authentication to applications or other systems without presenting the template in its original, replicable form.

Face ID: Facial recognition system by Apple

Face ID is a facial recognition system designed and developed by Apple Inc. for the iPhone and iPad Pro. The system allows biometric authentication for unlocking a device, making payments, accessing sensitive data, providing detailed facial expression tracking for Animoji, as well as six degrees of freedom (6DOF) head-tracking, eye-tracking, and other features. Initially released in November 2017 with the iPhone X, it has since been updated and introduced to several new iPhone models, and all iPad Pro models.

WebAuthn: Public-key authentication standard

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography.

Contactless fingerprinting technology (CFP) was described in a government-funded report as an attempt to gather and add fingerprints to those gathered via the wet-ink process and then, in a "touchless" scan, verify claimed identity and, a bigger challenge, identify their owners without additional clues.

Passwordless authentication is an authentication method in which a user can log in to a computer system without entering a password or any other knowledge-based secret. In the most common implementations, users are asked to enter their public identifier and then complete the authentication process by providing a secure proof of identity through a registered device or token.

References

  1. Info Security. "The contradictions of password psychology". 22 February 2012. Reed Exhibitions. http://www.infosecurity-magazine.com/view/24057/the-contradictions-of-password-psychology/
  2. Cowley, Stacy. "If You're Using 'Password', Change It. Now." CNNMoney. Cable News Network, 1 March 2012. Retrieved 23 March 2012. http://money.cnn.com/2012/03/01/technology/password_security/index.htm
  3. "Have I Been Pwned: Pwned Passwords".
  4. Ostojic, P. P., & Phillips, J. G. (2009). Memorability of alternative password systems. International Journal of Pattern Recognition & Artificial Intelligence, 23(5), 987–1004.
  5. Nelson, D., & Vu, K. L. (2010). Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords. Computers in Human Behavior, 26(4), 705–715. doi:10.1016/chb2010.01.007
  6. Brown, Alan S., et al. (2004). "Generating and Remembering Passwords". Applied Cognitive Psychology, 18(6), 641–651.
  7. Campbell, J., Ma, W., & Kleeman, D. (2011). Impact of restrictive composition policy on user password choices. Behaviour & Information Technology, 30(3), 379–388.
  8. Yan, Jeff; Blackwell, Alan; Anderson, Ross; Grant, Alasdair (September 2004). IEEE Security & Privacy. IEEE Computer Society. Archived copy (PDF), archived from the original on 2012-04-14. Retrieved 2016-02-05.
  9. Yang, Wencheng; Wang, Song; Hu, Jiankun; Zheng, Guanglou; Valli, Craig (2019-01-28). "Security and Accuracy of Fingerprint-Based Biometrics: A Review". Symmetry, 11(2): 141. Bibcode:2019Symm...11..141Y. doi:10.3390/sym11020141. ISSN 2073-8994.
  10. Riaz, Naveed; Riaz, Ayesha; Khan, Sajid Ali (2018-01-15). "Biometric template security: an overview". Sensor Review, 38(1): 120–127. doi:10.1108/SR-07-2017-0131. ISSN 0260-2288.
  11. "What Is A Biometric System, and How To Secure It". Veridium. 2018-07-19. Retrieved 2021-04-16.