Security

Passwords can serve two functions in the security of computer systems [86]: authenti- cation: to validate the identity of a user based upon knowledge of a shared secret; and key generation: to provide a source of entropy (as termed by Shannon [115]) to seed the generation of cryptographic keys. Today, it has become increasingly important that the same password is usable and secure in both modes of operation. However, in any context of use passwords are vulnerable to a range of attacks:

• Replay Attack: the password of a legitimate user is reused by an unauthorised person.

• Social Engineering: an attacker persuades a legitimate user to reveal a password [84].

• Observation Attack: an attacker captures a password using simple observation techniques at the point of password entry.

• Phishing: the password is captured via an interface that is maliciously designed to masquerade as a trusted entity (this usually culminates in a replay attack) [66].

• Brute Force Attack: an automated guessing attack where every possible valid password is tried until the correct one is discovered. This can take place online, where guesses are mediated by the system under attack (against which certain automated defences can be realised) or offline where the attacker has obtained a copy of an encrypted password database and can make an unrestricted number of guesses. This is guaranteed to succeed, but could take a prohibitively long time.

• Dictionary Attack: an optimised version of a brute force attack that uses the assumption that password content is likely to contain a word found in a typical word dictionary [74]. This can also be executed online or offline.

From the earliest days of password usage, automated guessing has been prioritised as the most potent attack. Automated tools can be configured to make many thousand password guesses per second, whereas a human may be able to make only one or two. The threat of automated attacks meant that without stipulation over the complexity of a password, little confidence could be had in the identity of the individual who would present it to a system. In order to reason over this required complexity, measures of password strength are computed in terms of entropy based upon the seminal work of Shannon [115]. Where each character of a password is chosen randomly, entropy H (measured in bits) can be calculated by H = log2(al). Where a represents the

size of the alphabet from which each character is drawn (e.g. a = 26 where the password is comprised of lowercase alphabetic characters), and l is the length of the

password. However, if it were demonstrated that passwords were chosen in a non- random manner, this computation of entropy would overestimate password strength in practice.

Morris and Thompson [87] present early reflections upon password security through the analysis of the content of over 3000 UNIX passwords. Strikingly, they observed that users were very likely to choose predictable passwords, as many were very short in length, with 15 comprised of only a single ASCII character. Also, as a significant pro- portion of the passwords were comprised of pronounceable words, they propose that a dictionary attack could be a particular threat, and tenuously conclude that ”The use of encrypted passwords appears reasonably secure in the absence of serious attention of experts in the field” (p. 4). This concedes that the security of passwords was based purely upon the hope that nobody would try to exploit their clear weaknesses. In an experiment, Klein [74] carried out such a dictionary attack on a corpus of collected UNIX password files and discovered that using a dictionary of only 62,727 words he was able to guess 25% of 15,000 passwords. Arguably, the first real-world execution of a dictionary attack was by the infamous Morris Worm [122], which infected over 6000 machines [41] using an attack dictionary of just 432 words as seeds for guesses. Measuring password entropy in the presence of such user-imposed bias relies upon an understanding of the particular biases that might manifest in a user population. A report on password choice by the National Institute of Standards and Technology (NIST) [12] bases estimates of the entropy of user-chosen passwords upon Shannon’s analysis of the entropy of English text [116]. This analysis suggests that the first character in a password provides 4 bits of entropy; the next 7 characters provide 2 bits each; characters 9 to 20 provide 1.5 bits each; and beyond 21 each character has 1 bit. For example, a strong eight character password where characters are drawn randomly from the full ASCII character set could have 53 bits of entropy, but a user- chosen eight character password may only have 18 bits. While the NIST analysis has a certain illustrative value, estimates could be refined to account for the idiosyncrasies of a particular user sample.

The typical attack scenario is that the attacker may wish to compromise the pass- word of a particular user in order to abuse their associated system access privileges. In a batch guessing attack [48] the attacker has no specific user target, and so chooses a password considered to be common amongst the user population and uses it to guess the password of a sequence of known users (user identifiers, as compared to passwords, are more readily accessible in many systems). Single Sign On (SSO) is a class of soft- ware tool designed to store all user passwords, and provides functionality to provide the correct password to the correct online service. This potentially removes issues of memorability, although a user must instead remember a single master password to access the SSO system. Chiasson et al. [20] carried out a usability evaluation of two SSO systems but found that users reported usability issues, which included the lack of visibility of when the tools were working. Other disadvantages concern portability, as

SSO software must usually be installed on each system that it is used; also users tend to have difficulty to trust SSO software with their credentials, as this is a convenient instantiation for malware to steal large numbers of passwords.

The literature on password security amply demonstrates that when users are un- constrained in password choice, they are unlikely to create passwords desirable from a security perspective. Indeed, that security is contingent upon behaviour that users are unlikely to display, is a fundamental limitation in the design of a system, and a clear example what Davis termed a compliance defect [26]. However, rather than sim- ply abandon password authentication at this point as being inadequate, the research focus changed to explore how user behaviour could be scaffolded (within the limits of existing infrastructure) to prefer secure passwords. That is, to develop interventions that support users to choose from a class of more desirable passwords.