PASSWORD STRENGTH ANALYSIS

Academic year: 2021


(1)

The Center for Education and Research in Information Assurance

PASSWORD STRENGTH ANALYSIS

Brian Curnett and Teri Flory

Masters Students

COPING MECHANISMS IN PASSWORD

(2)

CURRENT STATUS

Motivation

• Passwords are the most commonly used authentication measure

• Often require frequent modification

• Predominantly, studies in the past have reviewed how hard or easy it is to crack a password

• Most studies have ignored or only minimally focused on the issue of user coping mechanisms

• Only a few studies have looked at how modification of passwords over time affects coping mechanisms or password strength

Problem Statement

Stringent requirements in password policies lead to coping mechanisms in users when creating passwords. These coping mechanisms decrease the strength of the passwords created, and the question is whether this decreases the security sought by creating a strict policy.

(3)

ENTROPY

WHAT IS ENTROPY?

A calculation used by NIST to determine the strength of a password. Points are assigned based upon specific factors of a password or password policy.

Factors

- Length of password

- Use of non-alphabetic characters

- Use of capital letters

(4)

DESIGN OF STUDY


(5)

DESIGN OF STUDY

(CONTINUED)

• Open the HIT and click on the link to the website

• Upon arrival, the participant is assigned a password policy (that follows the participant throughout the study)

• User creates a password and then completes a survey

• User logs in every week for 7 weeks

• Every week user is required to change password

• After creating password, user takes a short survey

  • First is demographic

  • Second through Sixth are filler questions about info sec

(6)

COLLECTION OF DATA FROM

WEBSITE


Data is automatically stored in a MySQL database, from which it can be downloaded as .csv and opened in Excel or analyzed in a statistical analysis package like SAS.

(7)

COPING MECHANISMS IDENTIFIED

ANALYSIS OF COPING MECHANISMS IN USER CREATED PASSWORDS

   Coping Mechanism Identified                                              | Decrease in Entropy
A  Repeating digits within the same password                                | Divide actual entropy by the number of repeats
B  Repeating passwords across time                                          | Subtract entropy for the portion repeated
C  Incrementing numbers across time                                         | Decrease entropy by 6 (entropy gained by adding non-alphanumeric characters)
D  Repeating non-alphabetic or capital letters                              | Decrease entropy by 6 (entropy gained by adding non-alphanumeric characters)
E  Changing letter from lowercase to capital, but keep the same word across time | Subtract entropy for the word, but maintain the increase of 6 for the capital letter
F  Capital letter first or number/special character last                    | Decrease entropy by 6 (entropy gained by adding non-alphanumeric character or capital letter)
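The following is an added worked example, not code from the poster or its authors. It implements the NIST SP 800-63 Appendix A entropy schedule that the ENTROPY slide refers to (4 bits for the first character, 2 bits each for characters 2 to 8, 1.5 bits each for characters 9 to 20, 1 bit each after that, plus a 6-bit bonus for composition rules and a 6-bit bonus for a dictionary check), reproduces the "NIST Entropy" figures of 24, 24 and 30 for the three policies, and then applies the fixed 6-bit deductions of rows C, D and F of the table above to constructed sample passwords. Assumptions: Basic16 is taken to require 16 characters (the POLICIES slide leaves its rule list blank); the detection rules for C, D and F are this example's own reading of the table rows; rows A, B and E, which need an entropy value for the repeated portion, are not scored; all passwords are made up for the example and are not study data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Bits NIST SP 800-63 Appendix A credits for composition rules and for an
# extensive dictionary (blacklist) check; the poster's "6" deductions undo these.
COMPOSITION_BONUS = 6.0
DICTIONARY_BONUS = 6.0
MECHANISM_PENALTY = 6.0  # rows C, D and F of the coping-mechanism table


def nist_length_bits(length: int) -> float:
    """Appendix A schedule for user-chosen passwords: 4 bits for the first
    character, 2 bits each for characters 2-8, 1.5 bits each for 9-20,
    1 bit each beyond 20."""
    bits = 0.0
    if length >= 1:
        bits += 4.0
    if length >= 2:
        bits += 2.0 * (min(length, 8) - 1)
    if length > 8:
        bits += 1.5 * (min(length, 20) - 8)
    if length > 20:
        bits += 1.0 * (length - 20)
    return bits


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    composition: bool  # lower + upper + digit + special all required
    blacklist: bool    # English words rejected


# The three policies from the POLICIES slide. Basic16's 16-character minimum
# is an assumption taken from its name; the slide leaves its rule list blank.
COMPREHENSIVE8 = Policy("Comprehensive8", 8, composition=True, blacklist=False)
BLACKLIST_HARD = Policy("BlacklistHard", 8, composition=False, blacklist=True)
BASIC16 = Policy("Basic16", 16, composition=False, blacklist=False)


def nist_password_entropy(password: str, policy: Policy) -> float:
    """Entropy estimate for one concrete password under a policy."""
    n = len(password)
    bits = nist_length_bits(n)
    if policy.composition and n <= 20:  # NIST grants the rule bonus up to 20 chars
        bits += COMPOSITION_BONUS
    if policy.blacklist and n < 20:     # dictionary bonus is phased out at 20 chars
        bits += DICTIONARY_BONUS
    return bits


def policy_nist_entropy(policy: Policy) -> float:
    """The 'NIST Entropy' column: the estimate for a minimum-length password."""
    return nist_password_entropy("x" * policy.min_length, policy)


_TRAILING_NUMBER = re.compile(r"(.*?)(\d+)")


def is_increment_of(previous: str, current: str) -> bool:
    """Row C: same stem, trailing number raised by one (Winter2019 -> Winter2020)."""
    a = _TRAILING_NUMBER.fullmatch(previous)
    b = _TRAILING_NUMBER.fullmatch(current)
    if a is None or b is None or a.group(1) != b.group(1):
        return False
    return int(b.group(2)) == int(a.group(2)) + 1


def has_repeated_symbol_or_capital(password: str) -> bool:
    """Row D, read here as an adjacent repeat of a special character or a
    capital letter (repeated digits belong to row A and are not scored)."""
    return any(c == d and (c.isupper() or not c.isalnum())
               for c, d in zip(password, password[1:]))


def capital_first_or_symbol_last(password: str) -> bool:
    """Row F: the capital sits first, or the digit/special character sits last."""
    return bool(password) and (password[0].isupper() or not password[-1].isalpha())


def post_coping_entropy(password: str, policy: Policy,
                        previous: str | None = None) -> tuple[float, list[str]]:
    """NIST estimate minus 6 bits per detected mechanism (C, D, F), floored at 0."""
    bits = nist_password_entropy(password, policy)
    found: list[str] = []
    if previous is not None and is_increment_of(previous, password):
        found.append("C")
    if has_repeated_symbol_or_capital(password):
        found.append("D")
    if capital_first_or_symbol_last(password):
        found.append("F")
    return max(0.0, bits - MECHANISM_PENALTY * len(found)), found


if __name__ == "__main__":
    for p in (COMPREHENSIVE8, BLACKLIST_HARD, BASIC16):
        print(f"{p.name:15} NIST entropy {policy_nist_entropy(p):.1f} bits")
    # Constructed sample passwords for illustration, not data from the study.
    samples = (("Winter2020", "Winter2019", COMPREHENSIVE8),
               ("P@ssw0rd!!", None, COMPREHENSIVE8),
               ("correcthorsebatterystaple", None, BASIC16))
    for pw, prev, pol in samples:
        bits, found = post_coping_entropy(pw, pol, prev)
        print(f"{pw:26} post-coping {bits:5.1f} bits  mechanisms {found}")
```

Running the block prints 24, 24 and 30 bits for the three policies, matching the proposed-analysis table. The sample "Winter2020" following "Winter2019" loses 12 of its 27 bits (rows C and F), which is the kind of loss the study's "Post Coping Entropy" measure is meant to capture; the long passphrase under Basic16 keeps all 41 bits because none of the scored mechanisms fire.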

(8)

POLICIES

COMPREHENSIVE 8

-At least 8 characters

-At least one lower case character

-At least one capital letter

-At least one number

-At least one special character

BLACKLIST HARD

-At least 8 characters

-No English words

BASIC 16

(9)

SURVEY QUESTIONS

DEMOGRAPHIC AND COPING MECHANISMS USED*

DEMOGRAPHIC QUESTIONS

1. Gender

2. Age

3. Was English first language

4. Race

5. Marital status

6. Ethnicity

7. Education level attained

8. Primary occupation

9. Income level

*The actual questions used in the survey are available upon request

COPING MECHANISMS USED

1. Did you use the same password here that you use on another account

2. Did you use a similar password here that you use on another account (with def’n of similar)

3. Did you write down your password (when and why)

4. Did you use personal info when creating your password

5. Were you frustrated with the password policy

6. What type of device did you use to access this study

7. In previous experience with passwords, have you ever been frustrated by a policy

8. Does having to change your password often frustrate you

9. How many accounts do you have with passwords

10. Have you ever written down a password

11. Have you ever used the same password for different accounts

(10)

SURVEY QUESTIONS


FILLER QUESTIONS ON INFOSEC*

1. Were you affected by the Home Depot breach

2. Do you subscribe to Wired magazine

3. Do you read terms of service policies

4. Do you regularly back up your computer system

5. Are you more concerned with your financial data or health data

6. Are you familiar with Stuxnet

7. What computer operating system do you use

8. Are you concerned about cybercrime

9. Are you able to recognize spam

10. Are you concerned about identity theft

11. Have you ever heard of Stop, Think, Connect

12. Have you heard of Stop, Drop, and Roll

(11)

PROPOSED DATA ANALYSIS

CONDUCTED ON PRACTICE PASSWORDS

                            Comprehensive8    BlacklistHard     Basic16
N                           33                34                37
NIST Entropy                24                24                30
Mean Entropy                29.31             29.69             38.79
Standard Deviation          6.09              3.80              6.52
Confidence Interval (95%)   (27.16, 31.48)    (28.37, 31.02)    (37.91, 42.25)

(12)

PRACTICE DATA ENTROPY ANALYSIS

[Bar chart: Post Coping Entropy, Mean Entropy and NIST Entropy for each policy (Basic16, BlacklistHard, Comprehensive8); y-axis entropy in bits, 0 to 50]

Interesting Note: All post coping entropy calculations are greater than the NIST entropy for each policy

(13)

ANALYSIS

Across Policies Within Weeks

- ANOVA and Tukey test of Post Coping Entropy against NIST average entropy

- Do different policies lose entropy through coping mechanisms at different points in the password change cycle?

Within Policy Across Weeks

- Average of NIST Entropy for each participant

- Confidence Interval of entropy for policy

- Average of Entropy Loss per week

- Sum of Entropy Loss per user

- Confidence Interval of Entropy loss of all users per policy

- ANOVA test of Post Coping Entropy against NIST average entropy

- Does Entropy change each week independently of the policy?

Across Policies Across Weeks

- ANOVA and Tukey test of Post Coping Entropy against NIST average entropy

- Does one of our policies provide a more effective protection than the others?

Within Policy Within Week

- NIST entropy of each password

- Average NIST Entropy at each Week across participants

- Confidence Interval of entropy at each week

- Post Coping Entropy

- Entropy loss from coping mechanisms at Week

- ANOVA test of Post Coping Entropy against NIST policy entropy

- ANOVA test of Post Coping Entropy against NIST average entropy at each week

(14)

PROGRESS


INSTITUTIONAL REVIEW BOARD AND MECHANICAL TURK

IRB

Approval received

Mechanical Turk

Results of first HIT published

Restrictions on allowed Workers for first HIT

IRB Amendment

Approval just received

Mechanical Turk

Next step is to re-enter information and fax a copy of driver's license for validation

(15)

WORK REMAINING

FINAL REPORT AND PRESENTATION

Upon IRB Amendment Approval……

Collect Data on Mechanical Turk

Analyze Data collected

Continue to work on reconciling Amazon Mechanical Turk validation problem

QUESTIONS, COMMENTS, OR

SUGGESTIONS?
