Identifiers
Title variants
Using gamification and fear-inducing messages instead of password strength meters to increase password entropy
Publication languages
Abstracts
It is very common for users to create weak passwords. Currently, the majority of websites deploy password strength meters to provide timely feedback. These meters are in wide use and their effects on the security of passwords have been relatively well studied. In this paper another type of feedback is studied: a gamified approach supported by fear appeal. In this approach, users are encouraged to make passwords stronger through the use of visual and textual stories. This approach is supported by data-driven suggestions about how to improve password security as well as by fear appeal. To prove the effectiveness of this gamified password creation process, an experiment was performed in which users changed their passwords in two ways: without any feedback, and with gamified feedback with fear appeal. To support the initial findings a questionnaire was completed by participants at the end of research.
Users of IT systems very often create weak passwords. To provide feedback on the effectiveness of the password being created, some websites use strength meters. Their impact on security has been relatively well studied. This paper proposes and examines a new approach to providing feedback on the strength of a password being created. It is based on gamification reinforced with messages that evoke a sense of fear. Users are motivated to create stronger passwords through the use of visual and textual stories. The approach is supported by messages informing users how password security can be improved and by messages evoking fear in users (for example, notifying them how much time an attacker would need to crack the password). To prove the effectiveness of the proposed method, an experiment was conducted in which users changed their passwords in two ways: without any feedback and using the proposed method. The resulting claims about the effectiveness of the proposed approach were supported by the results of a survey.
Keywords
Journal
Year
Volume
Pages
17–33
Physical description
Bibliography: 49 items, figures, tables.
Authors
author
- Polish Naval Academy, Faculty of Navigation and Naval Weapons, Śmidowicza 69 Str., 81-127 Gdynia, Poland
Notes
Record prepared under agreement 509/P-DUN/2018 from funds of the Ministry of Science and Higher Education (MNiSW) allocated to activities disseminating science (2019).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-1f05d329-862f-41b0-8ad1-a2f867795df1