Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

Understanding passwords – a taxonomy of password creation strategies

Understanding passwords – a taxonomy of password creation strategies Using authentication to secure data and accounts has grown to be a natural part of computing. Even if several authentication methods are in existence, using passwords remains the most common type of authentication. As long and complex passwords are encouraged by research studies and practitioners alike, computer users design passwords using strategies that enable them to remember their passwords. This paper aims to present a taxonomy of those password creation strategies in the form of a model describing various strategies used to create passwords.Design/methodology/approachThe study was conducted in a three-step process beginning with a short survey among forensic experts within the Swedish police. The model was then developed by a series of iterative semi-structured interviews with forensic experts. In the third and final step, the model was validated on 5,000 passwords gathered from 50 different password databases that have leaked to the internet.FindingsThe result of this study is a taxonomy of password creation strategies presented as a model that describes the strategies as properties that a password can hold. Any given password can be classified as holding one or more of the properties outlined in the model.Originality/valueOn an abstract level, this study provides insight into password creation strategies. As such, the model can be used as a tool for research and education. It can also be used by practitioners in, for instance, penetration testing to map the most used password creation strategies in a domain or by forensic experts when designing dictionary attacks. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Information & Computer Security Emerald Publishing

Understanding passwords – a taxonomy of password creation strategies

Download PDF
15 pages

Loading next page...
 
/lp/emerald-publishing/understanding-passwords-a-taxonomy-of-password-creation-strategies-WJPDbgzskI
Publisher
Emerald Publishing
Copyright
© Emerald Publishing Limited
ISSN
2056-4961
DOI
10.1108/ics-06-2018-0077
Publisher site
See Article on Publisher Site

Abstract

Using authentication to secure data and accounts has grown to be a natural part of computing. Even if several authentication methods are in existence, using passwords remains the most common type of authentication. As long and complex passwords are encouraged by research studies and practitioners alike, computer users design passwords using strategies that enable them to remember their passwords. This paper aims to present a taxonomy of those password creation strategies in the form of a model describing various strategies used to create passwords.Design/methodology/approachThe study was conducted in a three-step process beginning with a short survey among forensic experts within the Swedish police. The model was then developed by a series of iterative semi-structured interviews with forensic experts. In the third and final step, the model was validated on 5,000 passwords gathered from 50 different password databases that have leaked to the internet.FindingsThe result of this study is a taxonomy of password creation strategies presented as a model that describes the strategies as properties that a password can hold. Any given password can be classified as holding one or more of the properties outlined in the model.Originality/valueOn an abstract level, this study provides insight into password creation strategies. As such, the model can be used as a tool for research and education. It can also be used by practitioners in, for instance, penetration testing to map the most used password creation strategies in a domain or by forensic experts when designing dictionary attacks.

Journal

Information & Computer SecurityEmerald Publishing

Published: Jun 19, 2019

Keywords: Computer security; Strategies; Passwords; Classification; Categorization

References

  • Challenges to digital forensics: a survey of researchers and practitioners attitudes and opinions
    Al Fahdi, M.; Clarke, N.L.; Furnell, S.M.
  • Game geek’s goss: linguistic creativity in young males within an online university forum (94//3 933k’5 9055oneone)
    Blashki, K.; Nichol, S.
  • Penetration testing: concepts, attack methods, and defense strategies. Systems, applications and technology conference (LISAT)
    Denis, M.; Zena, C.; Hayajneh, T.
  • A large-scale study of web password habits
    Florencio, D.; Herley, C.
  • Advances in forensic data acquisition
    Freiling, F.; GROß, T.; Latzo, T.; Müller, T.; Palutke, R.
  • 1997 Signature based password authentication method. Systems, man, and cybernetics, 1997 computational cybernetics and simulation
    Fung, G.S.; Lau, R.W.; Liu, J.N.A.
  • Organisational security culture: embedding security awareness, education and training
    Furnell, S.; Clarke, N.
  • Digital forensics research: the next 10 years
    Garfinkel, S.L.
  • On the security of cracking-resistant password vaults
    Golla, M.; Beuscher, B.; Dürmuth, M.
  • Taxonomy of challenges for digital forensics
    Karie, N.M.; Venter, H.S.
  • Modeling the adversary to evaluate password strength with limited samples
    Komanduri, S.
  • Human selection of mnemonic phrase-based passwords
    Kuo, C.; Romanosky, S.; Cranor, L.F.
  • Dictionary attack on wordpress: Security and forensic analysis
    Kyaw, A.K.; Sioquim, F.; Joseph, J.
  • Password security: a case history
    Morris, R.; Thompson, K.
  • Fast dictionary attacks on passwords using time-space tradeoff
    Narayanan, A.; Shmatikov, V.
  • Improving usability of passphrase authentication. Privacy, security and trust (PST)
    Nielsen, G.; Vedel, M.; Jensen, C.D.
  • Information security culture: a general living systems theory perspective
    Reid, R.; Van Niekerk, J.; Renaud, K.
  • Writing in the information age
    Ross, N.
  • Password contruction guidelines
  • Ethics in security research which lines should not be crossed?
    Schrittwieser, S.; Mulazzani, M.; Weippl, E.
  • User practice in password security: an empirical study of real-life passwords in the wild
    Shen, C.; Yu, T.; Xu, H.; Yang, G.; Guan, X.
  • The password life cycle: user behaviour in managing passwords
    Stobert, E.; Biddle, R.
  • Cracking more password hashes with patterns
    Tatli, E.I.
  • Added ‘!’at the end to make it secure”: observing password creation in the lab
    Ur, B.; Noma, F.; Bees, J.; Segreti, S.M.; Shay, R.; Bauer, L.; Christin, N.; Cranor, L.F.I.
  • Challenges in digital forensics
    Vincze, E.A.
  • The next domino to fall: empirical analysis of user passwords across online services
    Wang, C.; Jan, S.T.; Hu, H.; Bossart, D.; Wang, G.
  • Zxcvbn: low-budget password strength estimation
    Wheeler, D.L.
  • A comparison of password techniques for multilevel authentication mechanisms
    Zviran, M.; Haga, W.J.