PASSWORD STRENGTH ANALYSIS: COPING MECHANISMS IN PASSWORD SELECTION
Brian Curnett and Teri Flory, Masters Students
The Center for Education and Research in Information Assurance and Security
CURRENT STATUS

Problem Statement
Stringent requirements in password policies lead to coping mechanisms in users when creating passwords. These coping mechanisms decrease the strength of the passwords created, and the question is whether this decreases the security sought by creating a strict policy.

Motivation
• Passwords are the most commonly used authentication measure
• Often require frequent modification
• Predominantly, studies in the past have reviewed how hard or easy it is to crack a password
• Most studies have ignored or only minimally focused on the issue of user coping mechanisms
• Only a few studies have looked at how modification of passwords over time affects coping mechanisms or password strength
ENTROPY: WHAT IS ENTROPY?
• A calculation used by NIST to determine the strength of a password.
• Points are assigned based upon specific factors of a password or password policy
• Factors
  • Length of password
  • Use of non-alphabetic characters
  • Use of capital letters
  • Use of a dictionary
DESIGN OF STUDY
• Participants log in to the Mechanical Turk website and choose the HIT
• Open the HIT and click on the link to the website
• Upon arrival, the participant is assigned a password policy (that follows the participant throughout the study)
• User creates a password and then completes a survey
• User logs in every week for 7 weeks
• Every week the user is required to change the password
• After creating the password, the user takes a short survey
  • First is demographic
  • Second through sixth are filler questions about info sec
  • Seventh is about specific coping mechanisms used throughout the study
COLLECTION OF DATA FROM WEBSITE
Data is automatically stored in a MySQL database, from which it can be downloaded as a .csv file and opened in Excel or analyzed in a statistical analysis package like SAS.
COPING MECHANISMS IDENTIFIED: ANALYSIS OF COPING MECHANISMS IN USER-CREATED PASSWORDS

Coping Mechanism Identified: Decrease in Entropy
A. Repeating digits within the same password: divide actual entropy by the number of repeats
B. Repeating passwords across time: subtract entropy for the portion repeated
C. Incrementing numbers across time: decrease entropy by 6 (entropy gained by adding non-alphanumeric characters)
D. Repeating non-alphabetic or capital letters: decrease entropy by 6 (entropy gained by adding non-alphanumeric characters)
E. Changing a letter from lowercase to capital, but keeping the same word across time: subtract entropy for the word, but maintain the increase of 6 for the capital letter
F. Capital letter first or number/special character last: decrease entropy by 6 (entropy gained by adding a non-alphanumeric character or capital letter)
POLICIES

COMPREHENSIVE 8
-At least 8 characters
-At least one lower case character
-At least one capital letter
-At least one number
-At least one special character

BLACKLIST HARD
-At least 8 characters
-No English words

BASIC 16
-At least 16 characters long
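The NIST entropy rules of the ENTROPY slide, the three policies above and the deductions of the COPING MECHANISMS IDENTIFIED table, worked through in Python as an added example (this is not the study's own code). The length rule is the one in NIST SP 800-63 Appendix A (4 bits for the first character, 2 bits each for characters 2 to 8, 1.5 bits each for 9 to 20, 1 bit each after that, plus 6 bits for a composition rule and 6 bits for a dictionary check), which reproduces the 24, 24 and 30 bit policy values the deck reports. How each one-line mechanism description becomes a detector (the longest run of one digit for A, a shared substring of at least three characters for B, the trailing number increasing by one for C, and so on) is this example's own reading of the table and is marked as an assumption in the comments; the sample passwords are constructed.

```python
"""NIST SP 800-63 Appendix A style password entropy plus the coping-mechanism
deductions from the study's table (added example, not the study's own code)."""
import re


def nist_entropy(length: int, composition: bool = False, dictionary: bool = False) -> float:
    """Bits per NIST SP 800-63 Appendix A: 4 bits for the first character,
    2 bits each for characters 2-8, 1.5 bits each for 9-20 and 1 bit each after
    that; +6 bits when the policy enforces composition rules (upper case and
    non-alphabetic characters) and +6 bits for a dictionary/blacklist check.
    Assumption: the dictionary bonus is a flat 6 bits, which is right for the
    8-character BlacklistHard policy here (NIST tapers it off for longer ones)."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * (min(length, 8) - 1)
    bits += 1.5 * max(0, min(length, 20) - 8)
    bits += 1.0 * max(0, length - 20)
    if composition:
        bits += 6.0
    if dictionary:
        bits += 6.0
    return bits


# The study's three policies: (minimum length, composition rule, dictionary rule)
POLICIES = {
    "Comprehensive8": (8, True, False),
    "BlacklistHard": (8, False, True),
    "Basic16": (16, False, False),
}


def policy_entropy(policy: str) -> float:
    """Entropy NIST credits a policy with (its minimum-length password)."""
    min_len, comp, dic = POLICIES[policy]
    return nist_entropy(min_len, comp, dic)


def password_entropy(pw: str, policy: str) -> float:
    """Entropy of an actual password created under a policy."""
    _, comp, dic = POLICIES[policy]
    return nist_entropy(len(pw), comp, dic)


def _longest_common_substring(a: str, b: str) -> int:
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best


def _last_number(s: str):
    m = re.search(r"(\d+)(?!.*\d)", s)
    return int(m.group(1)) if m else None


def coping_mechanisms(pw: str, prev: str = None):
    """Detect mechanisms A-F of the table for a password and, when given, the
    previous week's password. Returns (divisor, [(label, bits_to_subtract)]).
    Assumption: each one-line table description is turned into a heuristic
    detector as commented below; the study's own scoring rules are not shown."""
    subs = []
    divisor = 1
    # A: repeated digits within the same password; the longest run of one digit
    # is taken as "the number of repeats" to divide by
    runs = [len(m.group()) for m in re.finditer(r"(\d)\1+", pw)]
    if runs:
        divisor = max(runs)
    # D: a non-alphabetic or capital character repeated back to back ("!!", "AA")
    if re.search(r"([^a-z0-9])\1", pw):
        subs.append(("D", 6.0))
    # F: capital letter first or number/special character last
    if pw[:1].isupper() or (pw[-1:] and not pw[-1].isalpha()):
        subs.append(("F", 6.0))
    if prev is not None:
        base = nist_entropy(len(pw))  # length bits only, no policy bonuses
        if pw != prev and pw.lower() == prev.lower():
            # E: same word, only the case changed: the word's bits go, the +6 stays
            subs.append(("E", base))
        elif (k := _longest_common_substring(pw, prev)) >= 3:
            # B: part of the old password reused (3+ characters assumed): subtract
            # the bits those k characters contributed under the length rule
            subs.append(("B", base - nist_entropy(len(pw) - k)))
        n_prev, n_now = _last_number(prev), _last_number(pw)
        if n_prev is not None and n_now == n_prev + 1:
            subs.append(("C", 6.0))  # C: trailing number incremented across time
    return divisor, subs


def post_coping_entropy(pw: str, policy: str, prev: str = None) -> float:
    """Password entropy after the table's deductions, floored at zero."""
    divisor, subs = coping_mechanisms(pw, prev)
    bits = password_entropy(pw, policy) - sum(b for _, b in subs)
    return max(0.0, bits / divisor)


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name}: NIST policy entropy {policy_entropy(name)} bits")
    # constructed sample: week 1 and week 2 passwords of one participant
    print(post_coping_entropy("Summer2019!", "Comprehensive8"))
    print(post_coping_entropy("Summer2020!", "Comprehensive8", prev="Summer2019!"))
```

Run as a script, the policy values come out as 24, 24 and 30 bits, matching the NIST Entropy row of the practice-password table. The two constructed passwords show why week-over-week scoring matters: "Summer2019!" under Comprehensive8 keeps 22.5 of its 28.5 bits (only F fires), but changing it to "Summer2020!" the next week triggers B, C and F together and leaves 2 bits, which is the kind of loss the study's post-coping entropy is meant to capture.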
SURVEY QUESTIONS: DEMOGRAPHIC AND COPING MECHANISMS USED*

DEMOGRAPHIC QUESTIONS
1. Gender
2. Age
3. Was English first language
4. Race
5. Marital status
6. Ethnicity
7. Education level attained
8. Primary occupation
9. Income level

COPING MECHANISMS USED
1. Did you use the same password here that you use on another account
2. Did you use a similar password here that you use on another account (with def'n of similar)
3. Did you write down your password (when and why)
4. Did you use personal info when creating your password
5. Were you frustrated with the password policy
6. What type of device did you use to access this study
7. In previous experience with passwords, have you ever been frustrated by a policy
8. Does having to change your password often frustrate you
9. How many accounts do you have with passwords
10. Have you ever written down a password
11. Have you ever used the same password for different accounts

*The actual questions used in the survey are available upon request
SURVEY QUESTIONS: FILLER QUESTIONS ON INFOSEC*
1. Were you affected by the Home Depot breach
2. Do you subscribe to Wired magazine
3. Do you read terms of service policies
4. Do you regularly back up your computer system
5. Are you more concerned with your financial data or health data
6. Are you familiar with Stuxnet
7. What computer operating system do you use
8. Are you concerned about cybercrime
9. Are you able to recognize spam
10. Are you concerned about identity theft
11. Have you ever heard of Stop, Think, Connect
12. Have you heard of Stop, Drop, and Roll

*The full list of questions is available upon request
PROPOSED DATA ANALYSIS CONDUCTED ON PRACTICE PASSWORDS

                           Comprehensive8    BlacklistHard    Basic16
N                          33                34               37
NIST Entropy               24                24               30
Mean Entropy               29.31             29.69            38.79
Standard Deviation         6.09              3.80             6.52
Confidence Interval (95%)  (27.16, 31.48)    (28.37, 31.02)   (37.91, 42.25)
Post Coping Entropy        25.86             28.93            34.68
PRACTICE DATA ENTROPY ANALYSIS
[Bar chart: NIST Entropy, Mean Entropy and Post Coping Entropy for the Basic16, BlacklistHard and Comprehensive8 policies; horizontal axis from 0 to 50 bits]
Interesting Note: All post coping entropy calculations are greater than the NIST entropy for each policy
ANALYSIS

Within Policy, Within Week
-NIST entropy of each password
-Average NIST Entropy at each Week across participants
-Confidence Interval of entropy at each week
-Post Coping Entropy
-Entropy loss from coping mechanisms at Week
-ANOVA test of Post Coping Entropy against NIST policy entropy
-ANOVA test of Post Coping Entropy against NIST average entropy at each week

Within Policy, Across Weeks
-Average of NIST Entropy for each participant
-Confidence Interval of entropy for policy
-Average of Entropy Loss per week
-Sum of Entropy Loss per user
-Confidence Interval of Entropy loss of all users per policy
-ANOVA test of Post Coping Entropy against NIST average entropy
-Does Entropy change each week independently of the policy

Across Policies, Within Weeks
-ANOVA and Tukey test of Post Coping Entropy against NIST average entropy
-Do different policies lose entropy through coping mechanisms at different points in the password change cycle?

Across Policies, Across Weeks
-ANOVA and Tukey test of Post Coping Entropy against NIST average entropy
-Does one of our policies provide a more effective protection than the others?
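Two of the planned computations above, the per-user sum of weekly entropy loss and the one-way ANOVA across policies, shown as an added Python example (not the study's analysis code, which would normally run in SAS). The ANOVA is computed by hand from the between- and within-group sums of squares so it runs without SciPy; the entropy values in SAMPLE are constructed for illustration and are not the study's data. The Tukey post-hoc test the plan mentions needs the studentized range distribution and is not reproduced here.

```python
"""One-way ANOVA by hand for the across-policies comparison of post-coping
entropy, plus per-user entropy loss (added example, not the study's code;
all numbers below are constructed)."""


def one_way_anova(groups):
    """F statistic for k groups of observations, from the between-group and
    within-group sums of squares. Returns (F, df_between, df_within).
    The p-value is the upper tail of F(df_between, df_within), for example
    scipy.stats.f.sf(F, df_between, df_within) where SciPy is available."""
    k = len(groups)
    n = sum(len(g) for g in groups)
    grand_mean = sum(sum(g) for g in groups) / n
    means = [sum(g) / len(g) for g in groups]
    ss_between = sum(len(g) * (m - grand_mean) ** 2 for g, m in zip(groups, means))
    ss_within = sum((x - m) ** 2 for g, m in zip(groups, means) for x in g)
    df_between, df_within = k - 1, n - k
    f_stat = (ss_between / df_between) / (ss_within / df_within)
    return f_stat, df_between, df_within


def entropy_loss_per_week(weekly_entropy, weekly_post_coping):
    """Entropy lost to coping mechanisms in each week for one participant and
    its sum over the study (the plan's 'Sum of Entropy Loss per user')."""
    losses = [e - p for e, p in zip(weekly_entropy, weekly_post_coping)]
    return losses, sum(losses)


# Constructed post-coping entropies (bits) of three participants per policy
# for a single week; replace with the real per-week values from the database
SAMPLE = {
    "Comprehensive8": [24.0, 26.0, 28.0],
    "BlacklistHard": [28.0, 30.0, 32.0],
    "Basic16": [32.0, 34.0, 36.0],
}

if __name__ == "__main__":
    f_stat, df_b, df_w = one_way_anova(list(SAMPLE.values()))
    print(f"F({df_b}, {df_w}) = {f_stat:.2f}")
    # constructed weekly NIST entropy and post-coping entropy for one participant
    losses, total = entropy_loss_per_week([28.5, 28.5, 30.0], [22.5, 2.0, 24.0])
    print(losses, total)
```

With the constructed sample the test gives F(2, 6) = 12, a large between-policy spread relative to the within-policy scatter; the same function applied week by week to the real post-coping entropies answers the "at different points in the password change cycle" question of the Across Policies, Within Weeks cell.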
PROGRESS: INSTITUTIONAL REVIEW BOARD AND MECHANICAL TURK
• IRB
  • Approval received
• Mechanical Turk
  • Results of first HIT published
  • Restrictions on allowed Workers for first HIT
• IRB Amendment
  • Approval just received
• Mechanical Turk
  • Next step is to reenter information and fax a copy of driver's license for validation
WORK REMAINING: FINAL REPORT AND PRESENTATION
• Upon IRB Amendment Approval…
  • Collect Data on Mechanical Turk
  • Analyze Data collected
• Continue to work on reconciling Amazon Mechanical Turk validation problem

QUESTIONS, COMMENTS, OR SUGGESTIONS?