MURAL - Maynooth University Research Archive Library



    Improving Authentication for Users via Better Understanding Password Use and Abuse


    Murray, Hazel (2021) Improving Authentication for Users via Better Understanding Password Use and Abuse. PhD thesis, National University of Ireland, Maynooth.


    Abstract

    Passwords are our primary form of authentication. Yet passwords are a major vulnerability for computer systems due to their predictable nature; in fact, Florêncio et al. conclude that human limitations make what is often considered to be “proper password use” impossible [52]. It is vital we improve authentication with respect to both security and usability. The aim of this research is to investigate password use and abuse in order to improve authentication for users. We investigate circulated password advice that claims to help in this security fight. We find that it is contradictory, often at odds with best practice and research findings, and can be ambiguous and taxing on users. We complete a user study investigating user and administrator perceptions of the password advice collected. We leverage knowledge of security benefits, usability and organisation costs to investigate the trade-offs that exist when security advice is enforced. To improve password systems, effective and accurate information is needed regarding the prevalence of security vulnerabilities. We develop a guessability metric which produces guessing success results that are independent of the underlying distribution of the data. We use this to prove that small password breaches can lead to major vulnerabilities for entire cohorts of other users. We also demonstrate that a tailored learning algorithm can actively learn characteristics of the passwords it is guessing, and that it can leverage this information to improve its guessing. We demonstrate that characteristics such as nationality can be derived from data and used to improve guessing; this reduces security in an online environment and potentially leaks private information about cohorts of users. Finally, we design models to quantify the effectiveness of security policies. We demonstrate the value of the NIST 2017 guidelines. We find that if an organisation is willing to bear costs on themselves, they can significantly improve usability for their end-users, and simultaneously increase their security.
    Item Type: Thesis (PhD)
    Keywords: Improving Authentication; Users; Password Use and Abuse;
    Academic Unit: Faculty of Science and Engineering > Mathematics and Statistics
    Item ID: 14880
    Depositing User: IR eTheses
    Date Deposited: 01 Oct 2021 15:21
    URI: https://mu.eprints-hosting.org/id/eprint/14880
    Use Licence: This item is available under a Creative Commons Attribution Non Commercial Share Alike Licence (CC BY-NC-SA).
