Murray, Hazel (2021) Improving Authentication for Users via Better Understanding Password Use and Abuse. PhD thesis, National University of Ireland, Maynooth.
Preview
Thesis__Improving_Authentication_for_Users_via_Better_Understanding_of_Password_Use_and_Abuse (1).pdf
Download (7MB) | Preview
Abstract
Passwords are our primary form of authentication. Yet passwords are a major
vulnerability for computer systems due to their predictable nature, in fact Florêncio
et al., conclude that human limitations makes what is often considered to be
“proper password use” impossible [52]. It is vital we improve authentication with
respect to both security and usability. The aim of this research is to investigate
password use and abuse in order to improve authentication for users.
We investigate circulated password advice that claims to help in this security fight.
We find that it is contradictory, often at odds with best practice and research
findings, and can be ambiguous and taxing on users. We complete a user study
investigating user and administrator perceptions of the password advice collected.
We leverage knowledge of security benefits, usability and organisation costs to
investigate the trade-offs that exist when security advice is enforced.
To improve password systems, effective and accurate information is needed regarding
the prevalence of security vulnerabilities. We develop a guessability metric
which produces guessing success results that are independent of the underlying distribution
of the data. We use this to prove that small password breaches can lead
to major vulnerabilities to entire cohorts of other users. We also demonstrate that
a tailored learning algorithm can actively learn characteristics of the passwords
it is guessing, and that it can leverage this information to improve its guessing.
We demonstrate that characteristics such as nationality can be derived from data
and used to improve guessing, this reduces security in an online environment and
potentially leaks private information about cohorts of users.
Finally, we design models to quantify the effectiveness of security policies. We
demonstrate the value of the NIST 2017 guidelines. We find that if an organisation
is willing to bear costs on themselves, they can significantly improve usability for
their end-users, and simultaneously increase their security.
Item Type: | Thesis (PhD) |
---|---|
Keywords: | Improving Authentication; Users; Password Use and Abuse; |
Academic Unit: | Faculty of Science and Engineering > Mathematics and Statistics |
Item ID: | 14880 |
Depositing User: | IR eTheses |
Date Deposited: | 01 Oct 2021 15:21 |
URI: | https://mu.eprints-hosting.org/id/eprint/14880 |
Use Licence: | This item is available under a Creative Commons Attribution Non Commercial Share Alike Licence (CC BY-NC-SA). Details of this licence are available here |
Repository Staff Only (login required)
Downloads
Downloads per month over past year