Password Strength Is Not Password Security

Kevin Marino
November 11, 2013

MSCC697, Regis University

Professor Garcia

When password security is the topic of conversation, it generally focuses on how strong a password is and whether the user reuses it across multiple sites. While these aspects do affect password security, there are measures that the server side of the authentication process can implement to increase security without the user changing their habits. This approach would solve many of the security problems that authentication servers face. The goal of this study is to determine a set of best practices that can be implemented to increase security without the intervention of the user. While passwords may not be around forever, given the introduction of new authentication hardware, they will remain in use until one of these technologies becomes mainstream and readily available to the general public. These practices will offer greater security until that time comes.

User authentication today generally requires a user name and a password. Though the strength of the user's password is generally seen as the baseline for security, the authenticating server can implement security measures that compensate for weak passwords. One main factor motivating such measures is the advancement of brute-force attack techniques against passwords. These techniques make even random-character passwords that are strong by accepted standards susceptible to brute-force cracking (Gosney, 2013), at least when the server stores them under a fast hash. With the number of services requiring login credentials, usually including a password, the risk of account compromise grows, creating the need for more secure authentication techniques. There are a number of alternative authentication techniques, such as biometrics, certificates, and tokens; however, these are not within the scope of this problem.
Xiong, Jianwei, Muhammad, and Junguo (2013) offer a smart card based authentication scheme that is secure and very user friendly; however, their study does not account for the lack of smart card readers on client systems. Solutions of this kind require that user hardware be modified and that the server's current authentication scheme be changed to accommodate the new technology. The problem at hand is how to make minimal adjustments on the server side of the authentication process so that clients can use easy to remember, non-random passwords, considered weak by today's standards, while still increasing the security of the authentication process. The purpose of this research is to provide best practices regarding password security that, if adopted by authenticating entities, will allow their clients to use easy to remember passwords while decreasing the risk of compromise of the client's account.

There are a number of best practices with regard to password security on the client side, which studies have shown most users rarely follow. One of these is the use of unique passwords across multiple sites (Duggan, Johnson, & Grawemeyer, 2012; Campbell, Ma, & Kleeman, 2011; Brown, Bracken, Zoccoli, & Douglas, 2004), which may be the practice most ignored by users. Brown et al. (2004) estimate that two thirds of passwords are used across multiple accounts. These studies all document bad practices on the part of clients; however, they do not account for the practices used by attackers. Even the most complex password, by any measure of password strength, is no match for attack techniques that involve key-loggers and password sniffers (Stross, 2010), and against hardware that can execute 350 billion password guesses per second (Gosney, 2013) complexity only delays a brute-force attack. The Gosney (2013) attack is an offline attack, meaning that the password list has been retrieved from the authenticating server.
If the authenticating entity puts measures in place to properly safeguard this list, this threat can be avoided. Gosney's (2013) attack also depends heavily on the hashing algorithm used to store the passwords. The same system that performs 350 billion guesses per second against a fast hash can be reduced to fewer than 18 thousand guesses per second by changing the hashing algorithm. A 6-character password drawn from 94 possible characters can be guessed in half an hour under one hashing algorithm, while changing the algorithm stretches this to about 443 days. This is one simple change that the authenticating service can make to greatly increase the security of even simple passwords.

Thangavel and Krishnan (2010) address the issue of hashing. Their research shows the importance of choosing the proper hashing algorithm when storing passwords, which directly confirms the statements made above. However, Thangavel and Krishnan (2010) also suggest a scheme to help users with their bad habits: the authenticating server uses a random password generator to issue each user a password, and periodically issues a new one. The issue with this scheme is the memorability of the issued passwords. Users may be more likely to write them down or, worse, store them in a file on their computer along with all of their other issued passwords, completely negating the benefits gained from the scheme.

Stross (2010) discusses the differences in password requirements between different domains of sites. He notes a trend that the more sensitive the information, the more lax the password composition policy tends to be, which means that financial institutions will allow a weaker password than a social networking site. The suggested explanation for this phenomenon is that servers housing more sensitive data implement more password security measures of their own, rather than relying on the strength of the password for security.
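The following is an added example, not code from the essay or from any of the works it cites. It makes the two points of the paragraph above concrete: the keyspace arithmetic behind the guess-rate figures, and what "changing the hashing algorithm" looks like on the server, with a fast unsalted hash beside a salted, deliberately slow key derivation function. The essay names no specific algorithms; SHA-1 as the fast hash, PBKDF2-HMAC-SHA256 as the slow one, and the 100,000 iteration work factor are assumptions made here for illustration.

```python
"""Added example: how the stored-hash choice changes the cost of an offline
attack on a leaked password list. SHA-1, PBKDF2-HMAC-SHA256 and the
iteration count are assumed values chosen for this illustration."""
import hashlib
import hmac
import os
import time
from typing import Optional

PRINTABLE_ASCII = 94          # distinct characters an attacker must try per position
PBKDF2_ITERATIONS = 100_000   # assumed example work factor, not a figure from the essay


def keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def seconds_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst case for an offline attacker who tries every candidate of this length."""
    return keyspace(length) / guesses_per_second


def days_to_exhaust(length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(length, guesses_per_second) / 86_400


# --- the weak scheme: one fast, unsalted hash per password -------------------
def store_fast(password: str) -> str:
    """Unsalted SHA-1. Identical passwords collide across users, precomputed
    tables apply, and the hash runs billions of times per second on GPUs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# --- the hardened scheme: per-user random salt plus a slow KDF ---------------
def store_slow(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. The salt defeats precomputed tables and
    cross-user matching; the iteration count multiplies the attacker's cost
    per guess by the same factor it multiplies the server's cost per login."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record, so the work factor can be raised later per user.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def slowdown_factor(password: str = "correct horse", rounds: int = 5) -> float:
    """Rough, machine-dependent ratio: how many fast hashes fit in the time of
    one slow one. Order of magnitude only; real crackers run on GPUs."""
    start = time.perf_counter()
    for _ in range(rounds):
        store_slow(password, salt=bytes(16))
    slow = (time.perf_counter() - start) / rounds

    fast_rounds = 20_000
    start = time.perf_counter()
    for _ in range(fast_rounds):
        store_fast(password)
    fast = (time.perf_counter() - start) / fast_rounds
    return slow / fast


if __name__ == "__main__":
    print(f"6-char keyspace: {keyspace(6):,} candidates")
    print(f"  at 350e9 guesses/s: {seconds_to_exhaust(6, 350e9):.1f} s")
    print(f"  at 18e3 guesses/s:  {days_to_exhaust(6, 18_000):.1f} days")
    record = store_slow("sunshine1")
    print("stored record:", record)
    print("verify correct:", verify_slow("sunshine1", record))
    print("verify wrong:  ", verify_slow("sunshine2", record))
    print(f"slow/fast cost ratio on this machine: about {slowdown_factor():,.0f}x")
```

Running the arithmetic shows that the 443-day figure in the text corresponds to exhausting the six-character keyspace (about 6.9 × 10^11 candidates) at 18 thousand guesses per second, whereas at 350 billion guesses per second the same keyspace is exhausted in about two seconds; the half-hour figure therefore describes a hash slower than the one behind the 350 billion rate, not that rate itself. Note also that `verify_slow` reads the iteration count back from the record, which is what lets a service raise the work factor for each user at their next login instead of all at once.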
Tam, Glassman, and Vandenwauver (2010) explore the reasons why users ignore good password behaviors. Their study shows that users are aware of what is good and bad with regard to password security and choose bad practices anyway, because they perceive the risk of their account being compromised as very low. Since users choose bad password practices knowingly, it can be assumed that educating them further on the risks will make little difference. For this reason, it falls to the authenticating entity to secure its users' information and thereby provide a better experience for them.

It has been shown that websites vary greatly from one another with regard to password policies (Furnell, 2007). Some allow shorter passwords while others require longer passwords with a mix of alphanumeric characters, and they also differ in their password recovery schemes. The majority of the websites in the study would send a link to the user's email address to allow the user to reset their password (Furnell, 2007). This scheme is especially dangerous, as a compromised email account could lead to numerous other accounts being compromised, even if the user follows good password practices. Brown et al. (2004) found that users draw on personal information when generating passwords, such as birth dates, information about family members and significant others, and pet names. This makes passwords very easy for the user to remember, but it also makes them easier to guess, increasing the risk to users' accounts through social engineering and opening the door to cross-site impersonation attacks, since all of the user's passwords are related to the same personal information. Brown et al. (2004) also found that users forget their passwords for infrequently accessed accounts, which increases the need for secure password recovery policies, the opposite of what Furnell (2007) found in practice.
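As an added example (not code from the essay or from Furnell's study), here is what a server can do about the recovery scheme flagged above: the emailed link carries a random, single-use, short-lived token, and the server stores only a hash of it, so a copy of the reset table is as useless to an attacker as a copy of a properly hashed password table, and a link captured after the fact cannot be replayed. The 15-minute lifetime, the one-live-token-per-account rule and the class and method names are assumptions made for this example. The caveat in the paragraph still stands: none of this helps if the attacker controls the mailbox at the moment the link arrives.

```python
"""Added example: server-side handling of password reset tokens. Lifetime,
storage layout and names are assumptions for illustration."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link


def token_digest(token: str) -> str:
    """Only this value is written to storage, never the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Outstanding reset tokens, keyed by token hash.

    `now` is injectable so expiry can be exercised without sleeping."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._by_hash: Dict[str, Tuple[str, float]] = {}   # hash -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        """Mint the token that goes into the emailed link. Any earlier token
        for the same user is revoked, so only one link is ever live."""
        self.revoke_all(user_id)
        token = secrets.token_urlsafe(32)                  # 256 bits from the OS CSPRNG
        self._by_hash[token_digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Consume a token. Returns the owning user_id exactly once, and only
        before expiry; every other outcome returns None. The dict lookup is
        not constant-time, which is acceptable here because the token is
        unguessable and stored only as a hash."""
        entry = self._by_hash.pop(token_digest(token), None)   # single use, whatever follows
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id

    def revoke_all(self, user_id: str) -> None:
        """Call on issue and after any successful password change."""
        stale = [h for h, (uid, _) in self._by_hash.items() if uid == user_id]
        for h in stale:
            del self._by_hash[h]

    def outstanding(self, user_id: str) -> int:
        return sum(1 for uid, _ in self._by_hash.values() if uid == user_id)


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")
    print("email link: https://example.invalid/reset?token=" + link_token)
    print("first use:", store.redeem(link_token))   # alice
    print("replay:   ", store.redeem(link_token))   # None
```

The caller that receives a non-None user id from `redeem` sets the new password (hashed as in the previous example) and calls `revoke_all` for that user; a service should also keep `issue` behind the same rate limiting it applies to login, since the reset endpoint is otherwise a free way to flood a victim's inbox.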

Restrictive composition policies are a common practice among authenticating entities to enforce good password practices on their users. However, Campbell et al. (2011) state that these policies have no effect on user behavior. Such policies only slow down brute-force attacks, and with the increase in password cracking power shown by Gosney (2013) they do not slow the attack down enough. Campbell et al. (2011) also note that these policies do not actually increase the security of the system, and that system administrators should not rely on them alone for security. Campbell et al. (2011) suggest that a study of this nature be conducted to assist system administrators in making the best choices with regard to password security.

Acar, Belenkiy, and Kupcu (2013) suggest an authentication scheme that would allow clients to maintain a single password for all of their accounts which, if discovered, would still prevent attackers from accessing other accounts through cross-site impersonation. This scheme alone could address the problem posed by this research. Its major drawback is that it requires the client to use a cloud service or a secondary device, and so demands a change of habit by the user. The scope of this research is to determine best authentication practices that affect only the server side, require no change by the user, and make password creation and recall easier for the user. While there are many problems with user password habits, there are things that the authenticating entity can implement to compensate for some of these shortcomings. It has been shown that choosing the correct hashing algorithm can greatly increase the security of simple passwords; this is just one measure that can be implemented to compensate for user habits.
There has been a great deal of research and reporting on what users can do to increase the security of their accounts; however, Campbell et al. (2011) and Tam et al. (2010) have effectively shown that users choose to keep bad habits. If the user is not going to put forth the effort to increase their own security, then it is the responsibility of the service provider to protect its customers. This area of password security has received little attention. There are numerous studies that focus on users and their behaviors and on securing the password during transmission, but little work has been published on best practices for authenticating servers. It has been noted that sites holding more sensitive information often require weaker passwords than sites protecting less sensitive information, but little has been done to explain this phenomenon. This work will fill that gap in the knowledge base of authenticating server security. Even though it is quite possible that passwords will be replaced in the future by some other authentication technique, smart cards or biometrics among them, this work will provide increased security until that time comes.

References
Acar, T., Belenkiy, M., & Kupcu, A. (2013). Single password authentication. Computer Networks, 57(13), 2597-2614. doi:10.1016/j.comnet.2013.05.007

Brown, A., Bracken, E., Zoccoli, S., & Douglas, D. (2004). Generating and remembering passwords. Applied Cognitive Psychology, 18, 641-651. doi:10.1002/acp.1014

Campbell, J., Ma, W., & Kleeman, D. (2011). Impact of restrictive composition policy on user password choices. Behaviour & Information Technology, 30(3), 379-388. doi:10.1080/0144929X.2010.492876

Duggan, G., Johnson, H., & Grawemeyer, B. (2012). Rational security: Modelling everyday password use. International Journal of Human-Computer Studies, 70, 415-431. doi:10.1016/j.ijhcs.2012.02.008

Furnell, S. (2007). An assessment of website password practices. Computers & Security, 26, 445-451.

Gosney, J. (2013, December). Password cracking HPC. In Passwords^12 Security Conference.

Stross, R. (2010, September 5). A strong password isn't the strongest security. The New York Times, p. BU3.

Tam, L., Glassman, M., & Vandenwauver, M. (2010). The psychology of password management: A tradeoff between security and convenience. Behaviour & Information Technology, 29(3), 233-244. doi:10.1080/01449290903121386

Thangavel, T. S., & Krishnan, A. (2010). Efficient secured hash based password authentication in multiple websites. International Journal on Computer Science & Engineering, 2(5), 1846-1851.

Xiong, L., Jianwei, N., Muhammad, K. K., & Junguo, L. (2013). An enhanced smart card based remote user password authentication scheme. Journal of Network & Computer Applications, 36(5), 1365-1371. doi:10.1016/j.jnca.2013.02.034
