
CT876: Research Project

A more user-friendly password method would allow users to generate passwords that are more resistant to cracking than present standards

Mohannad Al-ahmadi: 12232198

1 Introduction
At present, most people use weak passwords to secure entry to their online
accounts and re-use the same password across multiple accounts. These "Eye-of-
Newt" passwords (see section 2.5) are an insecure, dated way of keeping client
information secret [1].

With the right tools, passwords can be easily cracked, stolen or guessed [2], and
once someone's username and password have been stolen, that person's entire
digital identity is vulnerable. The attacker instantly acquires all the privileges of
the victim, gaining access to sensitive information or financial details.

All this can happen without the victim being aware that his or her password has
been compromised and, if the attacker is careful, no one may ever know that an
attack has even happened.

For users, this means confidential information can be used, changed or distributed
by unknown parties without the alarm being raised. Most people have a poor
understanding of how vulnerable their accounts are. With current password
practices, individuals re-use the same credentials each time they log in, and those
credentials are compared against a password database, which is typically stored on
the company's system.

The password can be acquired either by snooping on the user's network connection
or by hacking the system's password file. Additional approaches are conventional
shoulder surfing, guesswork and key logging. Passwords are typically stored in an
encrypted or 'hashed' format, but powerful password crackers now exist.

The aim of our research is to find an alternative method of knowledge-factor
authentication that provides better security and resistance to hacking, but is also
easy for consumers to adopt and use.

Our hypothesis is:
"A more user-friendly password method would allow users to generate
passwords that are more resistant to cracking than present standards."

We hope, from our research, to identify a system that satisfies the needs and
preferences of users and service providers. This means minimizing the presumed
trade-off between security and ease of use.

We will outline several password formats and mathematically analyze their security
and cracking resistance. We will also survey internet consumers and interpret the
results as a measure of usability.

2 Literature Review
2.1 Authentication Factors
Authentication takes three basic forms:

1. Knowledge Factor
2. Possession Factor
3. Inherence Factor

The Knowledge Factor is the most common authentication mechanism and centres on
something that only the user or, in some circumstances, a certain group knows.
Passwords, PINs and patterns are all authentication methods based on the
knowledge factor. It is used on nearly every account and service, on and off the
internet. Even where other authentication factors are used, there is often still a
knowledge component to security. In this project we focus only on the knowledge
factor as it is the most widely used form of authentication [27].

The Possession Factor is based on the user having an item which can be used for
authentication. There are a wide range of items that can be used for authentication.
Obviously a system that uses the possession factor as authentication relies on the
user protecting the item and not losing it or having it stolen. The following are a few
examples of items that are currently being used for authentication on systems.

USB Tokens: These are USB memory devices which can be used for authentication.
Security certificates and user data are stored on the USB memory stick. The USB
device is plugged into the USB port of the system which requires authentication of
the user, and the system reads the information on the device. The problem with
using a plain memory device for authentication is that the information can be easily
copied from it.
Smart Cards: A fairly common method of authentication used mainly by financial
institutions, smart cards are user-unique account references, similar in size to credit
cards. There are two types of smart card. One type requires contact between the
gold contacts on the card and the reader. The other type, known as proximity cards,
doesn't require any contact and can be used within a certain specified distance from
the reader. An RFID chip embedded in the plastic of proximity cards allows them to
work. Generally these smart cards are used along with another factor of
authentication such as a PIN. One of the main disadvantages of smart cards is that
the card readers can be very expensive. The cards can also be damaged very easily
and stop working.
Display Tokens: These are pocket-sized tokens with an electronic display. The
display shows a password which changes after a specified time, so the password is
constantly changing. The user must read the current password from the token and
enter it into the system in order to gain access. Some of the advantages of these
display tokens are that they don't require an electronic interface or drivers and they
generally come with some level of copy protection.
Magnetic Stripe Cards: Magnetic stripe cards have been largely replaced by smart
cards because they can be easily cloned [3]. The user information is stored on a
magnetic stripe on the card, and this information can be easily copied, which is one
of the main reasons why magnetic stripe cards are being replaced by smart cards.
Mobile Phones: Mobile phones are being used in a number of different ways for
authentication. One-time passwords can be sent to the user's mobile phone via SMS.
The user then enters the password into the system. Users can also download
specially designed applications for their smart phones which can be used for
authentication on some systems.
These are just some of the items which a user can use for authentication.

The Inherence Factor utilizes something that the user is. This involves biometric
authentication. A biometric is "a measurable physiological and/or behavioral trait
that can be captured and subsequently compared with another instance at the time
of verification" [4]. Biometric authentication includes fingerprint, voiceprint and iris
scan. These can be used all together or separately. A lot of users don't like using
biometric authentication as they don't like their personal physical features being
recorded. The main disadvantage of Inherence Factor authentication is that users
cannot change their biometric information should it be mechanically copied by an
unauthorized entity. The advantage of biometric authentication is that it cannot be
lost, nor can it be stolen as easily as the other two authentication factors.

2.2 Web Password Habits
A large study of half a million users over a three month period focused on their web
password habits. This research was carried out by Dinei Florencio and Cormac
Herley of Microsoft Research in 2006. The users' password habits were recorded by
an optional component which came with the Windows Live Toolbar. A total of
544,960 users had activated this component by 10/01/2006. The data collected over
the three month study period revealed some very interesting details about user
password habits. The study was designed to measure quantities such as:

Average number of passwords.
Average number of accounts each user has.
How many passwords the user types each day.
How often passwords are shared amongst sites.
Password Strength.
The types and lengths of passwords.
How they vary by site.
The data was stored in two different lists. The Protected Password List (PPL)
contained the password hash, the full URL of the receiving server, the bit-strength of
the password, the current time and minutes since both the first and last time that
the password was sent to that server. The other list was called the Password Re-use
Event (PRE) and contained the following:

The current URL.
All the URLs previously associated with the password
Time since last login at each URL.
Time since first login at each URL.
The password strength.
Number of entries in the PPL and number of PREs filed by the client.
Number of unique passwords used by this client.
The age of the client.
Florencio and Herley identified some limitations of their study and outlined these in
their report. These included:

User may type passwords from more than one computer.
More than one user might be signing into various online accounts using the same
Windows session.
If a user chooses a password that is a common word a Password Re-use Event will be
generated every time they type that word.
There will be a bias towards sites maintained by Microsoft since the component was
contained in a Windows Toolbar.
Users who downloaded the windows toolbar can be expected to be more active
than the general web using population.

The results of the study gave a great insight into people's habits when it comes to
passwords. There were approximately 6400 activations of the component per day. It
was found that the average number of sites sharing the same password is 5.67. This
confirms the idea that in general users have a handful of passwords which they
reuse, and that they don't create new passwords for each web account that they
create. On average users have 25 accounts that require passwords, and a typical user
types on average just over 8 passwords per day. The authors used a bit-strength
measure to gauge how strong each password was. The bit strength of a password
was calculated using the following formula:

$\log_2\big((\text{alphabet size})^{\text{password length}}\big)$

It was found that users chose passwords with an average bit strength of 40.54 bits.
The study also showed that about 20% of all passwords were purely numeric and
had no letters in them at all.

2.3 Types of Attack
Since passwords are used to protect sensitive and valuable information about users,
the hacking community has extensively developed procedures to facilitate password
recovery. This section of the project covers the different types of attack that a
password can come under and explains how they work. It is important to be familiar
with these types of attacks in order to better protect yourself against them.

Password Guessing
The most common type of attack is password guessing. Even within password
guessing there are a number of different methods of carrying it out. Password
guessing can be made easier if the attacker is familiar with the target user or if the
attacker can gather some basic information about the target user. There are many
different tools available for password guessing such as Hydra. Hydra can be used for
guessing all kinds of passwords including Windows and HTTP logons. It automates
the process of typing password after password which greatly reduces the amount of
effort required by the attacker.

Brute Force
Brute force is the most certain method of password guessing, but it is also the most
time consuming. It involves trying every possible combination of characters, given a
maximum password length and a character set. It gets exponentially more difficult
to crack a password by brute force every time the password length is increased by
one character. Once a password passes a certain length it may not be feasible for
the attacker to crack it, as it may not be worth the time needed. Brutus is a program
which can be used to carry out these brute force attacks [5]. Brutus works online,
trying to break telnet, POP3, FTP, HTTP, RAS or IMAP logins by simply trying to log
in as a legitimate user. A lot of companies use Brutus to attack their own systems in
order to gauge how good their security is and whether it needs to be improved.

Dictionary Attack
Dictionary attacks are based on the assumption that passwords are mostly made up
of whole words and numbers found in a dictionary. Unlike the brute force attack,
the dictionary attack only tries the possibilities most likely to succeed, drawn from
a set of words such as the English dictionary. Dictionary attacks are generally more
successful against short, simple passwords made up of one word [6]. A plain
dictionary attack can sometimes be beaten by simply adding a random character in
the middle of the one-word password, although the hybrid rules described below
are designed to catch exactly such modifications. John the Ripper is a program that
uses the dictionary attack as well as brute force. It is one of the most popular
password cracking programs available, partly because it comes with a large set of
wordlists already included. John the Ripper runs on fifteen different platforms and
was developed by Russian security specialist Alexander Peslyak [7].

Hybrid Guessing
This form of password attack was developed to deal with systems that impose rules
to ensure that users make stronger passwords rather than using simple one-word
passwords. Most hybrid guessing tools mix uppercase and lowercase characters and
add numbers and special characters to candidate passwords. Some hybrid guessing
tools even slightly misspell words and try them as passwords. John the Ripper, as
mentioned above, is a tool which uses hybrid guessing. Another program, Cain &
Abel, can also carry out hybrid guessing attacks. Cain & Abel is a password recovery
tool designed for Microsoft operating systems [8].

Password Resetting
Sometimes it can be a lot easier for the attacker to reset the target user's password
rather than trying to guess it. An attacker with physical access often needs only a
boot CD in order to gain access to a person's laptop or PC. A lot of websites only
require a number of security questions to be answered correctly before the
password can be reset, and these security questions are often based on very basic
information about the target user. Password resetting can attract unwanted
attention for the attacker, as the target user will notice that the password has been
changed the next time they try to log on.

Password Cracking
Password cracking is the process of obtaining a password hash and recovering the
plaintext that produced it. Because a hash cannot be reversed, this is done by
guessing, and a number of tools are involved: extractors for obtaining hashes,
password sniffers to capture authentication information, and rainbow tables for
looking up plaintext passwords. Hash guessing involves extracting the password
hash and then trying to find the password that produces it. Pwdump is the most
popular program for extracting Windows password hashes. The hashes are printed
to the screen, but they can also be written to a file which is then fed to a password
cracker such as John the Ripper. The cracking process involves generating guesses,
hashing each one and comparing the result with the extracted hash. The password
cracking tool Cain & Abel can break more than 20 kinds of password hash, including
LM, NT, Cisco and RDP. Password crackers have also developed precomputed lookup
tables of passwords and their hashes, called rainbow tables. A rainbow table can
crack any LM hash in a few seconds. Rainbow tables range in size from hundreds of
megabytes to hundreds of gigabytes and can be purchased. RainbowCrack is a
program which allows you to generate your own rainbow table. Using long, complex
passwords, salting stored hashes and disabling LM hashes severely reduce the
effectiveness of rainbow tables. Password sniffing involves capturing authentication
traffic between a user and a server and extracting password hashes or enough
authentication information to begin trying to crack the password.
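The hash-guessing loop described above, with the hybrid mangling rules of the previous section, as an added example. This is illustrative code written for this page, not code from the project or from John the Ripper, Cain & Abel or Pwdump; the wordlist, the victim password, the salt and the leet table are constructed here so the example runs offline. It also shows why a salted, iterated hash (PBKDF2 is used as the example of a slow hash) blunts precomputed tables: the same cracker still works, but only when re-run per salt and at a higher cost per guess.

```python
"""Hash guessing: dictionary and hybrid attacks against a stolen hash.

Added example, not code from the project nor from John the Ripper or
Cain & Abel. The wordlist, target password and salt are constructed here
so the example runs offline.
"""
import hashlib

# "similar substitutions" of the kind hybrid tools and password guidelines mention
LEET = {"a": "@", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$", "t": "7"}

# constructed wordlist; a real attack uses lists with millions of entries
WORDLIST = ["password", "galway", "liverpool", "thunderclap"]
SALT = b"constructed-per-user-salt"   # constructed; real salts are random per user


def sha256_hex(text):
    """Fast, unsalted hash: the kind that makes precomputed tables worthwhile."""
    return hashlib.sha256(text.encode()).hexdigest()


def pbkdf2_hex(text, salt, iterations=100):
    """Salted, iterated hash. 100 iterations keeps the demo quick; real
    deployments use many thousands so that each guess costs the attacker more."""
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, iterations).hex()


def leet(word):
    """Apply every substitution in LEET at once (lower-case letters only)."""
    return "".join(LEET.get(ch, ch) for ch in word)


def mangle(word):
    """Hybrid-guessing variants of one wordlist entry, in a fixed order:
    case variants, leet substitutions, then numeric suffixes 0-99 and
    recent years. dict.fromkeys keeps order while removing duplicates."""
    bases = list(dict.fromkeys([word, word.lower(), word.capitalize(), word.upper()]))
    bases = list(dict.fromkeys(bases + [leet(b) for b in bases]))
    for base in bases:
        yield base
        for n in range(100):
            yield f"{base}{n}"
        for year in range(1990, 2014):
            yield f"{base}{year}"


def crack(target_hash, wordlist, hash_fn=sha256_hex):
    """Hash each candidate and compare it with the stolen hash.
    Returns (plaintext, guesses_made); plaintext is None when nothing matched."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_fn(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    stolen = sha256_hex("Liverpool99")            # constructed victim password
    print("unsalted:", crack(stolen, WORDLIST))
    print("random pw:", crack(sha256_hex("xQ9#kLm2vB"), WORDLIST))
    # With a salt, a table built for one user is useless against another and
    # each guess must be recomputed with that user's salt.
    stolen_salted = pbkdf2_hex("Liverpool99", SALT)
    print("salted:", crack(stolen_salted, WORDLIST, hash_fn=lambda p: pbkdf2_hex(p, SALT)))
```

The guess counter is the point to watch: "Liverpool99" falls to the wordlist in well under two thousand guesses, whereas the random password survives the whole list, and against the salted hash an attacker has to redo that work for every user rather than looking the hash up once.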

Password Capturing
Password capturing involves taking a user's password by installing a keyboard-
sniffing Trojan horse or using a physical key logger. Keystroke loggers can store more
than 2 million keystrokes. SniffPass is an example of a program which can be used to
capture passwords [9]. It monitors the user's network and captures the passwords
that pass through the network adapter. SniffPass can capture the passwords of the
following protocols: POP3, IMAP4, SMTP, FTP and HTTP.

2.4 Hacker Programs
Cain and Abel
Cain and Abel (often abbreviated to Cain) is a password recovery tool for Microsoft
Windows. It can recover many kinds of passwords using approaches such as network
packet sniffing and cracking various password hashes by dictionary attacks, brute
force and cryptanalysis attacks. The cryptanalysis attacks are done through rainbow
tables, which can be produced with the winrtgen.exe program provided with Cain
and Abel. Cain and Abel is maintained by Massimiliano Montoro and Sean Babcock
[10].

Certain virus scanners detect Cain and Abel as malware. Avast! detects it as
"Win32:Cain-B" and classifies it as "Other potentially dangerous program", while
Microsoft Security Essentials identifies it as "Win32/Cain!4_9_14" and classifies it as
"Tool: This program has potentially unwanted behavior." Even when Cain's install
directory, as well as the expression "Cain", are added to Avast's exclude list, the real-
time scanner has been known to stop Cain from running. However, the latest
version of Avast no longer blocks Cain.

Montoro, the owner of oxid.it and maintainer of Cain and Abel, has identified that
his packages do not contain malware or backdoors [11]. Nonetheless, as the source
code for Cain and Abel is not accessible for independent security review, a measure
of caution is advised as with any software acquired from the Internet.


John the Ripper
John the Ripper is a free password cracking software tool [12]. Primarily developed
for the UNIX operating system, it currently runs on fifteen different platforms. It is
one of the most prevalent password testing and breaking programs, as it combines
a number of password crackers into one package, automatically detects password
hash types, and incorporates a customizable cracker. It can be run against many
hashed password formats, including several crypt(3) hash types found on various
Unix flavours, Kerberos AFS, and the Windows NT/2000/XP/2003 LM hash.
Supplementary modules have extended its ability to include MD4-based password
hashes and passwords stored in LDAP, MySQL, and others [13].

One of the modes John can use is the dictionary attack. It takes text string samples,
hashes each one in the same format as the password being examined, and
compares the output to the stored hash. It can also perform an assortment of
modifications to the dictionary words. Many of these modifications are also used in
John's single crack mode, which transforms plaintext associated with the account
(such as the username) and checks the variations against the hashes.

John also offers a brute force ("incremental") mode. In this kind of attack, the
program goes through all possible plaintexts, hashing each one and then comparing
it to the input hash. John uses character frequency tables to try plaintexts made up
of more frequently used characters first. This method is suitable for cracking
passwords which do not appear in dictionary wordlists, but it does take a long time
to run.


DaveGrohl
DaveGrohl is a brute-force password cracker for Mac OS X. It was originally created
in 2010 as a password hash extractor but has subsequently evolved into a
standalone or distributed password cracker [14]. It supports all the standard Mac OS
X user password hashes used since OS X Lion and also can extract them configured
for other popular password crackers like John the Ripper. The newest stable release
is intended specifically for Mac OS X Lion and Mountain Lion.

DaveGrohl supports both dictionary and incremental attacks [15]. It may also run in
distributed mode, which allows it to use numerous computers to attack the same
password hash. A dictionary attack scans through a number of pre-defined wordlists,
whilst an incremental attack counts through a character set until it discovers the
password. When in distributed mode, it uses Bonjour to find all the server nodes on
the local network and consequently needs no configuration [16].

2.5 Password Formats
Eye of Newt
A term coined by William Cheswick [1], Eye-of-Newt is currently widely used and
recommended. This industry standard calls for complicated character strings of
lower case, upper case, special characters and numbers. This can be confusing for
users, and issues arise with memorability and ease of use [2].

Cheswick highlights that guidelines are not consistent; all services encourage special
characters, but some don't allow the use of quotation marks, underscores, hyphens
or spaces. In our analysis of the current guidelines suggested by major internet
businesses, there is a trend towards passwords of between 6 and 16 characters in
length and an insistence on the use of upper and lower case letters, numbers and
special characters. They suggest avoiding dictionary words, keyboard patterns (e.g.
"asdf" or "1234") and using the same password on multiple accounts.

We examined the password guidelines proclaimed by Google [17], Microsoft [18],
Facebook [19], Apple [20] and eBay [21].

Facebook provided the least amount of guidance to users; in a short paragraph they
insist on a length of at least 6 characters, encourage a mix of numbers, letters
(upper and lower case) and punctuation, and remind users to avoid using the same
password on multiple accounts. They also offered optional approval of new devices
signing into the account, which means that even an attacker with the password
would have difficulties.

Google, Microsoft, Apple and eBay all held to similar principles. Passwords should be
at least eight characters, and Microsoft allows passwords of up to 127 characters.
Apple and eBay insist on the inclusion of special characters and numbers, while
Microsoft and Google only encourage it. eBay, Microsoft and Google explicitly
encourage the use of "similar substitutions", like a zero for the letter O or a similar-
looking symbol for the letter t, and phonetic replacements, like "u" for "you" and
"fone" for "phone". All advise against using the account name, real name or real
information (which could be researched and guessed), and against using the same
password for multiple accounts. These companies typically encouraged a mix of
punctuation and other special characters, numbers and both upper and lower case
letters. Microsoft, Google and Apple set a minimum of 8 characters, while Facebook
allows a password of 6 characters.

For example, a football fan who supports Liverpool FC might pick "liverpool" as
their password. This is not a dictionary word, is longer than 6 letters and is not a
keyboard pattern. If we include some similar substitutions and random
capitalisation, we would get something like "1lvtrp0oL" (although, as section 2.3
notes, hybrid guessing tools apply exactly these substitutions to wordlist entries).
The total range of characters available on the keyboard, including upper and lower
case letters, numbers and special characters, is 93.


Other suggestions include the use of mnemonic phrases. Take, for example, the
sentence:

"Galway students all look forward to RAG week!"

We simply abbreviate it to:

"Gsal4d2RAGw!"

Matrix Passwords
This form of authentication was proposed by Zhang and Clark (2012) [22]. Rather
than relying on linear text, matrix passwords are entered into a grid, recommended
to be between 4x4 and 10x10 cells in size.

The grid nature of the Matrix format allows several proposed advantages over the
traditional Eye-of-Newt. Firstly, it may allow users to adopt dictionary words, which
are strongly discouraged in current industry guidelines. Since the grid lets users tie
their password to a shape or pattern, the placement acts as a second secret on top
of the characters themselves. The stored hash is computed over both the characters
and their positions, without greatly increasing the complexity for users. For example,
if the password "thunderclap", which is 11 characters long, were entered into a 4x4
matrix, there are 16!/5! = 174,356,582,400 possible arrangements of the letters.
Since they can choose a dictionary word, users can choose one that has some
meaning to them, rather than a random series of characters. This would improve
memorability.

Similarly, since users must select the cell in which each character is entered, the
format grants some protection against key-logging malware. If we continue the
example from above, the attacker will know that the target's password is
"thunderclap", but would still have 174,356,582,400 placements to work through.
At 1000 guesses a second this would take about 5.5 years. Malware that also records
mouse clicks or screen content would, however, capture the placement as well.
Figure 1 and Figure 2 display the same word in different arrangements. The human
eye sees the letters as being in very similar orders, but from an attacker's point of
view they are widely different.

Figure 1


Figure 2

Since the user is creating a shape with their password, they can choose to use the
same password on multiple accounts, but use a different shape. This still creates a
very different password between accounts, but may serve as a memory aid to
someone with strong spatial cognition.

When the matrix password is encoded and stored in the service's database, it can be
encoded in an order specific to that organization. Continuing from the example
above, the arrangement displayed in Figure 1 could be encoded in many orders. For
example, horizontally it would be:

t-h-u-_-n-d-e-r-c-_-a-_-_-l-_-p

Vertically:

t-n-c-_-h-d-_-l-u-e-a-_-_-r-_-p

Or diagonally, starting in the bottom left corner:

_-c-l-n-_-_-t-d-a-p-h-e-_-u-r-_

The possible orders are vast: 16! = 20,922,789,888,000 (2.092279e+13) for a 4x4
grid. The service provider may choose any order they wish, even including specific
orders for individual accounts.

The main disadvantage is one of entry time and effort. The added clicks to access
different boxes in grid will add a few seconds on to login times. Users should be
willing to adopt this new authentication method as long as they perceive the added
benefit and the need [23].

Word String Passwords or Passphrases
Suggested by Porter [24] (and supported by Holt 2011; Keith et al. 2009; Yan et al.
2004) as an effective way to make passwords easy to remember and hard to crack,
word string passwords are a series of random dictionary words, which avoid the
complexity of Eye-of-Newt passwords. The strength of these passwords comes from
their length, rather than from the size of the character pool from which they are
chosen, together with their memorability.

For example, an eleven-character Eye-of-Newt password drawn from the 93
keyboard characters has 93^11 (about 4.5 x 10^21) variations, while three words of
eleven lower-case letters each, 33 letters in all, have 26^33 (about 4.9 x 10^46)
possible letter combinations. The words themselves come from a vocabulary far
smaller than 26^11, so the passphrase figure is an upper bound, but the comparison
still favours length over alphabet size.

Yan et al. (2004) [25] compared three types of password: traditional passwords,
passphrases and random character passwords. They concluded that traditional
passwords were easily cracked and random character passwords were difficult to
remember, while passphrases were found to be both easily remembered and difficult
to crack. With the prevalence of mobile technologies in modern society, it is
important to consider the limitations of small touch-screen keyboards. Word string
passwords may be an effective alternative, in memorability and security, to Eye-of-
Newt passwords on mobile devices [26].

The main limitations of passphrases stem from the limited, though large,
vocabulary and from human behaviour: users tend to pick common phrases rather
than random words.


2.6 References
1. Burkeman, Oliver (2012) Online Passwords: keep it complicated [Internet], The
Guardian. Available from:
<http://www.guardian.co.uk/technology/2012/oct/05/online-security-passwords-
tricks-hacking> [Accessed February 2013].
2. Anderson, Nate (2013) How I became a password cracker [Internet], Ars Technica.
Available from: <http://arstechnica.com/security/2013/03/how-i-became-a-
password-cracker/> [Accessed April 2013].
3. Fitzpatrick, Tony (2004) Boon to security [Internet], Washington University in St.
Louis. Available from: < http://news.wustl.edu/news/Pages/4159.aspx> [Accessed
April 2013]
4. Harris, A., Yen, D. (2002) Biometric authentication: assuring access to information,
Information Management & Computer Security, Vol. 10 Iss: 1, pp.12 - 19
5. (1999) Brutus- a Brute force online password cracker [Internet], SecuriTeam.
Available from: <http://www.securiteam.com/tools/2QUQ2PPRPG.html> [Accessed
April 2013]
6. By Publisher Disclosure Project [Internet] Dazzlepod. Available from:
<http://dazzlepod.com/disclosure/> [Accessed April 2013].
7. By Publisher Alexander Peslyak [Internet] Wikipedia. Available from:
<http://en.wikipedia.org/wiki/Alexander_Peslyak> [Accessed April 2013]
8. By Publisher Cain and Abel Disclosure Project [Internet] Oxid.it. Available from:
<http://www.oxid.it/cain.html> [Accessed April 2013]
9. By Publisher SniffPass [Internet], Nirsoft. Available from:
<http://www.nirsoft.net/utils/password_sniffer.html> [Accessed April 2013]
10. Zorz, Mirko (2009) Q&A: Cain & Abel, the password recovery tool [Internet],
Webcitation.org. Available from: <http://www.webcitation.org/5z5iAtm4L>
[Accessed April 2013]
11. Zorz, Mirko (2011) Oxid.it Information [Internet], Oxid.it. Available from:
<http://www.oxid.it/info.html> [Accessed April 2013]
12. By Publisher John the Ripper password cracker [Internet], Openwall. Available from:
<http://www.openwall.com/john/> [Accessed April 2013]
13. By Publisher DJohn [Internet], ktulu. Available from:
<http://ktulu.com.ar/blog/projects/djohn/> [Accessed April 2013]
14. Dunstan, Patrick (2011) Cracking OS X Lion Passwords [Internet], Publisher. Available
from: <http://www.defenceindepth.net/2011/09/cracking-os-x-lion-
passwords.html> [Accessed April 2013]
15. Graham (2012) Password checking with CommonCrypto [Internet], Secure Mac
Programming. Available from:
<http://blog.securemacprogramming.com/2012/07/password-checking-with-
commoncrypto/> [Accessed April 2013]
16. By Publisher (2013) Dave Grohl 2.1 Information [Internet], Dave Grohl. Available
from: <http://davegrohl.org/faq.html> [Accessed April 2013]
17. Google (2013) Password Help [Internet], Google Inc. Available from:
<https://accounts.google.com/PasswordHelp> [Accessed April 2013]
18. Microsoft (2013) Tips for Creating a Strong Password [Internet], Microsoft
Corporation. Available from: <http://windows.microsoft.com/en-ie/windows-
vista/tips-for-creating-a-strong-password> [Accessed April 2013]
19. Facebook (2013) Create an Account [Internet], Facebook Inc. Available from:
<http://www.facebook.com/help/345121355559712/> [Accessed April 2013]
20. Apple (2013) Security and your Apple ID [Internet], Apple Inc. Available from:
<http://support.apple.com/kb/HT4232> [Accessed April 2013]
21. eBay (2013) Creating and protecting your password [Internet], eBay Inc. Available
from: <http://pages.ebay.com/help/account/create-password.html> [Accessed April
2013]
22. Zhang, X., Clark, J. (2012) Matrix Passwords: A Proposed Methodology of Password
Authentication, AMCIS 2012 Proceedings. Paper 11.
23. Adams, A., Sasse, M. A. (1999) Users are not the enemy, Communications of the
ACM (42:12) pp 40-46.
24. Porter, Sigmund N. (1982) A Password Extension for Improved Human Factors,
Computers and Security (1:1) pp 54-56.
25. Yan, J., Blackwell, A., Anderson, R., and Grant, A. (2004) Password memorability and
security: Empirical results, Security & Privacy, IEEE (2:5) pp 25-31
26. Jakobsson, M., Akavipat, R. (2011) Rethinking Passwords to Adapt to Constrained
Keyboards, ACM.
27. Shay, R., Komanduri, S., Kelley, P. G., Leon, P. G., Mazurek, M. L. Bauer, L., Christin,
N., Cranor, L. F. (2010) Encountering stronger password requirement: user
attitudes and behaviors, ACM p 2.

3 Experimentation
3.1 Mathematical Analysis
In this section of the project, analysis is carried out on three different password
methods. The three password methods are:

1. Eye of Newt passwords
2. Word string passwords
3. Matrix passwords

These password methods are analysed both for their usability and for their strength
against attack. The strength of the passwords is calculated as the number of
possibilities an attacker may have to try, given by

$n^{r}$

where $n$ is the number of available characters to choose from and $r$ is the length
of the password.

The bit strength of the eye of newt and word string passwords will also be used to
compare the strength. It would be very difficult to calculate the bit strength of a
matrix password as they are multi-directional. The bit strength of a password is
calculated using the following formula:

|ug
2
((a|phahet x|ze)
paxxwurd |ength
)

The usability of the different password methods is assessed by carrying out an online
survey which looks at how easy users find the different password methods.

A password length of just two characters is taken to begin comparing the strength of
the eye of newt method against the matrix method. The number of distinct characters
found on a standard keyboard is taken to be 93. This figure is used as the number of
available characters for both the eye of newt method and the matrix method. The
number of different possibilities is then

$93^{2} = 8649$

This results in 8649 different possibilities using the eye of newt method with a
password length of two characters.


The matrix password has the advantage that it can be multi-directional. In a 2x2
matrix there are 12 possible directions for a two character password: 4 horizontal, 4
vertical and 4 diagonal (equivalently, 4 x 3 = 12 ordered pairs of distinct cells).
This means that the number of possibilities is 12 times greater than for an eye of
newt password of the same length. The number of possibilities for a 2 character
password in a 2x2 matrix is therefore 12 x 8649 = 103788. Note that this
multiplication assumes the path is part of the secret that the server verifies, so
that an attacker must guess both the characters and the direction in which they are
read; if only the resulting two-character string were checked, the count would fall
back to $93^{2}$.








If the password length is increased to three characters the number of different
possibilities is greatly increased for both methods. The matrix size is increased to a
3x3 matrix. The number of possibilities for the eye of newt password increases to
$93^{3} = 804357$.

When the matrix is increased to 3x3, the number of possible patterns is significantly
increased. The number of possible patterns for a 3 character password in a 3x3 matrix
is 504, which is 9 x 8 x 7, the number of ordered sequences of three distinct cells
out of nine. (The original report illustrates several such patterns here; the images
are not reproduced.)

The number of pattern possibilities grows very rapidly with the size of the matrix: for
a matrix of c cells and a password of length r it is c!/(c - r)!. The number of
possibilities for a 3 character password in a 3x3 matrix is equal to 804357 x 504 =
405395928. This is clearly stronger than the eye of newt method. A 3 character
password in a 3x3 matrix provides more possibilities than a 4 character eye of newt
password ($93^{4} = 74805201$). Even if the matrix remains at 3x3 it will create more
possibilities than an eye of newt password of the same length, for every length up to
the nine cells the matrix holds. As the matrix password method is able to create more
possibilities than the eye of newt method, it should be stronger against attack.

The word string method involves just lowercase characters from the alphabet in
order to make it more user-friendly. The number of available characters (n) for a
password from the word string method is just 26. A twelve character word string
password would have $26^{12} \approx 9.543 \times 10^{16}$ different possibilities. An
eye of newt password of the same length would have $93^{12} \approx 4.186 \times
10^{23}$ possibilities. Clearly eye of newt passwords of the same length are much
stronger than word string passwords. The bit strength of a 12 character word string
password is $12 \log_{2} 26 = 56.405$ bits, calculated using the formula above. The bit
strength of a 12 character eye of newt password is $12 \log_{2} 93 = 78.47$ bits. This
confirms that a word string password is weaker than an eye of newt password of the
same length.

From the results of the survey, however, it was found that passwords made up solely
of words are much easier to remember. Based on the survey carried out, a word string
password can be much longer than an eye of newt password. The survey suggests that
a word string password could be double the length of an eye of newt password and
still be as easy to remember. A word string password with 16 characters would have
$26^{16} \approx 4.36 \times 10^{22}$ possibilities, while an eye of newt password
which is 8 characters long would have $93^{8} \approx 5.596 \times 10^{15}$. The bit
strength of a 16 character word string password is $16 \log_{2} 26 = 75.207$ bits,
while the bit strength of an 8 character eye of newt password is $8 \log_{2} 93 =
52.313$ bits. This suggests that a word string password may be better than an eye of
newt password, especially for users who struggle to remember the random characters
which make up eye of newt passwords.

Word string passwords are capable of being longer than eye of newt passwords,
which increases the number of different possibilities an attacker may have to try.
Word string passwords are, however, far more susceptible to dictionary attacks than
eye of newt passwords. The figures above assume every letter is chosen independently
and uniformly; when the string is made of whole dictionary words, an attacker guesses
words rather than letters, and the number of guesses is bounded by (dictionary
size)^(number of words) regardless of how many letters those words contain. This
threat can be reduced by slightly altering one of the words in the word string
password, although common substitutions are among the first variations that
cracking tools try, so the alteration adds only a few bits.
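As an added worked example (not code from the original project), the following
Python reproduces the counts and bit strengths used in this section for all three
methods and adds the dictionary-bounded estimate the section's own figures leave out.
The constants 93 (keyboard characters) and 26 (lowercase letters) are the ones the
project uses; the 10,000-word dictionary size is an assumption introduced here for
illustration, as is the rule that a matrix pattern never revisits a cell (the rule
that reproduces the project's counts of 12 and 504).

```python
"""Strength arithmetic for eye of newt, word string and matrix passwords.

Added worked example; the constants 93 and 26 come from the report,
DICT_WORDS and the no-revisit pattern rule are assumptions made here.
"""
import math

KEYBOARD_CHARS = 93   # the report's count of printable keyboard characters
LOWERCASE = 26        # word strings use lowercase letters only
DICT_WORDS = 10_000   # ASSUMED size of the word list an attacker would try


def possibilities(n: int, r: int) -> int:
    """Number of length-r strings over an alphabet of n symbols: n^r."""
    return n ** r


def bit_strength(n: int, r: int) -> float:
    """log2(n^r) = r * log2(n), the report's bit-strength formula."""
    return r * math.log2(n)


def matrix_patterns(cells: int, r: int) -> int:
    """Ordered paths of r distinct cells in a grid of `cells` cells.

    Reproduces the report's pattern counts: 4*3 = 12 for a 2x2 grid with
    r = 2 and 9*8*7 = 504 for a 3x3 grid with r = 3.  Because no cell is
    revisited (assumption), r cannot exceed the number of cells.
    """
    if r > cells:
        raise ValueError("pattern longer than the number of cells")
    return math.perm(cells, r)


def matrix_possibilities(side: int, r: int, n: int = KEYBOARD_CHARS) -> int:
    """Characters times patterns: n^r * P(side^2, r), as in Section 3.1.

    The multiplication only holds if the path is part of the secret the
    verifier checks; if only the resulting string is checked, the count
    collapses back to n^r.
    """
    return possibilities(n, r) * matrix_patterns(side * side, r)


def word_string_bits_random(length: int) -> float:
    """Upper bound: every lowercase letter chosen uniformly at random."""
    return bit_strength(LOWERCASE, length)


def word_string_bits_dictionary(words: int, dictionary: int = DICT_WORDS) -> float:
    """Realistic bound for `words` whole words drawn from a word list.

    A dictionary attack guesses words, not letters, so the search space is
    dictionary^words however many letters the words contain.
    """
    return words * math.log2(dictionary)


def longest_eye_of_newt_beaten(side: int, r: int) -> int:
    """Longest eye of newt length whose count is still below the matrix count.

    For a 3x3 matrix with r = 3 this is 4: three characters in a 3x3 matrix
    beat a four-character eye of newt password but not a five-character one.
    """
    target = matrix_possibilities(side, r)
    length = 1
    while possibilities(KEYBOARD_CHARS, length + 1) < target:
        length += 1
    return length


if __name__ == "__main__":
    print("2-char eye of newt:", possibilities(KEYBOARD_CHARS, 2))
    print("2-char in 2x2 matrix:", matrix_possibilities(2, 2))
    print("3-char in 3x3 matrix:", matrix_possibilities(3, 3))
    print("3x3, 3 chars beats eye of newt up to length:", longest_eye_of_newt_beaten(3, 3))
    print("12-char word string bits:", round(word_string_bits_random(12), 3))
    print("16-char word string bits:", round(word_string_bits_random(16), 3))
    print("8-char eye of newt bits:", round(bit_strength(KEYBOARD_CHARS, 8), 3))
    print("3 dictionary words (10,000-word list) bits:",
          round(word_string_bits_dictionary(3), 1))
```

Run as a script it prints the figures quoted above. The dictionary-bounded estimate
is the one to watch: three whole words from a 10,000-word list give about 40 bits,
roughly half of the 75 bits that the random-letter formula credits to a 16-letter
string, so the length advantage of a word string only counts in full when the words
are chosen from a large list, or are not dictionary words at all.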





























3.2 Survey Experimentation
Our hypothesis, that a more user-friendly password method would allow users to
generate passwords that are more resistant to cracking than present standards,
naturally focuses on the usability of passwords. From that point of view, we needed
to identify user habits and needs. In order to get this information we carried out a
survey.

The survey was hosted on Google Drive and distributed through social networking
sites. The first few questions centred on users' current habits. We wanted to
establish how willing users were to enter complicated passwords, and how strong
they are making their passwords. This allows a comparison with other formats that
we believe to be more user-friendly.

With matrix passwords, there is an emphasis on shape memory, or spatial cognition.
Two questions in the survey aim to determine users' capacity in this regard. Android
phones and tablets use a patterned code to authenticate users and unlock the device.
By establishing consumer willingness to adopt this method of authentication, links
may be drawn to the matrix password format.

Users' reluctance to answer surveys about their online security was encountered,
which led to a reduced return rate. 52 surveys were returned.


Password Survey
1. Do you use one or more passwords for your accounts?
a. I have one password that I use everywhere
b. I have one basic password that I alter slightly between accounts
c. I have a few passwords, but not one for every account
d. I have a different password for every account
2. Which of the following do you use in your password? (Respondents could choose
multiple)
a. Lowercase letters (abc)
b. Uppercase letters (ABC)
c. Numbers (123)
d. Punctuation and other symbols (!?/@#)
3. Do you allow your browser to store your passwords?
a. Never
b. On some accounts
c. Most of my accounts
d. All my accounts
4. How long is your average password?
a. 6 to 10
b. 11 to 16
c. 17 to 20
d. Greater than 20
5. How many times do you enter a password on a usual day?
a. Less than 3 times
b. Less than 7 times
c. Less than 10 times
d. Less than 15 times
e. 15 times or more
6. Do you use an Android phone and, if so, do you use Pattern Unlock?
a. I don't have an Android phone
b. I don't use this feature
c. I use this feature
7. Do you think a password of 3 random words (all lower case) would be easier for
you to remember than a shorter password that includes upper and lower case
letters, numbers and special characters?
a. Words would be easier
b. No difference for me
c. Random characters would be easier
8. When entering a PIN, how do you recall it?
a. I remember the shape my hand makes
b. I remember the numbers
c. I have a rhyme, or I mentally sound it out
d. Other
Survey Results

Table 1: Password re-use (Q1) against number of character types used (Q2).
Cell values are numbers of respondents; the Total column is the row sum.

                                                No. of character types used
Password habit                                    1     2     3     4   Total
One password that I use everywhere                3     5     1     1      10
One basic password that I alter slightly
between accounts                                  3     3     3     4      13
A few passwords, but not one for every
account                                           5     9    12     3      29
A different password for every account            0     0     0     0       0





Table 2: Daily login frequency (Q5) against password length in characters (Q4).
Cell values are numbers of respondents.

Daily login frequency     6-10   11-16   17-20   >20
< 3                          6       1       1     2
< 7                          4       7       2     -
< 10                        10       6       1     -
< 15                         1       1       -     -
>= 15                        5       2       2     1

Empty cells in the source are shown as "-". The extracted text did not preserve the
column position of empty cells, so rows with fewer than four values are shown in the
order extracted. On that reading the row totals are 10, 13, 17, 2 and 10, and the
column totals 26, 17, 6 and 3, each summing to the 52 surveys returned.

Graph 1 (pie chart, Q7): "Do you think a password of 3 random words, all lower case,
would be easier for you to remember than a shorter password that includes upper and
lower case letters, numbers and special characters?" Legend as extracted: No
difference for me; Random characters would be easier; Words would be easier. Values
shown on the chart: 27, 1, 24 (total 52).

Graphs 2 and 3 (pie charts; the extracted text does not preserve which number belongs
to which chart):
Q8 "When entering a PIN, how do you recall it?" Legend as extracted: I have a rhyme,
or I mentally sound it out; I remember the numbers; I remember the shape my hand
makes. Values shown: 10, 30, 22 (these total 62, which exceeds the 52 surveys
returned).
Q6 "Do you use an Android phone and, if so, do you use the Pattern Unlock?" Legend
as extracted: I don't have an Android phone; I don't use this feature; I use this
feature. Values shown: 27, 13, 12 (total 52).
4 Evaluation
From the results of the mathematical analysis, it is clear that the matrix password is
much stronger than an eye of newt password of the same length. As the size of the
matrix increases, the number of different possibilities increases very rapidly (as the
number of ordered cell sequences, c!/(c - r)! for c cells and length r). This was in
line with expectations and resulted in the matrix password format being the strongest
of the three types, as it had the most possibilities. The advantage of the word string
password is that it is easier to remember than the eye of newt method and can
therefore be longer. Word string passwords are weaker than eye of newt passwords of
the same length, but since users are capable of remembering longer word string
passwords, this can result in a password that is harder to crack. An increase in the
length of any password increases the number of possibilities exponentially, which in
turn increases the strength of the password hugely. The analysis shows, however, that
the matrix password format is by far the strongest, as it multiplies the possibilities
due to the different characters by the number of possible patterns that can be made
within the matrix.

The survey revealed that, generally, consumers were not taking full advantage of the
range of characters on the keyboard. The majority of respondents currently keep
their passwords to two character types, and to the minimal length of 6 to 10
characters. Those surveyed re-use their password, perhaps with some alterations,
over multiple accounts. This behaviour undermines the strength of the Eye-of-Newt
format.

Users were generally either indifferent to or in favour of Word-Strings over the
Eye-of-Newt format from a memorability perspective. However, their preference for
shorter passwords suggests an unwillingness to spend more time at login. While
Word-Strings may be as strong as, or stronger than, Eye-of-Newt, it may be best to
reserve them for rarely accessed accounts that require a high level of security, such
as online bank accounts or health insurance.

Respondents had good spatial cognition, which suggests that pattern or shape based
passwords, like the Matrix format, would be favourable. The vast number of orderings
possible within a matrix allows users to pick dictionary words or numbers that have
some meaning to them, which improves memorability; doing so shrinks the character
term of the count, so the pattern term then carries most of the strength.

From the research carried out, the results support the proposed hypothesis. Matrix
and Word-String passwords are more user friendly, as they are easier to remember,
and at the lengths users can remember they offer more possibilities against
brute-force guessing. Strong spatial cognition in respondents to the survey, along
with the superior strength offered by the Matrix format against attacks, suggests
that matrix passwords would be an improvement on current practices.









5 Conclusion
For any format to be viable, it needs universal application by service providers. Users
will be unhappy with different formats on different sites. From that point of view, it
would be difficult to introduce a new form of password authentication. An extended
transitional period would be required in the event of a change in password format.
Information should be provided to consumers highlighting the benefits of any change,
which would improve acceptance.

Rather than introducing a completely new format, a standard set of rules developed
for all service providers may be preferable. This could serve to improve clarity for
users, and encourage better password habits.

The growing usage of smart-phones cannot be ignored. These devices offer service
providers the opportunity to introduce application authenticators for accounts.
These resist key-logging because the code they generate is a one-time value, valid for
a single login or a short time window, so a captured code cannot be replayed later.

We accept that there are important areas of this topic we did not have the resources
to explore. No data is available on user habits with Matrix passwords, as they are not
commonly used. To our knowledge, no hacking tools or protocols have been developed
to breach the Matrix format. Had these been available, attack-based testing could
have been carried out over all formats.
