users to generate passwords that are more resistant to cracking than present standards
Mohannad Al-ahmadi: 12232198
1 Introduction

At present, the majority of people use weak passwords to secure entry to their online accounts, and re-use the same password across multiple accounts. These Eye-of-Newt passwords are an insecure, dated way of keeping client information secret [1].
With the right tools, passwords can be easily cracked, stolen or guessed [2], and once someone's username and password have been stolen, that person's entire digital identity is vulnerable. The attacker instantly acquires all the privileges of the victim, gaining access to sensitive information or financial details.
All this can happen without the victim being aware that his or her password has been compromised and, if the attacker is careful, no one may ever know that an attack has even happened.
For users, this means confidential information can be used, changed or distributed by unknown parties without any alarm being raised. Most people have a poor understanding of how vulnerable their accounts are. With current password practice, an individual presents the same credentials each time they log in, and these are compared against a password database, which is typically stored on the company's own systems.
The password can be acquired either by snooping on the user's network connection or by breaking into the system's password file. Additional approaches are conventional shoulder surfing, guesswork and key logging. Passwords are typically stored in a hashed (often loosely called 'encrypted') format, but powerful password crackers now exist that recover the original password from its hash by guessing.
The aim of our research is to find an alternative method of knowledge-factor authentication that provides better security and resistance to cracking, but that is also easy for consumers to adopt and use.
Our hypothesis is: "A more user-friendly password method would allow users to generate passwords that are more resistant to cracking than present standards."
We hope, from our research, to identify a system that satisfies the needs and preferences of both users and service providers. This means minimizing the presumed trade-off between security and ease of use.
We will outline several password formats and mathematically analyze their security and cracking resistance. We will also survey internet consumers and interpret the results as a measure of usability.
1. Knowledge Factor
2. Possession Factor
3. Inherence Factor

The Knowledge Factor is the most common authentication mechanism, and centers on something that only the user or, in some circumstances, a certain group knows. Passwords, PINs and patterns are all authentication methods based on the knowledge factor. It is used on nearly every account and service, on and off the internet. Even where other authentication factors are used, there is often still a knowledge component. In this project we focus only on the knowledge factor, as it is the most widely used form of authentication [27].
The Possession Factor is based on the user having an item which can be used for authentication. A wide range of items can serve this purpose. Obviously a system that relies on the possession factor depends on the user protecting the item and not losing it or having it stolen. The following are a few examples of items currently used for authentication.
USB Tokens: These are USB memory devices which can be used for authentication. Security certificates and user data are stored on the USB memory stick. The device is inserted into the USB port of the system requiring authentication, and the system reads the information on the device. The problem with this type of item is that the information can easily be copied from the memory device. (This weakness is specific to plain memory sticks: hardware tokens built around a secure element keep their private key non-exportable and answer a challenge with a signature, so the secret cannot simply be copied off.)

Smart Cards: A fairly common method of authentication used mainly by financial institutions. Smart cards are user-unique account references, similar in size to credit cards. There are two types. One type requires contact between the system and gold contacts on the card. The other type, known as Proximity Cards, doesn't require any contact and can be used within a certain specified distance from the system; an RFID chip embedded in the plastic of the proximity card allows it to work. Generally smart cards are used along with another factor of authentication such as a PIN. One of the main disadvantages of smart cards is that the card readers can be very expensive. The cards can also be damaged very easily and stop working.

Display Tokens: These are pocket-sized tokens with an electronic display. The display shows a password which changes after a specified time, so the password is constantly changing. The user reads the current password from the token and enters it into the system in order to gain access. Advantages of display tokens are that they don't require an electronic interface or drivers, and they generally come with some level of copy protection.

Magnetic Stripe Cards: Magnetic stripe cards have been largely replaced by smart cards because they can be easily cloned [3]. The user information is stored on a magnetic stripe on the card and can be easily copied, which is one of the main reasons why magnetic stripe cards are being replaced by smart cards.
Mobile Phones: Mobile phones are used in a number of different ways for authentication. One-time passwords can be sent to the user's mobile phone via SMS; the user then enters the password into the system. Users can also download specially designed applications for their smartphones which serve as an authentication factor on some systems. These are just some of the items a user can use for authentication.
The Inherence Factor utilizes something that the user is. This involves biometric authentication. A biometric is "a measurable physiological and/or behavioral trait that can be captured and subsequently compared with another instance at the time of verification" [4]. Biometric authentication includes fingerprint, voiceprint and iris scan. These can be used together or separately. A lot of users don't like biometric authentication as they don't like their personal physical features being recorded. The main disadvantage of inherence-factor authentication is that users cannot change their biometric information should it be copied by an unauthorized entity. The advantage is that a biometric cannot be lost, nor can it be stolen as easily as the other two factors.
2.2 Web Password Habits

A large study of half a million users over a three-month period focused on their web password habits. This research was carried out by Dinei Florencio and Cormac Herley of Microsoft Research in 2006. The users' password habits were recorded by an optional component that shipped with the Windows Live Toolbar. A total of 544,960 users had activated this component by 10/01/2006. The data collected over the three-month study period revealed some very interesting details of user password habits. The study was designed to measure quantities such as:
- Average number of passwords.
- Average number of accounts each user has.
- How many passwords the user types each day.
- How often passwords are shared amongst sites.
- Password strength.
- The types and lengths of passwords, and how they vary by site.

The data was stored in two different lists. The Protected Password List (PPL) contained the password hash, the full URL of the receiving server, the bit strength of the password, the current time, and the minutes since both the first and the last time that the password was sent to that server. The other list was called the Password Re-use Event (PRE) list and contained the following:

- The current URL.
- All the URLs previously associated with the password.
- Time since last login at each URL.
- Time since first login at each URL.
- The password strength.
- Number of entries in the PPL and number of PREs filed by the client.
- Number of unique passwords used by this client.
- The age of the client.

Florencio and Herley identified some limitations of their study and outlined these in their report. These included:

- A user may type passwords from more than one computer.
- More than one user might be signing into various online accounts using the same Windows session.
- If a user chooses a password that is a common word, a Password Re-use Event will be generated every time they type that word.
- There will be a bias towards sites maintained by Microsoft, since the component was contained in a Windows toolbar.
- Users who downloaded the Windows toolbar can be expected to be more active than the general web-using population.
The results of the study gave great insight into people's password habits. There were approximately 6,400 activations of the component per day. The average number of sites sharing the same password was found to be 5.67, confirming that users generally have a handful of passwords which they reuse rather than creating a new password for each web account. On average users had 25 accounts requiring passwords, and a typical user typed just over 8 passwords per day. Bit strength was used to gauge how strong each password was, calculated with the following formula:
$$\log_2\left((\text{alphabet size})^{\text{password length}}\right) = \text{password length} \times \log_2(\text{alphabet size})$$
It was found that users chose passwords with an average bit strength of 40.54 bits. The study also showed that about 20% of all passwords were purely numeric, with no letters present at all.
2.3 Types of Attack

Since passwords are used to protect sensitive and valuable information about users, the hacking community has extensively developed procedures to facilitate password recovery. This section of the project covers the different types of attack that a password can come under and explains how they work. It is important to be familiar with these types of attack in order to better protect yourself against them.
Password Guessing

The most common type of attack is password guessing, and there are several ways of carrying it out. Guessing becomes easier if the attacker is familiar with the target user or can gather some basic information about them. Many tools are available for password guessing, such as Hydra, which can guess all kinds of passwords including Windows and HTTP logons. It automates the process of trying password after password, which greatly reduces the effort required by the attacker. Because it works online against the live service, it is limited by network latency and by any account lockout or rate limiting the service applies, which is why most serious cracking is done offline against captured hashes (see Password Cracking below).
Brute Force

Brute force is the only guessing method guaranteed to succeed eventually, but it is also the most time-consuming. It tries every possible combination of characters, given a maximum password length and a character set. Each additional character multiplies the search space by the size of the character set, so the work grows exponentially with password length. Once a password passes a certain length, it may simply not be worth the attacker's time. Brutus is a program that carries out such attacks online [5], trying to log in to telnet, POP3, FTP, HTTP, RAS or IMAP services as a legitimate user would. A lot of companies use Brutus against their own systems to gauge how good their security is and whether it needs to be improved.
Dictionary Attack

Dictionary attacks rest on the assumption that passwords are mostly made up of whole words and numbers. Unlike brute force, a dictionary attack tries only the candidates most likely to succeed, drawn from a list such as the English dictionary. Dictionary attacks are generally most successful against short, simple passwords made up of one word [6]. A plain dictionary attack can sometimes be beaten by adding a random character in the middle of a one-word password, though the hybrid rules described next are designed to try exactly such variations. John the Ripper is a program that uses dictionary attacks as well as brute force. It is one of the most popular password-cracking programs, partly because it comes with a large set of wordlists. John the Ripper runs on fifteen different platforms and was developed by the Russian security specialist Alexander Peslyak [7].
Hybrid Guessing

This form of attack was developed for systems that impose rules to make users choose stronger passwords than simple one-word ones. Most hybrid guessing tools mix upper- and lower-case characters and add numbers and special characters to candidate passwords; some even slightly misspell words and try them. John the Ripper, mentioned above, supports hybrid guessing, as does Cain & Abel, a password recovery tool designed for Microsoft operating systems [8].
Password Resetting

Sometimes it can be a lot easier for the attacker to reset the target user's password than to guess it. With physical access, an attacker needs only a boot CD to reach the password store on a person's laptop or PC (full-disk encryption defeats this, since the disk cannot be read from the attacker's boot media). A lot of websites require only a number of security questions to be answered correctly before the password can be reset, and these questions are often based on very basic information about the target user. Password resetting can attract unwanted attention, as the target user will notice that the password has been changed the next time they try to log on.
Password Cracking

Password cracking is the process of capturing a password hash and recovering the plaintext original. A hash cannot be reversed directly, so cracking works by guessing: the cracker generates candidate passwords, hashes each one in the same format, and compares the result with the captured hash. A number of tools are involved: hash extractors, password sniffers that pull authentication information off the network, and rainbow tables for looking up plaintexts. Pwdump is the most popular program for extracting Windows password hashes; it prints them to the screen, but they can be written to a file and fed to a cracker such as John the Ripper. Cain & Abel can break more than 20 kinds of password hash, including LM, NT, Cisco and RDP. Password crackers have also built precomputed lookup tables of passwords and their hashes, called rainbow tables. A rainbow table can crack any LM hash in a few seconds, because LM is unsalted, folds the password to upper case and splits it into two 7-character halves. Rainbow tables range in size from hundreds of megabytes to hundreds of gigabytes and can be purchased; RainbowCrack is a program that lets you generate your own. Using long, complex passwords and disabling LM hashes will severely reduce the effectiveness of rainbow tables, as will any hash format that mixes in a per-user salt, since a table then has to be rebuilt for every salt value. Password sniffing involves capturing authentication traffic between a user and a server and extracting password hashes or enough authentication information to begin cracking.
Password Capturing

Password capturing involves taking a user's password by installing a keyboard-sniffing Trojan horse or using a physical key logger. Keystroke loggers can store more than 2 million keystrokes. SniffPass is an example of a program that can be used to capture passwords [9]. It monitors the user's network and captures the passwords that pass through the network adapter. SniffPass can capture passwords for the following protocols: POP3, IMAP4, SMTP, FTP and HTTP; all of these send credentials in the clear unless the connection is wrapped in TLS.
2.4 Hacker Programs

Cain and Abel

Cain and Abel (often abbreviated to Cain) is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using approaches such as network packet sniffing and the cracking of various password hashes by dictionary, brute force and cryptanalysis attacks. The cryptanalysis attacks use rainbow tables, which can be produced with the winrtgen.exe program supplied with Cain and Abel. Cain and Abel is maintained by Massimiliano Montoro and Sean Babcock [10].
Certain virus scanners detect Cain and Abel as malware. Avast! detects it as "Win32:Cain-B" and classifies it as "Other potentially dangerous program", while Microsoft Security Essentials identifies it as "Win32/Cain!4_9_14" and classifies it as "Tool: This program has potentially unwanted behavior." Even when Cain's install directory, as well as the expression "Cain", are added to Avast's exclusion list, the real-time scanner has been known to stop Cain from working. However, the latest version of Avast no longer blocks Cain.
Montoro, the owner of oxid.it and maintainer of Cain and Abel, has stated that his packages do not contain malware or backdoors [11]. Nonetheless, as the source code for Cain and Abel is not available for independent security review, a measure of caution is advised, as with any software acquired from the Internet.
John the Ripper

John the Ripper is a free password cracking tool [12]. Primarily developed for Unix operating systems, it currently runs on fifteen different platforms. It is one of the most prevalent password testing and cracking programs, as it combines a number of password crackers into one package, automatically detects password hash types, and includes a customizable cracker. It can be run against various password hash formats, including several crypt hash types most frequently found on the various Unix flavors, Kerberos AFS, and the Windows NT/2000/XP/2003 LM hash. Supplementary modules have extended it to MD4-based password hashes and passwords stored in LDAP, MySQL and others [13].
One of the modes John can use is the dictionary attack. It takes text strings from a wordlist, hashes each one in the same format as the password being examined, and compares the output to the stored hash. It can also apply an assortment of modifications (rules) to the dictionary words. Many of these modifications are also used in John's single-crack mode, which transforms plaintext associated with the account (such as the user name) and checks the variations against the hashes.
John also offers a brute force (incremental) mode. In this mode the program goes through all possible plaintexts, hashing each one and comparing it with the input hash. John uses character frequency tables to try plaintexts made of more frequently used characters first. This method is suitable for cracking passwords which do not appear in dictionary wordlists, but it takes a long time to run.
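To make the modes described above and in 2.3 concrete (dictionary mode, hybrid mangling rules, incremental brute force, and precomputed lookup tables versus salting), here is an added example in Python. It is not code from John the Ripper, Cain & Abel or this report: the "dumped" hashes, the wordlist and the mangling rules are all constructed inside the script, and unsalted SHA-256 stands in for the LM/NT/crypt formats named above.

```python
"""Added example: how hash guessing works (dictionary, hybrid and incremental modes)
and why per-user salts defeat precomputed lookup tables.

Unsalted SHA-256 stands in for the LM/NT/crypt formats named in the text. The "dumped"
hashes below are constructed in this script, not taken from any real system."""
import hashlib
import itertools
import os
import string


def h(text: str) -> str:
    """Hash a candidate the way the (hypothetical) target system stores passwords."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed stand-in for the output of a hash extractor such as pwdump: user -> hash.
DUMPED = {
    "alice": h("liverpool"),            # plain dictionary word
    "bob": h("Thunderclap1"),           # word + capital + digit suffix (hybrid rules)
    "carol": h("p4ss"),                 # look-alike substitution on a short word
    "dave": h("zq7"),                   # in no wordlist; only incremental mode finds it
    "erin": h("river salmon matrix"),   # word-string password; none of the modes below reach it
}

# Small constructed wordlist; real crackers ship lists with millions of entries.
WORDLIST = ["password", "galway", "liverpool", "thunderclap", "pass", "newt"]

# Look-alike substitutions of the kind vendor guidelines encourage (0 for o, 1 for i ...).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})


def hybrid_candidates(word: str):
    """Hybrid-guessing rules: case variants, leet substitutions, then digit/symbol suffixes."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        yield base
        for suffix in [str(d) for d in range(10)] + ["!", "1!", "123"]:
            yield base + suffix


def incremental_candidates(charset: str, max_len: int):
    """Incremental (brute-force) mode: every string up to max_len, shortest first."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=n):
            yield "".join(chars)


def crack(dumped: dict, wordlist, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Return ({user: recovered_plaintext}, number_of_guesses_hashed).

    Each candidate is hashed once and compared against every outstanding hash, which is
    why an unsalted dump gets cheaper to attack per account the larger it is."""
    outstanding = {digest: user for user, digest in dumped.items()}
    found, guesses = {}, 0

    def try_candidate(cand: str) -> None:
        nonlocal guesses
        guesses += 1
        user = outstanding.pop(h(cand), None)
        if user is not None:
            found[user] = cand

    # Cheapest modes first: plain dictionary, then hybrid rules, then incremental.
    for word in wordlist:
        try_candidate(word)
    for word in wordlist:
        for cand in hybrid_candidates(word):
            if not outstanding:
                break
            try_candidate(cand)
    for cand in incremental_candidates(charset, max_len):
        if not outstanding:
            break
        try_candidate(cand)
    return found, guesses


def build_lookup_table(wordlist) -> dict:
    """A (tiny) precomputed hash -> plaintext table; a rainbow table is a compressed form of this."""
    return {h(c): c for word in wordlist for c in hybrid_candidates(word)}


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt: the same password hashes differently for every user, so no table can be shared."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def lookup_hits(table: dict, unsalted_digest: str, salted_digest: str):
    """A precomputed table hits an unsalted hash instantly and misses a salted one entirely."""
    return table.get(unsalted_digest), table.get(salted_digest)


if __name__ == "__main__":
    recovered, n = crack(DUMPED, WORDLIST)
    print(f"{len(recovered)} of {len(DUMPED)} hashes recovered after {n} guesses: {recovered}")
    table = build_lookup_table(WORDLIST)
    print("lookup:", lookup_hits(table, h("Thunderclap1"), salted_hash("Thunderclap1", os.urandom(16))))
```

Run directly, it recovers four of the five hashes. The word-string password survives because neither the wordlist nor a three-character incremental search reaches it, and the salted digest misses the lookup table because the salt changes the digest for every user; a slow, salted password hash (bcrypt, scrypt or Argon2) adds the per-guess cost that a bare SHA-256 lacks.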
DaveGrohl

DaveGrohl is a brute-force password cracker for Mac OS X. It was originally created in 2010 as a password hash extractor but has since evolved into a standalone or distributed password cracker [14]. It supports all the standard Mac OS X user password hashes used since OS X Lion and can also export them in formats suitable for other popular password crackers such as John the Ripper. The newest stable release is intended specifically for Mac OS X Lion and Mountain Lion.
DaveGrohl supports both dictionary and incremental attacks [15]. It can also run in distributed mode, which allows numerous computers to attack the same password hash. A dictionary attack scans through a number of pre-defined wordlists, whilst an incremental attack counts through a character set until it discovers the password. In distributed mode it uses Bonjour to find all the server nodes on the local network and consequently needs no configuration [16].
2.5 Password Formats

Eye of Newt

A term coined by William Cheswick [1], Eye-of-Newt is currently widely used and recommended. This industry standard calls for complicated character strings of lower case, upper case, special characters and numbers. This can be confusing for users, and issues arise with memorability and ease of use [2].
Cheswick highlights that guidelines are not consistent; all services encourage special characters, but some don't allow quotation marks, underscores, hyphens or spaces. In our analysis of the current guidelines suggested by major internet businesses, there is a trend towards passwords of between 6 and 16 characters in length and an insistence on the use of upper and lower case letters, numbers and special characters. They suggest avoiding dictionary words, keyboard patterns (e.g. "asdf" or "1234") and using the same password on multiple accounts.
We examined the password guidelines proclaimed by Google [17], Microsoft [18], Facebook [19], Apple [20] and eBay [21].
Facebook provided the least amount of guidance to users; in a short paragraph they insist on a length of greater than 6 characters, encourage a mix of numbers, letters (upper and lower case) and punctuation, and remind users to avoid using the same password on multiple accounts. They also offered optional approval of new devices signing into the account, so that even an attacker holding the password would have difficulty.
Google, Microsoft, Apple and eBay all held to similar principles. Passwords should be over eight characters, and Microsoft allows passwords of up to 127 characters. Apple and eBay insist on the inclusion of special characters and numbers, while Microsoft and Google only encourage it. eBay, Microsoft and Google explicitly encourage the use of "similar substitutions", such as a zero for the letter O or a digit or symbol for another look-alike letter, and phonetic replacements, like "u" for "you" and "fone" for "phone". (Note that the hybrid guessing rules described in 2.3 try exactly these substitutions, so they add less strength than the guidelines imply.) All advise against using the account name, real name, real information (which could be researched and guessed) and the same password for multiple accounts. These companies typically encouraged the use of punctuation and other special characters, numbers, and a mix of upper and lower case letters. Microsoft, Google and Apple set a minimum of 8 characters, while Facebook allows a password of 6 characters.
For example, a football fan who supports Liverpool FC might pick "liverpool" as their password. This is not an ordinary dictionary word, is longer than 6 letters and is not a keyboard pattern, though any cracking wordlist of names and places will contain it. If we include some similar substitutions and random capitalizations, we'd get something like "1lvtrp0oL". The total range of characters available on the keyboard, including upper and lower case letters, numbers, and special characters, is taken as 93 in this report.
Other suggestions include the use of Mnemonic phrases. Take, for example, the sentence:
"Galway students all look forward to AC week!"
We simply abbreviate it to:
"Gsal4d2ACw!"
Matrix Passwords

This form of authentication was proposed by Zhang and Clark (2012) [22]. Rather than relying on linear text, matrix passwords are filled into a grid, recommended to be between 4x4 and 10x10 boxes in size.
The grid nature of the Matrix format gives several proposed advantages over traditional Eye-of-Newt. Firstly, it may allow users to adopt dictionary words, which are strongly discouraged in current industry guidelines, because the grid lets users code their password to a shape or pattern, which greatly enlarges the search space an attacker has to cover. The service hashes the serialized grid rather than the bare word, so the stored hash covers a far larger space of inputs without greatly increasing the complexity for users. For example, if the password "thunderclap", which is 11 characters long, were entered into a 4x4 matrix, there are 16!/5! = 174,356,582,400 ordered ways to place its letters in distinct cells. Since they can choose a dictionary word, users can pick one that has some meaning to them rather than a random series of characters, which should improve memorability.
Similarly, since users must select the square in which they enter each character, the scheme offers some protection against keystroke-logging malware. Continuing the example, a keylogger tells the attacker that the target's password is "thunderclap", but still leaves 174,356,582,400 arrangements to work through: about 5.5 years at 1,000 guesses a second. Two caveats apply. Malware that also records mouse clicks or screen contents captures the shape as well, and 1,000 guesses a second is an online rate; an offline attack on a fast unsalted hash can run on the order of a billion guesses a second on GPU hardware, which exhausts the same arrangements in about three minutes. Figure 1 and Figure 2 display the same word in different orders. The human eye sees the letters in very similar orders, but from an attacker's point of view they are widely different.
Figure 1
Figure 2
Since the user is creating a shape with their password, they can choose to use the same word on multiple accounts but with a different shape. This still produces a very different stored value for each account, and may serve as a memory aid to someone with strong spatial cognition, though an attacker who recovers the word from one service's hash then has only the shape left to guess on the others.
When the matrix password is encoded and stored in the service's database, it can be encoded in a cell order specific to that organization. Continuing from the example above, the arrangement displayed in Figure 1 could be encoded in many orders. For example, horizontally it would be:

t-h-u-_-n-d-e-r-c-_-a-_-_-l-_-p

Vertically:

t-n-c-_-h-d-_-l-u-e-a-_-_-r-_-p

Or diagonally, starting in the bottom left corner:

_-c-l-n-_-_-t-d-a-p-h-e-_-u-r-_

The possible orders are vast: 16! = 2.092279 x 10^13 for a 4x4 grid, to be more accurate. The service provider may choose any order they wish, even specific orders for individual accounts.
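The serialization just described, carried out in Python as an added example (this is not code from Zhang and Clark or from this report). It reads the Figure 1 grid, recovered from the horizontal reading given above, in the three orders listed, counts the arrangements of "thunderclap" in a 4x4 grid, and hashes the serialized grid with a per-account salt so that the same word in a different shape, or the same shape read in a different order, yields a different stored value. The second grid is a constructed alternative shape for the same word, and SHA-256 stands in for a proper password hash.

```python
"""Added example: serialising a matrix password in the three cell orders the report lists
(horizontal, vertical, diagonal from the bottom-left corner), counting arrangements, and
hashing the serialised grid with a per-account salt."""
import hashlib
from math import factorial

EMPTY = "_"

# Figure 1 arrangement of "thunderclap", recovered from the report's horizontal reading.
FIGURE_1 = ["thu_", "nder", "c_a_", "_l_p"]
# Constructed alternative shape for the same word (not the report's Figure 2).
OTHER_SHAPE = ["thun", "derc", "lap_", "____"]


def horizontal(grid):
    """Row by row, left to right."""
    return "-".join(cell for row in grid for cell in row)


def vertical(grid):
    """Column by column, top to bottom."""
    n = len(grid)
    return "-".join(grid[r][c] for c in range(n) for r in range(n))


def diagonal(grid):
    """Anti-diagonals starting at the bottom-left cell; each diagonal is read towards the bottom-right.

    Cells on one diagonal share r - c == k; k runs from n-1 (bottom-left corner) down to -(n-1)."""
    n = len(grid)
    cells = []
    for k in range(n - 1, -n, -1):
        for r in range(n):
            c = r - k
            if 0 <= c < n:
                cells.append(grid[r][c])
    return "-".join(cells)


ORDERS = {"horizontal": horizontal, "vertical": vertical, "diagonal": diagonal}


def arrangements(side: int, word: str) -> int:
    """Ordered placements of the word's characters into distinct cells: P(side^2, len(word))."""
    cells = side * side
    return factorial(cells) // factorial(cells - len(word))


def serialisation_orders(side: int) -> int:
    """Number of distinct cell orders a service could pick: (side^2)!"""
    return factorial(side * side)


def stored_hash(grid, order: str, salt: bytes) -> str:
    """What the service stores: hash(salt || serialised grid). SHA-256 is a stand-in here;
    a real deployment would use a slow password hash (bcrypt, scrypt, Argon2)."""
    serialised = ORDERS[order](grid)
    return hashlib.sha256(salt + serialised.encode("utf-8")).hexdigest()


def verify(grid, order: str, salt: bytes, expected: str) -> bool:
    return stored_hash(grid, order, salt) == expected


def letters_only(grid) -> str:
    """What leaks if only the characters are captured (e.g. by a keystroke logger): the letters
    without their cell positions, here sorted to show both shapes leak the same thing."""
    return "".join(sorted(c for row in grid for c in row if c != EMPTY))


if __name__ == "__main__":
    for name, fn in ORDERS.items():
        print(f"{name:10s} {fn(FIGURE_1)}")
    print("arrangements of 'thunderclap' in 4x4:", arrangements(4, "thunderclap"))
    print("cell orders for a 4x4 grid:", serialisation_orders(4))
    salt = bytes(16)  # fixed for the demo; use os.urandom(16) per account in practice
    print("figure 1 vs other shape, same order:",
          stored_hash(FIGURE_1, "horizontal", salt) != stored_hash(OTHER_SHAPE, "horizontal", salt))
```

The three readings reproduce the strings given above exactly, and the arrangement count matches the 174,356,582,400 quoted for "thunderclap". Note that `letters_only` is identical for both grids: once the letters are known, only the arrangement count stands between the attacker and the account, which is the figure the time-to-crack estimate above is based on.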
The main disadvantage is one of entry time and effort. The added clicks to access different boxes in grid will add a few seconds on to login times. Users should be willing to adopt this new authentication method as long as they perceive the added benefit and the need [23].
Word String Passwords or Passphrases

Suggested by Porter [24] (and supported by Holt 2011; Keith et al. 2009; Yan et al. 2004) as an effective way to make passwords easy to remember and hard to crack, word string passwords are a series of random dictionary words, avoiding the complexity of Eye-of-Newt passwords. Their suggested strength comes from their length rather than from the size of the character pool, and from their memorability.
For example, a nine-character Eye-of-Newt password drawn from 93 keyboard characters has 93^9, about 5.2 x 10^17, possible values, while three words of 11 lowercase letters each (33 letters from a 26-letter alphabet) have 26^33, about 4.9 x 10^46, if every letter string were allowed. An attacker who guesses whole words rather than letters faces a far smaller space (the size of the vocabulary cubed), which is the limitation noted below.
Yan et al. (2004) [25] compared three types of password: traditional passwords, passphrases and random character passwords. They concluded that traditional passwords were easily cracked and random character passwords were difficult to remember, while passphrases were easily remembered and difficult to crack. With the prevalence of mobile technology in modern society, it is important to consider the limitations of small touch-screen keyboards. Word string passwords may be an effective alternative, in both memorability and security, to Eye-of-Newt passwords on mobile devices [26].
The main limitations of passphrases stem from the limited, though large, vocabulary and from human behavior: users tend to pick common words and familiar phrases, which an attacker who guesses words rather than characters can exploit.
2.6 References

1. Burkeman, Oliver (2012) Online Passwords: keep it complicated [Internet], The Guardian. Available from: <http://www.guardian.co.uk/technology/2012/oct/05/online-security-passwords-tricks-hacking> [Accessed February 2013].
2. Anderson, Nate (2013) How I became a password cracker [Internet], Ars Technica. Available from: <http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/> [Accessed April 2013].
3. Fitzpatrick, Tony (2004) Boon to security [Internet], Washington University in St. Louis. Available from: <http://news.wustl.edu/news/Pages/4159.aspx> [Accessed April 2013].
4. Harris, A., Yen, D. (2002) Biometric authentication: assuring access to information, Information Management & Computer Security, Vol. 10 Iss: 1, pp. 12-19.
5. SecuriTeam (1999) Brutus - a brute force online password cracker [Internet]. Available from: <http://www.securiteam.com/tools/2QUQ2PPRPG.html> [Accessed April 2013].
6. Dazzlepod. Disclosure Project [Internet]. Available from: <http://dazzlepod.com/disclosure/> [Accessed April 2013].
7. Wikipedia. Alexander Peslyak [Internet]. Available from: <http://en.wikipedia.org/wiki/Alexander_Peslyak> [Accessed April 2013].
8. Oxid.it. Cain and Abel [Internet]. Available from: <http://www.oxid.it/cain.html> [Accessed April 2013].
9. NirSoft. SniffPass [Internet]. Available from: <http://www.nirsoft.net/utils/password_sniffer.html> [Accessed April 2013].
10. Zorz, Mirko (2009) Q&A: Cain & Abel, the password recovery tool [Internet], WebCitation. Available from: <http://www.webcitation.org/5z5iAtm4L> [Accessed April 2013].
11. Zorz, Mirko (2011) Oxid.it Information [Internet], Oxid.it. Available from: <http://www.oxid.it/info.html> [Accessed April 2013].
12. Openwall. John the Ripper password cracker [Internet]. Available from: <http://www.openwall.com/john/> [Accessed April 2013].
13. ktulu. DJohn [Internet]. Available from: <http://ktulu.com.ar/blog/projects/djohn/> [Accessed April 2013].
14. Dunstan, Patrick (2011) Cracking OS X Lion Passwords [Internet], Defence in Depth. Available from: <http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html> [Accessed April 2013].
15. Graham (2012) Password checking with CommonCrypto [Internet], Secure Mac Programming. Available from: <http://blog.securemacprogramming.com/2012/07/password-checking-with-commoncrypto/> [Accessed April 2013].
16. davegrohl.org (2013) Dave Grohl 2.1 Information [Internet]. Available from: <http://davegrohl.org/faq.html> [Accessed April 2013].
17. Google (2013) Password Help [Internet], Google Inc. Available from: <https://accounts.google.com/PasswordHelp> [Accessed April 2013].
18. Microsoft (2013) Tips for Creating a Strong Password [Internet], Microsoft Corporation. Available from: <http://windows.microsoft.com/en-ie/windows-vista/tips-for-creating-a-strong-password> [Accessed April 2013].
19. Facebook (2013) Create an Account [Internet], Facebook Inc. Available from: <http://www.facebook.com/help/345121355559712/> [Accessed April 2013].
20. Apple (2013) Security and your Apple ID [Internet], Apple Inc. Available from: <http://support.apple.com/kb/HT4232> [Accessed April 2013].
21. eBay (2013) Creating and protecting your password [Internet], eBay Inc. Available from: <http://pages.ebay.com/help/account/create-password.html> [Accessed April 2013].
22. Zhang, X., Clark, J. (2012) Matrix Passwords: A Proposed Methodology of Password Authentication, AMCIS 2012 Proceedings, Paper 11.
23. Adams, A., Sasse, M. A. (1999) Users are not the enemy, Communications of the ACM (42:12), pp. 40-46.
24. Porter, Sigmund N. (1982) A Password Extension for Improved Human Factors, Computers & Security (1:1), pp. 54-56.
25. Yan, J., Blackwell, A., Anderson, R., Grant, A. (2004) Password memorability and security: Empirical results, IEEE Security & Privacy (2:5), pp. 25-31.
26. Jakobsson, M., Akavipat, R. (2011) Rethinking Passwords to Adapt to Constrained Keyboards, ACM.
27. Shay, R., Komanduri, S., Kelley, P. G., Leon, P. G., Mazurek, M. L., Bauer, L., Christin, N., Cranor, L. F. (2010) Encountering stronger password requirements: user attitudes and behaviors, ACM, p. 2.
3 Experimentation

3.1 Mathematical Analysis

In this section of the project, analysis is carried out on three different password methods:

1. Eye of Newt passwords
2. Word string passwords
3. Matrix passwords
These password methods are analysed both for usability and for strength against attack. The strength of a password is measured by the number of possible passwords of its kind (arrangements with repetition), which is the number of possibilities an attacker may have to try. The formula is:
$$n^{r}$$
Where n is the number of available characters to choose from and r is the length of the passwords.
The bit strength of the Eye-of-Newt and word string passwords is also used to compare their strength. It is less straightforward for matrix passwords, because their search space depends on the grid size and on the cell order as well as on the length, so for matrix passwords only the count of possibilities is compared below. The bit strength of a password is calculated using the following formula:
|ug 2 ((a|phahet x|ze) paxxwurd |ength )
The usability of the different password methods is assessed by carrying out an online survey which will look at how easy users find the different password methods.
A password length of just two characters is taken to begin comparing the strength of the eye of newt method against the matrix method. The number of characters found on a standard keyboard is taken as 93, and this figure is used as the number of available characters for both the eye of newt method and the matrix method. The number of different possibilities is then calculated as follows:

$$93^2 = 8649$$

This results in 8649 different possibilities using the eye of newt method with a password length of two characters.
The matrix password has the advantage that it can be multi-directional. In a 2x2 matrix there are 12 possible directions for a two character password: 4 horizontal, 4 vertical and 4 diagonal (equivalently, $4 \times 3 = 12$ ordered choices of two distinct cells out of four). This means that the number of possibilities is 12 times greater than for an eye of newt password of the same length. The number of possibilities for a 2 character password in a 2x2 matrix is $12 \times 8649 = 103788$.
If the password length is increased to three characters, the number of different possibilities is greatly increased for both methods, and the matrix size is increased to 3x3. The number of possibilities for the eye of newt password rises to $93^3 = 804357$. In a 3x3 matrix the number of possible patterns for a 3 character password is $9 \times 8 \times 7 = 504$ (ordered choices of three distinct cells out of nine). The images below show some examples of possible patterns.
The number of possible patterns increases rapidly as the size of the matrix increases. The number of possibilities for a 3 character password in a 3x3 matrix is $804357 \times 504 = 405395928$. This is clearly stronger than the eye of newt method: a 3 character password in a 3x3 matrix provides more possibilities than a 4 character eye of newt password ($93^4 = 74805201$). Even if the matrix remains at 3x3, it creates more possibilities than an eye of newt password of the same length for every length up to the nine cells available, since the pattern count multiplies the character possibilities. As the matrix password method is able to create more possibilities than the eye of newt, it should be stronger against an exhaustive attack.
The word string method involves just lowercase characters from the alphabet in order to make it more user-friendly. The number of available characters ($n$) for a password from the word string method is just 26. A twelve character word string password would have $26^{12} \approx 9.543 \times 10^{16}$ different possibilities. An eye of newt password with the same number of characters would have $93^{12} \approx 4.186 \times 10^{23}$ possibilities. Clearly eye of newt passwords of the same length are much stronger than word string passwords. The bit strength of a 12 character word string password is $12 \times \log_2 26 = 56.405$ bits, calculated using the formula above. The bit strength of a 12 character eye of newt password is $12 \times \log_2 93 = 78.47$ bits. This clearly indicates that a word string password is weaker than an eye of newt password of the same length.
From the results of the survey, however, it was found that passwords made up solely of words are much easier to remember, so a word string password can be much longer than an eye of newt password. The survey suggests that a word string password could be double the length of an eye of newt password and still be as easy to remember. A word string password with 16 characters would have $26^{16} \approx 4.36 \times 10^{22}$ possibilities, while an eye of newt password 8 characters long would have $93^{8} \approx 5.596 \times 10^{15}$. The bit strength of a 16 character word string password is 75.207 bits, while that of an 8 character eye of newt password is 52.313 bits. This suggests that a word string password may be better than an eye of newt password, especially for users who struggle to remember the random characters which make up eye of newt passwords.
Word string passwords are capable of being longer than eye of newt passwords, which increases the number of different possibilities an attacker may have to try. Word string passwords are, however, far more susceptible to dictionary attacks than eye of newt passwords, and the figures above assume an attacker who tries every lowercase string. A dictionary attack instead enumerates combinations of words, so the relevant measure is the number of words multiplied by $\log_2$ of the dictionary size: three words drawn from a list of 10,000 common words give about $3 \times \log_2 10000 \approx 40$ bits however long the words are. This threat can be reduced by altering one of the words, although the usual alterations (capitalising a letter, swapping a letter for a digit or symbol) are among the first rules a password cracker applies, so a single alteration adds only a few bits; using more words, or less common ones, does more.
3.2 Survey Experimentation

Our hypothesis, that a more user-friendly password method would allow users to generate passwords that are more resistant to cracking than present standards, obviously has a focus on the usability of passwords. From that point of view, we needed to identify user habits and needs, and in order to get this information we carried out a survey. The survey was hosted on Google Drive and distributed through social networking sites. The first few questions centred on users' current habits: we wanted to establish how willing users were to enter complicated passwords, and how strong they are making their passwords, so that current practice can be compared with formats that we believe to be more user-friendly. With matrix passwords there is an emphasis on shape memory, or spatial cognition, and two questions in the survey aim to determine users' capacity in this regard. Android phones and tablets use a pattern code to authenticate users and unlock the device; by establishing consumer willingness to adopt this method of authentication, links may be drawn to the matrix password format. Users' reluctance to answer surveys about their online security was encountered, which led to a reduced return rate: 52 surveys were returned.
Password Survey

1. Do you use one or more passwords for your accounts?
   a. I have one password that I use everywhere
   b. I have one basic password that I alter slightly between accounts
   c. I have a few passwords, but not one for every account
   d. I have a different password for every account
2. Which of the following do you use in your password? (Respondents could choose multiple)
   a. Lowercase letters (abc)
   b. Uppercase letters (ABC)
   c. Numbers (123)
   d. Punctuation and other symbols (!?/@#)
3. Do you allow your browser to store your passwords?
   a. Never
   b. On some accounts
   c. Most of my accounts
   d. All my accounts
4. How long is your average password?
   a. 6 to 10
   b. 11 to 16
   c. 17 to 20
   d. Greater than 20
5. How many times do you enter a password, on a usual day?
   a. Less than 3 times
   b. Less than 7 times
   c. Less than 10 times
   d. Less than 15 times
   e. 15 times or more
6. Do you use an Android phone and, if so, do you use Pattern Unlock?
   a. I don't have an Android phone
   b. I don't use this feature
   c. I use this feature
7. Do you think a password of 3 random words (all lower case) would be easier for you to remember than a shorter password that includes upper and lower case letters, numbers and special characters?
   a. Words would be easier
   b. No difference for me
   c. Random characters would be easier
8. When entering a PIN, how do you recall it?
   a. I remember the shape my hand makes
   b. I remember the numbers
   c. I have a rhyme, or I mentally sound it out
   d. Other

Survey Results
Table 1. Number of character types used in passwords (question 2) against password re-use (question 1); each cell is a count of respondents, 52 in total.

                                                   Character types used
                                                   1     2     3     4
One password that I use everywhere                 3     5     1     1
One basic password that I alter slightly           3     3     3     4
A few passwords, but not one for every account     5     9    12     3
A different password for every account             0     0     0     0

Graph 1 (question 7: would 3 random lower case words be easier to remember than a shorter mixed-character password?): No difference for me 27; Random characters would be easier 1; Words would be easier 24.

Graph 2 (question 8: when entering a PIN, how do you recall it?): I have a rhyme, or I mentally sound it out 10; I remember the numbers 30; I remember the shape my hand makes 22.

Graph 3 (question 6: do you use an Android phone and, if so, Pattern Unlock?): I don't have an Android phone 27; I don't use this feature 13; I use this feature 12.

4 Evaluation

From the results of the mathematical analysis it is clear that a matrix password is much stronger than an eye of newt password of the same length. As the size of the matrix increases, the number of possible patterns, and with it the number of possibilities, increases rapidly. This was in line with expectations and resulted in the matrix password format being the strongest of the three types, as it has the most possibilities. The advantage of the word string password is that it is easier to remember than the eye of newt method and can therefore be longer. Word string passwords are weaker than eye of newt passwords of the same length, but since users are capable of remembering longer word string passwords, this can result in a password that is harder to crack. Each additional character multiplies the number of possibilities by the alphabet size, so the number of possibilities grows exponentially with length, which increases the strength of the password hugely. The analysis shows that the matrix password format is by far the strongest, as it has the number of possible patterns within the matrix on top of the possibilities from the different characters.

The survey revealed that, generally, consumers were not taking full advantage of the range of characters on the keyboard. Most respondents (28 of 52) used only one or two character types, and kept their passwords at the minimal length of 6 to 10 characters. Every respondent re-used at least one password, perhaps with some alterations, over multiple accounts; none reported a different password for every account. This behavior undermines the strength of the Eye-of-Newt format. Users were generally either indifferent to or in favor of Word-Strings over the Eye-of-Newt format from a memorability perspective.
However, their preference for shorter passwords suggests an unwillingness to spend more time at login. While Word-Strings may be as strong as, or stronger than, Eye-of-Newt passwords, it may be best to reserve them for rarely accessed accounts that require a high level of security, like online bank accounts or health insurance. Respondents reported good spatial cognition, which suggests that pattern- or shape-based passwords, like the Matrix format, would be well received. The vast number of orders possible within a matrix allows users to pick dictionary words or numbers that have some meaning to them, which improves memorability; note that this trades away most of the character keyspace, since a dictionary word reduces the $93^r$ term to the size of the dictionary, leaving the pattern count to carry most of the strength. From the research carried out, the proposed hypothesis was found to be supported: Matrix and Word-String passwords are more user friendly, as they are easier to remember, and at the lengths users are prepared to remember they are less susceptible to attack. Strong spatial cognition in respondents to the survey, along with the superior strength offered by the Matrix format against exhaustive attacks, suggests that matrix passwords would be an improvement on current practice.
5 Conclusion

For any format to be viable, it needs universal application by service providers, as users will be unhappy with different formats on different sites. From that point of view, it would be difficult to introduce a new form of password authentication, and an extended transitional period would be required in the event of a change in password format. Information highlighting the benefits of any change should be provided to consumers, which would improve acceptance.
Rather than introducing a completely new format, a standard set of rules developed for all service providers may be preferable. This could serve to improve clarity for users, and encourage better password habits.
The growing usage of smart-phones cannot be ignored. These devices offer service providers the opportunity to introduce application authenticators for accounts. These are resistant to key-logging because they generate a fresh one-time code at each login, so a code captured by a key-logger cannot be replayed. We accept that there are important areas of this topic we did not have the resources to explore. No data is available on user habits with Matrix passwords, as the format is not commonly used. To our knowledge, no hacking tools or protocols have been developed to breach the Matrix format; had these been available, attack-based testing could have been carried out across all formats.