PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION - - PowerPoint PPT Presentation



SLIDE 1

PASSWORD STRENGTH ANALYSIS

COPING MECHANISMS IN PASSWORD SELECTION

Brian Curnett and Teri Flory

Masters Students

The Center for Education and Research in Information Assurance and Security

SLIDE 2

CURRENT STATUS

Motivation

  • Passwords are the most commonly used authentication measure
  • Often require frequent modification
  • Predominantly, studies in the past have reviewed how hard or easy it is to crack a password
  • Most studies have ignored or only minimally focused on the issue of user coping mechanisms
  • Only a few studies have looked at how modification of passwords over time affects coping mechanisms or password strength

Problem Statement

Stringent requirements in password policies lead to coping mechanisms in users when creating passwords. These coping mechanisms decrease the strength of the passwords created, and the question is whether this decreases the security sought by creating a strict policy.

SLIDE 3

ENTROPY

WHAT IS ENTROPY?

  • A calculation used by NIST to determine the strength of a password.
  • Points are assigned based upon specific factors of a password or password policy
  • Factors
    • Length of password
    • Use of non-alphabetic characters
    • Use of capital letters
    • Use of a dictionary
SLIDE 4

DESIGN OF STUDY

  • Participants log in to the Mechanical Turk website and choose the HIT

SLIDE 5

DESIGN OF STUDY (CONTINUED)

  • Open the HIT and click on the link to the website
  • Upon arrival, the participant is assigned a password policy (that follows the participant throughout the study)
  • User creates a password and then completes a survey
  • User logs in every week for 7 weeks
    • Every week the user is required to change the password
    • After creating the password, the user takes a short survey
      • First is demographic
      • Second through sixth are filler questions about info sec
      • Seventh is about specific coping mechanisms used throughout the study
SLIDE 6

COLLECTION OF DATA FROM WEBSITE

  • Data is automatically stored in a MySQL database, from which it can be downloaded as .csv and opened in Excel or analyzed in a statistical analysis package like SAS
SLIDE 7

COPING MECHANISMS IDENTIFIED

ANALYSIS OF COPING MECHANISMS IN USER CREATED PASSWORDS

Coping Mechanism Identified: Decrease in Entropy

  A. Repeating digits within the same password: divide actual entropy by the number of repeats
  B. Repeating passwords across time: subtract entropy for the portion repeated
  C. Incrementing numbers across time: decrease entropy by 6 (entropy gained by adding non-alphanumeric characters)
  D. Repeating non-alphabetic or capital letters: decrease entropy by 6 (entropy gained by adding non-alphanumeric characters)
  E. Changing letter from lowercase to capital, but keeping the same word across time: subtract entropy for the word, but maintain the increase of 6 for the capital letter
  F. Capital letter first or number/special character last: decrease entropy by 6 (entropy gained by adding non-alphanumeric character or capital letter)

SLIDE 8

POLICIES

COMPREHENSIVE 8

  • At least 8 characters
  • At least one lower case character
  • At least one capital letter
  • At least one number
  • At least one special character

BLACKLIST HARD

  • At least 8 characters
  • No English words

BASIC 16

  • At least 16 characters long
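The NIST SP 800-63 Appendix A entropy estimate behind the ENTROPY slide and the three POLICIES, together with the per-password penalties from the COPING MECHANISMS IDENTIFIED table, as an added example (not code from the presenters or the study). The blacklist contents, the linear taper of the dictionary bonus between 8 and 20 characters, and the way a "repeat" is counted for mechanisms A and D are my assumptions; mechanisms B and E, which need word-level comparison across weeks, are not modelled.

```python
# Added example, not the slides' own code: the NIST SP 800-63 Appendix A
# entropy estimate used on slides 3, 8 and 11, plus penalties from the slide 7 table.
DICTIONARY = {"password", "welcome", "purdue"}  # constructed stand-in for the blacklist
POLICIES = {"Comprehensive8": (8, True, False),   # (min length, composition rule, blacklist)
            "BlacklistHard": (8, False, True),
            "Basic16": (16, False, False)}

def length_bits(n):
    """Appendix A: 4 bits for char 1, 2 each for chars 2-8, 1.5 for 9-20, 1 beyond."""
    return sum(4 if i == 1 else 2 if i <= 8 else 1.5 if i <= 20 else 1 for i in range(1, n + 1))

def dictionary_bonus(n):
    """Up to 6 bits for a dictionary check, tapering to 0 at 20 chars (linear taper assumed)."""
    return min(n, 6) if n <= 8 else max(0.0, 6 * (20 - n) / 12)

def nist_entropy(pw, blacklist=False):
    """Length credit, +6 for mixing a capital with a non-alphabetic character, plus the
    dictionary bonus when a blacklist applies and the password contains no listed word."""
    bits = length_bits(len(pw))
    if any(c.isupper() for c in pw) and any(not c.isalpha() for c in pw):
        bits += 6
    if blacklist and not any(w in pw.lower() for w in DICTIONARY):
        bits += dictionary_bonus(len(pw))
    return bits

def policy_entropy(name):
    """NIST entropy of a minimal compliant password; the slides give 24, 24 and 30."""
    n, composition, blacklist = POLICIES[name]
    return length_bits(n) + 6 * composition + dictionary_bonus(n) * blacklist

def post_coping_entropy(pw, previous=None, blacklist=False):
    """Slide 7 penalties; how a 'repeat' is counted is my reading. A: a repeated digit
    divides entropy by its repeat count. D: a repeated capital or special character costs 6.
    F: capital first or digit/special last costs 6. C: trailing number incremented costs 6."""
    bits = nist_entropy(pw, blacklist)
    digits = [c for c in pw if c.isdigit()]
    repeats = max((digits.count(d) for d in set(digits)), default=1)
    if repeats > 1:                                     # A
        bits /= repeats
    marks = [c for c in pw if c.isupper() or not c.isalnum()]
    if len(marks) != len(set(marks)):                   # D
        bits -= 6
    if pw[0].isupper() or not pw[-1].isalpha():         # F
        bits -= 6
    if previous:                                        # C
        stem = pw.rstrip("0123456789")
        old, new = previous[len(stem):], pw[len(stem):]
        if previous.startswith(stem) and old.isdigit() and new.isdigit() and int(new) == int(old) + 1:
            bits -= 6
    return max(bits, 0.0)
```

Running `policy_entropy` over the three policy names reproduces the NIST Entropy row of the practice-password table (24, 24, 30); `post_coping_entropy("Welcome2015", previous="Welcome2014")` shows how the capital-first and incremented-number habits together take a 28.5-bit password down to 16.5 bits.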
SLIDE 9

SURVEY QUESTIONS

DEMOGRAPHIC AND COPING MECHANISMS USED*

DEMOGRAPHIC QUESTIONS

  1. Gender
  2. Age
  3. Was English first language
  4. Race
  5. Marital status
  6. Ethnicity
  7. Education level attained
  8. Primary occupation
  9. Income level

COPING MECHANISMS USED

  1. Did you use the same password here that you use on another account
  2. Did you use a similar password here that you use on another account (with def’n of similar)
  3. Did you write down your password (when and why)
  4. Did you use personal info when creating your password
  5. Were you frustrated with the password policy
  6. What type of device did you use to access this study
  7. In previous experience with passwords, have you ever been frustrated by a policy
  8. Does having to change your password often frustrate you
  9. How many accounts do you have with passwords
  10. Have you ever written down a password
  11. Have you ever used the same password for different accounts

*The actual questions used in the survey are available upon request

SLIDE 10

SURVEY QUESTIONS

FILLER QUESTIONS ON INFOSEC*

  1. Were you affected by the Home Depot breach
  2. Do you subscribe to Wired magazine
  3. Do you read terms of service policies
  4. Do you regularly back up your computer system
  5. Are you more concerned with your financial data or health data
  6. Are you familiar with Stuxnet
  7. What computer operating system do you use
  8. Are you concerned about cybercrime
  9. Are you able to recognize spam
  10. Are you concerned about identity theft
  11. Have you ever heard of Stop, Think, Connect
  12. Have you heard of Stop, Drop, and Roll

*The full list of questions is available upon request

SLIDE 11

PROPOSED DATA ANALYSIS

CONDUCTED ON PRACTICE PASSWORDS

                            Comprehensive8    BlacklistHard     Basic16
  N                         33                34                37
  NIST Entropy              24                24                30
  Mean Entropy              29.31             29.69             38.79
  Standard Deviation        6.09              3.80              6.52
  Confidence Interval (95%) (27.16, 31.48)    (28.37, 31.02)    (37.91, 42.25)
  Post Coping Entropy       25.86             28.93             34.68

SLIDE 12

PRACTICE DATA ENTROPY ANALYSIS

[Bar chart: Post Coping Entropy, Mean Entropy and NIST Entropy for Basic16, BlacklistHard and Comprehensive8; y-axis from 10 to 50]

Interesting Note: All post coping entropy calculations are greater than the NIST entropy for each policy

SLIDE 13

ANALYSIS

Across Policies Within Weeks

  • ANOVA and Tukey test of Post Coping Entropy against NIST average entropy
  • Do different policies lose entropy through coping mechanisms at different points in the password change cycle?

Within Policy Across Weeks

  • Average of NIST Entropy for each participant
  • Confidence Interval of entropy for policy
  • Average of Entropy Loss per week
  • Sum of Entropy Loss per user
  • Confidence Interval of Entropy loss of all users per policy
  • ANOVA test of Post Coping Entropy against NIST average entropy
  • Does Entropy change each week independently of the policy?

Across Policies Across Weeks

  • ANOVA and Tukey test of Post Coping Entropy against NIST average entropy
  • Does one of our policies provide a more effective protection than the others?

Within Policy Within Week

  • NIST entropy of each password
  • Average NIST Entropy at each Week across participants
  • Confidence Interval of entropy at each week
  • Post Coping Entropy
  • Entropy loss from coping mechanisms at Week
  • ANOVA test of Post Coping Entropy against NIST policy entropy
  • ANOVA test of Post Coping Entropy against NIST average entropy at each week

SLIDE 14

PROGRESS

INSTITUTIONAL REVIEW BOARD AND MECHANICAL TURK

  • IRB
    • Approval received
  • Mechanical Turk
    • Results of first HIT published
    • Restrictions on allowed Workers for first HIT
  • IRB Amendment
    • Approval just received
  • Mechanical Turk
    • Next step is to reenter information and fax a copy of driver’s license for validation

SLIDE 15

WORK REMAINING

FINAL REPORT AND PRESENTATION

  • Upon IRB Amendment Approval…
    • Collect Data on Mechanical Turk
    • Analyze Data collected
  • Continue to work on reconciling Amazon Mechanical Turk validation problem

QUESTIONS, COMMENTS, OR SUGGESTIONS?