SICSA Cyber Nexus DVF Professor Stephen Flowerday ‘Passwords vs Passphrases plus Security vs Usability’

Date(s) - 23/05/2019
2:00 pm - 3:30 pm

University of Aberdeen

The SICSA Cyber Nexus invites you to attend a talk by Professor Stephen Flowerday (Rhodes University, South Africa) on Thursday 23 May at the University of Aberdeen.

Title: Passwords vs Passphrases plus Security vs Usability

Abstract: An 85-day study found that some users create up to 25 unique accounts, which they secure with 6.5 unique passwords on average, so each password is reused across 3.9 accounts. Another study found that users spend between 1.5 and 2.25 business days each year generating new passwords because they could no longer recall their passwords or their passwords had expired. It follows that securing multiple accounts requires users to generate multiple unique passwords. To reduce the cognitive load of recalling multiple passwords for multiple accounts, users circumvent the need to maintain a number of secure passwords: simplistic passwords are used and reused for login convenience.

Research on more than 100 million passwords that have been leaked to the public domain has uncovered various security limitations associated with user-generated passwords. Long passwords (passphrases) are considered an alternative that can provide a balance between security and usability; however, the literature shows a lack of consistency in the security and usability contributions of passphrases.
A study was conducted which proposes that system designers should consider encouraging users to generate passphrases based on substrings from different languages. The study extended the use of Shannon’s entropy to prompt the use of multilingual passphrases instead of placing emphasis on multi-character-class passwords. As such, the study proposes juxtaposing substrings from different languages, increasing passphrase length, and using a dictionary check to attain passphrase security. The factors in the ISO 9241-11 standard were used to evaluate usability.
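As an added illustration (not code from the study or the speaker), the three passphrase-policy checks named above can be combined in one evaluator: a minimum length, a requirement that words come from at least two language dictionaries, and a dictionary check that rejects a phrase made entirely of one language's words. The word lists, thresholds and the plain character-frequency Shannon entropy estimate are all assumptions constructed for the example, not the study's actual parameters or its extended entropy measure.

```python
import math
from collections import Counter

# Constructed, tiny per-language word lists standing in for real dictionaries (assumption).
DICTIONARIES = {
    "en": {"horse", "battery", "staple", "correct", "summer", "river"},
    "af": {"perd", "somer", "rivier", "brood", "water"},
}
MIN_LENGTH = 16      # assumed minimum passphrase length in characters
MIN_LANGUAGES = 2    # substrings from at least two languages required


def shannon_entropy_bits(text: str) -> float:
    """Total Shannon entropy (bits) of the observed character distribution of `text`."""
    n = len(text)
    per_char = -sum((c / n) * math.log2(c / n) for c in Counter(text).values())
    return per_char * n


def languages_in(passphrase: str) -> set:
    """Languages whose dictionary contains at least one whitespace-separated token."""
    tokens = passphrase.lower().split()
    return {lang for lang, words in DICTIONARIES.items() if any(t in words for t in tokens)}


def evaluate_passphrase(passphrase: str) -> dict:
    """Apply the length, multilingual and dictionary checks; return a verdict with reasons."""
    tokens = passphrase.lower().split()
    langs = languages_in(passphrase)
    reasons = []
    if len(passphrase) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(langs) < MIN_LANGUAGES:
        reasons.append(f"needs words from at least {MIN_LANGUAGES} languages")
    # Dictionary check: a phrase built only from one language's dictionary words is rejected,
    # since a wordlist-based guesser would enumerate it cheaply.
    for lang, words in DICTIONARIES.items():
        if tokens and all(t in words for t in tokens):
            reasons.append(f"every word is in the {lang} dictionary")
    return {
        "ok": not reasons,
        "reasons": reasons,
        "languages": sorted(langs),
        "entropy_bits": round(shannon_entropy_bits(passphrase), 1),
    }


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "correct perd battery water", "Tr0ub4dor"):
        print(candidate, "->", evaluate_passphrase(candidate))
```

The single-language phrase fails both the multilingual and dictionary checks while the mixed English/Afrikaans phrase of the same shape passes, which is the policy distinction the study argues for.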

The study was split into two halves, each conducted separately by a PhD student using design science research to investigate the problem. A total of 350 participants were invited to take part in a short-password and passphrase generation and recall experiment made available through a web-based application. Participants generated these passwords under pre-specified conditions, after which they were also asked to complete an online questionnaire.

Usability tests conducted during the experiment suggest that, even though passphrases were found to be usable, they were not as easy to create as short passwords. In contrast, password reuse during short-password generation by participants was a problem. Security tests using a Probabilistic Context-Free Grammar (PCFG) guesser suggest that short passwords are weaker: marginally above 50% of the short passwords were cracked, while none of the passphrases were guessed. To some extent, this justifies the study’s proposition that juxtaposing substrings from different languages enhances passphrase security. Thus, policies that require users to change passwords as regularly as they currently do could be relaxed.

The host of Professor Flowerday is Professor Karen Renaud.