Title: Password security and usability : from password checkers to a new framework for user authentication
Author: Aljaffan, Nouf
ISNI:       0000 0004 6494 8706
Awarding Body: University of Surrey
Current Institution: University of Surrey
Date of Award: 2017
Passwords have dominated user authentication for more than half a century, and many researchers believe that they will remain a key part of user authentication for the foreseeable future. The well-known usability-security problem of textual passwords, i.e., the difficulty human users have in choosing passwords that are both strong and easy to remember, has received considerable attention over many years. Many alternative solutions have been proposed to replace textual passwords, but none of them keeps all the advantages of textual passwords without introducing new problems. As a consequence, hybrid user authentication systems such as multi-factor authentication (MFA) have been widely recommended for security-critical applications such as e-banking systems. Such hybrid systems normally carry higher usability costs, so they are not ideal solutions for all applications. Their hybrid nature also means that organizations and service providers have to deploy and maintain several different user authentication components, which makes reconfiguring such systems more complicated. This thesis looks at several less-studied but still important areas of user authentication: how human users perceive objective ratings given by computer programs such as proactive password checkers (PPCs) and subjective ratings given by human experts, how human users can be better educated about password security, and how the current drawbacks of hybrid user authentication systems can be overcome to improve user experience and enhance the reconfigurability of such systems. Our research led to new insights into how human users perceive password strength ratings, a new password security education tool, and a novel "all in one" and backward compatible user authentication framework. For the first piece of work, we conducted a user study with over 1,000 crowdsourcing workers to gather information about how much they trusted objective and subjective ratings of a number of given passwords.
The results shed light on the influence of personalization and contextualization on users' trust in password ratings, implying that human users' decisions about textual passwords depend highly on their personal characteristics, on the individual passwords, and on their own subjective judgments of the given passwords. We observed several typical behavioral patterns in human users' trust in subjective and objective ratings. These findings can support better designs of PPCs and other password security tools. One finding of the above-mentioned user study is that many human users clearly trusted their own subjective judgments more than ratings given by others. This suggests that better password education tools are needed to help human users make better subjective judgments of password strength. We noticed that PPCs have a natural side effect of educating users, but this effect has not been well studied and most designs are not optimal for password security education. We therefore proposed Password Security Visualizer (PSV), an interactive visualization system designed specifically for password security education. PSV provides many features that do not exist in traditional PPCs and therefore has greater potential to achieve its goal of educating users. A 2-D prototype of PSV was implemented, and a number of user studies were conducted to investigate its performance as both a PPC and a password security education tool. The results showed that PSV was considered the most informative tool and was recommended by most participants as a good educational tool. The personalization effect observed in our user studies on passwords led us to consider how existing user authentication frameworks can be generalized to allow personalization beyond textual passwords.
This led us to Pass∞, a novel "all in one" and backward compatible framework that can support all four authentication factors (knowledge-based, token-based, biometric-based and context-aware authentication) and many different schemes within each factor. Pass∞ enables users to freely combine diverse authentication actions while remaining compatible with textual passwords, so that a user can continue to use his/her old textual password even after Pass∞ is introduced. The diversity of authentication actions supported by Pass∞ can help users personalize their individual choices of passwords to reach a better trade-off between security and usability: a human user can define his/her password as a sequence of simple authentication actions that is easy to remember, and Pass∞ converts this simple hybrid password into a much more complicated password that a password cracker will find very difficult to guess. Supporting many different user authentication actions in a single framework also makes Pass∞ highly reconfigurable; for example, different password policies can be defined for different user groups to allow different combinations of user authentication actions. A prototype of Pass∞ was implemented and will be tested in a number of user studies we plan to conduct in the near future.
Supervisor: Li, Shujun
Sponsor: King Saud University
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral