Section 7.1. Introduction



Many of the deficiencies of password authentication systems arise from the limitations of human memory. If humans were not required to remember the password, a maximally secure textual password would be one with maximum entropy: it would consist of a string as long as the system allows, made up of characters selected from all those allowed by the system, and in a manner that provides no redundancy; that is, a totally random selection.

Each of these requirements is contrary to a well-known property of human memory:

  • Human memory for sequences of items is temporally limited,[2] with a short-term capacity of around seven (plus or minus two items).[3]

    [2] G. J. Johnson, "A Distinctiveness Model of Serial Learning," Psychological Review 98:2 (1991), 204-217.

    [3] G. A. Miller, "The Magical Number Seven, Plus or Minus Two: Limits on Our Capacity for Processing Information," Psychological Review 63 (1956), 81-87.

  • When humans remember a sequence of items, those items cannot be drawn from an arbitrary and unfamiliar range, but must be familiar "chunks," such as words or familiar symbols.[4]

    [4]

  • Human memory thrives on redundancy: we are far better at remembering information that can be encoded in multiple ways.[5]

    [5] A. Paivio, "The Empirical Case for Dual Coding," in J. C. Yuille (ed.), Imagery, Memory and Cognition: Essays in Honor of Allan Paivio (Hillsdale, NJ: Erlbaum, 1983), 307-322.

Password authentication, therefore, appears to involve a tradeoff. Some passwords are very easy to remember (e.g., single words in the user's native language) but also very easy to guess with dictionary searches. In contrast, some passwords are very secure against guessing but are difficult to remember. In the latter case, the security of a superior password may be compromised as a result of human limitations, because the user may keep an insecure written record of it or resort to insecure backup authentication procedures after forgetting it.[6]

[6] This doesn't mean we accept the common doctrine that writing down passwords is always wrong. For machines not in publicly accessible areas, it may be good sense to have a long, random boot password written down in an envelope taped to the machine, as one can then have a strict policy that passwords are never, under any circumstances, to be disclosed over the phone. However, the prevention of "social engineering" attacks is beyond the scope of this chapter.
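An added example (not from the chapter) that makes the entropy argument concrete: it builds a password meeting the three maximum-entropy requirements stated above and compares its entropy in bits with that of a single native-language word. The allowed character set and the 100,000-word dictionary size are assumptions for the example.

```python
import math
import secrets
import string

# Assumed character set a system allows: printable ASCII without the space.
# Substitute the real system's allowed set when applying this.
ALLOWED = string.ascii_letters + string.digits + string.punctuation


def max_entropy_password(max_len: int, alphabet: str = ALLOWED) -> str:
    """Build a password satisfying the three requirements from the text:
    as long as the system allows, drawn from every allowed character,
    and chosen uniformly at random (no redundancy) with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(max_len))


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def dictionary_word_bits(dictionary_size: int) -> float:
    """Entropy of a password that is one word from a dictionary of the given
    size: a dictionary search needs at most dictionary_size guesses."""
    return math.log2(dictionary_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses an exhaustive search needs (half the space)."""
    return 2 ** bits / 2


if __name__ == "__main__":
    pw = max_entropy_password(8)
    print(pw, round(random_password_bits(8, len(ALLOWED)), 1), "bits")
    # Constructed comparison: one word from a 100,000-word dictionary.
    print(round(dictionary_word_bits(100_000), 1), "bits")
```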

In 1999, we started an empirical study investigating this tradeoff in the context of an actual population of password users. Research in cognitive psychology has defined many limits of human performance in laboratory settings where experimental subjects are required to memorize random and pseudorandom sequences of symbols. However, it is very difficult to generalize from such research to password users, who can select the string themselves, are able to rehearse it while memorizing, and need to recall it at regular intervals over a long period of time.

We show that this user context allows the exploitation of mnemonic strategies for password memorization. Many successful mnemonic techniques can be used to achieve impressive performance when memorizing apparently random sequences. Password alternatives such as passfaces exploit superior human memory for faces, for example.[7] However, instead of changing the password authentication procedure, we investigate changing the advice that is given to the user when selecting a password.

[7] H. Davies, "Physiognomic Access Control," Information Security Monitor 10:3 (Feb. 1995), 5-8.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295