7.4. Method

In October 1999, students attending the introductory lecture were told that they would be subjects (with their consent) in an experiment on password selection. At the tutorial session, they were then asked for consent and were randomly assigned to one of three experimental groups. Each student was given a sheet of advice depending on the group to which they had been assigned. The three different types of advice were:

  • Control group. Students in this group were given the same advice as in previous years, which was simply that "Your password should be at least seven characters long and contain at least one non-letter."

  • Random password group. Students in this group were given a sheet of paper with the letters A-Z and the numbers 1-9 printed repeatedly on it. They were told to select a random password by closing their eyes and picking eight characters at random. They were advised to keep a written record of the password, but to destroy it once the password was memorized. This is very similar to the advice given by banks when issuing PINs, which are issued in written form, but with the user advised to destroy the written slip as soon as it has been memorized.

  • Passphrase group. Students in this group were told to choose a password based on a mnemonic phrase.

The text of the instructions given to the three groups is reproduced in Figures 7-1, 7-2, and 7-3, respectively.[18]

[18] Lent and Easter are the names of the second and third academic terms in Cambridge, respectively. We started this experiment in the first term.

Our hypothesis was that the random password group would have stronger passwords than the passphrase group, but would find them harder to remember and/or easier to forget, while the passphrase group would stand in the same relation to the control group.

One month after the tutorial sessions, we took a snapshot of all password files, and conducted four types of attack on the passwords:

  • Dictionary attack. Simply use different dictionary files to crack passwords. This attack was attempted against all passwords.

  • Permutation of words and numbers. For each word in a dictionary file, combine it with 0, 1, 2, or 3 digits to construct candidate passwords. Also make common number substitutions, such as 1 for I, 5 for S, etc. This attack was attempted against all passwords.

  • User information attack. Exploit user information collected from password files (e.g., user ID, user full name, initial substring of name) to crack passwords. This attack was attempted against all passwords.

  • Brute force attack. Try all possible combinations of characters. We performed this attack on any passwords that were only six characters long (the password system used in our study allows us to know the length of a password without cracking it).

    Figure 7-1. Control group instruction sheet; participants were asked to choose a seven-character password with at least one non-letter

    Figure 7-2. Random password group instruction sheet; group members chose their passwords by closing their eyes and pointing randomly to a grid of numbers and letters

    Figure 7-3. Passphrase group instruction sheet; group members were asked to choose passwords based on mnemonic phrases
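As an added illustration (not the study's own cracking tooling), the following Python sketch implements candidate generators for the four attack classes listed above and runs them, in the same order, against a constructed password file. Everything specific in it is an assumption made for the example: the hash function (unsalted SHA-256 standing in for whatever the study's system used), the six-word dictionary, the account records, the stored length field that mimics the system's length leak, and the digits-only alphabet used to keep the brute-force step fast.

```python
"""Candidate generators for the four attack classes in Section 7.4.
Added example; the hash, word list and accounts are constructed, not the study's."""
import hashlib
import itertools
import string


def h(pw: str) -> str:
    # Unsalted SHA-256 is an assumption. Being unsalted, one candidate hash can be
    # looked up against every account at once; a salted hash (crypt(3)) would need
    # one hash computation per candidate per distinct salt.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed password file: uid, full name, known length (as the study's system
# leaked it), hash. One account falls to each attack; the last survives all four.
ACCOUNTS = [
    {"uid": "jsmith", "name": "John Smith", "len": 7, "hash": h("welcome")},   # dictionary word
    {"uid": "alee",   "name": "Alice Lee",  "len": 8, "hash": h("pa55w0rd")},  # word + substitutions
    {"uid": "mwong",  "name": "Mary Wong",  "len": 6, "hash": h("wong99")},    # surname + digits
    {"uid": "rchen",  "name": "Ruth Chen",  "len": 6, "hash": h("150399")},    # six digits
    {"uid": "pkim",   "name": "Paul Kim",   "len": 8, "hash": h("tq7Rx2Lp")},  # random; survives
]
WORDS = ["welcome", "dragon", "password", "letmein", "monkey", "cambridge"]  # constructed mini dictionary
SUBS = {"i": "1", "s": "5", "o": "0", "e": "3"}  # "1 for I, 5 for S, etc."
# Zero to three digits appended to each base token (1 + 10 + 100 + 1000 suffixes).
DIGIT_SUFFIXES = [""] + ["".join(t) for n in (1, 2, 3)
                         for t in itertools.product(string.digits, repeat=n)]


def substitutions(word):
    """Yield word with every subset of the SUBS letters replaced by their digit."""
    letters = [c for c in SUBS if c in word]
    for k in range(len(letters) + 1):
        for chosen in itertools.combinations(letters, k):
            variant = word
            for c in chosen:
                variant = variant.replace(c, SUBS[c])
            yield variant


def dictionary_attack(words):
    yield from words


def permutation_attack(words):
    for word in words:
        for variant in substitutions(word):
            for suffix in DIGIT_SUFFIXES:
                yield variant + suffix


def user_info_attack(account):
    """Candidates from the uid, the name parts, and initial substrings of the names."""
    first, *rest = account["name"].lower().split()
    last = rest[-1] if rest else ""
    tokens = {account["uid"], first, last, first + last}
    for name in (first, last):
        tokens.update(name[:i] for i in range(3, len(name)))  # prefixes of 3+ chars
    for token in sorted(tokens):
        if token:
            for suffix in DIGIT_SUFFIXES:
                yield token + suffix


def brute_force(length, alphabet):
    for chars in itertools.product(alphabet, repeat=length):
        yield "".join(chars)


def crack(accounts, words=WORDS, bf_alphabet=string.digits):
    """Run the four attacks in order; return {uid: (attack, password)} for cracked accounts."""
    by_hash = {a["hash"]: a["uid"] for a in accounts}
    found = {}

    def run(label, candidates):
        for cand in candidates:
            uid = by_hash.get(h(cand))
            if uid is not None and uid not in found:
                found[uid] = (label, cand)

    run("dictionary", dictionary_attack(words))
    run("permutation", permutation_attack(words))
    for a in accounts:
        run("user-info", user_info_attack(a))
    # Brute force only the accounts whose known length is six, stopping once all are in.
    pending = {a["uid"] for a in accounts if a["len"] == 6 and a["uid"] not in found}
    for cand in brute_force(6, bf_alphabet):
        if not pending:
            break
        uid = by_hash.get(h(cand))
        if uid in pending:
            found[uid] = ("brute-force", cand)
            pending.discard(uid)
    return found


if __name__ == "__main__":
    for uid, (attack, pw) in crack(ACCOUNTS).items():
        print(f"{uid}: cracked by {attack} -> {pw}")
```

Two points the sketch makes that the list alone does not: the attacks are cumulative, so an account counted under "permutation" or "user information" is one the plain dictionary did not reach, and the length leak is what makes the brute-force step affordable at all. Even so, the digits-only alphabet here is a toy; the full six-character printable-ASCII keyspace is 95^6, roughly 7.4 × 10^11 candidates.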

We collected information on the distribution of password lengths and on the number of cracked passwords in each group. We monitored the number of times that users requested that their passwords be reset by the system administrators, on the assumption that passwords that were difficult to remember may be forgotten. In such a case, the user would either have to ask for his password to be reset, or stop using the central facilities in favor of those provided elsewhere. We also surveyed all experimental subjects by email four months after the tutorial session, asking whether they'd had any difficulty remembering their password. This survey asked the following questions:

  • How hard did you find it to memorize your password, on a scale from 1 (trivial) to 5 (impossible)?

  • For how long did you have to carry around a written copy of the password to refer to? Please estimate the length of time in weeks.

We also tested the validity of our experimental sample by making the same attacks on the accounts of 100 first-year students who had not attended the introductory lecture or received any experimental instructions.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295
