Similar literature
20 similar documents found (search time 15 ms)
1.
Ravi Sandhu, Computer Networks, 2012, 56(18):3891-3895
There appears to be consensus among seasoned cyber security researchers that there is a substantial disconnect between the research community’s priorities and the real world—notwithstanding numerous intellectual advances in the theory and practice of cyber security over the past four decades. This is in part manifested by recent recurring calls for dramatic shifts in cyber security research paradigms, including so-called game-changing approaches that go beyond the typical computer science and engineering perspectives. This article focuses on an especially important piece of cyber security called web user security, where the prime concern is security for the ordinary consumer of web application services. The proliferation of web services and their enthusiastic reception by the ordinary citizen attest to the tremendous practical success of these technologies. As such it is prima facie evident that the current web is “secure enough” for mass adoption. Now, one certain prediction about the web is that it will continue to evolve rapidly. This article gives the author’s personal perspective on what web user security science might be developed to address the need to be “secure enough” in light of continued evolution. To this end the article begins by considering what happened in the evolution of the web in the past and how much of it, if any, was guided by “science.” The article identifies some security principles that can be abstracted from this short but eventful history. The article then speculates on what directions the science of web user security should take.

2.
To inform the design of security policy, task models of password behaviour were constructed for different user groups—Computer Scientists, Administrative Staff and Students. These models identified internal and external constraints on user behaviour and the goals for password use within each group. Data were drawn from interviews and diaries of password use. Analyses indicated that password security correlated positively with the sensitivity of the task, that differences in the frequency of password use were related to password security, and that patterns of password reuse were related to knowledge of security. Modelling revealed that Computer Scientists viewed information security as part of their tasks and that passwords provided a way of completing their work. By contrast, the Admin and Student groups viewed passwords as a cost incurred when accessing the primary task. Differences between the models were related to differences in password security and were used to suggest six recommendations for security officers to consider when setting password policy.

3.
In 2003, Wu and Chieu proposed a user-friendly remote authentication scheme with smart cards. In the scheme, a user can freely choose and change his/her password. In this article, we show a forgery attack on the Wu–Chieu scheme and propose an improvement to resist the security flaw.

4.
One of the key factors in successful information security management is effective compliance with security policies and proper integration of “people”, “process” and “technology”. When it comes to the issue of “people”, this effectiveness can be achieved through several mechanisms, one of which is security awareness training of employees. However, the outcomes should also be measured to see how successful and effective this training has been for the employees. In this study, an information security awareness project is implemented in a company both by training and by subsequent auditing of the effectiveness and success of this training (which focused on password usage, password quality and compliance of employees with the password policies of the company). The project was conducted in a Turkish company with 2900 white-collar employees. Each employee took information security training including password usage. There were also several supporting awareness campaigns such as educational posters, animations and e-messages on the company Intranet, surveys and simple online quizzes. The project was carried out over a 12-month period and three password security strength audits were made during this period. The results were comparatively and statistically analysed. The results show us the effectiveness of the project and the impact of human awareness on the success of information security management programmes in companies. This study gives us some crucial results, facts and methods that can also be used as a guideline for further similar projects.

5.
6.
Information security has been a critical issue in the field of information systems. One of the key factors in the security of a computer system is how to identify the authorization of users. Password-based user authentication is widely used to authenticate a legitimate user in current systems. In conventional password-based user authentication schemes, a system has to maintain a password table or verification table which stores the information of user IDs and passwords. Although one-way hash functions and encryption algorithms are applied to prevent the passwords from being disclosed, the password table or verification table is still vulnerable. In order to solve this problem, in this paper we apply the technique of a back-propagation network instead of the functions of the password table and verification table. Our proposed scheme is useful in solving the security problems that occur in systems using the password table and verification table. Furthermore, our scheme also allows each user to select a username and password of his/her choice.

7.
A new hybrid identity authentication technique (cited by: 2; self-citations: 0; citations by others: 2)
赵亚伟, 张海盛, 《计算机工程》, 2003, 29(11):105-107
The security of system resources is directly related to the identity authentication of those who access them. At present, the vast majority of systems authenticate identity using conventional passwords, and because of human factors conventional passwords are not secure. Building on conventional passwords and on the fact that people recognize images easily, this paper proposes a semi-visual password protection technique. It spares system users the trouble of memorizing tedious conventional passwords while improving both the memorability and the security of passwords. The relevant definitions and the authentication procedure are given, and experiments verify that the technique is easy to remember and secure.

8.
Strong passwords are essential to the security of any e-commerce site as well as to individual users. Without them, hackers can penetrate a network and stop critical processes that assist consumers and keep companies operating. For most e-commerce sites, consumers have the responsibility of creating their own passwords and often do so without guidance from the web site or system administrator. One fact is well known about password creation—consumers do not create long or complicated passwords because they cannot remember them. Through an empirical analysis, this paper examines whether the passwords created by individuals on an e-commerce site reflect positive or negative password practices. This paper also addresses the issue of crack times in relation to password choices. The results of this study show the actual password practices of current consumers, which could reinforce the need for systems administrators to recommend secure password practices on e-commerce sites and in general.

9.
This paper suggests the use of cognitive passwords as a method of overcoming the difficulty of creating passwords that are simultaneously memorable and difficult to guess. Cognitive passwords involve a dialogue between a user and a system, where the user answers a rotating set of questions about highly personal facts and opinions. A set of such brief responses replaces a single password. The findings of this empirical investigation, focusing on the memorability and ease of guessing of cognitive passwords, are reported. These findings show that cognitive passwords were easier to recall than conventional passwords, while they were difficult for others to guess, even others who were socially close to the users.

10.
To ensure user security, privacy and data security in RFID systems, this paper analyzes the security problems of related RFID protocols and, exploiting the hardness of the elliptic curve discrete logarithm problem together with one-time passwords (OTP), proposes an RFID mutual authentication protocol based on ECC password authentication. The protocol achieves synchronized key updating and mutual authentication between reader and tag and between tag and server, and effectively resists replay, impersonation, traffic analysis and tracking attacks. It protects user privacy and data security well, and features short key lengths, low computational cost and high security.

11.
This study investigates the efficacy of using a restrictive password composition policy. The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly under-researched area is whether restrictive password composition policies actually change user behaviours in significant ways. The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, in this case the regime did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.

12.
Certificate-based public key infrastructures are currently widely used in computational grids to support security services. From a user’s perspective, however, certificate acquisition is time-consuming and public/private key management is non-trivial. In this paper, we propose a security infrastructure for grid applications in which users are authenticated using passwords. Our infrastructure allows a user to perform single sign-on based only on a password, without requiring a public key infrastructure. Moreover, hosting servers in our infrastructure are not required to have public key certificates. Nevertheless, our infrastructure supports essential grid security services, such as mutual authentication and delegation, using public key cryptographic techniques without incurring significant additional overheads in comparison with existing approaches.

13.
This article examines the responses of users to home Internet of Things (IoT) services in South Korea, which is taking progressive steps in the field of IoT. It is important to investigate the user’s response because home IoT users are the core users of the IoT business. To this end, the research model includes two trust constructs — “trust in the service provider” and “institutional trust”; two risk constructs — “perceived security risk” and “perceived privacy risk”; and a “perceived benefit” construct. This study has two main objectives: (1) to establish the functional relationship among the five constructs listed above; (2) to examine the moderating role of home IoT usage experience in these relationships. The study first reviews the literature on home IoT services and describes the Korean situation. Data were collected from residents living in a smart apartment complex. They were made aware of not only the benefits of home IoT but also the security and privacy risks before they moved into their new homes. The research model was empirically analyzed with structural equation modeling (SEM) using Amos 22.0. The results show that (1) “trust in the service provider” negatively influences “perceived security risk” and “perceived privacy risk” while “institutional trust” does not have a significant influence on them, (2) “perceived security risk” and “perceived privacy risk” negatively influence “perceived benefit,” and (3) “trust in the service provider” does not directly influence “perceived benefit” while “institutional trust” has a positive and direct influence on it. In addition, there is a significant moderating effect of home IoT usage experience on some paths. Finally, the study’s findings and limitations are discussed, and potential avenues for future research are suggested.

14.
Most remote systems require user authentication to access resources. Text-based passwords are still widely used as a standard method of user authentication. Although conventional text-based passwords are rather hard to remember, users often write their passwords down, which compromises security. One of the most complex challenges users may face is posting sensitive data on external data centers that are accessible to others and are not controlled directly by users. Graphical user authentication methods have recently been proposed to verify user identity. However, the fundamental limitation of a graphical password is that it must have a colorful and rich image to provide an adequate password space to maintain security, and when the user clicks and inputs a password between two possible grids, the fault tolerance is adjusted to avoid this situation. This paper proposes an enhanced graphical authentication scheme, which combines the benefits of both recognition-based and recall-based graphical techniques with image steganography. The combination of graphical authentication and steganography technologies reduces the amount of sensitive data shared between users and service providers and improves the security of user accounts. To evaluate the effectiveness of the proposed scheme, peak signal-to-noise ratio and mean squared error parameters have been used.

15.
The Open Innovation paradigm has been increasingly considered a relevant approach to innovation. Among the different sources, end users are particularly meaningful. Scholars have highlighted several methods and strategies to involve them in the innovation process by asking, observing, and giving them the chance to actually co-create. Digital technologies are expanding the span of opportunities in this direction, gathering a huge amount and variety of data while the end user enjoys a digital product; these data can be called “user generated big data” (UGBD). The aim of this research is to understand whether UGBD can contribute to user innovation and to highlight the strategies it enables to create value. Drawing on a multiple case study (Twitter, Spotify, Strava, and Deliveroo), the paper first classifies UGBD among the methods to foster user-centered innovation, and then it defines two strategies to create value relying on UGBD. First, companies can leverage a “using data” strategy—addressing both the end user and other players in the ecosystem—fostering service innovation through an inbound approach. Second, a “selling data” strategy can be pursued, addressing new clients and fostering business model innovation, enlarging the company's value chain in an outbound perspective.

16.
In chaos-based three-party password-authenticated key agreement protocols, users achieve mutual authentication and share a session key through a low-entropy password, avoiding the security threats that a public key infrastructure or the storage of users' long-term keys pose during identity authentication. An analysis of the chaotic-map-based password-authenticated key agreement protocol proposed by Lee shows that it does not support password change and applies only to two-party communication between a user and a server. To improve on this scheme, two user-anonymous three-party password-authenticated key agreement protocols based on Chebyshev chaotic maps are proposed: a clock-synchronization-based key agreement scheme and a nonce-based key agreement scheme. The clock-synchronization-based protocol has lower communication cost, while the nonce-based protocol is easier to implement. The advantage of both schemes is that a user chooses only a simple password for mutual authentication and key agreement, and the server no longer needs to protect a user password table, so password-related attacks are avoided; moreover, the user employs a temporary identity and hash functions during mutual authentication to achieve user anonymity. This strengthens the protocols' security while reducing the number of messages exchanged and improving execution efficiency; the protocols provide perfect forward secrecy, and their security is proved using BAN logic.

17.
In developing password policies, IT managers must strike a balance between security and memorability. Rules that improve structural integrity against attacks may also result in passwords that are difficult to remember. Recent technologies have relaxed the 8-character password constraint to permit the creation of longer pass-“phrases” consisting of multiple words. Longer passphrases are attractive because they can improve security by increasing the difficulty of brute-force attacks and they might also be easy to remember. Yet, no empirical evidence concerning the actual usability of passphrases exists. This paper presents the results of a 12-week experiment that examines users’ experience and satisfaction with passphrases. Results indicate that passphrase users experienced a rate of unsuccessful logins due to memory recall failure similar to that of users of self-generated simple passwords and stringent passwords. However, passphrase users had more failed login attempts due to typographical errors than did users of either simple or highly secure passwords. Moreover, although the typographical errors disappeared over time, passphrase users’ initial problems negatively affected their end-of-experiment perceptions.

18.
Numerous graphical authentication ideas have been proposed to address the security and usability of text-based passwords. However, it remains unclear how users approach graphical password selection and what inherent personal bias they bring when selecting images. This study investigates user choices in password selection for recognition-based graphical authentication. Our analysis is based on a total of 302 participants continuously using a graphical authentication system during a 6-week long study. The results show pronounced preference effects for image properties such as color, shape, and category. Additionally, there is a significant difference between genders in the selected images based on the same properties.

19.
When designing new-user registration, a transformation of the standard MD5 algorithm from the C# security namespace is applied to compute a message digest of the username and password, and the result is stored in the database. At login or password change, the MD5 result of the username and password is compared with the data in the database. This effectively avoids password leakage and enhances security.

20.
The explosive growth of Internet applications and content during the last decade has revealed an increasing need for information filtering and recommendation. Most research in the area of recommendation systems has focused on designing and implementing efficient algorithms that provide accurate recommendations. However, the selection of appropriate recommendation content and the presentation of information are equally important in creating successful recommender applications. This paper addresses issues related to the presentation of recommendations in the movies domain. The current work reviews previous research approaches and popular recommender systems, and focuses on user persuasion and satisfaction. In our experiments, we compare different presentation methods in terms of the recommendations’ organization in a list (i.e. top-N items list and structured overview) and recommendation modality (i.e. simple text, combination of text and image, and combination of text and video). The most efficient presentation methods, regarding user persuasion and satisfaction, proved to be the “structured overview” and the “text and video” interfaces, while a strong positive correlation was also found between user satisfaction and persuasion in all experimental conditions.
