Similar literature
1.

Security issues in text-based password authentication are rarely caused by technical issues, but rather by the limitations of human memory, and human perceptions together with their consequential responses. This study introduces a new user-friendly guideline approach to password creation, including persuasive messages that motivate and influence users to select more secure and memorable text passwords without overburdening their memory. From a broad understanding of human factors-caused security problems, we offer a reliable solution by encouraging users to create their own formula to compose passwords. A study has been conducted to evaluate the efficiency of the proposed password guidelines. Its results suggest that the password creation methods and persuasive message provided to users convinced them to create cryptographically strong and memorable passwords. Participants were divided into two groups in the study. The participants in the experimental group who were given several password creation methods along with a persuasive message created more secure and memorable passwords than the participants in the control group who were asked to comply with the usual strict password creation rules. The study also suggests that our password creation methods are much more efficient than strict password policy rules. The security and usability evaluation of the proposed password guideline showed that simple improvements such as adding persuasive text to the usual password guidelines consisting of several password restriction rules make significant changes to the strength and memorability of passwords. The proposed password guidelines are a low-cost solution to the problem of improving the security and usability of text-based passwords.


2.
Password systems are a first line of defense that can prevent, deter, and detect abusive acts. They are one of the most cost effective computer resource control mechanisms presently available. This piece explores some of the more salient aspects of password system design, including objectives of password controls, design philosophies, man-machine interface design, system administration, and technical system implementation.

3.
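A Brief Analysis of Information Security Classified Protection   Total citations: 4, self-citations: 0, citations by others: 4
Classified protection of information security has been established as a fundamental system for achieving information security and is being vigorously promoted nationwide. However, people's understanding of classified protection of information security still falls far short of what the situation requires. A comprehensive understanding of information security and a correct understanding of classified protection are very important for carrying out the classified protection system. This paper will, from the classified protection of information security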

4.
Password memorability and security: empirical results   Total citations: 2, self-citations: 0, citations by others: 2
Users rarely choose passwords that are both hard to guess and easy to remember. To determine how to help users choose good passwords, the authors performed a controlled trial of the effects of giving users different kinds of advice. Some of their results challenge the established wisdom.

5.
Sara, Pascale, John. Computers & Security, 2009, 28(7): 509-520
The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, which consisted of 2, 5-member focus group sessions. The participants in the focus groups each produced a causal network analysis of human and organizational factors pathways to types of CIS vulnerabilities. Findings suggested that human and organizational factors play a significant role in the development of CIS vulnerabilities and emphasized the relationship complexities among human and organizational factors. The factors were categorized into 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the multifarious roles of human and organizational factors and CIS vulnerabilities and that CIS vulnerabilities are not the sole result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance (suggestions for analysis provided).

6.
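With the development of Internet technology, the degree of financial informatization keeps rising, and online banking, an efficient and convenient financial service, has also developed rapidly. Because of the insecurity of the Internet, online banking is vulnerable to attack by criminals, which seriously threatens users' personal privacy and the security of their funds. In recent years, security incidents targeting online banking have continued without pause. In view of this situation, this paper offers some suggestions on how commercial banks can effectively safeguard the information security of online banking.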

7.
8.
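Establishing an information security system for the financial system requires: clarifying the current state of information security and keeping abreast of development trends; identifying the objects that system security must protect and clarifying the key assets; analyzing security risks and determining system security requirements; proposing the security policies, security measures and solutions to be adopted for different businesses and applications; and at the same time determining protection levels, reference standards, guiding principles, operating specifications and so on. The following takes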

9.
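In the era of the Internet and big data, rapidly developing big data information systems place ever higher requirements on personal information protection; security incidents are frequent, and laws and regulations have raised personal information protection to an unprecedented level. Starting from the current impact of personal information leakage, this paper analyzes in depth the sources, risks, causes, methods and channels of personal information leakage. Finally, protective measures are proposed in each of these directions, using a defense-in-depth approach so that malicious actors cannot obtain personal information, cannot use personal information, and cannot escape legal punishment. The paper provides a reference for strengthening the personal information protection capability of information systems.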

10.
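Internet personal information mining refers to the combined use of search engines, blogs, social networking platforms and other publicly available Internet resources to mine the personal information of a particular person. By extracting clues from the massive amount of information on the Internet and finding associations, the required information is eventually obtained. This paper designs an Internet personal information mining model and describes its working principle and application in detail; the methods provided by the model can be used to carry out Internet personal information mining effectively.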

11.
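The SRP Protocol and Its Security Improvement   Total citations: 2, self-citations: 0, citations by others: 2
SRP (Secure Remote Password protocol) is a secure, new password authentication and key exchange protocol. Because it uses a verifier rather than a plaintext equivalent of the password, an attacker who obtains the verifier database still finds it difficult to compromise the security of the system. The protocol also provides perfect forward secrecy (PFS) and can resist active or passive dictionary attacks. However, SRP does not fully consider the case in which protocol messages are tampered with; if this is not improved, the system cannot resist active denial-of-service attacks. An improvement is therefore proposed that increases the SRP protocol's ability to resist active denial-of-service attacks.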

12.
Organizational insiders have considerable influence on the effectiveness of information security efforts. However, most research conducted in this area fails to examine what these individuals believe about organizational security efforts. To help bridge this gap, this study assesses the mindset of insiders regarding their relationship with information security efforts and compares it against the mindset of information security professionals. Interviews were conducted with 22 ordinary insiders and 11 information security professionals, an effort that provides insight into how insiders gauge the efficacy of recommended responses to information security threats. Several key differences between insiders’ and professionals’ security mindsets are also discussed.

13.
The Journal of Supercomputing - With the recent advancements in information and communication technologies, the creation and storage of documents has become digitalized. Therefore, many documents...

14.
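Password authentication has always been the primary means of identity authentication. Because passwords must satisfy password policies and be easy to remember, users often combine items of personal information to form passwords. To investigate the proportion of such passwords, four real password sets leaked in 2011 were used as experimental material; the combination structures and formats of passwords were defined in advance, and a program was used to count the proportion of passwords composed of personal information. The experimental results show that the proportion of passwords composed of names, telephone numbers, special dates and similar information is 12.41%~25.53%. Based on this pattern, a dynamic dictionary attack is proposed: after obtaining part of a user's personal information, an attacker can generate a targeted dynamic dictionary and use it to crack the user's password. Finally, the paper also discusses how to choose passwords so as to prevent attackers from cracking them with a dynamic dictionary.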

15.
With the rapid development of Internet services, identity management (IdM) has attracted wide attention as the credit agency between users and service providers. It makes it easier for users to use Internet services, encourages service providers to enrich their services, and makes the Internet more secure. Personally identifiable information (PII) is the most important information asset with which an identity provider (IdP) can provide various services. Since PII is sensitive to users, it has become a serious problem that PII is leaked, illegally selected, and illegally accessed. In order to improve the security of PII, this study develops a novel framework using data mining to forecast information asset value and find an appropriate security level for protecting user PII. The framework has two stages. In the first stage, the user information asset is forecasted by a data mining tool (decision tree) from the PII database. Then the security level for user PII is determined by the information asset value, assuming that the higher the information asset is, the greater the security requirement of the PII is. In the second stage, as time passes, the number of illegal accesses and attacks can be accumulated. It can be used to reconstruct the decision tree and update the knowledge base combined with the result of the first stage. Thus the security level of PII can be adjusted in a timely manner and the protection of PII can be guaranteed even when the security threat changes. Furthermore, an empirical case was studied on a user dataset to demonstrate the protection decision derived from the framework for various PII. Simulation results show that the framework with data mining can protect PII effectively. Our work can benefit the development of e-business services.

16.
17.
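In the big data era, disorderly collection of personal information is prominent, personal information leakage incidents are frequent, and the illicit data industry chain is steadily maturing; personal information security in China faces severe challenges. At the same time, China's personal information protection still suffers from difficult problems such as scattered legal and regulatory principles, insufficient government supervision capability, and non-standard enterprise security management. In response, the article proposes measures and recommendations for strengthening personal information protection along three dimensions: the state, enterprises, and individuals.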

18.
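In view of the current state of personal information security, this paper analyzes the causes of personal information insecurity and the channels of leakage; it proposes a cloud computing-based personal information security protection system, focusing on research into the security protection of personal data in storage media, and builds a cloud storage security architecture for the cloud computing environment on a cloud server.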

19.
20.
Complex passwords are hard to remember, so people often pick simple passwords, write complex ones down, and reuse the same password across multiple accounts. Proactive password checking (PPC) restrictions and mnemonic techniques can enhance password security and memorability. Participants in this study were assigned to one of three password generation groups: PPC restrictions alone, image-based mnemonic, or text-based mnemonic. They were asked to generate and later recall passwords for five separate fictitious online accounts. The use of mnemonic techniques resulted in the generation of longer and more complex passwords. Furthermore, passwords were more accurately recalled when they were generated using the image-based mnemonic technique or PPC restrictions alone, as opposed to the text-based mnemonic technique. However, passwords generated using PPC restrictions alone were more easily forgotten and susceptible to being cracked. Thus, the image-based mnemonic technique was shown to be the most effective method for generating secure and memorable passwords.
