Sage Journals: Discover world-class research

Abstract

Previous work has examined whether keyboards that have multiple levels of entry (e.g., soft keyboards, found on mobile devices) increase users’ perceptions of password security. That work found that passwords that required greater numbers of keyboard transitions had higher perceived strength. Unfortunately, it was impossible to determine whether this increase in perceived strength was due solely to the extra keyboard transition steps or whether the inclusion of special characters in the passwords (which is required in order to increase the number of keyboard transitions) was driving that perception. The research described in this paper aims to disambiguate these two possibilities. In these experiments, rather than typing the passwords on keyboards, the users simply spoke the password. In this case, there is no additional effort or keypress required in order to enter the special character(s). Results showed that there was a positive correlation between the perceived password strength and the number of keyboard transition for spoken passwords, in a fashion nearly identical to the typed password study. This suggests that the increase in perceived password strength cannot be explained simply as a function of the additional expended effort required to enter additional keyboard transition steps, although it may play a role.

Get full access to this article

View all access options for this article.

References

Adams

Sasse

M. A.

Lunt

(1997). Making passwords secure and usable. In People and Computers XII (pp. 1-19). Springer, London.

Bianchi

Oakley

Kwon

D. S.

(2010). The secure haptic keypad: a tactile password system. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (pp. 1089-1092). ACM.

Bonneau

Herley

Van Oorschot

P.C.

Stajano

(2015). Passwords and the Evolution of Imperfect Authentication. Communications of the ACM 58(7). 78–87.

Burr

W. E.

Dodson

D. F.

Newton

E. M.

Perlner

R. A.

Polk

W. T.

Gupta

Nabbus

E. A.

(2011). NIST SP 800-63-1 Electronic Authentication Guideline. National Institute of Standards and Technology, U.S. Department of Commerce.

Dell'Amico

Michiardi

Roudier

(2010). Password Strength: An Empirical Analysis. In INFOCOM, 10, (pp. 983-991).

De Luca

Weiss

Hussmann

(2007). PassShape: stroke based shape passwords. In Proceedings of the 19th Australasian Conference on Computer-Human interaction: Entertaining User interfaces (pp. 239-240). ACM.

Fleishman

(2018). Equifax Data Breach, One Year Later: Obvious Errors and No Real Changes, New Report Says. Fortune. Retrieved from http://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/

Furnell

Zekri

(2006). Replacing passwords: in search of the secret remedy. Network Security, 2006(1), 4-8.

Grassi

P. A.

Newton

E. M.

Perlner

R. A.

Regenscheid

A. R.

Burr

W. E.

Richer

J. P.

… Theofanos

M.F.

(2017). Digital identity guidelines: authentication and lifecycle management (Special Publication (NIST SP)-800-63B).

10.

Gressin

(2018). Federal Trade Commission: The Marriott data breach. Retrieved from https://www.consumer.ftc.gov/blog/2018/12/marriott-data-breach

11.

Kortum

Acemyan

C.Z.

(in press). How Does Keyboard Type Impact Password Strength Perceptions? User Assessments of Password Security Across Onscreen and Desktop Keyboards. International Journal of Technology and Human Interaction.

12.

Kumar

Garfinkel

Boneh

Winograd

(2007). Reducing shoulder-surfing by using gaze-based password entry. In Proceedings of the 3rd symposium on Usable privacy and security (pp. 13-19). ACM.

13.

(2017). Yahoo now says all 3 billion accounts hit in 2013 breach. c|net Security. Retrieved from https://www.cnet.com/news/yahoo-announces-all-3-billion-accounts-hit-in-2013-breach/

14.

Porter

S. N.

(1982) A Password Extension for Improved Human Factors, Computers & Security, 1(1), 54-56.

15.

Siddique

Akhtar

Kim

(2017). Biometrics vs passwords: a modern version of the tortoise and the hare. Computer Fraud & Security, 2017(1), 13-17.

16.

Sperling

(2018). Ticketmaster Knew of Data Breach Months Before It Alerted Customers, Bank Says. Fortune. Retrieved from http://fortune.com/2018/06/29/ticketmaster-data-breach-monzo/

17.

Tam

Glassman

Vandenwauver

(2010). The psychology of password management: a tradeoff between security and convenience. Behaviour & Information Technology, 29(3), 233-244.

18.

Bees

Segreti

S. M.

Bauer

Christin

Cranor

L. F.

(2016). Do Users' Perceptions of Password Security Match Reality?. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (pp. 3748-3760). ACM.

19.

Zakaria

N. H.

Griffiths

Brostoff

Yan

(2011). Shoulder surfing defence for recall-based graphical passwords. In Proceedings of the Seventh Symposium on Usable Privacy and Security (p. 6). ACM.

An examination of the effort hypothesis for the perceived strength of passwords

Abstract

Get full access to this article

References