Pattern-based and Time-Synchronised Passwords

Full Text (PDF, 576KB), PP.11-19

Author(s)

Mian Saeed Akbar 1,*, Asif Khan 2, Sara 3

1. Department of Computer Science, University of Engineering and Technology Mardan, Pakistan

2. Department of Computer Science, Virtual University of Pakistan

3. Department of Computer Science, Abdul Wali Khan University Mardan, Pakistan

* Corresponding author.

DOI: https://doi.org/10.5815/ijwmt.2021.04.02

Received: 15 Jun. 2021 / Revised: 1 Jul. 2021 / Accepted: 25 Jul. 2021 / Published: 8 Aug. 2021

Index Terms

Pattern-based Passwords, Time-Synchronised Password (TSP), Password Memorability, Password Security.

Abstract

The world has changed; every person uses a number of software applications, websites, and other systems that rely on text-based passwords as a method of authentication. These passwords need to be strong and hard to guess, and need to be stored in a secure environment. The major problems with passwords are caused by the human limitation in remembering passwords for different accounts. The trade-off between password security and human memorability has made it difficult to create passwords that are both strong enough and easy to remember. No satisfactory solutions have been offered to problems associated with passwords such as shoulder surfing, eavesdropping, keylogging programs, Trojan horses, brute-force attacks, etc. This study suggests a new, easy-to-use approach for creating passwords that are easy to remember even for a large number of accounts. In this paper, we propose two methods: the first is pattern-based passwords, a simple method that solves the problem of memorability; the second is Time-Synchronised Passwords (TSP), a novel method for creating passwords that are dynamic in nature and change with the passage of time. The novelty of TSP is that, instead of storing the passwords in a database, the patterns are stored, and these patterns are linked with time. The significance of storing a pattern instead of the actual password is that, at a specific time, the password will have only one instance known to the creator of the password, and this particular instance will be different from instances at other times, thus avoiding shoulder surfing, eavesdropping, keylogging, and other problems associated with passwords. These methods are easy to implement and can be used in any system.

Cite This Paper

Mian Saeed Akbar, Asif Khan, Sara, "Pattern-based and Time-Synchronised Passwords", International Journal of Wireless and Microwave Technologies (IJWMT), Vol.11, No.4, pp. 11-19, 2021. DOI: 10.5815/ijwmt.2021.04.02
