The International Arab Journal of Information Technology (IAJIT)


User-Centric Adaptive Password Policies to Combat Password Fatigue

Today, online users will have an average of 25 password-protected accounts online, yet use, on average, 6.5 passwords. The excessive cognitive burden of remembering large amounts of passwords causes Password Fatigue. Therefore users tend to reuse passwords or recycle password patterns whenever prompted to change their passwords regularly. Researchers have created Adaptive Password Policies to prevent users from creating new passwords similar to previously created ones. However, this approach creates user frustration as it neglects users’ cognitive burden. This paper proposes a novel User-Centric Adaptive Password Policy (UCAPP) Framework for password creation and management that assigns users system-generated passwords based on a cognitive-behavioural agent-based model. The framework comprises a Password Policy Assignment Test (PassPAST), a Cognitive Burden Scale (CBS), a User Profiling Algorithm, and a Password Generator (PassGEN). The framework creates tailor-made password policies that maintain password memorability for users of different cognitive thresholds without sacrificing password strength and entropy. The framework successfully created 30- 40% stronger passwords for Critical users and random (non-mnemonic) passwords for Typical users based on each individual’s cognitive password thresholds in a preliminary test.

[1] Adams A. and Sasse M., “Users Are Not The Enemy,” Communications of the ACM, vol. 42, no. 12, pp. 40-46, 1999.

[2] Alin Z., Boncea R., and Rotuna Carmen B., “user Behavior Characteristics for Mobile and Web Applications,” in Proceedings of The 12th International Conference on Virtual Learning, Sibiu, 2006.

[3] Becker I., Parkin S., and Sasse M., “The Rewards and Costs of Stronger Passwords in a University: Linking Password Lifetime to Strength,” in Proceedings of 27th USENIX Security Symposium, Usenix, pp. 239-253, 2018.

[4] Campbell J., Kleeman D., and Ma W., “Password Composition Policy: Does Enforcement Lead to Better Password Choices?,” in Proceedings of the 17th Australasian Conference on Information Systems, South Australia, pp. 1-8, 2006.

[5] Campbell J., Ma W., and Kleeman D., “Impact of Restrictive Composition Policy on user Password Choices,” Behaviour and Information Technology, vol. 30, no. 3, pp. 379-388, 2011.

[6] Castelluccia C., Dürmuth M., and Perito D., “Adaptive Password-Strength Meters from Markov Models,” in Proceedings of 19th Annual Network and Distributed System Security Symposium, San Diego, 2012.

[7] Cooke N. and McNeese M., “Preface to Special Issue on the Cognitive Science of Cyber Defence Analysis,” EAI Endorsed Transactions on Security and Safety, vol. 13, no. 1-6, pp. 1-3, 2013.

[8] Evans M., Maglaras L., He Y., and Janicke H., “Human Behaviour as an Aspect of Cybersecurity Assurance,” Security and Communication Networks, vol. 9, no. 17, pp. 4667-4679, 2016.

[9] Gratian M., Bandi S., Cukier M., Dykstra J., and Ginther A., “Correlating Human Traits and Cyber Security Behavior Intentions,” Computers and Security, vol. 73, pp. 345-358, 2018.

[10] Guo Y., Zhang Z., Guo Y., and Guo X., “Nudging Personalized Password Policies By Understanding Users’ Personality,” Computers and Security, vol. 94, pp. 101801, 2020.

[11] Halevi T., Memon N., Lewis J., Kumaraguru P., Arora S., Dagar N., Aloul F., and Chen J., “Cultural and Psychological Factors in Cyber- Security,” Journal of Mobile Multimedia, vol. 13 no. 1-2, pp. 43-56, 2017.

[12] Huh J., Oh S., Kim H., Beznosov K., Mohan A., and Rajagopalan S., “Surpass: System-initiated User-replaceable Passwords,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, New York, pp. 170-181, 2015. User-Centric Adaptive Password Policies to Combat Password Fatigue 61

[13] Inglesant P. and Sasse M., “The True Cost of Unusable Password Policies,” in Proceedings of the 28th International Conference on Human Factors in Computing System, Atlanta, pp. 383- 392, 2010.

[14] Kiefer F. and Manulis M., “Zero-Knowledge Password Policy Checks and Verifier-Based Pake,” in Proceedings of 19th European Symposium on Research in Computer Security, Wroclaw, pp. 295-312, 2014.

[15] Komanduri S., Shay R., Gage Kelley P., Mazurek M., Bauer L., Christin N., Cranor L., and Egelman S., “of Passwords and People: Measuring the Effect of Password-Composition Policies,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, New York, pp. 2595-2604, 2011.

[16] Korbar B., Blythe J., Koppel R., Kothari V., and Smith S., “Validating an Agent-Based Model of Human Password Behavior,” in Proceedings of Workshops at the 30th AAAI Conference on Artificial Intelligence, Arizona, pp. 167-174, 2016.

[17] Kothari V., Blythe J., Smith S., and Koppel R., “Measuring the Security Impacts of Password Policies Using Cognitive Behavioral Agent- Based Modeling,” in Proceedings of the Symposium and Bootcamp on the Science of Security, New York, pp. 1-9, 2015.

[18] Mansour K. and Mahmoud K., “A New Approach for Textual Password Hardening using Keystroke Latency Times,” The International Arab Journal of Information Technology, vol. 18, no. 3, pp. 336-346, 2021.

[19] Oltramari A., Henshel D., Cains M., and Hoffman B., “Towards A Human Factors Ontology for Cyber Security,” in Proceedings of CEUR Workshop, pp. 26-33, 2015.

[20] Pilar D., Jaeger A., Gomes C., and Stein L., “Passwords Usage and Human Memory Limitations: A Survey across Age and Educational Background,” PLoS ONE, vol. 7, no. 12, pp. e51067, 2012.

[21] Rinn C., Summers K., Rhodes E., Virothaisakun J., and Chisnell D., “Password Creation Strategies Across High- And Low-Literacy Web Users,” in Proceedings of the 78th ASIS&T Annual Meeting: Information Science with Impact: Research in and for the Community, USA, pp.1-9, 2015.

[22] Segreti S., Melicher W., Komanduri S., Melicher D., Shay R., Ur B., Bauer L., and Christin N., “Diversify to Survive: Making Passwords Stronger with Adaptive Policies,” in Proceedings of 30th Symposium on Usable Privacy and Security, pp. 1-12, 2017.

[23] Shannon C., “A Mathematical Theory of Communication,” The Bell System Technical Journal, vol. 27, no. 3, pp. 379-423, 1948.

[24] Singh A. and Raj S., “Securing Password Using Dynamic Password Policy Generator Algorithm,” Journal of King Saud University-Computer and Information Sciences, 2019.

[25] Stobert E. and Biddle R., “Expert Password Management,” in Proceedings of International Conference on Passwords, Cambridge, pp. 3-20, 2015.

[26] Van Der Horst L., Choo K., and Le-Khac N., “Process Memory Investigation of the Bitcoin Clients Electrum and Bitcoin Core,” IEEE Access, vol. 5, pp. 22385-22398, 2017.

[27] Wang D. and Wang P., “The Emperor’s New Password Creation Policies: an Evaluation of Leading Web Services And The Effect of Role in Resisting Against Online Guessing,” in Proceedings of European Symposium on Research in Computer Security, Vienna, pp. 456- 477, 2015.

[28] Widdowson A., “CHEAT: An Updated Approach for Incorporating Human Factors in Cyber- Security Assessments,” Engineering and Technology Reference, pp. 1-7, 2016.

[29] Woods N., “Frequently Using Passwords Increases Their Memorability-A False Assumption or Reality?,” in Proceedings of the 23rd Americas Conference on Information Systems, pp. 1-5, 2017.

[30] Yan J., Blackwell A., Anderson R., and Grant A., “Password Memorability and Security: Empirical Results,” IEEE Security and Privacy, vol. 2, no. 5, pp. 25-31, 2004.

[31] Yang S., Ji S., and Beyah R., “DPPG: A Dynamic Password Policy Generation System,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 3, pp. 545-558, 2018.

[32] Zhang J., Luo X., Akkaladevi S., and Ziegelmayer J., “Improving Multiple-Password Recall: An Empirical Study,” European Journal of Information Systems, vol. 18, no. 2, pp. 165- 176, 2009.

[33] Zhang-Kennedy L., Chiasson S., and Van Oorschot P., “Revisiting Password Rules: Facilitating Human Management of Passwords,” in Proceedings of APWG Symposium on Electronic Crime Research, Toronto, pp. 81-90, 2016.