the cups blog

07-24-08

Improving Text Passwords Through Persuasion

Persuasive Cued Click-Points is a system used to help persuade users to create better passwords.

We have created the Persuasive Text Passwords System (PTP). The user types a simple word and the system inserts random characters to create a more secure password. If the user dislikes the password, they can have the system re-shuffle the characters to create a new password. The system helps users by simplifying the problem of creating secure passwords. It also informs users at the moment they are creating the password and are already thinking about security. Additionally, it adds to the randomness of the password.

The user study was conducted in the lab. Users were asked to create a password, confirm the password by re-entering it, answer questions about how they felt about the password, complete a distraction task to clear working memory, and finally log in with their new password. Participants completed all five steps ten times. There were 83 participants in total.

The study found that inserting 2, 3 or 4 characters into the word string was the most secure alteration method for changing the password string. It took Insert-2, Insert-3 and Insert-4 users only a few more seconds to create a password than the control users. It took Insert users longer to log in (~10 sec).

They ran the passwords through a John the Ripper wordlist attack using the free wordlist on the John the Ripper site plus the word mangling rules (All+Rules). For the second attack they used the mangled list available for sale on the site (Mangled). The result was that none of the PTP passwords were cracked.

Next they tried giving each password a security measure. They discovered that Insert-4 users started with far less secure passwords (before insertion of characters) than Insert-2 users. This was because the Insert-4 users discovered that four characters were going to be added, so they started entering shorter passwords to begin with.
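The Insert-n idea described above, sketched as an added example (not code from the PTP authors or from this post). The 94-character alphabet, the uniformly random insertion positions, and the function names are all assumptions, since the post does not describe how PTP picks characters or positions.

```python
import math
import secrets
import string

# Assumption: the page does not say which characters PTP inserts.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
_rng = secrets.SystemRandom()  # OS CSPRNG, not the predictable `random` default


def insert_random(word, n, alphabet=ALPHABET):
    """Insert n random characters at random positions (assumed placement).

    The user's characters keep their order, so `word` stays a subsequence.
    """
    total = len(word) + n
    slots = set(_rng.sample(range(total), n))  # final indices of inserted chars
    base = iter(word)
    return "".join(
        secrets.choice(alphabet) if i in slots else next(base) for i in range(total)
    )


def reshuffle(word, n, previous, alphabet=ALPHABET):
    """Draw a fresh suggestion that differs from the one the user rejected."""
    while n > 0:
        candidate = insert_random(word, n, alphabet)
        if candidate != previous:
            return candidate
    return word


def added_bits(word_len, n, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy the insertion adds: log2(C(len+n, n) * A^n).

    This bounds only the inserted part; a shorter or weaker base word (the
    Insert-4 behaviour above) lowers the total the attacker must search.
    """
    return math.log2(math.comb(word_len + n, n) * alphabet_size ** n)


def is_subsequence(word, password):
    """True if the user's word can still be read, in order, from the password."""
    it = iter(password)
    return all(ch in it for ch in word)


if __name__ == "__main__":
    word = "monkey"  # constructed sample input
    for n in (2, 3, 4):
        print(n, insert_random(word, n), f"+{added_bits(len(word), n):.1f} bits max")
```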

Questions:
Q: You hypothesise that users were choosing more insecure passwords in the Insert-4 because of memory load. It could be that they were trusting the system to make their passwords more secure.

A: People in the Insert-4 condition actually started by using things like capital letters but they stopped doing that fairly quickly. This was not observed in the Insert-2, or Insert-3 conditions.

Q: Did you try running John the Ripper in brute force search mode?

A: John the Ripper only works on passwords of length 8 and our passwords ranged from 8-10 so we chose not to pursue the brute force attack.