Issue No.01 - January/February (2012 vol.10)
pp: 28-36
Cormac Herley , Microsoft Research
Paul van Oorschot , Carleton University
ABSTRACT
Despite countless attempts and near-universal desire to replace them, passwords are more widely used and firmly entrenched than ever. The authors' exploration leads them to argue that no silver bullet will meet all requirements—not only will passwords be with us for some time, but in many instances, they're the solution that best fits the scenario of use. Among broad authentication research directions to follow, they first suggest better means to concretely identify actual requirements (surprisingly overlooked to date) and weight their relative importance in target scenarios. Second, for scenarios where passwords appear to be the best-fit solution, they suggest designing better means to support them. The authors also highlight the need for more systematic research and how the premature conclusion that passwords are dead has led to the neglect of important research questions.
INDEX TERMS
passwords, authentication alternatives, evaluation, systematic research, competing requirements, supporting tools
CITATION
Cormac Herley, Paul van Oorschot, "A Research Agenda Acknowledging the Persistence of Passwords", IEEE Security & Privacy, vol.10, no. 1, pp. 28-36, January/February 2012, doi:10.1109/MSP.2011.150