Human-Computer Interaction. Passwords and Security

Introduction

User ID and password authentication is the most widely used mechanism for controlling access to data in conventional information systems. With the rapid increase in the number of password-protected accounts on the internet, users have to create and remember a host of passwords. Despite rapid technological progress, with faster processors and larger storage capacities, information security in computer systems has remained vulnerable throughout.

Similarly, although information security protocols have advanced, user-created passwords remain the pervasive method of securing systems throughout the world. Human-computer interaction in authentication has therefore gained little sophistication over the period, despite the invention of complex hardware and software solutions. Within this context, this study aims to make the case for efficient human-computer interaction by examining attempts to develop varied password designs.

Managing information security has become a central concern as networking facilities have grown in size and capacity. This growth has placed information security at a very high priority, especially in the wake of the large number of cyber crimes now being perpetrated.

Private businesses, such as those providing financial and investment services and other customer-centric establishments, hold large amounts of vital data about their clients on their computers, and this data is constantly exposed to theft and identity fraud by hackers and other perpetrators of cybercrime. In the present highly automated business environment, the development of secure passwords is therefore one of the issues of critical importance for protecting the information and data stored in computer systems.

Password as Base of Information Security

Information security in organizations is ensured by implementing a suitable set of controls in the form of policies, procedures, practices, and organizational structures, and as a function of software capabilities. Researchers have found human error to be one of the major causes of information system insecurity (Wood & Banks, 1993). Since passwords are the primary means of user authentication for interacting with computer systems, the creation and maintenance of secure passwords has gained prominence in recent research. Deborah, Pamela, Linda, and Ronald (2004) identified the improper use of passwords as the second major cause of information security concerns. Regardless of the sums spent on sophisticated networking or other technology to protect data, a weak or poorly constructed password can bypass all of that effort and expense.

The drastic increase in the number of passwords that users create for their internet activity has overloaded the human cognitive capacity to remember the exact passwords created (Yan, Blackwell, Anderson, & Grant, 2004). This gives rise to two password-related vulnerabilities in system security:

  • users tend to create passwords that can be easily remembered, or
  • they keep track of the passwords they have created by writing them down in some fashion (Adams & Sasse, 1999).

In both cases, hackers or unauthorized users are more likely to obtain the password through social engineering or other tracking methods (Adams, Sasse, & Lunt, 1997). This undermines the effectiveness of passwords in protecting information security.

Information security therefore sets the stage for a more comprehensive approach to the creation of user passwords that can protect the security of information (Cranor & Garfinkel, 2005). This approach envisages passwords that seldom exceed the limits of human memory while still meeting the strength expectations of system and network administrators. The focus of this research is on examining the impact of human error in passwords and suggesting password designs that fall within human memory capabilities.

Objectives

The central focus of this study is an analysis of the extent to which passwords affect information security. The study also examines, from an information security perspective, the usability of alternative schemes such as graphical passwords that are currently being developed. Social engineering and shoulder surfing are studied in detail to understand their effect on data security and the security implications of different password types. A detailed review of human error in selecting and using passwords, and of ways to promote better and more efficient human-computer interaction for effective and error-free authentication, is also within the purview of the current study.

Significance of the Study

In the present-day network environment, user identifiers combined with alphanumeric or other kinds of passwords are the most widely used authentication method for password-protected systems (Zviran & Haga, 1993). This presupposes the need to create and use meaningful and secure passwords to ensure the basic security of information stored in computer systems. Efforts are being directed toward varied designs for password creation to make passwords more secure (Tari, Ozok, & Holden, 2006). It has also been observed that human error in devising and using passwords can lead to information security problems (Tari et al., 2006).

This has made the study of the security aspects of creating and using meaningful passwords an important one. Past research has identified improperly used or badly designed passwords as one of the major causes of information security concerns (Tari et al., 2006).

This has necessitated a re-examination of existing password designs to identify their shortcomings and, at the same time, to evolve new methods of creating passwords that remain secure. This study therefore critically examines existing password formation in order to suggest possible improvements. The later part of this text presents the issues raised in this chapter, backed by authentic sources from the available literature on the topic.

Research Questions

By adopting established research methods, the study will strive to arrive at plausible answers to the questions below so that it can accomplish its broad objectives.

  • What are the factors that influence the users in generating their passwords?
  • What are the potential dangers that can affect information security while using the established passwords?
  • What are the effective ways to generate stronger passwords, utilizing meaningful data and mnemonic devices?
  • What is the contribution of graphical passwords and other recent developments in password methods to mitigating authentication issues and protecting information security in general?
  • What are the ways in which graphical passwords can improve information security issues in particular?

This paper is structured in chapters. The first concentrates on the scope and boundaries of the study. A detailed review of the available literature on the theoretical aspects of human-computer interaction, with specific reference to password security, is presented in the second chapter. The third chapter describes the methodology adopted to complete the study. The findings of the study and a discussion of them are dealt with in the fourth chapter, and the fifth and final chapter contains concluding remarks on the issues discussed in the body of the text and a few recommendations for further research that would augment knowledge on the subject.

Literature Review

Organizations and technical experts widely accept that traditional passwords are inherently insecure and cannot by themselves protect the data stored in computers. This conclusion rests on the premise that users create and use weak passwords because of limits on memorability. It is true that as the number of passwords and their complexity have increased, extensive password requirements have overloaded users' memory capabilities (Deborah et al., 2004).

It is argued that present password selection mechanisms were not developed to meet basic human-computer interaction principles, and that this may be the principal cause of passwords failing to provide the required security for data stored in computer systems. It is also true that accidental or deliberate errors by individuals can increase the vulnerability of organizations (Dutta & McCrohan, 2002). According to a study by the Computing Technology Industry Association, human error is the predominant factor in 60% of corporate information damage arising from lapses in information security (Nasscom, 2006).

Despite the seriousness of human error as the highest risk factor affecting information security, there do not seem to be greater efforts to address this issue (Carstens & McCauley-Bell, 2000; McCauley-Bell & Crumpton, 1998). Focusing on these issues, this chapter reviews the relevant literature to improve our knowledge of human-computer interaction.

Introduction

The present-day business environment, which relies heavily on the internet and related technologies, has increased the need to use personal data for authentication (Bidgoli, 2004). In particular, transactions such as online trading and net banking require the disclosure of personal information and identity details that are considered most confidential (Bidgoli, 2004).

Organizations that provide financial and investment services, as well as other customer-centric commercial organizations, must gather personal data from their customers and other stakeholders and maintain it securely in their computer systems. They have a mandate to protect the privacy of their customers and others dealing with them, so that the information does not reach people for whom it is not intended (Ackerman & Mainwaring, 2005). Confidential customer information, if accessed and misused by unscrupulous users, may adversely affect the business prospects of the organization; the information must therefore be secured, with access restricted to authorized users only (Bidgoli, 2006).

According to Schultz, Proctor, Lien, and Salvendy (2001), many methods are available for restricting access to information by people not authorized to receive it, through a process of authentication and authorization. In the current computing and internet environment, password-protected systems that require a user identifier and password are the most commonly used authentication method (Tamil, Othman, Abidin, & Zackaria, 2007).

It is therefore imperative that good and secure password practices be followed to ensure basic data security in the current digital environment. Since internet accounts are usually protected with passwords, users are expected to use their passwords regularly to access their accounts. With the increase in the number of internet users, the number of password-protected accounts has proliferated (Halderman, Waters, & Felten, 2005). Password protection schemes are mainly used to protect information from unauthorized use and, to date, remain widely accepted methods of authentication (Ives, Walsh, & Schneider, 2004; Morris & Thompson, 1979) because of their convenience and low cost (Abadi, Lomas, & Needham, 1997).

The insecurity inherent in passwords and the use of weak passwords are considered potential risks that can result in economic loss to organizations (Summers & Bosworth, 2004). Most data theft and misuse of systems has occurred because passwords were weak enough to allow hackers and other fraudsters to obtain them through social engineering or other password-cracking methods (Adams et al., 1997). For the password mechanism to be effective, it is vital that users generate and use passwords that are strong in the sense of not being easily guessed or cracked. There has always been a trade-off between the memorability of passwords and the security of the data they protect (Proctor, Lien, Vu, Schultz, & Salvendy, 2002).

Creation of Passwords

Historically, the technicalities of password creation have received more attention than the human aspects involved. Of late, there has been growing awareness in the security community that user behavior is one of the main causes of security concerns, and this has prompted study of the human factor in data security as ensured through password mechanisms (Zurko & Simon, 1996).

Sasse, Brostoff, and Weirich (2001) have shown that current password mechanisms fail to consider usability and have therefore resulted in serious information security lapses. They hold that, with the rapid increase in the number of systems and of the passwords applied to them, most users are confronted with the problem of coping with password management. The issue is further complicated because many users lack in-depth knowledge of the seriousness of data security and of the impact passwords have on it.

This has inevitably led to situations where users evolve their own data security arrangements, which are often found lacking in several respects. These improvised arrangements lack many of the important and effective requirements of an efficient data security system. The use of cryptographically weak passwords and their ready disclosure to third parties have been observed to be the root cause of several information security incidents. Hackers and other perpetrators of cyber fraud count on these expected user behaviors and exploit them through social engineering (Poulsen, 2000). One of the objectives of this review is to examine some of the salient aspects of password selection and the related information security concerns from a human-computer interaction perspective.

Passwords and Information Security

Information has become the lifeblood of organizations and is considered a vital business asset in the present-day, IT-enabled world. With the myriad of suppliers, business associates, and markets, it would be impossible for businesses to thrive without information and its contribution to business success. Accurate and easy access to information is therefore critically important for making managerial decision-making easier and more meaningful.

This also calls for the protection and enhancement of the value of information systems to be a central strategic objective of businesses (Olufemi, 2008). It is also true that information security is not just a matter of creating and using user names and passwords. In this context, the creation of strong passwords has assumed greater importance in the matter of information security.

It is the usual practice of most users to base their passwords on biographical information such as their own name, date of birth, or the names of favorites, or on simple words, all of which are easily guessed by other people or by computer programs designed for the purpose. Studies have shown that users tend to create these kinds of passwords because they are easy to remember (Klein, 1990). The most common types of password are the users' own names, their favorite football team, or their dates of birth. Another issue is that people use the same password for most of their accounts (Ives et al., 2004).

The username-password combination is considered to offer less security than other authentication types such as biometric devices or smart cards (Luis-Garcia, Alberola-Lopez, Aghzout, & Ruiz-Alzola, 2003). However, no other method of authentication and authorization has diminished the use and popularity of the username-password combination. Its simplicity and ease of access have made it widely accepted (Pinkas & Sander, 2002). It seems this method will continue to be the primary means of authenticating access to information for the foreseeable future, and it is therefore important that sufficient security be incorporated in the creation of a password.

Passwords and Human Memory

Frequently changing shared secrets, and the requirement that unique shared secrets be used for several security domains, usually overload people's memory capabilities. As a natural consequence, people tend to cope with scores of passwords by writing them down somewhere. Similarly, long and complex passwords aggravate the limitations of human memory.

Most articles on password security and memorability treat the issue from the narrow position that users have to deal with a single security domain and, as a result, have to remember only a single password that will never change. In reality, information security is jeopardized by the aids users deploy to remember scores of passwords, not by the passwords themselves (Anne & Wheeler, 2004). On the other hand, studies have shown that many of the deficiencies in password authentication systems arise from the limitations of human memory. The requirements of some complex passwords do not take human memory capabilities into account.

There are certain facts about human memory that need to be considered when creating passwords that are strong enough to protect information:

  • human memory is limited with respect to the length of a sequence of items it can hold (Johnson, 1991),
  • the items in a remembered sequence cannot be drawn from an arbitrary and unfamiliar range, but only from a familiar range such as words or familiar symbols (Miller, 1956), and
  • human memory thrives on redundancy, meaning that people can more easily remember information encoded in multiple ways (Paivio, 1983).

Considering these aspects of human memory, password authentication is a trade-off between memorability and security. Some passwords are easy to remember but vulnerable to being cracked by simple guessing or dictionary searches; others are very strong against guessing and other attacks but beyond human memory capabilities. Otherwise strong passwords may be compromised by the limits of human memory, which lead the user to keep a written record of the password or to rely on insecure backup authentication procedures once the password is forgotten (Yan et al., 2000).

Self-Generated Passwords

According to Winstanley and Bjork (2004), when people generate ideas on their own instead of reading them from print, the act enhances retention. Self-generating the idea behind a password therefore plays an important role in helping users remember passwords with ease. Where users have used their own ideas for generating passwords, they are able to remember those passwords more vividly. The only problem with users generating their own passwords is that such passwords invariably lack security.

In contrast to self-generation, users may be given passwords randomly generated by the computer system from alphanumeric characters and symbols. Although comparatively more secure, these passwords are difficult for users to remember, because computer-generated passwords convey no meaning to the user, which limits memorability.

Password Generation and Memory Load

Memory load is the number of items retained in one's memory. A person's ability to retrieve items from memory depends largely on the memory load: as it increases, so does the number of items that slip the memory (Neath, 1998). With regard to passwords, users can retain a few unique passwords easily without much effort. As the number of passwords they have to remember increases, so does the chance of forgetting some of them.

With the rapid growth of e-commerce and other web-based e-services, memory load problems are bound to increase as users must remember more passwords. This is because users have to generate multiple passwords that meet the different requirements of different websites. Requirements of minimum length, and of combinations of letters and digits, add to the complexity of generating passwords and lead to memorability problems. The requirement by some websites that special characters be included makes the password harder still to remember.

Change of Passwords

Proactive interference occurs when people are unable to recall the items they are currently using because of interference from items previously learned and stored in memory (Bunting, 2006). The incidence of proactive interference increases with the number of previously learned items and other associated events.

Proactive interference is considered a major issue in the generation and use of passwords. Since users have the habit of giving away their passwords easily when asked (Viega, 2005), many websites now require users to change their passwords at periodic intervals. Hilton (2006) observes that changing passwords frequently denies anyone holding an old password access to the data stored on others' computers. Changing passwords may thus be considered good from a security angle. However, frequent changes impair the usability of passwords, because proactive interference from older passwords crowds users' memory and prevents them from recalling the current password (Bunting, 2006).

Impact of Elaborative Processing and Mnemonics

According to the literature on memory, the ability to recall items can be greatly improved by elaborative processing (Craik & Lockhart, 1972; Jacoby & Craik, 1979). Depth of processing refers to how deeply information is processed; it is the depth with which one encodes information that enables one to recall it later. Research in this field shows that the more deeply and elaborately information is thought about during processing, the better the chances of recalling it at a later stage (Parkin, 1984).

Another way of relating things to one another is through mnemonic techniques, which involve a different kind of elaborative processing (Neath, 1998). Mnemonic techniques aid the recall of information that is encoded in specifically organized ways that help retrieval. One example is the string ‘s2k4y6b1l3u5e7’, which interleaves the letters of ‘skyblue’ with digits and can be remembered through the fact that the sky is blue. Mnemonic techniques work by providing connections between the items that need to be remembered and other established structures or images.

Elaborative techniques aid the recall of passwords because they allow users to assign meaning to a random string of alphanumeric and other characters. Users are free to use their imagination to assign any meaning to the letters and characters so that they can recall the passwords.

Present Status of Password Selection

Many organizations give their employees guidance on selecting a good password. A good password, in normal parlance, is reasonably long, drawn from a reasonably large character set, and at the same time easy for the user to remember. On the other hand, Yan et al. (2000) observe that the advice large websites give to new users does not consider memorability but only resistance to brute-force attack. One popular recommendation is the ‘pass phrase’ approach to generating passwords.

The pass-phrase approach is described as follows: “A good technique for choosing a password is to use the first letters of a phrase. It is not advisable to pick a well-known phrase like ‘An apple a day keeps the doctor away’ (Aaadktda). Instead, pick something like ‘My dog’s first name is Rex’ (MdfniR) or ‘My sister Peg is 24 years old’ (MsPi24yo)”. It is also observed that many sites simply tell users the minimum requirements for a valid password in terms of length and character types and do not bother to provide any information on memorability or security. Such requirements normally result in users choosing weak passwords such as ‘John05’ for May and ‘John06’ for June, and so on.

Such passwords are obviously weak and leave information security vulnerable. According to Patterson (2000), when users are compelled to change their passwords periodically, they exhaust their list of passwords so rapidly that they return to a previously selected favorite. It follows that the design of password-selection advice, and the degree to which sites complement it with system-level enforcement, are problems that involve questions of applied psychology, and approaches that ignore this cannot be expected to give valid answers to the security issues connected with password selection and usage.

Password Selection Mechanisms

Some interesting findings have emerged from studies of user behavior. According to a study by Tamil et al. (2007), 55.2% of users had 1 to 5 password-protected accounts, and 86.5% of this group used the same password for their different accounts. The study also found that 85.9% of respondents rarely or never changed their passwords, that 29.3% used passwords containing letters only, and that 28.1% used passwords consisting of letters followed by numerals.

The fundamental problem identified is that users are constrained to manage and maintain so many user names and passwords that they find it convenient to use common phrases or to write the passwords down so that they can access them quickly. The findings show that such password selection practices are common among users and, through ignorance, tend to violate basic human-computer interaction rules. As a result, the passwords chosen are inherently weak.

The objective of password selection mechanisms is to enable users to select a strong and secure password. The standard mechanisms existing today do not serve that purpose, as they offer no security context at all. To address security, password complexity constraints were added to the selection models, but these additional constraints merely added a threshold without really helping users to select a secure password (Conlan & Tarasewich, 2005).

Since current password selection mechanisms provide no additional information to help users improve their selection, users are left with no alternative but trial and error until they arrive at an acceptable password. The findings of Adams and Sasse (1999) and Sasse et al. (2001) support the point that current password selection mechanisms have inadequately incorporated usability into the design of passwords.

Password Security

Human error causes more system security problems than technological issues do. Innocent users have always been targeted by hackers seeking authentication information in order to enter other people's computer systems without authorization and collect valuable personal information. The security community has therefore identified users as the “weakest link” in the operation of a computer system (G. Orgill, Romney, & P. Orgill, 2004).

Although safer methods of authentication exist that ensure better data security, their lack of cost-effectiveness has made username-password authentication more popular and indispensable for most computer-related operations such as e-commerce and e-government programs (Renaud & Smith, 2001). Even though it is widely used, the username-password process remains vulnerable. Vasiu and Vasiu (2004) identify three basic classes of attack on passwords:

  1. guessing,
  2. cracking, and
  3. harvesting.

When a password can easily be guessed, the user has generated and applied a weak password; in some cases the user sets the password to be exactly the same as the user name, their own name, or their date of birth. Cracking occurs when the password is recovered using special software or algorithms. Harvesting is an act of deceit in which the attacker manipulates victims physically or psychologically into revealing their passwords (Vu et al., 2007). Since maintaining data security has become an absolute necessity and obligation, several methods have evolved for making passwords stronger. These methods have the objectives of

  1. improving the quality of the passwords being generated by the users,
  2. improving on the memorability of the passwords being generated, and
  3. improving the complexity of the system of encryption used to protect the files and data stored in any computer system (Vu et al., 2007).
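The pass-phrase advice quoted under Present Status of Password Selection and the guessing attacks just classified can both be turned into mechanical checks. The following is an added example written for this review, not code from the paper or from any of the works it cites. It derives a password from a phrase by the first-letter rule, estimates the brute-force work an attacker faces from the password's length and character classes alone, and flags the guessable patterns the text names (password equal to the user name, built from the user's own name or date of birth, a dictionary word, letters only, or a name followed by a short number such as ‘John05’). The COMMON_WORDS set, the sample user ‘jsmith’ and the date of birth are constructed for the example and stand in for a real cracking wordlist and a real account.

```python
import math
import re
from datetime import date

# Constructed stand-in for a cracking wordlist (assumption for this example).
COMMON_WORDS = {"password", "letmein", "welcome", "apple", "dragon", "arsenal", "qwerty"}


def phrase_to_password(phrase: str) -> str:
    """Pass-phrase rule from the text: first letter of each word, whole numbers kept,
    so 'My sister Peg is 24 years old' -> 'MsPi24yo'."""
    return "".join(word if word.isdigit() else word[0] for word in phrase.split())


def charset_size(password: str) -> int:
    """Size of the union of character classes the password actually uses."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_bits(password: str) -> float:
    """Upper bound on guessing work in bits if the attacker knows only the
    length and character classes: log2(charset ** length). Guessable structure
    (names, dates, dictionary words) makes the real work far smaller."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def guessing_weaknesses(password: str, username: str, full_name: str, dob: date) -> list:
    """Checks matching the 'guessing' class of attack described in the text."""
    problems = []
    lower = password.lower()
    if lower == username.lower():
        problems.append("same as username")
    for part in full_name.lower().split():
        if len(part) >= 3 and part in lower:
            problems.append(f"contains own name '{part}'")
    dob_forms = {dob.strftime(fmt) for fmt in
                 ("%d%m%Y", "%Y%m%d", "%m%d%Y", "%d%m%y", "%y%m%d", "%m%d%y", "%Y")}
    if any(form in password for form in dob_forms):
        problems.append("contains date of birth")
    if re.sub(r"[0-9]+$", "", lower) in COMMON_WORDS:
        problems.append("dictionary word")
    if re.fullmatch(r"[A-Za-z]+", password):
        problems.append("letters only")
    elif re.fullmatch(r"[A-Za-z]+[0-9]{1,2}", password):
        problems.append("letters followed by a short number (e.g. name + month)")
    return problems


def assess(password: str, username: str, full_name: str, dob: date) -> dict:
    """Combine the brute-force bound with the pattern checks into one verdict."""
    problems = guessing_weaknesses(password, username, full_name, dob)
    return {
        "password": password,
        "brute_force_bits": round(brute_force_bits(password), 1),
        "problems": problems,
        "acceptable": not problems and brute_force_bits(password) >= 40,
    }


if __name__ == "__main__":
    # Constructed sample account (assumption): user jsmith, John Smith, born 14 June 1985.
    user, name, born = "jsmith", "John Smith", date(1985, 6, 14)
    for candidate in ("John05", "jsmith", "arsenal1985",
                      phrase_to_password("My sister Peg is 24 years old")):
        print(assess(candidate, user, name, born))
```

The brute-force bound is deliberately optimistic: ‘John05’ scores about 36 bits on length and character classes, yet the pattern checks show it is recoverable from the user's name and a two-digit month, which is exactly why the text calls such requirements a threshold rather than help.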

Requirements that passwords include special characters or have a specific length and combination of letters and numbers are expected to improve the quality of passwords (Bergadano & Crispo, 1998). Educating people about the essential qualities of a good password and requiring users to change their passwords at frequent intervals are also meant to improve the strength of passwords.

Graphical passwords, where users denote their password by identifying a certain sequence of operations in a scene, are expected to improve memorability for the users (Wiedenbeck, Birget, Broditskiy, & Memon, 2005). Another method has the user indicate one of a set of faces (Tari et al., 2006). According to Halderman et al. (2005), encryption methods, including hashing techniques, make the stored password more resistant to attacks.

Social Engineering

Security of computer systems is an ongoing process. Hackers find new ways to break into systems, organizations find ways to stop them, and both learn from each other. It cannot really be said when a totally foolproof system of security will be developed or even whether such a concept will ever be a reality. One thing that has remained constant throughout the history of systems security is the ‘human factor.’ The human factor, or to be more precise, its inherent weakness, is what makes security vulnerable. So, while hackers use technology to break into a system, ‘social engineers’ use psychology to achieve their aims.

A specific pattern is followed in the social engineering process. The initial steps involve gathering information about the person who is authorized to log in to the system. This information is used to move on to the next stage, which is building a relationship with the intended victim. In building the relationship, the attacker will try to project himself as a trustworthy person. The next step is the actual gathering of information or exploitation of the victim. Once this is achieved, the final stage is execution, i.e., the actual breaking into the system (Allen, 2007).

There are some generally accepted emotions that form the motivating factor for practicing social engineering. These emotions include greed, revenge, external pressure, removal of sensitive information, etc. The practitioners of social engineering adopt certain specialized techniques to extract information from the victims. These techniques include impersonation, shoulder surfing, baiting, conducting surveys, tailgating or piggybacking, and dumpster diving. One important factor that is common to most of these techniques is the direct contact between the victim and the attacker (Pelgrin, 2008).

Shoulder Surfing

Shoulder surfing, as a form of ‘social engineering,’ in its simplest meaning, is looking over someone’s shoulder to obtain passwords, PINs, and other sensitive personal information (Kumar, Garfinkel, Boneh, & Winograd, 2007). Shoulder surfing is an attack on password authentication that can also be carried out remotely using binoculars and cameras or by using keyboard acoustics (Zhuang, Zhou, & Tygar, 2005). This method of attack can also exploit electromagnetic emanations from the display (Kuhn, 2004).

This way of obtaining the user’s password by observing the user through various methods while they enter it grossly undermines all the efforts taken to encrypt passwords and the other protocols observed for secure authentication. It has to be recognized that errors in human activity are also the weakest link in this chain leading to the misuse of passwords.

According to Tari et al. (2006), research undertaken so far has failed to look at both the usability and security of electronic authentication solutions that can mitigate the shoulder surfing problem associated with either alphanumeric or graphical passwords. In general, approaches to overcoming shoulder surfing have relied on “increasing the noise” for the observer so that it becomes difficult for the observer to disambiguate the actions or the words/text that the user inputs for accessing the system (Kumar et al., 2007).

Biometric methods of authentication, where physiological or behavioral characteristics of individuals are used for authentication, are not prone to shoulder surfing attacks (Kumar et al., 2007). Biometric methods suffer from the shortcoming of being non-revocable. While users can easily change a password, it would be a rather painful procedure to change a fingerprint or retinal scan. Another method that can be used to overcome shoulder surfing is a secure ID token (RSASecurity, 2005). This method also cannot be considered a better one, since it requires the user to carry a physical access token, which runs the risk of being stolen or lost.

The Scramble Keypad Reader is another method; it uses an LED display, and the location of digits on the keypad is randomized with each trial. This greatly reduces the risk of shoulder surfing. In order to overcome the perils of shoulder surfing, Wiedenbeck et al. (2005) introduce a graphical password scheme that is shoulder-surfing resistant.

In the context of studying the security of passwords as an authentication mechanism, it becomes relevant and important to study the impact of shoulder surfing along with the other social engineering methods that are employed to break information security. It becomes relevant because no development has so far taken place to substantiate the security of any kind of password against its vulnerabilities. In order to assess the merits and demerits of each kind of password, it is relevant to study the extent to which the different passwords are prone to attacks by these methods of obtaining system access information.

Kinds of Passwords

Due to the increased threats to networked computer systems, system-centric security features have taken the central focus of many security practitioners to protect the data stored in the systems. Until recently, security has been perceived as a mere technical problem with no consideration for human-computer interaction issues. When users interact with computers, they have to take into account the security technologies built into the computers. They have to interact with the security aspects passively with an understanding of the basics. For their active interaction with the security technologies, people need aspects other than security like “ease of use, memorability, efficiency, effectiveness and satisfaction” (Wiedenbeck et al., 2005). As reported by Wiedenbeck et al. (2005), the problems associated with passwords arise mainly from the following conflicting requirements that passwords are expected to meet.

  1. passwords should be easy to remember and enable the user authentication protocol to be carried out quickly and swiftly by humans,
  2. passwords should be random in nature and hard to crack,
  3. passwords should be different for different accounts of the same user, and
  4. passwords should not be written down or stored in someplace where

The selection of passwords, which are the commonly used method for accessing computer systems, therefore has to satisfy these characteristics from the users’ point of view. A typical password consists of a combination of letters and numerals, which in this case is referred to as an ‘alphanumeric’ password.

Alphanumeric Password

Alphanumeric passwords first came into vogue during the 1960s, when multi-user operating systems entered the computing environment. Alphanumeric passwords were considered the solution to the security issues that were evident in the multi-user environment. As the name implies, an alphanumeric password is constructed as a string of letters and digits. Even though any string of letters or numbers can serve as a valid password, passwords that are complicated enough to be undetectable and beyond guessing are considered to offer good security to data and systems. Ideally, the general characteristics of an alphanumeric password can be described as follows: the password should

  • contain at least eight characters,
  • not be related to the user,
  • not contain a word that can be found in a dictionary or public directory.

It is advisable for the user to combine upper and lower case letters and digits when generating an alphanumeric password. Random passwords are generated by users adopting a common word and performing some actions on the word, like combining numbers and letters, altering the upper and lower case of the letters contained in the word, shuffling the order of the letters in the word, or simply reversing the order of the letters (Sobrado & Birget, 2002).

One major drawback with alphanumeric passwords is their vulnerability to dictionary attacks. Due to the difficulty of remembering complex combinations of letters and numbers, people tend to choose common names or words that they can recall easily. There are sophisticated software tools that enable an individual to crack the passwords of others by automatically testing all the words contained in a dictionary or public directory. Even though it is not possible to uncover strongly constructed passwords this way, such a tool has the ability to find valid passwords of some users of a particular system (Sobrado & Birget, 2002).
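The composition rules listed above (length, no relation to the user, no dictionary word, mixed case and digits) and the word transformations users typically apply can be enforced proactively when a password is created, before it ever reaches the password file. The following Python checker is an added example, not code from any of the studies reviewed; the rule set, the tiny inline word list and the user-related tokens it searches for are constructed assumptions.

```python
import re
from datetime import date

# Constructed stand-in for a real dictionary / public-directory word list.
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey", "letmein"}

# Common digit/symbol-for-letter substitutions ("dr4gon", "p@ssw0rd").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def dictionary_forms(password):
    """Undo the simple transformations the text describes (case changes,
    reversal, appended digits, letter substitutions) so that a password
    derived from a dictionary word is recognised as such."""
    base = password.lower()
    stripped = re.sub(r"^\d+|\d+$", "", base)      # "dragon123" -> "dragon"
    forms = set()
    for s in (base, stripped):
        forms.update({s, s[::-1], s.translate(LEET), s.translate(LEET)[::-1]})
    return {f for f in forms if f}


def user_tokens(username, full_name, birth_date):
    """Strings a password should not contain: user name, name parts and
    common date-of-birth spellings. birth_date is an ISO 'YYYY-MM-DD' string."""
    tokens = [username.lower()] + [p.lower() for p in full_name.split()]
    if birth_date:
        d = date.fromisoformat(birth_date)
        tokens += [d.strftime(f) for f in ("%Y", "%d%m", "%m%d", "%Y%m%d", "%d%m%Y")]
    return [t for t in tokens if len(t) >= 3]


def check_password(password, username="", full_name="", birth_date=""):
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
            and re.search(r"\d", password)):
        problems.append("does not mix upper case, lower case and digits")
    low = password.lower()
    for token in user_tokens(username, full_name, birth_date):
        if token in low:
            problems.append(f"related to the user ({token!r})")
            break
    if dictionary_forms(password) & DICTIONARY:
        problems.append("derived from a dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ("Dr4gon99", "jsmith1990", "Tq7#vLp9wE"):
        print(pw, "->", check_password(pw, username="jsmith", birth_date="1990-03-14") or "accepted")
```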

Biometric Passwords

These are not exactly words or graphics entered into a computer, but an authentication system that uses certain physiological characteristics of the user as a password. The physical characteristics include but are not limited to face, fingerprints, hand geometry, handwriting, iris, and voice. One advantage of this kind of password is that the “social engineering” problem can be eliminated to a great extent (Agarwal, 2006).

Biometric-based authentication has been seriously considered as a future solution for systems that require a high level of security. “There are two biometric authentication methods: biometric verification and biometric identification of identity. Biometric identification is also sometimes referred to as pure biometrics because it is based only on biometric data and is more difficult to design and operate” (Danielyan, 2004). But we cannot consider pure biometrics as the most secure, useful, or efficient system. It is also to be noted that it is not possible to use both methods with all biometrics applications. Certain biometrics can function only in verification mode because of the intrinsic properties possessed by them (Danielyan, 2004).

Dictionary Passwords

Users, in their efforts to simplify passwords, sometimes tend to select words or a combination of words from the dictionary as passwords. Such passwords have high usability but are vulnerable to dictionary-based attacks. An attack using a dictionary of up to one million words can crack such dictionary passwords in as little as twenty minutes (Bryant & Campbell, 2006).

Graphical Passwords

The human brain is genetically programmed in such a way that it can recall images more easily than textual representation. Text is single-dimensional, whereas pictures are two-dimensional. Even when we are babies, our visual senses develop much earlier than our capacity to understand and process text (Ohsuga, 1992). Due to the proliferation of systems-based security through the internet and otherwise, users are now faced with the task of remembering multiple user ids and passwords (Summers & Bosworth, 2004).

This situation is further compounded by the fact that security systems urge users to create complicated alphanumeric passwords. People in such situations tend to use the same password across multiple security systems or prefer to write them down. Both these practices are considered security flaws. It was precisely this predicament that gave rise to the concept of a password authentication system based on images rather than on text-based passwords. The pioneer in the field of graphical password authentication was Greg Blonder, who first developed and patented a graphics-based password system in 1996 (Magalhães, de, Santos, Henrique, Nunes, & Viegas, 2006).

The graphical password system of Blonder was based on clicking predetermined points on a single image; clicking on the correct points would authenticate the user to access the system (Wiedenbeck et al., 2005).

The weaknesses that are found in the current username-password solutions have led the researchers to generate solutions that combine the familiarity and usability of passwords and the security of cryptographic solutions. One of the methods developed in this direction is the ‘graphical password.’ Graphical passwords are used in the place of alphanumeric passwords. Generally, graphical passwords require users to select a predetermined image or a set of images. The images are to be found on visual display. Graphical passwords enable the users to get access to the system by requiring them to select the images in a particular sequence (Jermyn, Mayer, Monrose, Reiter, & Rubin, 1999).

Graphical passwords have been found to have better familiarity and usability, based on the innate ability of users to recognize faces (Chellappa, Wilson, & Sirohey, 1995; Turk, 2001). Earlier research in this direction focused largely on the security aspects, ignoring the usability factor. Recent developments include graphical passwords in which the user chooses the design, more specifically faces. These passwords also suffer from the same shortcomings as self-selected passwords. Davis, Monrose, and Reiter (2004) have observed that users generally select graphical passwords in a more predictable pattern.

They select faces based on ethnic background, attractive faces from the opposite gender, or faces similar to that of the user. This kind of selection of graphical passwords has a larger probability of being cracked easily. For this reason, ‘Passfaces,’ one of the available commercial implementations of graphical passwords, does not allow users to have their own choice of faces as graphical passwords (RealUserCorporation, 2005).

Brostoff and Sasse (2000), in their study on the use of graphical passwords promoted by Passfaces, found the usability of graphical passwords to be better, with far fewer resets and higher memorability on the part of the users as compared to regular passwords. The study also reported that the authentication process was slower than with normal passwords, as the users had to pass through a number of screens showing different faces.

The lower speed was attributed to the relatively old hardware and software platforms used for the experiments, which were conducted over a period of more than five months. There was evidence to prove the improved memorability of graphical passwords as compared to alphanumeric passwords. The lower rate of performance of graphical passwords as against alphanumeric passwords was corroborated by further research in the field. Later research also produced mixed results on memorability and ease of use (Ozok & Holden, 2005; Wiedenbeck et al., 2005).

Graphical passwords have two other advantages apart from usability. Firstly, memory loss due to aging will not affect recalling images as much as text. The second advantage is that cultural and language barriers are not an impediment to grasping pictures (Jutila, Wideman, & Verbal, 2006).

In other words, pictures mean the same (unless they are abstract images) to anyone viewing them, regardless of where they are from or what their background is. A disadvantage of such passwords is that it could take longer to reproduce the correct password sequence when compared to traditional systems of authentication. Pictures occupy more onscreen space than text, effectively reducing the number of images that can appear on the screen. A relatively long graphical password would need multiple screens before being authenticated.

Graphical passwords can also be classified according to the technology used in the authentication. There are three techniques commonly used in graphical password security systems. They are known as locimetric, drawmetric, and cognometric systems. A locimetric system involves clicking on certain predetermined points on a single image, whereas a cognometric system involves selecting multiple predetermined images. A drawmetric system is more creative in the sense that the password is actually a simple picture or doodle drawn on a grid on the screen. The disadvantage is that users may find it difficult to recreate the password if the drawing or picture is complicated (Moncur & Leplatre, 2007).

Necessity for Graphical Passwords

In order to obviate the issues connected with alphanumeric passwords, graphical passwords were introduced. The first description of graphical passwords by Blonder (1996) contained the requirement that the user click on some chosen regions of the graphic. When the user clicks on the correct regions, the user gets access to the system. Graphical passwords are based on the efficiency of human memory. It is an established fact that the memorability of passwords and the efficiency of their input are mainly human factors that need consideration in the generation of any password (Wiedenbeck et al., 2005).

The memorability of the password by the user is influenced by the manner in which the user chooses the password and the task undertaken by the user when he retrieves the password. While adopting a graphical password system, it is important that the user choose memorable locations in a picture. Again choosing a memorable location depends on the nature of the image and the sequence, which the user would like to follow in clicking chosen locations. Norman (1988) is of the view that in order to be memorable, the images should possess the character of being semantically meaningful in their content.

This becomes necessary because there can be no meaning assigned to things chosen arbitrarily. This gives rise to the idea that jumbled or abstract images would be difficult for the user to remember. On the other hand, concrete and real-world scenes would make better graphical passwords. Although long-term human memory does not store a replica of the image, it is capable of storing a meaningful interpretation covering the image (Mandler & Ritchey, 1977). In order to retrieve graphical passwords, the user has to depend on the encoding that they used while learning the password. When the user has done a poor encoding, it will result in failure to distinguish between similar objects and consequently will hamper retrieval.

Tasks Associated with Retrieval of Graphical Passwords

To retrieve graphical passwords, users are instructed to perform either a recognition task or a cued recall task. The choice of task depends on the graphical password system being used. In a recognition-based graphical password system, the user is required to recognize some previously seen images. For each image, the user makes a binary choice as to whether the image is known or unknown.

Norman (1988) is of the opinion that a recognition task is an easier memory task than a pure recall task. In the case of a graphical password system, an intermediary method of recollection that falls between recognition and pure recall is used. This is known as the cued recall method. In the cued recall method, the user views the image and scans it for the previously chosen locations. The user is thereby reminded, or cued, about the click areas. Psychology studies have shown that images are more memorable in recognition and recall tasks than words or text (Shepard, 1967; Standing, 1973).

Security of Graphical Passwords

The security of passwords, in general, depends roughly on the size of the password space. The password space is given by the number of possible passwords that could be generated given the password parameters. The security of the passwords also depends on the manner in which the passwords are being used by the users. The parameters that determine the size of the graphical password space are the safety parameters, number of click points, image size, and the resolution of the image. Usually, no control can be exercised on these parameters. The effective password space is therefore determined by the human use of such a password scheme, which in turn depends on the number of passwords the user is likely to use.
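As an added illustration, not from the sources reviewed, of how the parameters named above determine the password space, the following Python computes the theoretical space of a Blonder/PassPoints-style click-point scheme from the image size, the tolerance square around each click and the number of click points, compares it with an eight-character alphanumeric password, and then shows how the effective space shrinks when users in practice draw their clicks from only a fraction of the available regions. The 640 x 480 image, the 20-pixel tolerance, five click points and the 10 percent hotspot fraction are constructed assumptions.

```python
import math


def alphanumeric_space_bits(length, alphabet_size=62):
    """Password space, in bits, of a password of `length` characters drawn
    uniformly from `alphabet_size` symbols (62 = 26 lower + 26 upper + 10 digits)."""
    return length * math.log2(alphabet_size)


def clickpoint_regions(width, height, tolerance):
    """Number of distinguishable click regions when a click is accepted
    anywhere inside a tolerance x tolerance pixel square (the 'safety
    parameter' of the text): coarser tolerance means fewer regions."""
    return (width // tolerance) * (height // tolerance)


def clickpoint_space_bits(width, height, tolerance, click_points):
    """Theoretical space of an ordered sequence of `click_points` clicks,
    each landing in any one of the available regions."""
    return click_points * math.log2(clickpoint_regions(width, height, tolerance))


def effective_space_bits(regions_actually_used, click_points):
    """Effective space when users only ever click in `regions_actually_used`
    of the regions (constructed figure standing in for observed hotspots)."""
    return click_points * math.log2(regions_actually_used)


def compare(width=640, height=480, tolerance=20, click_points=5,
            hotspot_fraction=0.10, text_length=8):
    """Side-by-side comparison of the three spaces, rounded to 0.1 bit."""
    regions = clickpoint_regions(width, height, tolerance)
    used = max(1, int(regions * hotspot_fraction))
    return {
        "alphanumeric_bits": round(alphanumeric_space_bits(text_length), 1),
        "clickpoint_theoretical_bits": round(
            clickpoint_space_bits(width, height, tolerance, click_points), 1),
        "clickpoint_effective_bits": round(effective_space_bits(used, click_points), 1),
        "regions": regions,
        "regions_used": used,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the assumed parameters the click-point scheme's theoretical space (about 47.9 bits) is on a par with an eight-character alphanumeric password (about 47.6 bits), but restricting clicks to 10 percent of the regions drops the effective space to about 31 bits, which is the point the text makes about human use.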

Graphical passwords are subjected to a dictionary attack against the collection of all the users of a system and an individual attack against a particular user. In the case of alphanumeric passwords, the dictionary attack is a known threat to password security.

Just as in the case of alphanumeric passwords, in the case of graphical passwords also there could be a possible attack by using a known set of password candidates, which can be denoted as a dictionary. However, this set cannot be expected to be large enough for an exhaustive search. This threat also has a non-negligible probability of intersecting with the set of actual passwords that are in actual use by the users (Sobrado & Birget, 2002).

It is to be noted that there are no dictionaries of click-point sequences in existence for graphical passwords. For constructing such a dictionary, it is essential for the attacker to discover the regularities in human click patterns. It is possible for the attacker to find only a good approximation of the password space, which may not really help him accomplish his objective, as such a space may not be large enough to be searched exhaustively (Birget, Hong, & Memon, 2006).

Recent studies have pointed out that there is a large collection of click points used by graphical password users. Therefore, there may not be any possibility that can evolve a possible subset of memorable click points that are chosen with a high probability (Wiedenbeck et al., 2005). These studies have a shortcoming in that they focused mainly on the usability of the graphical passwords and not on the security aspects.

In the attack against the individuals, the objective is to find out the password of a particular individual user. Here it is assumed that the attacker has got hold of the password record of the victim obviously from the password file. It is also assumed that the attacker has some personal information about the user but not specifically about the password. Normally for carrying out this attack, there should be the aid of a computer along with the human effort. It is possible by using experience and human testing to guess the sequence of click points precisely that is being used by a particular user if the attacker knows the user well (Birget et al., 2005).

Graphical Passwords and Shoulder Surfing

Shoulder surfing refers to the action of watching over other people’s shoulders while they perform some information-processing task. An example of shoulder surfing is observing the keyboard as someone types a password, enters a PIN, or views their personal information. Since graphical passwords consist of icons or symbols, they are more vulnerable to shoulder surfing. It is observed that most of the currently operating graphical password schemes do not address the issue of shoulder surfing, but sidestep it by stating that graphical passwords are to be used only from handheld devices or from workstations set up in such a way that only one person can see the screen at the time they log in to the system.

Normally it is possible to operate on systems while no one is watching over the shoulder, but it is highly impractical to use the graphical passwords in an environment set up, especially to prevent shoulder surfing. This, in a way, diminishes the utility of graphical passwords as compared to alphanumeric passwords (Tari et al., 2006).

Despite the distinct advantage of improved memorability that graphical passwords carry in comparison with traditional alphanumeric passwords, graphical passwords cannot withstand the attack of shoulder surfing. Systems of graphical passwords that make use of graphics or pictures like PassFaces, Jiminy, VIP, Déjà vu, and PassPoints, or even systems like AVAP that use a combination of graphics and audio, are all susceptible to shoulder surfing unless the users take care to protect them while entering the passwords (Tari et al., 2006).

Computer science literature on the issue of shoulder surfing is not abundant. The act of shoulder surfing as a form of social engineering has gained prominence in recent periods. Various methods like ‘dumpster diving,’ ‘persuasion,’ and ‘observation’ are adopted in the practice of shoulder surfing (Orgill et al., 2004). In a study conducted to assess users’ perceptions regarding the strength of alternative password mechanisms like answers to cognitive questions and ImagePINs, 77 percent of the respondents believed that the answers to cognitive questions, when used as passwords, are difficult to guess or crack.

Forty-five percent of them believed ImagePINs to be more secure. Since no empirical data were available in the study, these results cannot be taken as authentic for analysis. In yet another study, a graphical identification system in which the icons or pictures move while the user selects them was developed to mitigate the vulnerability to attacks from malicious code that could monitor the activity stream of the user. The authors who developed the system are still of the opinion that such a system of moving icons remains open to shoulder surfing attacks using direct observation or video recordings (Sobrado & Birget, 2002).

Man, Hong, Hayes, and Matthews (2004) have developed another variation of graphical passwords, having a number of variants that defy the ability of the attacker to pinpoint the exact password graphics. The authors are working on an improvement to the system whereby they would be able to produce a mathematical proof of the resistance of the system against shoulder surfing. These studies say nothing about the commercial viability of the graphical passwords they have developed. Further, the studies have not produced any comparable observations of the vulnerability of these graphical passwords against traditional alphanumeric passwords.

Conclusion

The review of literature on the issue of passwords and their security reveals that, despite the emergence of sophistication in information technology, the password security issue remains unsolved. Users who do not possess extensive knowledge of data security are still making the data security vulnerable by using passwords that are subject to easy cracking or guessing. The problem with many of the graphical password schemes is that they are mostly used in studies or have been developed by the researchers themselves (PassPoints, Cued Click Points). Therefore, they remain as prototypes without being converted as practical applications in a strictly commercial sense.

Passfaces seems to be the only commercially successful application. Social engineering is yet another concern that needs to be addressed. “Insider threat” security concerns are of equal importance. To reiterate the objectives of this study, the ultimate aims of this study are threefold. The first is to redefine the concept of security in the authentication process, the second is to change the perceptions that exist today about the so-called secure passwords, and the third is to determine whether or how graphical password authentication can be used to enhance the security of computer systems. This will be dealt with in the next section, where research questions are hypothesized, and the research methodology adopted to conduct the research is discussed in detail.

References

Abadi, M. A., Lomas, T. M., & Needham, R. (1997). Strengthening Passwords. SRC Technical Note 1997-033 Digital System Research Centre. California.

Ackerman, M. S., & Mainwaring, S. D. (2005). Privacy issues and human-computer interaction. In: Security and Usability. Sebastopol, CA: O’Reilly.

Adams, A., & Sasse, M. A. (1999). Users are not the enemy: Why users compromise computer security mechanisms and how to take remedial measures. Communications of the ACM, 42 (12), 41-46.

Adams, A., Sasse, M. A., & Lunt, P. (1997). Making Passwords Secure and Usable. Proceedings of Human Computer Interaction, (pp. 1-19). Bristol.

Agarwal, A. (2006). Biometric authentication replacing passwords: Does authentication get better or worse? Web.

Allen, M. (2007). Social engineering: A means to violate a computer system: The cycle. Sans Institute, 5-13.

Anne, & Wheeler, L. (2004). Passwords. Web.

Bergadano, F., & Crispo, B. R. (1998). High dictionary compression for proactive password checking. ACM Transactions on Information and System Security, 1, 3-25.

Bidgoli. (2004). Preface. In: Bidgoli, H. (Ed.), “The internet encyclopedia”. NJ: Wiley, Hoboken.

Bidgoli, H. (2006). Handbook of information security. NJ: Wiley, Hoboken.

Birget, Hong, J. C., & Memon, N. (2006). Graphical passwords based on robust discretization. IEEE Transactions on Information Forensics and Security, 1 (3), 395-399.

Blonder, G. E. (1996). Patent No. 5559961. United States.

Brostoff, S., & Sasse, A. (2000). Are passfaces more usable than passwords? A field trial investigation. Sunderland University, People and Computers XIV – Usability or Else! Proceedings of HCI 2000.

Bryant, K., & Campbell, J. (2006). User behaviors associated with password security and management: Conclusion. Australian Journal of Information Systems, 14, 96.

Bunting, M. (2006). Proactive interference and item similarity in working memory. Journal of Experimental Psychology: Learning, Memory, and Cognition, 32, 183-196.

Carstens, D. S., & McCauley-Bell, P. (2000). Importance of Human error on Logistics information security. Proceedings of the International Society of Logistics Engineer Congress. Orlando Florida.

Chellappa, Wilson, R. C., & Sirohey, S. (1995). Human and machine recognition of faces: A survey. Proceedings of the IEEE, 83, 705-741.

Conlan, R. M., & Tarasewich, P. (2005). Improving the Password Selection Mechanism. Web.

Craik, F. I., & Lockhart, R. S. (1972). Levels of processing: A framework for memory research. Journal of Verbal Learning and Verbal Behavior, 11, 671-684.

Cranor, L., & Garfinkel, S. (2005). Security and Usability. O’Reilly and Associates.

Danielyan, E. (2004). The Lures of Biometrics. The Internet protocol Journal, 7 (1).

Davis, D., Monrose, F., & Reiter, M. (2004). On User Choice in Graphical Password Schemes. presented at 13th Usenix Security Symposium. San Diego, CA.

Deborah, S. C., Pamela, R. M., Linda, C. M., & Ronald, F. D. (2004). Evaluation of the human impact of password authentication Practices on Information, Security. Informing Science Journal, 7, 67-85.

Dutta, A., & McCrohan, K. (2002). Management’s Role in information security in a cyber company. California Management Review, 45 (1), 67-88.

Halderman, J. A., Waters, B., & Felten, E. W. (2005). Security through the eyes of users: A convenient method for securely managing passwords. New York: In: Proceedings of the 14th International Conference on World Wide Web ACM Press.

Ives, B., Walsh, K. R., & Schneider, H. (2004). The domino effect of password reuse. Communications of the ACM, 47, 75-78.

Jacoby, L. L., & Craik, F. I. (1979). Effects of elaboration of processing at encoding and retrieval: trace distinctiveness and recovery of initial context. In: Cermak, L.S., Craik, F.I.M. (Eds.), Levels of Processing in Human Memory. Lawrence Erlbaum Assoc. NJ: Hillsdale.

Jermyn, I., Mayer, A., Monrose, F., Reiter, M., & Rubin, A. (1999). The design and analysis of graphical passwords. Washington,DC: presented at 8th USENIX Security Symposium.

Johnson, G. J. (1991). Pyschological Review. 98 (2), 204-217.

Jutila, C., Wideman, J., & Verbal, P. (2006). Children’s Ministry in the 21st Century: The Encyclopaedia of Practical Ideas. Group Publishers.

Klein, D. (1990). Foiling the cracker: A survey of, and improvements to password security. Proceedings of the Second USENIX Security Workshop.

Kuhn, M. G. (2004). Electromagnetic Eavesdropping Risks of Flat Panel Displays. 4th Workshop on Privacy Enhancing Technologies (pp. 23-25). Berlin-Heidelberg: LNCS.

Kumar, M., Garfinkel, T., Boneh, D., & Winograd, T. (2007). Reducing Shoulder-surfing by Using Gaze-based Password Entry. Web.

Luis-Garcia, R. D., Alberola-Lopez, C., Aghzout, O., & Ruiz-Alzola, J. (2003). Biometric identification systems. Signal Processing, 83, 2539–2557.

Magalhães, de, S. T., Santos, Henrique, Nunes, & Viegas, P. (2006). Critical aspects in authentication graphic keys, Proceedings of The 5th European Conference on Information Warfare and Security Held at the National Defense College. Academic Conferences International, (pp. 231-236). Helsinki.

Man, S., Hong, D., Hayes, B., & Matthews, M. (2004). A password scheme strongly resistent to spyware. Las Vegas: International Conference on Security and Management.

Mandler, J. M., & Ritchey, G. H. (1977). Long-term memory for pictures. Journal of Experimental Psychology: Human Learning and Memory, 3, 386-396.

McCauley-Bell, P., & Crumpton, L. Y. (1998). The human factors issues in information security: Whatare they and do they matter? Proceedings of the Human Factors and Ergonomics Society 42 Meeting. Chicago Illinois.

Miller, G. A. (1956). The Magical number seven plus or minus two: Limits on our capacity for Processing Information. Psychological Review, 63, 81-87.

Moncur, W., & Leplatre, G. (2007). Pictures at the ATM: Exploring the usability of multiple graphical passwords. CHI 07 Proceedings of the SIGCHI conference on Human Factors in Computing Systems. ACM.

Morris, R., & Thompson, K. (1979). Password security: A case history. Communications of the ACM, 22, 594-597.

Nasscom. (2006). Human Error Responsible for 60 percent of its breaches. Web.

Neath, I. (1998). Human memory: An introduction to research, data, and theory. Pacific Grove, CA: Brooks/Cole.

Norman, D. A. (1988). The design of everyday things. New York: Basic Books, New York.

Ohsuga, S. (1992). Information modeling and knowledge bases: Motivational for concept visualization. IOS Press.

Olufemi. (2008). The Importance of Information Security. Web.

Orgill, G., Romney, W., & Orgill, P. M. (2004). The urgency for effective user privacy education to counter social engineering attacks on secure computer systems. Salt Lake City, Utah: presented at 5th Conference on Information Technology Education (SIGITE ’04).

Ozok, & Holden, S. H. (2005). Alphanumeric and Graphical Authentication Solutions: A Comparative Evaluation. presented at HCI International 2005. Las Vegas, NV.

Parkin, A. J. (1984). Levels of processing, context, and facilitation of pronunciation. Acta Psychologia, 55, 19-29.

Patterson, B. (2000). Letter. Communication of the ACM Vol 43 no 4.

Pavio, A. (1983). The Empirical Case for Dual Coding in Imagery, Memory and Cognition: Essasys in honor of Allan Pavio. Hillsdale NJ: Erlbaum.

Pelgrin, W. F. (2008). Social engineering – are you at risk? Cyber security tips newsletter, Multi-state information sharing and analysis center, MS-ISAC, 3 (4).

Pinkas, B., & Sander, T. (2002). Securing passwords against dictionary attacks. Washington, DC: In: Proceedings of the Ninth ACM Conference on Computer and Communications Security. ACM.

Poulsen, K. (2000). Mimick to lawmakers: People, phones and weakest links. Web.

Proctor, R. W., Lien, M. C., Vu, K. P., Schultz, E. E., & Salvendy, G. (2002). Improving computer security for authentication of users: influence of proactive password restrictions. Behavior Research Methods, Instruments, & Computers, 34, 163-169.

RealUserCorporation. (2005). How the Passface™ System Works.

Renaud, K., & Smith, E. (2001). Renaud K & E Smith, (2001) “Helping users to remember their passwords. Pretoria, South Africa: presented at Annual Conference of the South African Institute of Computer Scientists and Information Technologists.

RSASecurity. (2005). RSA security survey reveals multiple passwords creating security risks and end user frustration. Web.

Sasse, M. A., Brnstoft, S., & Weirich, D. (2001). Transforming the “weakest link”: A human-computer interaction approach to usable and effective security. BT Technical Journal, 19 (3), 122-131.

Schultz, E. E., Proctor, R. W., Lien, M. C., & Salvendy, G. (2001).., (2001) Usability and security: An appraisal of usability issues in information security methods. Computers & Security, 20, 620-634.

Shepard, R. N. (1967). Recognition memory for words, sentences, and pictures. Journal of Verbal Learning and Verbal Behavior, 6, 156-163.

Sobrado, L., & Birget, J.-C. (2002). Graphical Passwords. Web.

Standing, L. P. (1973). Learning 10,000 pictures. Quarterly Journal of Experimental Psychology, 25, 207-222.

Summers, W. C., & Bosworth, E. (2004). Password policy: The good, the bad, and the ugly: Introduction. Columbus State University Published paper,1.

Tamil, E. M., Othman, A. H., Abidin, S. A., & Zackaria, O. (2007). Password Practices: A Study on Attitudes towards Password Usage among Undergraduate Students in Klang Valley,Malaysia. Web.

Tari, F., Ozok, A. A., & Holden, S. H. (2006). (2006) A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. Pittsburg PA USA: Symposium on Usable Privacy and Security (SOUPS).

Turk, M. (2001). A random walk through eigenspace. IEICE Transactions of Information and Systems, 1586-1595.

Vasiu, L., & Vasiu, I. (2004). Dissecting computer fraud: From definitional issues to a taxonomy. Hawaii: presented at 37th Hawaii International Conferences on System Sciences,.

Viega, J. (2005). Solutions to many of our security problems already exist, so why are we still so vulnerable? Queue.

Vu, K.-P. L., Proctor, R. W., Spantzel, A. B., Tai, B.-L. (., Cook, J., & Schultz, E. E. (2007). Improving password security and memorability to protect personal and organizational information. International Journal of Human-Computer Studies, 65, 744-757.

Wiedenbeck, S., Birget, J. C., Broditskiy, A., & Memon, N. (2005). Authentication using graphical passwords.

Winstanley, P. A., & Bjork, E. L. (2004). Processing strategies and the generation effect: Implications for making a better reader. Memory & Cognition, 32, 945-955.

Wood, C., & Banks, W. (1993). Human error: An overlook but significant information security problem. Computers & Security, 12, 51-60.

Yan, J., Blackwell, A., Anderson, R., & Grant, A. (2004). Password memorability and security: empirical results. IEEE Privacy & Security, 2, 25-31.

Zhuang, L., Zhou, F., & Tygar, J. D. (2005). Keyboard Acoustic Emanations Revisited. Proceedings of Computers and Communication Security (pp. 373-382). Alexandria Virginia: ACM.

Zurko, M. E., & Simon, R. T. (1996). User-centered security. New Security Paradigms Workshop, CA.

Zviran, M., & Haga, W. J. (1993). A comparison of password techniques for multilevel authentication mechanisms. The Computer Journal, 227-237.