Security And Usability Analysis Of Password Composition Policies

Posted on: 2020-09-01
Degree: Master
Type: Thesis
Country: China
Candidate: B Ye
Full Text: PDF
GTID: 2428330578952879
Subject: Computer application technology
Abstract/Summary:
With the rapid development of the Internet, more and more Internet applications have emerged. Most of these applications use password authentication as their method of identity authentication. Password authentication proves the user's identity through information that the user knows. It is simple, effective, practical and convenient, so many systems prefer this authentication method. However, the security of passwords is a major weakness of password authentication. In order to memorize passwords, users often choose weak passwords, and attackers can easily guess weak passwords through online or offline attacks. An important condition for ensuring the security of password authentication is to encourage users to choose strong passwords. Password composition policies, which can help users create passwords, have therefore been a research hotspot. This paper studies the security and usability of password composition policies. The main work is summarized as follows:

1. Based on the research problems and methods of the existing password composition policies, this paper divides password composition policies into four categories: general password composition policy, mnemonic password policy, random password policy and dynamic password composition policy. This classification helps to understand password composition policies better.

2. Unlike previous research, which was conducted in the laboratory or over the network by recruiting participants, this paper starts from reality: it uses real passwords leaked from websites to study how the password composition policies used on many websites affect the user's choice of password. We study whether these password composition policies can help users create strong passwords. This paper mainly compares some features of the real passwords in three scenarios (no password composition policy, the basic6 policy and the 2class6 policy) and analyzes the security of these passwords. The results show that password composition policies affect the length and character types of the password selected by the user. Policies that require multiple character classes increase the length of the password. The number of character classes included in the password selected by the user just meets the requirements of the password composition policy. In addition, we also find that the above three scenarios were not good for helping users create strong passwords.

3. This paper selects four mnemonic password creation tips that users commonly use when creating passwords. It analyzes the security of these tips under unknown attacks through experiments, and under known attacks by calculating the search space of the different tips. It also analyzes the usability of these tips in terms of password creation time, password recall time and the login success rate when using the password. The results show that, under unknown attacks, passwords created by UsForm are more robust to common password guessing tools; KbCg and SenSub are more resistant to online guessing attacks; and KbCg is more resistant to offline guessing. Under known attacks, SenSub is more secure than the other three password tips. The password creation time is the shortest when using SpIns; the password recall time is the shortest when using SenSub; and the password success rate is the highest when using UsForm.

4. Based on the results of this paper, some suggestions are given for users creating passwords with mnemonic password tips.
Keywords/Search Tags: password composition policy, security, usability, password tip