Abstract
In this paper, we describe and evaluate how the learning framework ContextBased MicroTraining (CBMT) can be used to assist users in creating strong passwords. Rather than a technical enforcement measure, CBMT is a framework that delivers information security training to users at the moment they are in a situation where the training is directly relevant. The study is carried out in two steps. First, a survey measures how well users understand password guidelines that are presented in different ways. Second, an experiment measures how presenting password guidelines through CBMT affects the strength of the passwords users create. The experiment was carried out by implementing CBMT on the account registration page of a local internet service provider and observing the resulting user-created passwords. The results show that users presented with password creation guidelines through a CBMT learning module understand those guidelines to a higher degree than other users. Further, the experiment shows that users presented with password guidelines in the form of a CBMT learning module create passwords that are longer and more secure than other users. Password strength was assessed with the zxcvbn tool developed by Dropbox, which estimates strength (guessability) from dictionary, pattern and brute-force matching rather than from composition rules alone.
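To make the two mechanisms the abstract combines concrete, the following is an added illustration, not code from the paper or from Dropbox's zxcvbn: a simplified zxcvbn-style estimator that segments a password into dictionary, l33t, repeat and sequence matches and brute-forces the rest (the minimum-cost segmentation idea of the original zxcvbn), plus a registration-time hook that returns the kind of guidance a CBMT module would show while the user is still choosing. The mini-dictionary, the guess multipliers and the tip wording are assumptions; only the 0-4 score bins follow zxcvbn's published thresholds.

```python
import math
import re

# Constructed, ranked mini-dictionary (rank 1 = most common). The real zxcvbn
# ships tens of thousands of ranked entries from leaked passwords, names and
# English words; this list exists only so the example runs offline.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "summer",
                "dragon", "monkey", "football", "welcome", "sunshine"]
RANK = {word: rank for rank, word in enumerate(COMMON_WORDS, start=1)}

# Common "l33t" substitutions, undone before the dictionary lookup (assumed set).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def _cardinality(text):
    """Size of the alphabet a brute-force attacker must cover for this text."""
    card = 0
    if re.search(r"[a-z]", text):
        card += 26
    if re.search(r"[A-Z]", text):
        card += 26
    if re.search(r"[0-9]", text):
        card += 10
    if re.search(r"[^a-zA-Z0-9]", text):
        card += 33
    return card


def _matches(password):
    """Yield (start, end, guesses, label) for each substring that is a known pattern.

    The guess multipliers are illustrative assumptions, not zxcvbn's exact scoring.
    """
    n = len(password)
    for i in range(n):
        for j in range(i + 1, n + 1):
            tok = password[i:j]
            low = tok.lower()
            unleet = low.translate(LEET)
            if low in RANK:
                # capitalisation roughly doubles the work for a dictionary attack
                yield i, j, RANK[low] * (2 if tok != low else 1), "dictionary"
            elif unleet != low and unleet in RANK:
                yield i, j, RANK[unleet] * 4, "l33t"
            if j - i < 3:
                continue
            if len(set(tok)) == 1:
                # "aaaa": pick the character, then the run length
                yield i, j, _cardinality(tok) * (j - i), "repeat"
            deltas = {ord(b) - ord(a) for a, b in zip(tok, tok[1:])}
            if deltas in ({1}, {-1}):
                # "abcd" / "4321": start symbol times length, descending costs double
                base = 10 if tok[0].isdigit() else 26
                yield i, j, base * (j - i) * (2 if deltas == {-1} else 1), "sequence"


def estimate_guesses(password):
    """Return (guesses, segments) for the cheapest way to cover the password.

    Dynamic programme over prefixes: each character is either brute-forced at
    the password's alphabet size or absorbed into a cheaper pattern match that
    ends there, mirroring the original zxcvbn minimum-entropy segmentation.
    """
    n = len(password)
    card = max(_cardinality(password), 1)
    ending_at = {}
    for i, j, guesses, label in _matches(password):
        ending_at.setdefault(j, []).append((i, guesses, label))
    best = [(1, [])] + [None] * n
    for j in range(1, n + 1):
        prev_guesses, prev_segs = best[j - 1]
        cand = (prev_guesses * card, prev_segs + [(password[j - 1], "bruteforce")])
        for i, guesses, label in ending_at.get(j, []):
            total = best[i][0] * guesses
            if total < cand[0]:
                cand = (total, best[i][1] + [(password[i:j], label)])
        best[j] = cand
    return best[n]


def score(guesses):
    """zxcvbn's 0-4 bins (guess thresholds 1e3, 1e6, 1e8, 1e10)."""
    for s, limit in enumerate((1e3, 1e6, 1e8, 1e10)):
        if guesses < limit:
            return s
    return 4


def registration_feedback(password, min_score=3):
    """What a CBMT-style module could show at the moment of account creation."""
    guesses, segments = estimate_guesses(password)
    labels = {label for _, label in segments}
    tips = []
    if labels & {"dictionary", "l33t"}:
        tips.append("Contains a common word; swapping 0 for o or adding a digit barely helps.")
    if labels & {"sequence", "repeat"}:
        tips.append("Sequences (abcd, 1234) and repeats (aaaa) are among the first guesses tried.")
    if len(password) < 12:
        tips.append("Length matters most: a few unrelated words beat a short complex string.")
    return {
        "score": score(guesses),
        "log10_guesses": round(math.log10(guesses), 1),
        "accepted": score(guesses) >= min_score,
        "tips": tips,
    }


if __name__ == "__main__":
    for pw in ["Password1", "p4ssw0rd", "aaaa1234", "correct horse battery staple"]:
        print(pw, registration_feedback(pw))
```

The point the estimator makes is the one the paper's evaluation relies on: "Password1" and "p4ssw0rd" satisfy typical composition rules yet collapse to a handful of guesses once the dictionary match is found, while a long passphrase of uncommon words has to be brute-forced character by character. Returning the tips together with the score is what lets a registration page teach at the moment the guidance is relevant instead of only rejecting the input.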
© 2020 IFIP International Federation for Information Processing
About this paper
Cite this paper
Kävrestad, J., Nohlberg, M. (2020). Assisting Users to Create Stronger Passwords Using ContextBased MicroTraining. In: Hölbl, M., Rannenberg, K., Welzer, T. (eds) ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-030-58201-2_7
DOI: https://doi.org/10.1007/978-3-030-58201-2_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58200-5
Online ISBN: 978-3-030-58201-2
eBook Packages: Computer Science, Computer Science (R0)