How Secure is Your Password? An Analysis of E-Commerce Passwords and their Crack Time
Source: Journal of Information Systems Security, Volume 2, Number 3 (2006), pages 69–82. ISSN 1551-0123 (Print), ISSN 1551-0808 (Online).
Authors: Joseph A. Cazier (Appalachian State University, USA); B. Dawn Medlin (Appalachian State University, USA).
Publisher: Information Institute Publishing, Washington DC, USA.
Abstract
The purpose of this paper is to examine passwords created by end users in relationship to length, strength, and crack times. Examination of these passwords illustrates the connection between password length and strength and the need to educate users about the importance of their password choices. Through an empirical analysis of actual user passwords from a commercial website, this paper examines whether the passwords created by individuals on an e-commerce site follow “good” or “bad” password practices. Additionally, this paper addresses the issue of crack times (the time it takes to ‘crack’ a password) in relationship to password choice. The results of this study show the actual password practices of current consumers and should indicate to both organizations and end users the need for further education and for more secure password choices. Almost a third of the passwords were cracked in less than one minute and lacked basic features that should be in any secure password.
Keywords
Passwords, Security, Hacking, Cracking, Password Cracking