
Whiting 1

Brandon Whiting
English 1010-024
Dr. Paul Anderson
Exploratory Research Paper
December 6, 2015
Examination of Modern Online Authentication Theory

The Prevailing Incumbent


Passwords predate the personal computer. Currently, they play such a pivotal role in
our day-to-day lives that one would assume that they would be evolving as quickly
as the technology behind our daily tech. Unfortunately, this is not the case. The
theory driving commonly-accepted password characteristics has remained largely
unchanged for three decades while the technology that they protect and tactics
assailants utilize have evolved at a much faster rate. This has led some to speculate
that reexamination of those theories is very much needed, especially in light of the
plethora of online security compromises that have plagued users in the recent past.
Much of the reason that the username and password have persevered unchanged
is the monopoly they hold over modern-day system administrators: they are
extremely pliable and in use on nearly every platform requiring cybersecurity. In
addition to their incumbency, other obstacles obstructing meaningful progress range
from the monetary to privacy concerns.
As an aspiring computer engineer, I find that new developments in online
authentication theory directly affect the design behind hardware and software
necessities in contemporary technology. For example, if the industry begins to
implement an electronic ID card in addition to the username and password, newly
produced computers will need to be manufactured with card readers to interpret
that ID card. My purpose in writing this work is to publicize and compare five of the
more recent and pertinent theories that different lines of research have unearthed.
In summation, the prevailing interrogatory driving my research is simply: What
modern solutions have been presented to quell the recent outbreak of online
database compromises?
The Password's Legacy
In the early 1960s, researchers had designed and manufactured a colossal
mainframe computer called the Compatible Time-Sharing System, hereafter referred
to as the CTSS. This system consisted of multiple terminals which were to be used
by multiple persons, but with each person having his own private set of files
(McMillan 7). Due to the number of people and places able to access the system, the
concept of the password was implemented in an attempt to verify that a person
attempting to access the system had the authority to do so and had not used up his
or her allotted time on the machine. The password was chosen mainly because, at
the time, there were no other alternatives that could rival its efficiency.
Not long after its inception, in 1962, a Ph.D. researcher by the name of Allan
Scherr was trying to find a way to raise the amount of time he was allotted on CTSS.
His answer to the dilemma: he had the password file printed. "There was a way to
request files to be printed offline by submitting a punched card," Scherr confessed
in 1987. "Late one Friday night, I submitted a request to print the password files and
very early Saturday morning went to the file cabinet where printouts were placed
and took the listing" (McMillan 13). This is possibly the first documented occurrence
of password theft.
Fast-forward twenty-or-so years to 1985: the Department of Defense (DoD)
had adopted computers on a large scale and saw fit to engineer and publish a set
of password guidelines. This published work is known as the Green Book [1] (DoD
Computer Security Center Publication). The Green Book specified detailed policies
for mitigating the risk of password guessing, including rate limiting, hashing
passwords at rest, and limiting the lifetime of passwords (Oorschot et al. 80). It is
from this publication that most modern password security aphorisms are derived.
Regrettably, despite utilization of many of the included guidelines, there have been
both wide-scale and personally-targeted security compromises, ranging from
celebrity pictures being stolen from their personal devices to large portions of
databases being taken from companies such as eBay, JP Morgan and Target. These
failures have thrown into question the guidelines laid out by the aforementioned
Green Book. Again, my intention is to find several different possible solutions to
these attacks and compare them for feasibility of use.
Argument for Physical Object-Driven Second-Factor Authentication
To find my initial source, I conducted a Boolean search through the Academic Search
Premier for the term "password", limiting search results to only scholarly (peer-reviewed)
articles of which the full text was available for viewing. From the 383
results returned, I looked for a title that related to cyber-security, was relatively
broad in scope, and didn't have an over-abundance of technological jargon. I identified
the second search result as one such article, titled "Passwords and the Evolution of
Imperfect Authentication" (academic journal article), that seemed to fit my
parameters. I found the title to be interesting in that it implies that our current
computer authentication scheme is inherently imperfect. Upon closer scrutiny of the
article's provided abstract, I found the subject matter to, indeed, be wide in scope,
yet simple enough for me to analyze and condense. It was authored in July 2015 by
Oorschot, Bonneau, Herley, and Stajano and published in Communications of the
ACM (academic journal). I viewed the electronic version of the article, rather than
the physically-printed version.

[1] The DoD's Password Management Guideline, or Green Book, examines the
connection between the length and lifetime of passwords. Understanding the
assumptions made and restrictions they imposed will net a greater understanding of
the reasoning behind many of today's password methods.
The authors' goal in writing the article is to show current and future
students/researchers of cyber-security that modern research is, by and large,
inaccurate and draws administrators into a false sense of security. Oorschot et al.
postulate that, "regardless of password strength, passwords are still static secrets
that can be replayed and are equally vulnerable to phishing, theft, and
eavesdropping" (Oorschot et al. 82). With enough time and effort, any password will
eventually fail. They showcase second-factor authentication via some sort of
physical token as their recommended solution to the alleged security hole that
user-selected passwords create. However, they concede that it is unlikely that such a
system would be incorporated on a large scale due to the costs of implementation.
The industry's current alternative is to increase the security of the storage and
transmission of passwords. Unfortunately, this still leaves users open to those same
attacks mentioned by the authors in the quote above.
I agree with this article that a physical card or USB device in conjunction with
the current username/password is the most user-friendly way to universally boost
online security. However, it severely complicates situations in which a user has lost
his or her credentials. The provider of said credentials would then have to ship a
replacement, most likely with a fee, and the user would remain without access until
the new device arrives.

My last takeaway from this article is that research in the field is lagging
behind modern cyber threats. Without accurate and/or realistic research, it will be
difficult for the engineering community to provide lasting solutions to today's
issues. By bringing this fact into the limelight, the authors seek to encourage their
peers to refocus their efforts to produce more legitimate resolutions. This article,
however, operates under the strict assumption that users are at fault for the most
glaring of security breaches. Being aware that other theories found cyber-security's
Achilles' heel to be other than the users, I sought out one such theory to compare
against this article.
Poor User Behavior is a Symptom
I returned to the Academic Search Premier for a second time in search of an answer
to my newfound query. Using the same search terms I initially selected and careful
examination of the results' abstracts, I was able to select the next stop in my
journey to better understand the current status of cyber security. "Users Are Not the
Enemy" (academic journal article) is an article from the December 1999 issue of
Communications of the ACM (academic journal) written by Anne Adams and Martina
Angela Sasse, both PhDs from the Department of Computer Science at
University College London. I, again, viewed the electronic version of the article, in lieu
of the original print.
The article, once again, is intended for current and future researchers of
cybersecurity. The main idea orbits around the suggestion that, while users do
engage in unsafe online behaviors, their decision to do so is driven by poor
implementation of administrators' chosen password requirements; that unsecure
user behavior is a product of the methods put in place by administrators to fill the
perceived gap in security. This is contrary to the hypothesis from the first article.
These password requirements, when viewed from the user's perspective, are seen
as inconvenient if the user does not view that account as valuable. This disparity
elicits an unfavorable response. These responses vary from feeble password
creation to password reuse. The authors propose that opening communication with
their users through clearer website design is paramount in reining in their users'
maverick behaviors, thereby more efficiently closing the security gap. In their
words, "we found that users may indeed compromise computer security
mechanisms, such as password authentication, both knowing and unknowingly. A
closer analysis, however, revealed that such behavior is often caused by the way in
which security mechanisms are implemented, and users' lack of knowledge. We
argue that to change this state of affairs, security departments need to
communicate more with users, and adopt a user-centered design approach" (Adams
and Sasse 40).
From this article, I learned and agree that some administrators are a mite
heavy-handed in the implementation of their chosen password restriction strategies,
which may encourage their clients to lash out. My opinion is that, while website
design changes and better communication may relieve part of the
user/administrator conflict and may make passwords more secure, as I learned
from the first article, passwords are stationary, rarely-changing secrets that, given
enough time, will eventually be compromised. The strategy presented here does
nothing to prevent that. However, it brings value in that these tactics may be viable
in conjunction with other bolsters to security.
My last remaining question is: What would stop their users from disregarding
security recommendations from the website? I consigned myself to the hunt for a
document that can provide a response to this question.

Power to the People or Users
"Rethinking Passwords" (academic journal article) is written by William Cheswick
and was published in Communications of the ACM (academic journal) in February
2013. Similar to the two previous articles I've showcased, I found it via judicious
screening of the search results from Academic Search Premier utilizing the term
"password". For convenience, I digested the electronic version of this article, as well.
Mr. Cheswick is a renowned consultant and pioneer in information technology
security. He has published several books on the subject and has over a dozen
related patents. He, too, addresses current and future information security
researchers, and in his article he takes up the concept of user training alluded
to in the previous article. Unfortunately, his diagnosis is quite grim. In short, "User
training does not work" (Cheswick 43). The author echoes Oorschot et al. in
"Passwords and the Evolution of Imperfect Authentication" (academic journal article),
saying that "many of our password aphorisms come from dated assumptions about
threats and technology" (Cheswick 40). As technology evolves so, too, do the
strategies and technologies that threaten it.
Unfortunately, many of those aphorisms are, either by themselves or in
combination, unreasonable. To expect a human being to be able to remember
multiple machine-generated passwords without writing them down and to change
those on a regular basis to other completely unique machine-generated passwords
is setting those users up for failure. In Cheswick's words, "It is simply poor
engineering to expect people to choose and remember passwords that are resistant
to dictionary attacks" (Cheswick 43). He expounds upon the issue further, informing
his audience that once one user's account has been compromised, due to flagrant
password reuse and/or association of accounts with one another (e.g. multiple
website accounts utilizing a single email account for communication), it is likely that
more of that user's accounts will succumb to the attacker.
Cheswick also concurs with Oorschot et al. that change to the currently-accepted
practices will be slow, at best. In addition to the cost factor holding
meaningful change back and incumbency resisting change, it's seen as a strong
legal defense to say, "We do the same thing as everybody else" (Cheswick 44).
In Cheswick's ideal world, he would like to see a less-restrictive
username/password system, laying the majority of the responsibility at the users'
feet to maintain security of their own accounts. Basically, this means allowing the user
to elect to use less-secure passwords on less important accounts and more secure
passwords on more important accounts. Personally, I believe that Cheswick's Utopia
credits the average user with too much experience in regards to online safety.
I don't trust that the average user will be able to live up to his expectations of them
and very much doubt that giving them that much leash will be their deliverance.
However, Cheswick's Utopia seems to be unique among his peers, and due to his
seniority in the field, stands out as something that merits further examination.
This particular article did much in highlighting the shortcomings of passwords
and user behavior. However, it left me wanting for more information explaining why
users opt to continue using poor security practices. With this void in my
understanding, I, again, submerged myself in the waves of information made
available by the internet and dove deep in search of my coveted treasure.
Mind-Games
This fourth article was sourced the same way as the others were. I fed "password" to
the trusty Academic Search Premier and, again, sifted through the 383 results that
were returned. When I emerged, I'd found an article that investigated the
psychological elements leading up to the decision some make to sabotage their own
online security. It is titled "The Psychology of Password Management: A Tradeoff
between Security and Convenience" (academic journal article) and was published in
Behaviour & Information Technology (academic journal) in the May-June 2010
issue. The title gives a decent summary of the article's substance. However, truth
be told, much of the article was beyond my meager understanding of the human
psyche. The authors, L. Tam, M. Glassman, and M. Vandenwauver, don't seem to
stray into the realm of the technical too often, as their focus seems to be in
marketing and sales. However, their perspective is unique, so, in true technophilic
fashion, I opened the electronic version and muddled through their document the
best that I could.
Upon deciphering the article's abstract, it became clear that it was written for
a much more diverse audience than its predecessors. In addition to students of
psychology and computer sciences, the information in this article would be
beneficial to those in management positions, as well.
Tam et al. indicate that humans (users) remain the weakest link in online
security. Despite most having sufficient knowledge of what constitutes a secure
password, they continue to employ bad practices. Again, I paused to inquire why.
Fortunately, the authors were more than happy to share their insight. They
introduce an idea called the security-convenience tradeoff.

Figure 1: The "Tradeoff perspective of password-management behaviour" (Tam, Glassman and Vandenwauver 241).

In essence, users assign each of their accounts an arbitrary value based on
their personal experience. They compare that with the password requirements,
including length, required characters and time interval between password changes,
and determine the amount of effort they're willing to put into creating a password
for the account. The authors sum it up quite nicely: "They engaged in these
activities because they made password management more convenient" (Tam,
Glassman and Vandenwauver 237). This directly affects the quality of the password
created. It was also concluded that imposing a distant-future password change
requirement had a favorable effect on their users' behavior, more so on high-value
accounts.
While I agree that most users, either consciously or otherwise,
prioritize their accounts, and that the higher the priority, the more likely they are
to use a strong, unique password, I disagree that a time interval can be
implemented on only high-value accounts, as people prioritize their
accounts differently. Granted, there are relatively safe bets, such as bank
accounts. But there are other types of accounts with a huge difference in
value, depending on the user and/or the other accounts associated with it.

I was surprised to learn that despite top managers in companies
having knowledge that users do not adhere to strong password practices,
they continue to devote a large amount of resources to the technology
behind storing and transmitting user passwords rather than focusing on
adjusting their tactics to extract better behaviors from their users.
This article's peek into the human aspect of user-machine
authentication is priceless in contrast with the over-abundance of other
articles whose concentration is on the technology. It also gives an alternative
to the more-expensive second-factor authentication and the less-effective
heavy-handed bludgeoning of users with unreasonable password restrictions.
But what other alternatives are available?
With that question rooted firmly in my mind, I returned to the
seemingly bottomless pit of online information to find out.
When in Doubt, Scare Them
I typed "password" once more into the Academic Search Premier, again
limiting results to peer-reviewed/scholarly articles with full-text versions
available and began my tumble down the gaping chasm. As I fell, I happened
upon an article that coincided nicely with the four that have been previously
presented. I secured it, found purchase and hauled myself from the scholarly
abyss. When I emerged, I began my trek through the electronic version of
"Improving Password Cybersecurity through Inexpensive and Minimally
Invasive Means: Detecting and Deterring Password Reuse through Keystroke-Dynamics
Monitoring and Just-in-Time Fear Appeals" (academic journal
article) from the April 2014 issue of Information Technology for Development
(academic journal). The article emanated from the combined intellect of
Jenkins, Grimes, Proudfoot, and Lowry. I noticed Jenkins et al. took special
care in framing their solutions as unobtrusive and low-cost. They state that
they "propose a cost-effective methodology for mitigating password reuse by
detecting when it occurs, and then displaying just-in-time fear appeals. By
implementing these warnings on an as needed basis, we intend to target
users who are likely reusing passwords while not inconveniencing those who
are likely creating unique passwords" (Jenkins 198). This caused me to take a
moment to reexamine its predecessors against those criteria.
My first source touted a physical object used in conjunction with
usernames and passwords. This was both expensive due to the high cost of
startup/upkeep and invasive in that a user must maintain possession of said
physical object or risk losing access to all accounts until it can be replaced.
This is as near a polar-opposite from the Jenkins et al. solution as possible.
The second promoted crystallizing communication with their users and
more judicious use of password requirements. This method carries a low price
tag and doesn't interfere with the user beyond changes to website interface
and a potential increase in messages from the website. As such, it
complements Jenkins et al.'s position quite nicely.
Third was Cheswick's article. This author's only solution was giving
users the ability and responsibility to manage their accounts as securely as
they saw fit, based on their self-assigned value. This was, by far, the least
invasive and least expensive approach to password security, as it lifts nearly
all restrictions on the user and abolishes costly internal mechanisms forcing
passwords to contain only certain characters, a minimum character count
and, in some cases, a time frame after which a user would be forced to
change their password. As such, it surpassed even Jenkins et al. in minimizing
inconvenience to users.
In the fourth article, Tam et al. somewhat contradict Cheswick's
position. They concur that higher-value accounts should be subject to more
restrictive security components. However, they deviate from Cheswick in that
they support giving that discerning power to the administrators rather than
the users. This makes it difficult to assess the cost/inconvenience
ramifications, as it's possible that administrators would over-value their
accounts in the interest of self-preservation, thereby causing cost to either
remain the same or increase, while simultaneously further inconveniencing
their users. It's also possible that the opposite could occur, causing cost to
decrease. However, in either case the users are subject to the administrators
deciding what constitutes proper security measures and imposing those
decisions on the user. Due to these dynamics, it was not possible to draw a
direct correlation between Tam et al.'s and Jenkins et al.'s positions.
In their findings, Jenkins et al. argue that by creating algorithms
that monitor the characteristics of a user's keystrokes, it can be determined
with high probability whether or not a user is creating a password that has
been used previously. They then argue that once it has been concluded that a
potential password has been previously used, a just-in-time fear appeal can
be applied to impart knowledge and a sense of urgency on the user and
manipulate them to select a unique password. Based on tests administered,
this greatly increased the probability that a unique password was created, and
at little cost to the system administrators.
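As an added illustration (not code from Jenkins et al. or from this paper), the following Python sketches the detect-then-warn flow described above: a timing-only heuristic scores how fluently a candidate password was typed, and the just-in-time appeal is shown only when reuse looks likely. The features, thresholds and point weights are my assumptions, not the paper's published model, and the two keystroke samples are constructed.

```python
"""Keystroke-timing heuristic for flagging probable password reuse, with a
just-in-time warning shown only when reuse looks likely.

Added illustration of the approach Jenkins et al. describe; the feature
thresholds and point weights are assumptions of this example, not the paper's
model.  The client records only keystroke *kind* and timing, never the
characters, so the password itself is never captured by this check."""
from statistics import mean, pstdev

# Constructed sample: a memorised (likely reused) password typed fluently,
# about 90 ms between keys, no corrections.  Each event is (kind, time_ms).
REUSED_ENTRY = [("char", t) for t in (0, 95, 180, 270, 365, 450, 540, 630, 720, 810)]

# Constructed sample: a freshly invented password, typed haltingly with two
# long pauses and two backspaces while the user composes it.
NEW_ENTRY = [
    ("char", 0), ("char", 420), ("char", 700), ("char", 1350),
    ("backspace", 1600), ("char", 1900), ("char", 2200), ("char", 3100),
    ("char", 3350), ("char", 3600), ("backspace", 3800), ("char", 4100),
    ("char", 4400),
]

LONG_PAUSE_MS = 500   # assumed: a gap this long suggests composing, not recalling
WARN_THRESHOLD = 0.6  # assumed: reuse score at or above this triggers the appeal


def keystroke_features(events):
    """Summarise the rhythm of one password entry (timing only, no characters)."""
    if len(events) < 2:
        return None  # too little data to judge; treat as unknown
    times = [t for _, t in events]
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return {
        "mean_gap_ms": avg,
        # coefficient of variation: low = even, practised rhythm
        "gap_cv": pstdev(gaps) / avg if avg > 0 else 0.0,
        "long_pauses": sum(1 for g in gaps if g > LONG_PAUSE_MS),
        "corrections": sum(1 for kind, _ in events if kind == "backspace"),
    }


def reuse_score(events):
    """Score in [0, 1]: higher means the entry looks like muscle memory, i.e.
    a password the user already types elsewhere.  Weights are illustrative."""
    f = keystroke_features(events)
    if f is None:
        return 0.0  # never interrupt a user on insufficient evidence
    points = 0
    if f["mean_gap_ms"] < 150:
        points += 4
    elif f["mean_gap_ms"] < 250:
        points += 2
    if f["gap_cv"] < 0.35:
        points += 3
    elif f["gap_cv"] < 0.6:
        points += 1
    if f["corrections"] == 0:
        points += 2
    if f["long_pauses"] == 0:
        points += 1
    return points / 10


FEAR_APPEAL = (
    "This password looks like one you already use elsewhere. If any site "
    "holding it is breached, attackers will try it here. Please choose a "
    "password unique to this account."
)


def password_change_response(events):
    """Decide what the sign-up / change-password form does: show the
    just-in-time appeal only when reuse is likely; otherwise stay silent so
    users choosing unique passwords are not inconvenienced."""
    score = reuse_score(events)
    likely = score >= WARN_THRESHOLD
    return {"likely_reuse": likely, "score": score,
            "message": FEAR_APPEAL if likely else None}


if __name__ == "__main__":
    for label, entry in (("reused", REUSED_ENTRY), ("new", NEW_ENTRY)):
        print(label, password_change_response(entry))
```

A real deployment would calibrate the thresholds against measured typing data and, as the paper's framing requires, keep the warning advisory rather than blocking.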

By directing their argument(s) at those individuals in cyber-security
and/or information technology fields, the authors hope to increase visibility
on and amass support for their proposed solution. I tend to agree with Jenkins
et al. Keystroke analysis/fear appeals should be implemented on all accounts,
as they are both minimally-invasive and low-cost. However, this still does not
account for the inherent weakness posited by Oorschot et al. that passwords
are always going to be vulnerable to online attacks designed to manipulate
and/or mislead the human element present in the authentication process.
That being said, Jenkins et al.'s position is still of substantial import in that, I
believe, it is the most efficient way to bolster security without being
detrimental to either user behavior or the company's budget.
In Summation
This journey has been enlightening. I initiated my quest with little-to-no knowledge
regarding the history behind and efficacy of the modern username/password union.
Through careful study of the above five articles, alongside several other sources,
I've come to the conclusion that there is no one-size-fits-all solution to the
authentication dilemma that the present-day online environment faces. However,
removing the financial aspect from the situation, Oorschot et al.'s physical second-factor
authentication is the only offering that solves the difficulty that social
engineers, such as phishers and piggy-backers, present. By limiting access to
accounts to only persons who possess a valid token, the username and password
could be compromised and an attacker would still be unable to access the account.
That said, the financial aspect must be accounted for. No company or entity
will agree to implement a system that diverts what otherwise would be profit to a
problem that the majority of users don't care about. Taking into account the

financial facet and realizing that users will still be vulnerable to social engineering
scammers, I believe that Jenkins et al. presented the most resource-conservative
solution while effecting positive change on user behavior.
As the world trends more and more towards an e-commerce-driven society,
the importance of protecting user accounts and information will continue to
increase. Without meaningful change affecting the scenario, the gap between
attackers' technology/techniques and defenders' will continue to widen, and the
severity of the attacks will be worse.
At this point, my technical knowledge is still in its infancy. I plan to continue
my institutional education in Computer Engineering and self-study of emerging
research contributions in the field. As my education and skills advance I intend to
engage my peers in sculpting a workable solution and to petition companies such as
Google, Microsoft, Apple, etc. to implement purposeful revision to authentication
practices that will provide ample protection for both company and user alike. I urge
those either currently working in the field or studying to join it to do the same.

Appendix A

Note from the Author


The below articles were those that were considered for this exploratory paper but
were abandoned because I deemed them either too specific, their content was
covered in another article used previously or their content was too technical for my
intended audience. However, those that wish to research this issue further may find
them to be enlightening.

Appendix B

"An Efficient Client-Client Password-Based Authentication Scheme with Provable
Security" (academic journal article) by Mohammad Sabzinejad Farash and Mahmoud
Ahmadian Attari

Figure 2: First page of "An Efficient Client-Client Password-Based Authentication Scheme with Provable
Security"

This article was set aside due to its overly technical nature. In this article, the
authors go on an in-depth exploration of a client-client authentication scheme called
Tso's 3PAKE protocol. They conclude that this protocol on its own merits does not
truly accomplish security or privacy. However, they propose some improvements on
the protocol that would remedy those concerns as well as make it run more
efficiently.

Appendix C

"Elastic Password Authentication Scheme using the Passcell-Based Virtual Scroll
Wheel" (academic journal article) by Hyunyi Yi, Siwan Kim, Gunil Ma and Jeong
Hyun Yi

Figure 3: First page of "Elastic Password Authentication Scheme using the Passcell-Based Virtual Scroll
Wheel"

This document was not selected as it was based solely on an authentication scheme
specifically designed for mobile platforms such as cell phones and tablets. As I
wanted to explore online security that affected all devices, I elected not to include it
in the main body. That being said, the authors present an interesting twist to the
traditional password. Most passwords are input in a linear text field. This makes it
easy for any nosy shoulder-surfer to cherry-pick your passwords on the fly. In this
article, they theorize that rather than input a password into a text field, it would be
more secure to input it into a grid-based field, where each character has its own
specific position on a grid, making it much more difficult to glean due to the
attacker having to remember both the characters and the positions that they
occupy.
Appendix D

"Manage Your Passwords Securely" (academic journal article) by Brian Betts

Figure 4: First page of "Manage Your Passwords Securely"

Much of this article's content was touched on by my first source. Still, Mr. Betts's
article is interesting in that, in addition to concurring that common password
maxims are unfeasible, he goes into much more detail as to the alternatives
available to assist the average user in creating and safely storing their passwords.

Works Cited

Adams, Anne and Martina Angela Sasse. "Users Are Not the Enemy."
Communications of the ACM (1999): 40-46. Academic Journal Article.
Cheswick, William. "Rethinking Passwords." Communications of the ACM (2013):
40-44. Academic Journal Article.
Jenkins, J.L. et al. "Improving Password Cybersecurity Through Inexpensive and
Minimally Invasive Means: Detecting and Deterring Password Reuse Through
Keystroke-Dynamics Monitoring and Just-in-Time Fear Appeals." Information
Technology for Development (2014): 196-213. Academic Journal Article.
McMillan, Robert. "The World's First Computer Password? It Was Worthless Too."
Wired, 27 January 2012. Online Article. Accessed 6 December 2015.
Oorschot et al. "Passwords and the Evolution of Imperfect Authentication."
Communications of the ACM (July 2015): 78-87. Academic Journal Article.
Tam, L., M. Glassman and M. Vandenwauver. "The Psychology of Password
Management: A Tradeoff between Security and Convenience." Behaviour &
Information Technology (2010): 233-244. Academic Journal Article.
