000000309 001__ 309
000000309 005__ 20151203070532.0
000000309 037__ $$aLERSSE-RefConfPaper-2015-006
000000309 100__ $$aJun Ho Huh
000000309 245__ $$aSurpass: System-initiated User-replaceable Passwords
000000309 260__ $$c2015-10-14
000000309 300__ $$a12
000000309 520__ $$aSystem-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a system-initiated password scheme called “Surpass” that lets users replace few characters in a random password to make it more memorable. We conducted a large-scale online study to evaluate the usability and security of four Surpass policies, varying the number of character replacements allowed from 1 to 4 in randomly-generated 8-character passwords. The study results suggest that some Surpass policies (with 3 and 4 character replacements) outperform by 11% to 13% the original randomly-generated password policy in memorability, while showing a small increase in the percentage of cracked passwords. When compared to a user-generated password complexity policy (that mandates the use of numbers, symbols, and uppercase letters) the Surpass policy with 4-character replacements did not show statistically significant inferiority in memorability. Our qualitative lab study showed similar trends. This Surpass policy demonstrated significant superiority in security though, with 21% fewer cracked passwords than the user-generated password policy.
000000309 6531_ $$aPasswords
000000309 6531_ $$aUsability
000000309 6531_ $$aAuthentication
000000309 6531_ $$aUsable Security
000000309 700__ $$aSeongyeol Oh
000000309 700__ $$aHyoungshick Kim
000000309 700__ $$aKonstantin Beznosov
000000309 8560_ $$flersse-it@ece.ubc.ca
000000309 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/309/files/p170.pdf
000000309 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/309/files/p170.pdf?subformat=pdfa$$xpdfa
000000309 909C4 $$pJun Ho Huh, Seongyeol Oh, Hyoungshick Kim and Konstantin Beznosov. Surpass: System-initiated User-replaceable Passwords. In Proceedings of ACM Conference on Computer and Communications Security (CCS'15), October 2015.
000000309 980__ $$aRefConfPaper