Publication type: Article (2018)

Guidelines for Ethical Nudging in Password Authentication

Renaud, Karen; Zimmermann, Verena
Open Access
  • Published: 01 Jun 2018. Journal: SAIEE Africa Research Journal, volume 109, pages 102-118 (ISSN: 1991-1696)
  • Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Abstract
Nudging has been adopted by many disciplines in the last decade in order to achieve behavioural change. Information security is no exception. A number of attempts have been made to nudge end-users towards stronger passwords. Here we report on our deployment of an enriched nudge displayed to participants on the system enrolment page, when a password has to be chosen. The enriched nudge was successful in that participants chose significantly longer and stronger passwords. One thing that struck us as we designed and tested this nudge was that we were unable to find any nudge-specific ethical guidelines to inform our experimentation in this context. This led us to r...
Subjects
ACM Computing Classification System: GeneralLiterature_MISCELLANEOUS
Free text keywords: nudge, ethics, autonomy, Software deployment, Password authentication protocol, computer.internet_protocol, computer, Password, Internet privacy, business.industry, business, Computer science, Information security