Researchers find new ways to help computer users protect their passwords

Clemson University team develops two new systems

CLEMSON, SC – Computers can be fortified with firewalls and the latest anti-virus software, but even the best security programs might be for nothing if hackers can get their hands on your password.

Sometimes all it takes is for a hacker to peek over your shoulder while you’re logging into an account. Some computer users make hackers’ jobs even easier by writing down passwords and sticking them to the edge of their screens.

It’s a minefield that has inspired a team of Clemson University researchers to find new ways of protecting passwords without making it too difficult for computer users to remember and type them.

“The traditional focus in computer security has been on hardening the computer systems themselves,” Dr. Kevin Juang said. “But humans remain the weakest link in computer security.”

Juang and his dissertation advisor, Dr. Joel Greenstein, led a team that came up with two new systems.

One system is inspired by the Edgar Allan Poe story, “The Purloined Letter,” and uses decoy text to throw off anyone who might be trying to snag a password by peeking over a shoulder.

Another system gives computer users fun phrases to help them remember passwords made up of random letters. Users are also asked to draw pictures that later appear on the login page to help trigger their memories.

Juang played a leading role in developing the new methods while studying for his doctoral degree. He received his Ph.D. in industrial engineering in August.

The methods are described in two separate papers that have received new attention since Juang’s advisor and co-author, Dr. Joel Greenstein, was named fellow in the Human Factors and Ergonomics Society.

“It started with us bemoaning the state of affairs with passwords and then realizing we’re usability people,” said Greenstein, an associate professor of industrial engineering. “We design things to be easier. But the world as it is designs things to be harder. They’re considering the attacker, not the user.”

Purloin

The “Purloin” system is designed to defend passwords from physically present “shoulder surfers” who spy on computer users as they type.

In its current form, Purloin’s login screen has 10 lines. When the user begins typing a password, text appears on all 10 lines. Nine lines of text show decoys, while one shows the actual password for the user’s benefit.

The researchers recruited 14 engineering students to test Purloin against four other systems. The students took turns typing their passwords and playing the role of shoulder surfer.

Purloin captured “the best of both worlds,” ranking near the top for security and usability, the researchers found.

Meanwhile, “interval-masked input” performed poorly in both security and usability. Interval-masked input is common on mobile devices. Each character is shown on the screen for about a second and then turns into a bullet point.

Showing all bullet points or no text at all was secure but led users to make typos, Juang said. Allowing text to appear on the screen without being hidden and without decoys was easy to use but also the least secure, he said.

While Purloin did well in the study, the researchers continued to improve on it after discovering a key vulnerability.

They found that a computer user’s finger often hovers over the first key before beginning to type, which left an opening for shoulder surfers to figure out which row contained the password. Purloin was modified so that the same initial character was displayed on each row.

Researchers also found that the original version of Purloin “did not handle readable text gracefully.” If a password was a readable word and all the other lines came out as random text, it was easy to pick out which one was the password.

A dictionary was added to Purloin so that readable words would be included in the decoy text when appropriate.

Memory aids

The second system the researchers developed was designed to make it easier for computer users to remember passwords.

The system assigned a random mix of letters, such as “jpwjaop,” with a phrase to help computer users remember the letters.

For “jpwjaop,” it might be “Jill’s pet wolf just ate our pizza.” Users would then draw a picture to help cue their memories later.

“We tried to come up with a way to assign a person a secure, random password that they can actually remember,” Juang said.

The researchers tested the system by recruiting 54 college students and asking each to create three passwords.

Students were asked not to use any mnemonic aid for one password. For another password, students created their own mnemonic aid based on guidelines from the National Institute of Standards and Technology.

The new system’s password came with a phrase to help students remember it and a window in which to paste images or draw a visual reminder.

Students were distracted with arithmetic problems for five minutes and were then prompted to try signing back in. They had five chances to sign in before a failure was recorded.

Students were asked not to rehearse or write down the passwords and to come back a week later to try again.

Researchers found that the students were 1.78 times more likely to recall passwords using the new system than if they came up with the aid themselves. Students using the new system were 2.29 times more likely to succeed than with no mnemonic aid at all.

Twenty-four participants then tried to hack five accounts each. None were able to come close, even when they had access to the pictures.

The paper on Purloin was called “Evaluating the Usability and Security of Input Masking Techniques.” The second paper was called “Using System-Generated Mnemonics to Improve the Usability and Security of Password Authentication.”

Juang and Greenstein authored both papers, with Sanjay Ranganayakulu contributing as a co-author on the study involving the mnemonic aids.

Dr. Cole Smith, chair of the Department of Industrial Engineering, said that the research underscored the passion that Greenstein brings to working with students.

“He’s an expert in user-experience design,” Smith said. “Students from all over the world have come to Clemson and studied under Dr. Greenstein. Dozens have gone on to work for marquee companies, including Google, Apple, Microsoft and Oracle, just to name a few. This research shows why.”