Computer Security
A Second Look at the Usability of Click-Based Graphical Passwords
Authentication techniques have ranged from the anachronistic and difficult-to-use to those entirely customized by users, with the aid of visual imagery. In the award-winning analysis A Second Look at the Usability of Click-Based Graphical Passwords, researchers Chiasson, Biddle and van Oorschot completed a thorough field- and lab-based analysis of graphical passwords. Their methodology included giving respondents the option to create their own passwords from a combination of images, in any order they chose, as well as delivered in specific sequences. The study results showed statistical significance at the .001 level for preference when lab and field studies were compared. Ease of creation and speed (.01 level of statistical significance) were the second and third most differentiating elements of visually-based passwords. Uniqueness had a .05 level of statistical significance. The results indicate that passwords created in lab-based testing have a significantly greater effectiveness level from a personalization and remembrance standpoint. Field tests show that the conclusions are not as clear or obvious, with exogenous, uncontrolled factors affecting the outcome of that specific study. The study concludes that visually-oriented passwords, when created by users on their own, taking into account their preferences, ease of creation and speed of use, are highly effective. It also concludes that there is still a threat of visually-oriented passwords being hacked by intruders guessing the sequence of images to choose in order to gain access to accounts. There is also the challenge of taking the statistically significant findings of the lab test and making them valid in an open environment.
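To make the mechanism behind a click-based graphical password concrete, the following added example (not code from the paper or its authors) enrolls and verifies an ordered sequence of clicks on an image the way a PassPoints-style scheme does: each login click must fall within a tolerance window around the enrolled click, in the original order. The grid size, the 451x331 image size, the click coordinates and the PBKDF2 iteration count are constructed assumptions, not values from the study. Storing only a salted, slow hash of the discretised cells (with per-point grid offsets so that an enrolled click sits at the centre of its cell) means the server never holds the raw click points, and the last function gives a rough feel for the guessing space an online attacker faces, which is the threat the review mentions.

```python
import hashlib
import hmac
import math
import secrets

# Constructed parameters (assumed, not from the paper): a GRID x GRID pixel
# tolerance window around each enrolled click, so a login click within HALF
# pixels of the enrolled point on each axis is accepted.
GRID = 19
HALF = GRID // 2  # 9


def _cells(points, offsets):
    """Map each (x, y) click to a grid-cell index pair using the stored offsets.

    Shifting the grid by a per-point offset puts the enrolled click at the
    centre of its cell, so every click within HALF pixels of it on both axes
    lands in the same cell (centred discretisation)."""
    return [((x + ox) // GRID, (y + oy) // GRID)
            for (x, y), (ox, oy) in zip(points, offsets)]


def _digest(cells, salt):
    # The click-cell space is small compared with text passwords, so use a
    # deliberately slow hash rather than a single SHA-256 over the cells.
    data = ",".join(f"{cx}:{cy}" for cx, cy in cells).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)


def enroll(points, salt=None):
    """Create a credential record from an ordered list of (x, y) clicks.

    Offsets and salt are stored in the clear; only the hash protects the
    click sequence, just as with a salted text-password hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    # (x + ox) % GRID == HALF for every enrolled click, i.e. mid-cell.
    offsets = [((HALF - x) % GRID, (HALF - y) % GRID) for x, y in points]
    return {
        "n_points": len(points),
        "offsets": offsets,
        "salt": salt,
        "hash": _digest(_cells(points, offsets), salt),
    }


def verify(record, points):
    """Accept iff every click falls in its enrolled click's cell, in order."""
    if len(points) != record["n_points"]:
        return False
    candidate = _digest(_cells(points, record["offsets"]), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def guess_space_bits(width, height, n_points):
    """Approximate size, in bits, of the space a guesser faces when clicks are
    compared at GRID-pixel granularity: (cells per image) ** n_points.
    The true count is slightly higher because offsets can add a partial cell
    on each axis; this is an estimate for reasoning about lockout policy, not
    a security proof, and it ignores hotspot bias in real click choices."""
    cells = math.ceil(width / GRID) * math.ceil(height / GRID)
    return n_points * math.log2(cells)


if __name__ == "__main__":
    # Constructed enrolment: five ordered clicks on a hypothetical 451x331 image.
    enrolled = [(100, 50), (300, 200), (40, 310), (420, 25), (220, 160)]
    rec = enroll(enrolled)
    print(verify(rec, enrolled))                               # exact clicks
    print(verify(rec, [(x + 9, y - 9) for x, y in enrolled]))  # inside tolerance
    print(verify(rec, [(x + 10, y) for x, y in enrolled]))     # one pixel outside
    print(verify(rec, enrolled[1:] + enrolled[:1]))            # right clicks, wrong order
    print(f"{guess_space_bits(451, 331, 5):.1f} bits of click space")
```

The grid offsets are the part most people get wrong when they first hash click points: with a fixed grid, an enrolled click one pixel from a cell boundary would be rejected on a login click one pixel the other way, which is exactly the kind of field-versus-lab usability gap the review describes.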
Part II: The study, completed at Indiana University in April 2005, successfully shows how contextual phishing strategies are made relatively easy to accomplish by the abundance of data on social networks. Using Perl LWP Library scripting and data-harvesting tools, data is quickly collected, aggregated and used to launch a phishing attack with a stunning success rate of 72%. The speed with which this attack was planned and executed shows how lethal phishing can be, from a privacy standpoint, when it is based on social-network data. There is an implied higher level of trust in any e-mail that appears to originate from a social network, since it is assumed to come from friends and others the respondent or test subject trusts. The impersonation or spoofing of e-mail addresses also made the communications all the more contextual and believable, a key trait of successful phishing programs. More education is definitely needed, along with more effective approaches to blocking personal information on social networks. All of these deterrents are secondary to strong education on the threats of phishing, however.
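The spoofed sender address is the part of this attack a recipient cannot judge from the visible From line, so a mail gateway or client can do it for them. The following added example (not code from the Indiana study or its authors) checks whether the envelope sender (Return-Path) and any Reply-To agree with the From domain, using relaxed alignment on the last two labels as an approximation of the organisational domain (a simplification; real DMARC alignment consults the Public Suffix List). The two raw messages, their addresses and hosts are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every address and host below is invented.
LEGIT = """\
Return-Path: <alice@example.edu>
From: Alice <alice@example.edu>
To: bob@example.edu
Subject: notes from class

see attached
"""

SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
From: Alice <alice@example.edu>
Reply-To: alice.example.edu@webmail.example.org
To: bob@example.edu
Subject: check this out

hey, log in here to see the photos
"""


def _domain(header_value):
    """Lower-cased domain part of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _org_domain(domain):
    """Relaxed alignment: compare the last two labels only. This approximates
    the organisational domain; production code should use the Public Suffix
    List so that e.g. co.uk domains are handled correctly."""
    return ".".join(domain.split(".")[-2:]) if domain else ""


def check_alignment(raw):
    """Return a list of sender identities that disagree with the From domain.

    A mismatch does not prove spoofing (mailing lists and bulk senders cause
    legitimate ones), but it is precisely the signal hidden from the user,
    so it is a cheap trigger for a warning banner or closer inspection."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    findings = []
    if not from_dom:
        findings.append("missing-or-unparseable-from")
    rp_dom = _domain(msg.get("Return-Path"))
    if rp_dom and _org_domain(rp_dom) != _org_domain(from_dom):
        findings.append(f"return-path-domain-mismatch:{rp_dom}")
    if msg.get("Reply-To"):
        rt_dom = _domain(msg.get("Reply-To"))
        if _org_domain(rt_dom) != _org_domain(from_dom):
            findings.append(f"reply-to-domain-mismatch:{rt_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, check_alignment(raw) or ["aligned"])
```

The Reply-To check matters as much as the Return-Path one: an attacker who can forge the From line but not receive mail for that domain has to steer replies somewhere else, and that destination is visible in the headers even when the message body looks entirely familiar.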