Open Access

Using Gamification and Fear Appeal Instead of Password Strength Meters to Increase Password Entropy



eISSN:
2657-7291
Language:
English
Publication timeframe:
Volume Open
Journal subjects:
Engineering, Electrical Engineering, Fundamentals of Electrical Engineering, Mechanical Engineering, Fundamentals of Mechanical Engineering, Geosciences, Geodesy