Usability and security of recognition-based textual password

Abstract

Knowledge-based passwords are still the most dominant authentication technique for authentications purposes, in spite of the emergence of alternative systems such as token-based and biometric systems. This approach has remained the most popular one mostly because of its user familiarity, compatibility, usability, affordability. Nevertheless, the main challenge of knowledge-based password schemes based on creating passwords that deliver a balance between usability and security. This dissertation will be focused on the recent researches related to textual and graphical password to have an overview of their usability and security features and drawbacks. The literature review of this dissertation studied the main challenges of textual password schemes (text-based, passphrase, mnemonic, pronounceable, persuasive-text passwords). These schemes have several issues such as memorization, password complexity, password resets, input errors, password reuse and strength against guessing attack. On the other hand, graphical password schemes (recognition, recall, and hybrid passwords) improve the memorability compared to textual password because user experience with interacting with images result in better memorability rate. Graphical passwords have their own issues which are require a huge storage space(costly), complex setup and enrollment, long time to log in, limited password space, and vulnerability to shoulder surfing attack. After a deep investigation done in the literature review, this dissertation will have a thoughtful examination related the major features and drawbacks of recognition-based textual passwords because it provides the usability and security benefits of graphical passwords with the familiarity of textual passwords. Also, this dissertation studied the recognition textual password and its types to have a clear vision to build a usable and secure authentication system. This approach is categorized into two main aspects user and system generated method. Previous researches deeply studied the system-generated recognition textual password for both nouns and passphrase in term of avoiding weak users’ choices of password creation however, researchers found that users had difficulty in memorization in long term memory. On the other hand, user chosen recognition textual password provides high memorability rate compared to system generated but it’s not secure enough because users tend to select predictable words. This dissertation will be focused on user chosen recognition textual password. Third chapter showed a study compares the usability of recognition and recall textual password for nouns and passphrase to distinguish the user’s behaviors of password creation, system design, wordlist, memorability rate, and login time. The study discovered that recognition textual password of passphrase has higher memorability rate compared to recognition nouns, recall nouns and recall passphrase because some users select their password in unmeaningful structure. Also, the login time for recognition passphrase is less than others conditions. The wordlist and system design play an important role storing and retrieving performance. Overall, this result will help to establish a new method that avoiding these issues. Previous studies have not built a recognition textual password method with a high entropy space, and mitigating common attacks. Moreover, enhancing the system design by considering word types, word presentation, and phycological stimulus. These factors can influence the users’ performance in the storing and retrieving processes. Therefore, a novel authentication method called Word Pattern Recognition Textual Password (WPRTP) was proposed, which is based on drawing a pattern on a grid with a specific security requirement to balance between usability and security. This work aims to compare WPRTP with a recall textual password to explore its potential for enhancing user experience, usability, and security. The WPRTP results indicating that it is significantly more memorable in long-term memory (over a three-week period), and required less time to register compared to a recall passphrase. Thus, WPRTP is a potential alternative to traditional textual password.