• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.3
• /
• pp.757-767
• /
• 2016

Password authentication is the representative user authentication method and particularly text-based passwords are most widely used. Unfortunately, most users select weak passwords and so many web sites provide a password meter that measures password strength to derive the users to select strong passwords. However, some metering results are not consistent and incorrect strength feedbacks are made. In this paper, we tackle these problems regarding password meters and present an improvement direction.

• Asia pacific journal of information systems
• /
• v.18 no.4
• /
• pp.1-26
• /
• 2008

Rapid progress of information technology and widespread use of the personal computers have brought various conveniences in our life. But this also provoked a series of problems such as hacking, malicious programs, illegal exposure of personal information etc. Information security threats are becoming more and more serious due to enhanced connectivity of information systems. Nevertheless, users are not much aware of the severity of the problems. Using appropriate password is supposed to bring out security effects such as preventing misuses and banning illegal users. The purpose of this research is to empirically analyze a research model which includes a series of factors influencing the effectiveness of passwords. The research model incorporates the concept of risk based on information systems risk analysis framework as the core element affecting the selection of passwords by users. The perceived risk is a main factor that influences user's attitude on password security, security awareness, and intention of security behavior. To validate the research model this study relied on questionnaire survey targeted on evening class MBA students. The data was analyzed by AMOS 7.0 which is one of popular tools based on covariance-based structural equation modeling. According to the results of this study, while threat is not related to the risk, information assets and vulnerability are related to the user's awareness of risk. The relationships between the risk, users security awareness, password selection and security effectiveness are all significant. Password exposure may lead to intrusion by hackers, data exposure and destruction. The insignificant relationship between security threat and perceived risk can be explained by user's indetermination of risk exposed due to weak passwords. In other words, information systems users do not consider password exposure as a severe security threat as well as indirect loss caused by inappropriate password. Another plausible explanation is that severity of threat perceived by users may be influenced by individual difference of risk propensity. This study confirms that security vulnerability is positively related to security risk which in turn increases risk of information loss. As the security risk increases so does user's security awareness. Security policies also have positive impact on security awareness. Higher security awareness leads to selection of safer passwords. If users are aware of responsibility of security problems and how to respond to password exposure and to solve security problems of computers, users choose better passwords. All these antecedents influence the effectiveness of passwords. Several implications can be derived from this study. First, this study empirically investigated the effect of user's security awareness on security effectiveness from a point of view based on good password selection practice. Second, information security risk analysis framework is used as a core element of the research model in this study. Risk analysis framework has been used very widely in practice, but very few studies incorporated the framework in the research model and empirically investigated. Third, the research model proposed in this study also focuses on impact of security awareness of information systems users on effectiveness of password from cognitive aspect of information systems users.

• Review of KIISC
• /
• v.28 no.1
• /
• pp.29-35
• /
• 2018

Passphrases are considered to be more secure than passwords since they are longer than passwords. However, users choose predictable word patterns and common phrases to make passphrases memorable, which in turn significantly lowers security. While random passphrases appear to be stronger, surprisingly they are neither strong nor memorable. In this paper, we present the latest passphrase research, and introduce a new way to create a passphrase using mnemonics. Passphrase generation using mnemonics shows promising results in improving both strength and memorability.

• Journal of Korea Multimedia Society
• /
• v.14 no.6
• /
• pp.785-793
• /
• 2011

Since then, with the advance of computing environment, various Internet services are emerging and the importance of user authentication technology is increasing for verifying users authorized to use such services. Along with the advance of authentication technology, research is being made actively on one time password, which is used once in a session and then discarded. In existing one time passwords, however, the values of one time passwords in a created table are stored in serial order, and therefore, if the seed value and the number of one time passwords used are disclosed, one may infer the value of the one time password to be used next. What is more, one time passwords of the S/Key type have the problem that the number of uses is fixed. In this paper, We analysis the existing one time password. Also, We propose one time password methods using elliptic curve cryptography scheme and using enhanced randomness with time value.

• The Journal of the Korea Contents Association
• /
• v.11 no.4
• /
• pp.33-41
• /
• 2011

Although conventional text-based passwords are used as the most common authentication method, they have significant drawbacks such as guess attacks, dictionary attacks, key loggers, and shoulder-surfing. To address the vulnerabilities of traditional text-based passwords, graphical password schemes have been developed as possible alternative solutions, but they have a potential drawback that they are more vulnerable to shoulder-surfing than conventional text-based passwords. In this paper, we present a new Hangul password input method to prevent shoulder-surfing attacks. Our approach uses Hangul as a password, and it requires the users to locate their password in the given wheeling password grid instead of entering the password. Our approach makes it difficult for attackers to observe a user's password since the system shows the users' passwords with decoy characters as the noise on the screen. Also, we provide security analysis for random attacks, dictionary attacks, and shoulder-surfing attacks, and it shows that our password system is robust against these attacks.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.6
• /
• pp.1251-1259
• /
• 2017

One-time password has been proposed for the purpose of addressing the security problems of the simple password system: fixed passwords and pre-shared passwords. Since it employs the consecutive hash values after a root hash value is registered at the server, the security weakness of the fixed passwords has been addressed. However, it has a shortcoming of re-registering a new root hash value when the previous hash chain's hash values are exhausted. Even though several one-time password systems not requiring re-registration have been proposed, they all have several problems in terms of constraint conditions and efficiency. In this paper, we propose the one - time password scheme based on a hash chain that generates one - time passwords using only two cryptographic hash functions at each authentication and satisfies the existing constraints without re-registration, Security requirements and efficiency.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.5
• /
• pp.17-30
• /
• 2008

In the paper, we consider password-based authenticated key exchange with different passwords, where the users do not share a password between themselves, but only with the server. The users make a session key using their different passwords with the help of the server. We propose an efficient password-based authenticated key exchange protocol with different passwords which achieves forward secrecy without random oracles. In fact this amount of computation and the number of rounds are comparable to the most efficient password-based authenticated key exchange protocol in the random oracle model. The protocol requires a client only to memorize a human-memorable password, and all other information necessary to run the protocol is made public.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1235-1243
• /
• 2015

The purpose of this study was to find if the password composition of domestic users is affected by the different form of the word 'Password' in the interface of login or password change. In particular, 'Password', foreign notation, and 'Secret Number', notation translated by Korean, have a semantic difference. According to the survey of 200 students in S university, passwords made under the word 'Secret Number' are heavy on numbers than alphabet. Because these passwords make much smaller composition space than another case, they have bad security impact. We expect to make use of this paper as a base line data for study to find how improve domestic user's password security.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.1
• /
• pp.17-27
• /
• 2020

Many users are using password managers in order to conveniently manage several usernames and passwords needed to access the web sites. The password manager encrypts and stores several passwords on the server, and the user accesses the server to receive the password information. Thus, if an attacker can sniff a message between the password manager and the server and decrypt the message content, or if an attacker can steal the computer's memory and decrypt the message content, then all the passwords will be exposed to the attacker. In this paper, we analyze the client-server communications and encryption process of password mangers and show there is a serious vulnerability in memory attack.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2022.10a
• /
• pp.331-332
• /
• 2022

The previously used locking device is a PIN method and has a problem in that the password is exposed by malicious users. In other words, if attackers looks at lock passwords from the side, correct passwords are known. In this paper, we aim to solve these security problems in lock devices resistant to shoulder surfing attacks. The proposed encryption approach is designed so that attackers cannot know lock passwords. To this end, we use a hidden password method instead of directly entering a PIN-type password to prevent the correct password from being exposed to an attacker even if someone steals the lock password.