Abstract
It is considered good practice to lock users out if they enter the wrong password three times. This is applied almost universally by systems across the globe. Three tries was probably considered a good balance originally between allowing the legitimate user to make some genuine errors and foiling an attacker. This rule makes sense intuitively yet there is no empirical evidence that three tries is the most efficacious number. It is entirely possible that the number should not be three, but some other number, such as two, five or even seven. It is very hard to test this since attempts could be either a legitimate user attempting to recall his/her password, or an intruder trying to breach the account. If an attacker is allowed more attempts one could imagine the system's security being compromised. Here we argue for the use of a simulation engine to test the effects of such password-related security measures on the security of the entire eco-system. A simulation approach expedites no-risk empirical testing. We use a simulator called SimPass, which models both user password-related behaviour and potential password-based attacks from within and outside an organization. We provide evidence of the expected security impact of increasing the prevalence of password sharing. That is it will lead to increased use of others' credentials and a lack of accountability. We then test different settings for locking of accounts after a certain number of failed authentication attempts to determine a potentially optimal setting. We find that a three times lockout policy might well be too stringent and deserves further investigation.
Original language | English |
---|---|
Title of host publication | Proceedings of the Eighth International Symposium on Human Aspects of Information Security & Assurance (HAISA) 2014 |
Place of Publication | Plymouth, UK |
Pages | 101-111 |
Number of pages | 11 |
Publication status | Published - 1 Jul 2014 |
Externally published | Yes |
Event | 8th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2014 - Plymouth, United Kingdom Duration: 8 Jul 2014 → 9 Jul 2014 |
Conference
Conference | 8th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2014 |
---|---|
Country/Territory | United Kingdom |
City | Plymouth |
Period | 8/07/14 → 9/07/14 |
Keywords
- passwords
- security policies
- simulation