Primary Objective of Information Security

Confidentiality is a primary information security objective. It refers to how we protect information from being accessed by unauthorized parties (persons or other programs) [6]. Confidentiality can be achieved in three different ways: authentication, encryption, and the use of hash functions. According to [9], authentication is the most popular: users are expected to provide a valid user id and password in order to gain access to and use digital services like email or online banking. Despite the popular usage of password authentication, some weaknesses have been identified [2]. User passwords are expected to be easy to memorize, yet hard to crack. An attack that applies to all passwords is the brute force attack, in which the attacker uses software like John the Ripper to try every possible character combination until a match is found. A dictionary attack instead uses a password database that the attacker downloads from the internet and tries each of its passwords for a match.

Some students prefer shorter and easily memorized passwords, but those passwords are susceptible to the aforementioned attacks. A password survey study by [7] revealed that user passwords comprised only lowercase letters. Another study showed that users simply added an uppercase letter or a number at the end of the password. One other weakness in password creation is the use of a personal favorite or of personally identifiable information like names and birth dates. These factors make password attacks easier. Some other password-related terms and practices include the following.

  • Mnemonic Passwords: Such passwords appear to be complex because they are formed from a memorable phrase by changing some letters to upper or lowercase, to numbers, or to other characters. For example, a mnemonic password from the phrase ‘My Two Secrets’ could be ‘My2SeKret5’.
  • Passphrase: This is a password created from a short sentence by modifying the letter casing and white spacing, e.g. ‘MyPetsNameIsFredo’. The intention is a password whose structure is easy to remember yet which is long and difficult to crack.
  • Keyloggers: This is hardware or software installed by an attacker with the aim of capturing and logging keyboard keystrokes. The log file is later extracted and inspected for any identifiable password strings. Even passwords with a complex structure are vulnerable here, and keyloggers are hard to detect in computer systems.
  • Password Reuse: Many organizations now have online services which require a username and password for authentication. A study in 2007 revealed that, on average, an online-service user has 25 password accounts and types 8 different passwords per day [7]. Hence, it might be difficult to match passwords with accounts. Having to deal with many passwords might force users to write them down or to use one password for several accounts, with serious consequences if such a password is cracked. According to [10], in 2014, 96% reused passwords and some passwords contained the matching username as a reminder. Some users now prefer a password manager: the user saves all passwords in the manager and only remembers the manager’s login password.
  • Password Policy: For information security purposes, an organization may impose a password policy on users. The affected features could be password length, constituent characters, and casing. It may be mandatory that the password be at least 8 characters long, comprising alphanumeric characters with at least one uppercase letter and one non-alphanumeric symbol. Such policies may affect users’ ability to retain passwords mentally, so they tend to write them down.
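As an added example (not from this paper or any of the cited studies), the following Python audit checks a candidate password against the policy in the last item, estimates the search space a brute-force attack from the first section would have to cover, and performs the dictionary-attack check against a constructed stand-in for a downloaded wordlist. Function names, the 32-symbol count for non-alphanumeric characters, and the wordlist are my own assumptions; it shows that the passphrase example above fails the policy yet has a larger brute-force keyspace than the mnemonic example, and that a policy-compliant password can still be a wordlist entry with a digit appended.

```python
import math
import re
import string

MIN_LENGTH = 8  # policy stated above: at least 8 characters
# Constructed stand-in for a downloaded password list (a real one has millions of entries).
SAMPLE_WORDLIST = {"password", "letmein", "qwerty", "welcome", "fredo"}

def check_policy(password: str) -> list[str]:
    """Return the policy rules a password violates; an empty list means it complies."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no symbol")
    return violations

def keyspace(password: str) -> int:
    """Worst-case alphabet**length search space for a brute-force attack,
    counting only the character classes the password actually uses."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # assumption: 32 printable ASCII symbols
    return alphabet ** len(password)

def brute_force_bits(password: str) -> float:
    """log2 of the keyspace, the usual way of comparing brute-force effort."""
    return math.log2(keyspace(password))

def in_wordlist(password: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """Dictionary-attack check: lowercase and strip trailing digits/symbols,
    undoing the 'uppercase or number appended at the end' habit the surveys describe."""
    stem = re.sub(r"[^a-z]+$", "", password.lower())
    return stem in wordlist

if __name__ == "__main__":
    for pw in ("password", "Password1!", "My2SeKret5", "MyPetsNameIsFredo"):
        print(f"{pw!r}: violations={check_policy(pw)}, "
              f"bits={brute_force_bits(pw):.1f}, in_wordlist={in_wordlist(pw)}")
```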

Literature Review

Most people are aware of the importance of passwords in transactions. Passwords are unavoidable, and it is sometimes difficult to choose a secure one. According to [1], users are aware that attackers may easily guess easily memorized passwords. As explained above, users already have many passwords, each of which is expected to be unique and strong, and they must also remember which password belongs to which account. Since experts advocate strong and unique passwords, I seek to know whether users’ mentally-saved passwords are strong, each unique, and several.

Another password management technique is reusing a password on several accounts. Florencio [7] and Hayashi [8] observed that this is common user practice. The security downside is that if the password is exposed, the attacker can access all the corresponding accounts. 43% of respondents in a study by Das [5] reused passwords on several accounts. The study proved that the reuse of passwords can significantly facilitate password attacks.

In order to curb password security issues, some organizations resort to other authentication methods like biometrics, but equipment and running costs are high. In some cases, password manager software is used to store the passwords, and the user is spared from having to memorize the many passwords they possess. Web browsers can also save passwords for webpages that require login credentials; the password is automatically loaded when the webpage is revisited.

This study shows that simply memorizing a password does not make it secure. Creating a weak password because we want to memorize it makes the password easy to hack. Students have many login accounts and struggle to manage the different passwords. From item 1, students who have five passwords or fewer are likely to reuse each password on several login accounts. Security-conscious students may safely write passwords down elsewhere.

As online services continue to increase, there will be a need to create more accounts; as the passwords increase, the ability to store them mentally decreases, and hence writing them down or reusing them becomes inevitable.

Research in the area of password management should be geared towards better authentication techniques that do not require the constant recall of passwords, e.g. the use of biometric features, multifactor authentication, and password manager software.