The security of most password authentication
mechanisms hinges on the secrecy of only a single word – if an adversary
obtains knowledge of a victim’s password, the adversary will be able to
impersonate the victim and gain access to the resources to which the victim is
entitled. Although cryptographic means and protocols offer some degree of
protection during the transmission and storage of passwords, users are often
left protected by nothing but security policies and guidelines, which are
often neglected. The literature has shown that users are the ‘weakest
link’ in any password authentication mechanism, due to their propensity to
create weak passwords and reuse passwords on multiple accounts. While various
identity management solutions have been developed to address the prevalence of
users’ insecure password practices, these solutions still suffer from their own
problems and drawbacks.

Before we could work towards a more
appropriate solution to users’ insecure password practices, it would be
necessary to study the underlying cause of these practices, which lies within
users’ perceptions of their accounts and passwords. In this thesis, we present
the findings from our exploratory, survey-based study, which investigated how
users’ perceptions of their accounts and passwords influence their password
selection. Our findings revealed that our participants mentally classified
their accounts and passwords into several groups based on various perceived
similarities. We also discovered that they tended to use passwords that they
perceived to be stronger and did not reuse passwords as often in account groups
which they considered important.

Appendix A: Application to University of Auckland Human Participants Ethics Committee
Appendix B: Survey Instrument
Appendix C: Dataset