Research Paper - Wordpress Wordpress

Document Sample
Research Paper - Wordpress Wordpress Powered By Docstoc
					Passwords & Personal Identity Safety, A.Largent                                 1

  Passwords & Personal Identity

                                         Andrew P. Largent
                    Indiana University of Pennsylvania, Department of English
                                  ENG-202-016 Research Writing
                                       MR. Marlen Harrison
                                         Indiana, PA 15705
                                           SID: 02137623
                                           Date: 11/12/09
Passwords & Personal Identity Safety, A.Largent                                                   2

Abstract- Millions of data breaches into personal information occur each year, which puts

people’s personal identities on the internet at risk. Identity theft is becoming more and

more popular within cybercrime. It is my goal to try and educate college students about the

threats and risks of having weak password policies and how it relates to the Internet. With

this research I hope to better understand college student’s ideology with regards to

passwords and personal safety on the Internet. The results of my research contribute

towards the goals of educating college students about password security and policy plus

some of the threats and risks on the Internet.

Key Terms- Cybercrime, Cryptography, Hacking & Cracking, College students.

                                                  I.   Introduction

       Personal Identities on the internet are at risk, and one of the most basic problems is weak

passwords. As more people put their personal information on the internet, identities will be in

danger as this writer points out, “According to the Privacy Rights Clearinghouse

(;itaBreaches.htni), more than 220 million data breaches of

personal information occurred between January 10. 2005, and March 24, 2008. Nearly 160

million of which involved hacking, these breaches occurred at a variety of organizations, from

schools and financial institutions to government agencies. (Garrison)”

When reading this I was startled, and couldn‟t help but wonder if my fellow college students

knew how at risk their personal identities were and if they had strong secure passwords?

       But where do these security threats come from? Anywhere on the internet personal

information is uploaded, that information can be hacked into and used by the hacker as they
Passwords & Personal Identity Safety, A.Largent                                                    3

wish. These threats can show up on emails a tactic called phishing, spamming emails out to

individuals requesting personal information with malicious intent. Social networking (MySpace,

Facebook, Online-dating-sites, etc.) has become a large target and easy prey for experienced

hackers. Social interaction in everyday life can also lead to security problems, for example; I sit

down in a public internet café getting ready to log into my online web-bank account unaware

someone before me has left a thumb-drive plugged into the computer with key logger detection

software on it, which logs all key strokes giving the person access to my bank account. Another

scenario could be as easy as someone sitting next to or behind me watching my key strokes.

Perhaps the biggest common personal security threat is leaving usernames and passwords written

down in a physical form displayed openly, for example a Post-it note on the computer monitor.

       When thinking about methods of creating a password, I think of methods in relation to

password strength. But what are some of the methods college students use to make passwords?

Commonly people use passwords that are easy to remember and are related to them personally.

For instance, common passwords include the following: First/last names, phone number, social

security number, initials, birthday, relatives‟ names, pet‟s names, nicknames, mother‟s maiden

name, favorite sports team, favorite book/movie/band, or anything related to a favorite hobby or

maybe a person‟s job. What makes these choices so dangerous is any word in the dictionary is

very susceptible to dictionary attacks and very easily hacked. An important thing to remember

when making a strong password is to have a random arrangement of upper/lower case letters,

numbers and symbols with a minimum length of 12 characters.

       Re-use of passwords on the internet is a slippery slope. I think it is alright to use one

password for many applications, but then again I usually encrypt my passwords or files on the

internet. But I do agree using one password for many applications is a bad habit and could lead
Passwords & Personal Identity Safety, A.Largent                                                     4

to security threats. With that said, do college students use one password for many applications?

The problem with using one password for many applications is the risk of overlap or a more

commonly used term called the „domino effect‟, as this quote illustrates, “If users have many

password-protected accounts and they reuse a password across more than one account, a hacker

gaining access to one account may be able to gain access to others… As e-commerce grows, the

likelihood increases that a hacker who obtains access to passwords at a popular site might be able

to use those user-IDs and passwords at another site. For example, there is an obvious and

probably sizeable overlap between AOL and Citibank or BankOne and customers.

A domino effect can result as one site‟s password file falls prey to a hacker who then uses it to

infiltrate other systems, potentially revealing additional password files that could lead to the

failure of other systems. (Ives, 2004)”

       Using a different password for each online application could be difficult. Just thinking

about remembering a different password for each online application gives me a headache. So, I

wonder if college students use different passwords for each application, and if they do, do they

have trouble remembering their passwords? Using different passwords for each application is a

great security tactic to prevent identity theft, but how easy is it to remember all those passwords.

Kanaley thinks that this kind of memory goes against the brains memory attributes. “In fact, the

requirements to remember long and complicated passwords are contrary to the way the human

memory functions. First, the capacity of human memory in its capacity to remember a sequence

of items is temporally limited, with a short-term capacity of around seven items plus or minus

two (Kanaley, 2001). Second, when humans remember a sequence of items, those items cannot

be drawn from an arbitrary and unfamiliar range but must be familiar 'chunks' such as words or

familiar symbols. Third, the human memory thrives on redundancy. (Medlin, 2005)”. Being able
Passwords & Personal Identity Safety, A.Largent                                                   5

to remember usernames and passwords is important, but I still think having a strong secure

password is more important than memory.

       When dealing with personal information on the internet there are a few important things

to remember; making sure all online applications have good strong passwords behind them is

only one step in the right direction. The ultimate goal of this paper is to educate college students

about the seriousness of passwords and keeping their online identities safe from cyber criminals.

                                           II.    Literature Review

       Garrison (2008) talks about Password Characteristics, Password Crackers, and Cracking

Passwords; his overall outlook is just to let people know the required minimum length of a

password which he says should be 8 characters long. I used information from this source first

because I felt that the facts were strong and had great impact to help prove my point. The author

talks about a couple key points when it comes to passwords such as; “Do not use dictionary

words, acronyms, or common permutations in any language,” “Require passwords to contain

upper-and lower-case letters, numbers, and symbols,” “Do not use personal information,” “Limit

the number of times a person can incorrectly enter a password,” and the last password tip the

author gives is, “Restrict document access”. Ives, Walsh & Schneider (2004) talk about why the

re-use of passwords is a bad idea and how it could create a Domino Effect of sorts, which means

if someone would hack one password the hacker could possibly gain access everywhere that

passwords was used. Ives recommended some good practices when creating passwords such as;

improving password guidelines to include limiting repetition of passwords across sensitive

systems. I used this source in my introduction to show some downfalls with poor password

usage. Medlin & Cazier (2005) talk about effective passwords and how they are essential to the

security of any e-commerce site. The results of the study show the actual password practices
Passwords & Personal Identity Safety, A.Largent                                                  6

from an e-commerce site currently in use. The results showed that males sampled had slightly

more secure passwords than females in the study. I haven‟t decided if I will be using this in my

research yet, But I will however be using some of the research done on the e-commerce to

highlight some examples of where weak passwords could put credit cards at risk. Helkala &

Snekkenes (2009) studied how humans design passwords. They put the passwords designs into

three categories; Non-word passwords, Mixture passwords, and Word passwords. From their

studies they found that all three categories have the possibility of making good strong passwords

within those sub-categories. Within my research I am going to use those password categories to

relate good password making methods. The authors also go on to discuss that password strength

depends on the password design and that each symbol or character is drown independently from

each other. Which basically means each character is randomly chosen and arranged in a random

order. Renaud & Ramsay (2007) studied memory and how it affects senior citizens but they also

talk about how traditional passwords are created and remembered; it is this part of their research

that I am going to use in my paper. The topics include; Memory, Hearing, Attention, Dexterity,

Vision, Special Requirements, and Learning. The authors go on to explain how a smart card

could be a better way to authenticated different application as opposed to password

authentication. Along with talking about authentication the authors go on to talk about

identification which is like having a user name and maybe improvising with smart cards or a

personal identification and authentication serves. Kuo, Romanosky, & Cranor use Mnemonic

phrases, password selection, password cracking and user studies to describe how a hacker

searches commonly used passwords or looks up personal information or background information

on a person to use in a dictionary attack. This is a good article to help describe some of the

methods hackers use to gain access to peoples personal information. The authors also came up
Passwords & Personal Identity Safety, A.Largent                                                   7

with some easy steps to create a password, the first being to think of a memorable sentence or

phrase containing at least seven or eight words. The second is to select a letter, number or special

character to represent each word in that password. But try and stay away from the common

method to use the first letter of every word. The last step should contain a mixture of lower and

upper case letters, numbers, punctuation, and special character. But ultimately the last step is to

remember the phrase plus the password. Weir, Aggarwal, & Mederiors developed a new method

to generate password structures in the highest probability order. They talk about how their tools

and techniques will help secure passwords and or crack passwords. This information could be

used to help with explaining more of the risks to weak passwords in my paper. Also this article

has great factual information about passwords and the success rate of cracking passwords.

Monrose, Reiter, & Wetzel (2002) discuss creating stronger passwords based on dynamic

keystrokes and how random keystroke passwords work. The part of this paper that I am thinking

of using in my paper is the part about Biometrics as an alternative to passwords. I would be using

the information in the future tense to talk about what might be available for average college

students in the future. For example, A college students wanting to get into his/her dorm room

would use biometrics by using a thumb print or and hand print. Fordham talks about the

difference between strong and weak passwords. Fordham discusses the differences in safe and

unsafe password usage; plus how the use of passwords should determine the strength of a

password such as a password to forums versus a password to an online bank account. This

information and research done by Fordham is on the weaker side of most the resources but I

think I can find a way to use this in my paper. The author also goes on to talk about changing

passwords frequently. He gives the analogy, “A good password is like the oil in your car. The

more you use it, the more frequently it should be changed.” Which basically means the more a
Passwords & Personal Identity Safety, A.Largent                                                    8

single password is used online without change the larger the chance or more at risk that password

is of being cracked or hacked into. Filipek‟s (2006) research on unmanaged privileged passwords

is a great piece of information, that facts are strong and to the point and the research done shows

in his writing. I am going to use this research towards the end of my paper to show my readers

the power behind passwords and the potential risk in having privileged passwords means in

terms of risk towards identity theft. A privileged password provides a powerful entry point to a

system. An administrator‟s password is an example of a privileged password. Any password with

authority over a system is a privileged password. But how does this pertain to college students?

Most college students I know have online bank account and along with that bank account comes

a password, that password is another form of a privileged password. I think this is good

information to end my paper because I think this will serve to inform and help relate to college


                                                  III.   Methods

       This analysis utilizes questionnaire data collected by friends and classmates at Indiana

University of Pennsylvania. The questionnaire offers a broad spectrum that, I feel, can be

considered representative of IUP college students‟ (ages 18 and older) thoughts about passwords.

This examination of the comprehensible notion of password understanding will hopefully be

realized with the help of the 100 participants of the questionnaire. The questionnaire will include

multiple answer questions surrounding and encompassing password methods, strength, and

overall knowledge. This will help the researcher analyze and make a conclusion to the ideology

of password knowledge within the college student community. Following is a brief description of

the considered method variable and a hypothesis to this variable.
Passwords & Personal Identity Safety, A.Largent                                                   9

       When I think about the method of a questionnaire and how it might affect the outcome of

my research, I think about the validity of the questions I might ask. The first questions will

probably have to do with password strength. For example “What is the standard length for a

strong password?”, then with that question I will supply some answers such as, “6 characters, 8

characters, 12 characters, or 24 characters”. With this question I would hope that most of the

participants would pick the highest number, that whenever given the chance to pick the size of

your passwords to always choose the maximum length. After asking basic strength questions I

will ask a methods questions, such as “Which password design method is the best?” Followed

closely by the answers “All numbers, All alphabetic characters, All special characters (such as

!@#$%^&*), All upper and lower case alphabetic characters, A mixture of all the above”, With

this questions I think there will be a wide range of answers. I will also ask loaded questions. The

last set of questions will be related to overall password knowledge. Each question within the last

set will be harder than the one before it, to evaluate the participants overall knowledge.

       With the time constraints I am only able to do one research method to gather information.

With this time constraint a questionnaire seemed to be the best way to gather the information I

require for my research. My hypothesis of this questionnaire is that most college students don‟t

possess the general knowledge to provide sufficient passwords to their online applications,

putting them at risk for identity theft or fraudulent criminal acts.

                                        IV.       Results & Discussion

       The results of my research produced some interesting information; I also found my

pervious conclusions seem to be somewhat true based upon the results of my questionnaire. In

the questionnaire, when asked “When creating a password, do: (answers: use only upper/lower
Passwords & Personal Identity Safety, A.Largent                                                   10

case letters, use only numbers, use only special characters, all of the above)” 37% of the

participants answered they use only upper/lower case letters which is to be expected. From my

initial research I found that most people only use regular upper/lower case letters to create their

passwords, for the simple reason they are easier to remember. On the other hand, when asked the

same question 63% answered that they use all the above, meaning they use upper/lower case

letters along with numbers and special characters. This result was unexpected but correct, the

best way to create a password is to use upper/lower case letters along with numbers and special

characters ( For example !@#$%^&*()<>{}|[]\ etc.).

       When asked, “Do you generally use the same password for all online applications?

(answers: yes, no)” I figured that the majority of participants would say yes, and they did, 63%

of the participants answered yes, they do use one password for all online applications, this is

ultimately a poor usage of passwords and puts personal information and safety at risk. If for

instance, someone, most likely a hacker, were to learn of the password, that hacker would have

unrestricted access to all applications where that password is used, this occurrence is more

commonly known as the Domino Effect.

       When asked “If no, (to last question) Do you find it difficult to remember passwords to

your applications? (answer: yes, no) A reasonable amount of participants, 60%, answered yes. I

found that this is the primary reason people resort to when giving a reason why they use the same

password for all application, because they can‟t remember multiple passwords for multiple

application. The answer to this problem is one of two ways I have some up with, people could

use a smartcard to remember their passwords or they could create a stronger password and still

use one password for all applications. The down side to using the same password for all

application is still the same, if someone were to gain access to that password; they would have
Passwords & Personal Identity Safety, A.Largent                                                     11

unrestricted access to all applications where that password is used. I can‟t tell people which is

better or what to do, I can only suggest using better password methodology practices to create

passwords. 40% of participants answered no, this result proves that people have the power to

remember multiple passwords for multiple applications, but the majority either doesn‟t have the

patience or don‟t want to be bothered with remembering. I see the point of both sides to this

question and I can sympathize with not wanting to remember a multitude of passwords, makes

online exploits easier and more convenient.

       Another important question asked on the questionnaire was, “When designing your

passwords, do you use: (answers: names of family members/pets, hobbies, dictionary words,

random combination of characters)” a predictable 56% of participants answered names of family

members/pets. The reason using names of family members/pets is considered bad password

practice is that hackers can easily guess those passwords. The hackers can also use a dictionary

attack which is a brute force method that checks dictionary words against the user‟s password,

this is a timely process but proves effective with lackluster passwords or weak passwords.

Amazingly only 25% of participants answered that they use random combination of characters

when designing their passwords. As far as I can find this is the best method when designing

passwords with proper security in mind. The benefits of a random combination of characters

design method is that it is much harder to crack using brute force methods of hacking.

       When asked in the questionnaire, “What do you think the recommended length for a

password is? (answers: 8 characters, 4 characters, 24 characters, 12 characters)”, this question

was designed to be a basic information assurance question just to find out the basic password

knowledge of college students. I found that 63% of participants answered 8 characters, this

would be a good length for a password five or ten years ago, but the suggested length of a
Passwords & Personal Identity Safety, A.Largent                                                    12

password is 12 or more characters in length which 31% of participants answered in the

questionnaire. A small minority of participants 6% answered 24 characters, this is a great length

and is not wrong in any manner, but most people probably can‟t come up with a 24 character

password if they were asked, so my suggestion would be to try and make all passwords at least

12 characters long an above. This is a great start to making sure passwords are strong and secure.

       The next questioned asked was, “ Have you ever been a victim of a cybercrime?” A

predictable 88% of participants said no while a surprising 12% said yes, I know that if this

questionnaire was given to a larger group of participants these numbers wouldn‟t mean much,

but it was only given to my classmates, so to have 12% of them been a victim of a cybercrime,

this is a big eye opener, my question to them of course would be; what was the crime and what

happened after, If I was to guess I would think it too of been some kind of fraudulent criminal act

perpetrated on the 12% of participants.

       When asked, “Do you consider your online personal information safe? (answers: yes,

no)”, little more than half (56%) of the participants said yes. This is not surprising, because most

people on the internet don‟t worry or just don‟t have enough knowledge about the risks and

threats on the internet to worry about such things. This is the reason this research means so much

to me, If I can make just one person more aware about the risks of poor password usage, and the

benefits of good password methodology. With the other 44% of participants answering no, it

means that at least some of the participants of this questionnaire are at least aware of the threats

on the internet, the majority of them being viruses, worms, Trojans, or phishing attacks.

       The last multiple choice question was designed to see how informed college students are.

“Did you know that more than 220million data breaches of personal information occurred
Passwords & Personal Identity Safety, A.Largent                                                       13

between January/05 and March/08 (answers: yes, no)” 94% of the participants answered no. I

had predicted that most of the participants would not have known that and I was right. The last

question was an open-ended question, not all participants commented on the question which was,

“Do you have any additional ideas or comments about passwords & online information? Please

Explain.” But some of the participants did have something to say, for example; “I honestly think

that anyone who had the right technological equipment, they can figure out anyone‟s password”.

What this comment means to me, is that this participant has no trust in the intrusion protection,

but this participant also has a good point. It is true that if someone is willing to hack personal

information, there is always a way.

       Another comment given by a participant was, “I only make sure my passwords for very

important things are secure. The less I really care about getting something hacked, the more

simple a password I will use. For important things like my email and bank account I use unique

passwords with combinations of letters/numbers etc., but I have few passwords I use for multiple

things.” This participant is basically saying that they only care about protecting important

information on the internet, what they fail to realize is that if a hacker was to gain access to even

one password that hacker could potentially have a way into that person‟s applications or


       The next participant had this to say, “Interesting topic, I am just so trust worthy that I

never consider making new passwords for things. If I had a bunch of different passwords I would

definitely forget them all!!!” This comment proves my point that it seems people are too

trustworthy when it comes to the internet and online application. I believe this is where most of

the student population sits on the subject of the internet, either they are just too trustworthy or

they just don‟t care.
Passwords & Personal Identity Safety, A.Largent                                                    14

       The last comment provided by one of the participants of my questionnaire said, “I‟m sick

of creating passwords and trying to remember them, especially for online shopping. That‟s why I

use the same one for everything.” This is probably the main reason behind all decisions to use

only one password for all applications. People find it to hard to remember multiple passwords for

multiple applications, and I believe this to be one of the main problems behind poor password

usage. With that in mind I decided to come up with a method of creating multiple passwords to

hopefully help out my fellow college students. When creating passwords, try and make them a

random arrangement of upper/lower case letters along with numbers and special characters

ranging from 12 to 24 characters, for instance (Mj$8qT3!x&9f). Now that the first password is

created, all that needs to be done to create a password for another application is to modify the

original by one or two characters. This will help with memory problems a user might have and

will insure password strength and security. I would like to take this time to thank all the

participants of my questionnaire for their help with my research and with helping to formulate

my conclusion.

                                              V.    Conclusion

       In conclusion I found that college students don‟t possess the knowledge of the threats and

risks to Internet use and proper password usage and design methods. I feel that college students

don‟t really care about the risks of weak password usage to waste their valuable time researching

better password design method nor waste time learning to remember a multitude of passwords

for their various applications. I urge any and all readers of this paper to take the time and think

about their passwords length, design method, and strength before creating a password for its

simplicity. I hope that this paper has been a good informational read and I wish all who read this

well and safe computing.
Passwords & Personal Identity Safety, A.Largent                                             15

                                             VI.   Work Cited

Filipek, R. (2006). Unmanaged Privileged Passwords Pose Security Risks. Internal Auditor,

       63(6), p22-25. Retrieved from


Fordham, D. (n.d.). How strong are your passwords? Retrieved from EBSCOhost Web site:


Garrison, C. (n.d.). An Evaluation of Passwords [Document Management Increases the Need for

       Secure Passwords]. Retrieved from EBSCOhost Web site:


Helkala, K., & Snekkenes, E. (n.d.). Password Generation and Search Space. Retrieved from

       EBSCOhost Web site:


Ives, B., Walsh, K., & Schneider, H. (2004). The Domino Effect of Password Reuse.

       Communications of the ACM, 47(4), p75-78. Retrieved from
Passwords & Personal Identity Safety, A.Largent                                             16



Kuo, C., Romanosky, S., & Cranor, L. (n.d.). Human Selection of Mnemonic Phrase-based

       Passwords. Retrieved from ACM Digital Library Web site:



Medlin, D., & Cazier, J. (2005). An Investigaitve Study: Consumers Password Choices on an E-

       Commerce Site. Journal of Information Privacy & Security, 1(4), p33-52. Retrieved from



Monrose, F., Reiter, M., & Wetzel, S. (2002). Password hardening based on keystroke dynamics.

       International Journal of Information Security, 1(2), p69-83. Retrieved from


Renaud, K., & Ramsay, J. (2007). Now what was that password again? A more flexible way of

       identifying and authenticating our seniors. Behaviour & Information Technology, 26(4),

       p309-322. Retrieved from

Passwords & Personal Identity Safety, A.Largent                                       17

Weir, M., Aggarwal, S., Mederiors, B., & Glodek, B. (n.d.). Password Cracking Using

       Probabilistic Context-Free Grammars. Retrieved from EBSCOhost Web site:



Shared By: