a guest
Feb 28th, 2019
<!DOCTYPE html>
<html lang="en" dir="ltr">

<head>
<meta charset="utf-8">
<link rel="stylesheet" title="MywebsiteStyle" href="mywebsitestyle.css" type="text/css">
<title>Literature Review</title>
</head>

<body>

<nav class="topnav">
<a href="index.html">Home</a>
<a href="literaturereview.html">Literature review</a>
<a href="discoverylog.html">Discovery Log</a>
</nav>

<h1>Mitigating Personal Information Exposure on The Web</h1>

<div class="content">
<h1>Content</h1>
<ol>
<li><a href="#intro">Introduction</a></li>
<li>
<p class="normal"><a href="#Users">Account access caused by users</a></p>
<ul>
<li><a href="#Users1">2.1</a></li>
<li><a href="#Users2">2.2</a></li>
<li><a href="#Users3">2.3</a></li>
</ul>
</li>
<li>
<p><a href="#Company">Account access through company systems</a></p>
<ul>
<li><a href="#Company1">3.1</a></li>
<li><a href="#Company2">3.2</a></li>
</ul>
</li>
<li><a href="#Graphical">Graphical Passwords</a></li>
<li><a href="#Conclusion">Conclusion</a></li>
<li><a href="#ref">Reference List</a></li>
</ol>
</div>

<main>
<h2 id="intro">Introduction</h2>
<p>This review discusses password security in depth. Many cases show a lack of
proper password security, leading to a significant number of incidents where
people have been hacked or had personal information leaked onto the web. I will
base this review on the issues that prevent better password security and then
discuss methods or solutions for those issues.</p>
<h2 id="Users">Account access caused by users</h2>
<p id="Users1">Many users cause their own information to be leaked by putting
minimal effort into their own password security. Sometimes the issue comes from
being uneducated about cyber security. One source states that this is a more
common issue among elderly people (Pfleeger, 2010, p.597), because
information about technology has changed and developed a lot over the years.
Pfleeger also argues that people know how easily a password breach can happen
and what the consequences are, but do not want to put in the extra effort to
take appropriate measures. Examples include using the same password for
multiple websites, not filling in optional security questions and not making a
complex password. Poor protection measures like these can let someone break
into even higher-security websites by stealing information from lower-security
websites that may store similar information or passwords.
</p>
<p id="Users2">Pfleeger (p.598) discusses a possible solution for the lack of
people practising good e-safety: teach kids early and then trust them to do it
on their own. When this was practised in public, a report from Ofsted said
“the provision for e-safety was outstanding” and that it helped kids gain
good security skills from a young age. It also helped them to practise this in
unsupervised situations. This approach is more likely to give good results than
making it compulsory for the public to follow correct protection measures,
because compulsion could have a negative effect on people, for example by
removing freedom from the public.
</p>
<p id="Users3">One study proposed a method to deal with situations such as
password reuse (Jeffrey L. Jenkins 2013, p.196). Jenkins put forward a
hypothesis using just-in-time fear appeals: if password reuse is detected, a
just-in-time fear appeal pops up to scare the user into taking the time and
effort to make a different and more secure password. Jenkins's findings state
that 88.41% of users made their password unique after receiving a just-in-time
fear appeal. An approach like this is likely to affect the section of the
public that does not care much about password protection, or people who
procrastinate, as it signals how important making a secure password is and that
you can be hacked at any time.
</p>
<h2 id="Company">Account access through company systems</h2>
<p id="Company1">Other studies argue that it is not always the user’s fault.
Some systems are built in a way that makes it easy for a hacker to gain access.
One source (Gauvin, verse 1) discusses how easy it is to use “forgotten
password” to gain access to an account. If a hacker uses the forgotten password
link on a website, there will be security questions such as “what is your
mother’s maiden name?”. They could find this information through places such as
social media, where a person can look up people’s relationships, find their
mother and her maiden name. Doing this would give them access to the account
with minimal effort.
</p>
<p id="Company2">Gauvin presents an invention (verse 15-16) that considers
social media and other routes to your information when making an account. When
security questions are being set up, it notifies the user of the level of risk
based on the amount of information available about the user on the web. Based
on this, it will take actions such as notifying the user through another
method, requesting more verification or even blocking the forgotten password
transaction. This invention would also make a user’s accounts better protected
against other hacking methods, such as making phone calls to the company, that
rely on information an attacker could easily find through other sources on the
internet.
</p>
<h2 id="Graphical">Graphical passwords</h2>
<p>One method that can improve password security is graphical passwords.
A graphical password is an authentication system where the user selects images
in a certain sequence from those presented by an interface. However, there is
disagreement in the community on whether graphical passwords are better than
normal passwords where you type in characters. One source
(Lashkari, et al., 2009, p.145) states that graphical password schemes are
more vulnerable to shoulder surfing than alphanumeric text passwords. Shoulder
surfing is a social engineering tactic where someone spies on a person
inputting important information such as passwords or ID. Another article
argues that graphical passwords are better than alphanumeric passwords.
It researches how easy it is for people to memorise graphical passwords
compared to alphanumeric ones and how secure they are against shoulder
surfing. In a laboratory experiment, 20 participants had to shoulder surf
basic passwords versus PassFace (Tari, et al., p.56), a graphical password
interface, used with a mouse and with a keyboard. Tari shows evidence from the
experiment (p.62) in the form of a table suggesting that PassFace with a mouse
is the most memorable on average, while dictionary and non-dictionary
alphanumeric passwords are easier to hack than PassFace.
</p>
<h2 id="Conclusion">Conclusion</h2>
<p>To sum up the discussion above, there are many ways for hackers to get into a
user’s account; however, more methods and inventions for systems are coming
out. Teaching kids proper e-safety seems to be a very good method to mitigate
personal exposure, but only in the long term, as it does not affect the current
adults in society. Graphical passwords also seem like they could be a major
help, but more evidence is required before justifying their use. This is
because of the amount of effort the user will put into taking appropriate
measures. The methods would need to be simple and efficient for any user in
order to reach the part of the public that puts minimal effort into
security.</p>


<h2 id="ref">References</h2>
<ul>
<li><a href="https://www.sciencedirect.com/science/article/pii/S0167404811001659">
Shari Lawrence Pfleeger, Deanna D. Caputo. (2012). Leveraging behavioral science to mitigate cyber security risk
</a>
</li>
<li>Arash Habibi Lashkari, Samaneh Farmand, Dr. Rosli Saleh, Dr. Omar Bin Zakaria. (2009). Shoulder Surfing attack in graphical password authentication
Referenced from:
<a href="https://arxiv.org/ftp/arxiv/papers/0912/0912.0951.pdf">
https://arxiv.org/ftp/arxiv/papers/0912/0912.0951.pdf
</a>
</li>
<li>William Gauvin. (2011). Techniques for mitigating forgotten password attacks
Referenced from:
<a href="https://patents.google.com/patent/US8555357B1/en">
https://patents.google.com/patent/US8555357B1/en
</a>
</li>
<li>
Jeffrey L. Jenkins, Mark Grimes, Jeffrey Gainer Proudfoot, Paul Benjamin Lowry. (2013). Improving Password Cybersecurity Through Inexpensive and Minimally Invasive Means: Detecting and Deterring Password Reuse Through Keystroke-Dynamics
Monitoring and Just-in-Time Fear Appeals
Referenced from:
<a href="https://www.tandfonline.com/doi/abs/10.1080/02681102.2013.814040">
https://www.tandfonline.com/doi/abs/10.1080/02681102.2013.814040
</a>
</li>
<li>Furkan Tari, A. Ant Ozok, Stephen H. Holden. (2006). A Comparison of Perceived and Real Shoulder-surfing Risks between Alphanumeric and Graphical Passwords
Referenced from:
<a href="http://cups.cs.cmu.edu/soups/2006/proceedings/p56_tari.pdf">
http://cups.cs.cmu.edu/soups/2006/proceedings/p56_tari.pdf
</a>
</li>
</ul>
</main>
</body>

</html>