Protection of information in a departmental information and telecommunications network using a password system


Vitaliy Sobyna

National University of Civil Defence of Ukraine

http://orcid.org/0000-0001-6908-8037


Dmytro Taraduda

National University of Civil Defence of Ukraine

http://orcid.org/0000-0001-9167-0058


Maksym Dement

National University of Civil Defence of Ukraine

https://orcid.org/0000-0003-4975-384X


DOI: https://doi.org/10.52363/2524-0226-2021-34-15


Keywords: authentication, password, password strength, Shannon entropy, password strength policy

Annotation

An approach to the quantitative estimation of the strength of password systems that takes into account the cardinality of the password space and the length of the password is theoretically substantiated. Information entropy is formalized as a measure of the amount of information that remains unknown about a random variable, where the uncertainty of the variable is assessed in light of the knowledge contained in another part of the message. It is established that the greater the entropy of a given distribution of passwords, the more difficult it is to guess a password chosen from that distribution; passwords with higher entropy values require more expected guesses, which makes entropy useful as a measure of password strength. Proposals for password management in the departmental information and telecommunication network of a critical information infrastructure object are given. Studies show that much of the entropy introduced by uppercase and lowercase characters is created by users who exceed the minimum requirements of the password strength policy. Creating secure passwords is complicated by the trade-off between passwords that are difficult to crack and passwords that are convenient to use. Accordingly, the access control policy is important. Studies likewise show that much of the entropy introduced by uppercase and non-alphanumeric characters is created by users who exceed the minimum requirements of the password strength policy: using more digits than required, or placing special characters in varying positions. It is concluded that text passwords remain the dominant method of authentication in computer systems, despite significant improvements, including smart cards, RFID cards, USB tokens and graphical passwords, which have their advantages and are suitable for use in a particular environment or for a specific application. It is noted that few published empirical studies examine the strategies used by users under different password policies.
Further research is planned in this direction.
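As an added example (not part of the paper), the two entropy measures the annotation contrasts, written in Python: the L·log2(N) estimate from password length and implied character-space size, and the Shannon entropy of an empirical password distribution, which is what a guesser actually faces. The sample passwords, the policy parameters and the character-class sizes are constructed assumptions.

```python
import math
from collections import Counter
from typing import Iterable

# Assumed class sizes for printable ASCII: upper, lower, digits, specials.
UPPER, LOWER, DIGITS, SPECIAL = 26, 26, 10, 33


def char_space(password: str) -> int:
    """Size N of the alphabet implied by the character classes the password uses."""
    n = 0
    if any(c.isupper() for c in password):
        n += UPPER
    if any(c.islower() for c in password):
        n += LOWER
    if any(c.isdigit() for c in password):
        n += DIGITS
    if any(not c.isalnum() for c in password):
        n += SPECIAL
    return n


def space_entropy_bits(password: str) -> float:
    """L * log2(N): entropy the password would have if drawn uniformly from its implied space.
    This is the optimistic estimate; human-chosen passwords are far from uniform."""
    return len(password) * math.log2(char_space(password))


def policy_entropy_bits(min_length: int, alphabet_size: int) -> float:
    """Entropy guaranteed by a policy minimum (length, required alphabet) alone."""
    return min_length * math.log2(alphabet_size)


def entropy_above_policy(password: str, min_length: int, alphabet_size: int) -> float:
    """Bits a user adds by exceeding the policy minimum (extra classes, extra length)."""
    return space_entropy_bits(password) - policy_entropy_bits(min_length, alphabet_size)


def distribution_entropy_bits(samples: Iterable[str]) -> float:
    """Shannon entropy H = -sum p*log2(p) of the empirical password distribution."""
    counts = Counter(samples)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def expected_guesses(bits: float) -> float:
    """Expected guesses of an optimal guesser against a uniform space of 2**bits entries."""
    return (2 ** bits + 1) / 2


# Constructed sample: a small population where most users pick weak passwords.
SAMPLE = ["123456"] * 5 + ["password"] * 3 + ["Qwerty1!"] * 2
```

A policy of 8 lowercase-or-digit characters guarantees about 41 bits, while the constructed population above has under 1.5 bits of distribution entropy, which is why per-password space estimates overstate resistance to guessing.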

