{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2023,11,17]],"date-time":"2023-11-17T00:17:18Z","timestamp":1700180238698},"reference-count":52,"publisher":"Association for Computing Machinery (ACM)","issue":"3","funder":[{"name":"CyberSkills HCI Pillar 3 Project","award":["18364682"]},{"DOI":"10.13039\/501100001602","name":"Science Foundation Ireland","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100001602","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100008530","name":"European Regional Development Fund","doi-asserted-by":"crossref","award":["13\/RC\/2077_P2"],"id":[{"id":"10.13039\/501100008530","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2023,8,30]]},"abstract":"Authentication security advice is given with the goal of guiding users and organisations towards secure actions and practices. In this article, a taxonomy of 270 pieces of authentication advice is created, and a survey is conducted to gather information on the costs associated with following or enforcing the advice. Our findings indicate that security advice can be ambiguous and contradictory, with 41% of the advice collected being contradicted by another source. Additionally, users reported high levels of frustration with the advice and identified high usability costs. The study also found that end-users disagreed with each other 71% of the time about whether a piece of advice was valuable or not. We define a formal approach to identifying security benefits of advice. Our research suggests that cost-benefit analysis is essential in understanding the value of enforcing security policies. 
Furthermore, we find that organisation investment in security seems to have better payoffs than mechanisms with high costs to users.","DOI":"10.1145\/3588031","type":"journal-article","created":{"date-parts":[[2023,3,17]],"date-time":"2023-03-17T12:08:35Z","timestamp":1679054915000},"page":"1-35","update-policy":"http:\/\/dx.doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Costs and Benefits of Authentication Advice"],"prefix":"10.1145","volume":"26","author":[{"ORCID":"http:\/\/orcid.org\/0000-0002-5349-4011","authenticated-orcid":false,"given":"Hazel","family":"Murray","sequence":"first","affiliation":[{"name":"Munster Technological University, Ireland"}]},{"ORCID":"http:\/\/orcid.org\/0000-0002-6947-586X","authenticated-orcid":false,"given":"David","family":"Malone","sequence":"additional","affiliation":[{"name":"Maynooth University, Maynooth, Ireland"}]}],"member":"320","published-online":{"date-parts":[[2023,5,13]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/322796.322806"},{"key":"e_1_3_2_3_2","volume-title":"Phishing Activity Trends Report 1st Quarter 2018","year":"2018","unstructured":"APWG. 2018. Phishing Activity Trends Report 1st Quarter 2018. Technical Report. Retrieved from https:\/\/docs.apwg.org\/reports\/apwg_trends_report_q1_2018.pdf."},{"key":"e_1_3_2_4_2","volume-title":"International Workshop on Quantitative Aspects in Security Assurance","author":"Arnell Simon","year":"2012","unstructured":"Simon Arnell, Adam Beautement, Philip Inglesant, Brian Monahan, David Pym, and Martina Angela Sasse. 2012. Systematic decision making in security management modelling password usage and support. In International Workshop on Quantitative Aspects in Security Assurance. 
Citeseer."},{"key":"e_1_3_2_5_2","first-page":"47","volume-title":"Workshop on New Security Paradigms","author":"Beautement Adam","year":"2009","unstructured":"Adam Beautement, Martina Angela Sasse, and Mike Wonham. 2009. The compliance budget: Managing security behaviour in organisations. In Workshop on New Security Paradigms. ACM, 47\u201358."},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-74800-7_9"},{"key":"e_1_3_2_7_2","volume-title":"Beyond Fear: Thinking Sensibly about Security in an Uncertain World","author":"Bruce Schneier","year":"2003","unstructured":"Schneier Bruce. 2003. Beyond Fear: Thinking Sensibly about Security in an Uncertain World. Springer-Verlag New York, Inc."},{"key":"e_1_3_2_8_2","unstructured":"Dodson Burr and Polk. 2003. NIST Special Publication 800-63: Electronic Authentication Guidelines. Retrieved from https:\/\/csrc.nist.gov\/csrc\/media\/publications\/sp\/800-63\/ver-10\/archive\/2004-06-30\/documents\/sp800-63-v1-0.pdf."},{"issue":"1","key":"e_1_3_2_9_2","first-page":"247","article-title":"Phishing attacks and defenses","volume":"10","author":"Chaudhry Junaid Ahsenali","year":"2016","unstructured":"Junaid Ahsenali Chaudhry, Shafique Ahmad Chaudhry, and Robert G. Rittenhouse. 2016. Phishing attacks and defenses. Int. J. Secur. Applic. 10, 1 (2016), 247\u2013256.","journal-title":"Int. J. Secur. Applic."},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10623-015-0071-9"},{"key":"e_1_3_2_11_2","unstructured":"Philip Cox. 2016. Password Sanity: Thank You NIST. Retrieved from https:\/\/www.linkedin.com\/pulse\/password-sanity-thank-you-nist-philip-cox."},{"key":"e_1_3_2_12_2","volume-title":"Security and Usability: Designing Secure Systems that People Can Use","author":"Cranor Lorrie Faith","year":"2005","unstructured":"Lorrie Faith Cranor and Simson Garfinkel. 2005. Security and Usability: Designing Secure Systems that People Can Use. 
O\u2019Reilly Media Inc."},{"key":"e_1_3_2_13_2","first-page":"23","volume-title":"Network and Distributed Security Symposium","author":"Das Anupam","year":"2014","unstructured":"Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, and XiaoFeng Wang. 2014. The tangled web of password reuse. In Network and Distributed Security Symposium, Vol. 14. 23\u201326."},{"key":"e_1_3_2_14_2","first-page":"10","volume-title":"6th Symposium on Usable Privacy and Security","author":"Flor\u00eancio Dinei","year":"2010","unstructured":"Dinei Flor\u00eancio and Cormac Herley. 2010. Where do security policies come from? In 6th Symposium on Usable Privacy and Security. ACM, 10."},{"issue":"6","key":"e_1_3_2_15_2","article-title":"Do strong web passwords accomplish anything?","volume":"7","author":"Flor\u00eancio Dinei","year":"2007","unstructured":"Dinei Flor\u00eancio, Cormac Herley, and Baris Coskun. 2007. Do strong web passwords accomplish anything? HotSec 7, 6 (2007).","journal-title":"HotSec"},{"key":"e_1_3_2_16_2","first-page":"575","volume-title":"23rd USENIX Security Symposium","author":"Flor\u00eancio Dinei","year":"2014","unstructured":"Dinei Flor\u00eancio, Cormac Herley, and Paul C. Van Oorschot. 2014. Password portfolios and the finite-effort user: Sustainably managing large numbers of accounts. In 23rd USENIX Security Symposium. 575\u2013590."},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/2934663"},{"key":"e_1_3_2_18_2","unstructured":"Google. 2023. Creating a Strong Password. Retrieved from https:\/\/support.google.com\/accounts\/answer\/32040?hl=en."},{"key":"e_1_3_2_19_2","unstructured":"Paul Grassi Michael Garcia and James Fenton. 2016. Draft SP-800-63. Retrieved from https:\/\/pages.nist.gov\/800-63-3\/sp800-63b.html."},{"key":"e_1_3_2_20_2","article-title":"SP-800-63","volume":"800","author":"Grassi Paul","year":"2017","unstructured":"Paul Grassi, Michael Garcia, and James Fenton. 2017. SP-800-63. NIST Spec. Public. 
800 (2017), 63\u20133. Retrieved from https:\/\/pages.nist.gov\/800-63-3\/.","journal-title":"NIST Spec. Public."},{"key":"e_1_3_2_21_2","unstructured":"Jeffrey Grobaski. 2016. You Hate Changing Your Password and It Doesn\u2019t Help. Retrieved from https:\/\/epicriver.com\/you-hate-changing-your-password-and-it-doesnt-help\/."},{"key":"e_1_3_2_22_2","unstructured":"Hazel Murray. 2018. Advice Is Like Mushrooms the Wrong Kind Can Prove Fatal. Retrieved from https:\/\/passwordscon.org\/2018\/07\/."},{"key":"e_1_3_2_23_2","unstructured":"Hazel Murray. 2018. Password Policies: Recent Developments and Possible Appraise. Retrieved from https:\/\/conferences.heanet.ie\/2018\/talk\/133."},{"key":"e_1_3_2_24_2","first-page":"133","volume-title":"New Security Paradigms Workshop","author":"Herley Cormac","year":"2009","unstructured":"Cormac Herley. 2009. So long, and no thanks for the externalities: The rational rejection of security advice by users. In New Security Paradigms Workshop. ACM, 133\u2013144."},{"key":"e_1_3_2_25_2","unstructured":"Troy Hunt. 2014. The \u201cCobra Effect\u201d that Is Disabling Paste on Password Fields. Retrieved from https:\/\/www.troyhunt.com\/the-cobra-effect-that-is-disabling\/."},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/1753326.1753384"},{"key":"e_1_3_2_27_2","first-page":"327","volume-title":"11th Symposium on Usable Privacy and Security (SOUPS\u201915)","author":"Ion Iulia","year":"2015","unstructured":"Iulia Ion, Rob Reeder, and Sunny Consolvo. 2015. \u201c... No one can hack my Mind\u201d: Comparing expert and Non-Expert security practices. In 11th Symposium on Usable Privacy and Security (SOUPS\u201915). 327\u2013346."},{"key":"e_1_3_2_28_2","first-page":"523","volume-title":"IEEE Symposium on Security and Privacy","author":"Kelley Patrick Gage","year":"2012","unstructured":"Patrick Gage Kelley, S. Komanduri, M. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. Cranor, and J. Lopez. 2012. 
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In IEEE Symposium on Security and Privacy. IEEE, 523\u2013537."},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/1978942.1979321"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/1592761.1592773"},{"key":"e_1_3_2_31_2","unstructured":"Microsoft TechNet Magazine. 2023. Best Practices for Enforcing Password Policies. Retrieved from https:\/\/technet.microsoft.com\/en-us\/library\/ff741764.aspx."},{"key":"e_1_3_2_32_2","doi-asserted-by":"crossref","unstructured":"Hazel Murray. 2023. GitHub Repository. Costs and Benefits of Authentication Advice. Retrieved from https:\/\/github.com\/HazelMurray\/Costs-and-Benefits-of-authentication-advice.","DOI":"10.1145\/3588031"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISSC.2017.7983609"},{"key":"e_1_3_2_34_2","unstructured":"Paypal. 2023. Tips for Creating a Secure Password. Retrieved from https:\/\/www.paypal.com\/ie\/selfhelp\/article\/tips-for-creating-a-secure-password-faq3152."},{"key":"e_1_3_2_35_2","first-page":"215","volume-title":"ACM Conference on Economics and Computation","author":"Redmiles Elissa M.","year":"2018","unstructured":"Elissa M. Redmiles, Michelle L. Mazurek, and John P. Dickerson. 2018. Dancing pigs or externalities? Measuring the rationality of security decisions. In ACM Conference on Economics and Computation. 215\u2013232."},{"key":"e_1_3_2_36_2","first-page":"89","volume-title":"29th USENIX Security Symposium (USENIX Security\u201920)","author":"Redmiles Elissa M.","year":"2020","unstructured":"Elissa M. Redmiles, Noel Warford, Amritha Jayanti, Aravind Koneru, Sean Kross, Miraida Morales, Rock Stevens, and Michelle L. Mazurek. 2020. A comprehensive quality evaluation of security and privacy advice on the web. In 29th USENIX Security Symposium (USENIX Security\u201920). 
89\u2013108."},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2017.3681050"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.5555\/2011143.2011146"},{"key":"e_1_3_2_39_2","unstructured":"Karen Renaud. 2005. Evaluating authentication mechanisms. In Security and Usability: Designing Secure Systems that People Can Use Lorrie Faith Cranor and Simson Garfinkel (Eds.). O\u2019Reilly Media Inc. Sebastopol CA Chapter 6 103\u2013128."},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ress.2006.08.008"},{"key":"e_1_3_2_41_2","article-title":"Analysis of minimum and maximum character bounds of password lengths of globally ranked websites","author":"Saini Jatinderkumar R.","year":"2014","unstructured":"Jatinderkumar R. Saini. 2014. Analysis of minimum and maximum character bounds of password lengths of globally ranked websites. Int. J. Adv. Netw. Applic. 0975-0290 (2014).","journal-title":"Int. J. Adv. Netw. Applic."},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-009-0084-3"},{"key":"e_1_3_2_43_2","volume-title":"6th Symposium On Usable Privacy and Security (SOUPS)","author":"Shay Richard","year":"2010","unstructured":"Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2010. Encountering stronger password requirements: User attitudes and behaviors. In 6th Symposium On Usable Privacy and Security (SOUPS). ACM."},{"key":"e_1_3_2_44_2","first-page":"449","volume-title":"23rd USENIX Security Symposium","author":"Silver David","year":"2014","unstructured":"David Silver, Suman Jana, Dan Boneh, Eric Chen, and Collin Jackson. 2014. Password managers: Attacks and defenses. In 23rd USENIX Security Symposium. 
449\u2013464."},{"key":"e_1_3_2_45_2","first-page":"397","volume-title":"21st USENIX Security Symposium","author":"Somorovsky Juraj","year":"2012","unstructured":"Juraj Somorovsky, Andreas Mayer, J\u00f6rg Schwenk, Marco Kampmann, and Meiko Jensen. 2012. On breaking SAML: Be whoever you want to be. In 21st USENIX Security Symposium. 397\u2013412."},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417882"},{"key":"e_1_3_2_47_2","volume-title":"Symposium On Usable Privacy and Security (SOUPS)","author":"Ur Blase","year":"2015","unstructured":"Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2015. \u201cI added \u2018!\u2019 at the end to make it secure\u201d: Observing password creation in the lab. In Symposium On Usable Privacy and Security (SOUPS)."},{"key":"e_1_3_2_48_2","unstructured":"USENIX Security 2017. Poster Session. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity17\/poster-session."},{"key":"e_1_3_2_49_2","unstructured":"Chad Warner. 2010. Passwords with Simple Character Substitution Are Weak. Retrieved from https:\/\/optimwise.com\/passwords-with-simple-character-substitution-are-weak\/."},{"key":"e_1_3_2_50_2","unstructured":"Matt Weir. 2009. The RockYou 32 Million Password List Top 100. Retrieved from https:\/\/reusablesec.blogspot.com\/2009\/12\/rockyou-32-million-password-list-top.html."},{"key":"e_1_3_2_51_2","unstructured":"XKCD. 2011. Password Strength. Retrieved from https:\/\/xkcd.com\/936\/."},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866328"},{"key":"e_1_3_2_53_2","first-page":"1","volume-title":"APWG Symposium on Electronic Crime Research (eCrime)","author":"Zhang-Kennedy Leah","year":"2016","unstructured":"Leah Zhang-Kennedy, Sonia Chiasson, and Paul van Oorschot. 2016. Revisiting password rules: Facilitating human management of passwords. 
In APWG Symposium on Electronic Crime Research (eCrime). IEEE, 1\u201310."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3588031","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,16]],"date-time":"2023-11-16T20:13:04Z","timestamp":1700165584000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3588031"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5,13]]},"references-count":52,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2023,8,30]]}},"alternative-id":["10.1145\/3588031"],"URL":"https:\/\/doi.org\/10.1145\/3588031","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,5,13]]},"assertion":[{"value":"2022-06-22","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-03-12","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-05-13","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}