Password-based authentication: a system perspective

User authentication in computer systems has been a cornerstone of computer security for decades. The concept of a user id and password is a cost effective and efficient method of maintaining a shared secret between a user and a computer system. One of the key elements in the password solution for security is a reliance on human cognitive ability to remember the shared secret. In early computing days with only a few computer systems and a small select group of users, this model proved effective. With the advent of the Internet, e-commerce, and the proliferation of PCs in offices and schools, the user base has grown both in number and in demographic base. Individual users no longer have single passwords for single systems, but are presented with the challenge of remembering numerous passwords for numerous systems, from email, to web accounts, to banking and financial services. This paper presents a conceptual model depicting how users and systems work together in this function and examines the consequences of the expanding user base and the use of password memory aids. A system model of the risks associated with password-based authentication is presented from a user centric point of view including the construct of user password memory aids. When confronted with too much data to remember, users develop memory aids to assist them in the task of remembering important pieces of information. These user password memory aids form a bridge between otherwise unconnected systems and have an effect on system level security across multiple systems interconnected by the user. A preliminary analysis of the implications of this user centric interconnection of security models is presented.