Password Management Strategies for Online Accounts
Password Management Strategies for Online Accounts. Gaw & Felten (optional reading).
PowerPoint Slideshow about 'Password Management Strategies for Online Accounts' - slade
Presentation Transcript
Background
  • Users often are the enemy
  • Non-compliance with password practices occurs and undermines the system
  • Paper studies broad password practices
  • Proliferation of website logins
  • Quantifies and surveys the factors relating to password reuse
Related Work
  • Some papers have tried to address the problem of poor password practices
  • Some have suggested graphical passwords, i.e. pictures or points in an image
  • Others have looked at password hashing schemes with a ‘master’ password
Study Details, 1
  • Users were asked to evaluate their likelihood of attack from different groups
  • How did users justify subverting password policy?
  • This study collected information from participants' login attempts to websites; participants were then asked how many passwords they used
Study Details, 2
  • First pass – Participants were prompted with a list of sites by category
  • Record if they have an account
  • If yes, then 90 seconds to login to the website
  • Success: write down the password; failure: the user explains why
  • Recorded: number of passwords collected, number of unique passwords, the sizes of the classes of similar passwords, number of password repetitions, and number of passwords with related meanings
Study Details, 3
  • The second pass was open-ended, with no list
  • Record all other sites that you use a password for
  • Aggregate these with the statistics from the first pass
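As an added example (not part of the slides or of Gaw & Felten's paper), the following Python computes the per-participant statistics listed above over one constructed participant's logins. The similarity rule, lowercasing and dropping every non-letter so that passwords built on a shared stem fall into one class, is an assumption made here for illustration; the slides do not say how the study coded "similar" and "related meaning" passwords.

```python
import re
from collections import Counter

# Constructed sample for one participant: (site, password) pairs as the
# first and second passes would collect them. Made-up values, not study data.
SAMPLE_LOGINS = [
    ("email", "tiger2005"),
    ("bank", "Tiger2005!"),
    ("forum", "tiger2005"),
    ("news", "tiger"),
    ("shopping", "blue42"),
    ("university", "blue42"),
    ("social", "qwerty"),
]


def similarity_class(password):
    """Key of the 'similar passwords' class a password belongs to.

    Assumption (not from the paper): passwords are similar when they agree
    after lowercasing and removing every non-letter, so 'Tiger2005!' and
    'tiger' both map to 'tiger'.
    """
    return re.sub(r"[^a-z]", "", password.lower())


def reuse_stats(logins):
    """Per-participant statistics of the kind the study recorded."""
    passwords = [pw for _, pw in logins]
    exact = Counter(passwords)  # identical strings
    classes = {}
    for pw in passwords:
        classes.setdefault(similarity_class(pw), []).append(pw)

    # 'Related' here: distinct strings that share a class with at least one
    # other distinct string, i.e. variations on a theme rather than exact reuse.
    related = sum(len(set(members)) for members in classes.values()
                  if len(set(members)) > 1)

    return {
        "collected": len(passwords),
        "unique": len(exact),
        # each use of an already-seen password beyond the first is a repetition
        "repetitions": sum(count - 1 for count in exact.values()),
        "class_sizes": sorted((len(m) for m in classes.values()), reverse=True),
        "related": related,
        # fraction of logins that reuse an existing password
        "reuse_rate": round(1 - len(exact) / len(passwords), 3) if passwords else 0.0,
    }


if __name__ == "__main__":
    for key, value in reuse_stats(SAMPLE_LOGINS).items():
        print(f"{key:12} {value}")
```

For the sample participant, seven logins yield five distinct passwords, two exact repetitions, and one class of four passwords that are all variations on "tiger"; the `reuse_rate` field is the quantity that the results slide says grows with the number of accounts.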
Results and Discussion
  • Participants forgot the password or username but not usually both
  • Even though they had a relatively small number of accounts (7-14), reuse still occurred
  • As the number of accounts grows, reuse frequency increases
User Priority and Password Justification, 1
  • Sites use login information for different things
  • E-commerce vs. New York Times.com
  • Varying levels of usage confuse users; they perceive little benefit
  • Number-one reason for password reuse: “It will be easier for me to remember”
User Priority and Password Justification, 2
  • Sites were also categorized by the users themselves (e.g. message boards vs. banking) with respect to password strength and reuse
  • Students were motivated to use unique passwords when financial information or personal correspondence was at stake
Password Storage
  • Memory was the number one storage tool
  • Some users used cookies, i.e. “remember me”
  • Others used the embedded features of their browser to remember their passwords
  • Still, these methods ranked far below memory
Who will attack?
  • Participants were asked to rank in terms of ability, then in terms of motivation, then in terms of both
  • One group felt that a non-affiliated person would have the most to gain and hence would be the likely attacker
  • Others felt that those close to them had both the interest and the access and hence would be the more likely attacker
Strength of Passwords
  • If those closest to us are the most able to crack our passwords, this should influence what users perceive as a strong password
  • By asking users to rank the security of three different passwords, the authors tried to understand users' perception of security
  • This led to the realization that most participants envisioned a human attacker using a guess-and-check methodology
Conclusions
  • Many password management tools do not facilitate the user's main tool: memory
  • Instead of just filling in the user's password, management tools could display it against a low-contrast background until the user has learned it, after which the feature can be turned off
  • Also, websites can use challenge-response for password recovery instead of email
Conclusions, 2
  • Users misunderstand the nature of attacks and attackers
  • Explaining dictionary attacks in password strengthening tips helps.
  • Existing tools are not equipped to deal with the problem of password reuse
  • Users would most likely be able to adopt tools that aid them in password management
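The two slides on perceived strength and on dictionary-attack tips make one point together: a guess-and-check mental model rewards mixed character classes, while the variants an attacker actually tries are dictionary words with a few routine changes. As an added example (written for this page, not taken from the slides or the paper), the following Python contrasts the two views in strength-tip form. The word list, the symbol-substitution table and the message text are constructed for illustration; a real strength meter would load a far larger dictionary.

```python
import math
import re

# Constructed stand-in for a cracking dictionary (assumption: a real strength
# meter would load tens of thousands of words; this is a toy list).
COMMON_WORDS = {
    "tiger", "password", "dragon", "monkey", "letmein", "summer",
    "welcome", "princess", "football", "qwerty", "sunshine",
}

# Symbol-for-letter swaps that dictionary attacks routinely undo before
# comparing against the word list (one common reading per symbol).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def dictionary_stem(password):
    """Reduce a password to the word it is most likely built on.

    Lowercase, drop leading/trailing digits and punctuation (years, '!' ...),
    then undo leet swaps: 'Tiger2005!' -> 'tiger', 'P@ssw0rd' -> 'password'.
    """
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def naive_keyspace_bits(password):
    """Strength as a guess-and-check model sees it: log2(alphabet ** length)."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password, words=COMMON_WORDS):
    """Return (dictionary_based, naive_bits, tip) for a candidate password."""
    bits = naive_keyspace_bits(password)
    stem = dictionary_stem(password)
    if stem in words:
        tip = (f"Built on the dictionary word '{stem}' with common changes "
               f"(capitals, digits, symbol swaps); a dictionary attack tries "
               f"exactly these variants, so the brute-force estimate of "
               f"{bits:.0f} bits overstates its strength.")
        return True, bits, tip
    return False, bits, f"No dictionary stem found; brute-force estimate {bits:.0f} bits."


if __name__ == "__main__":
    for candidate in ("T1g3r!", "P@ssw0rd", "Tiger2005!", "correct horse battery"):
        based, bits, tip = assess(candidate)
        print(f"{candidate!r}: {tip}")
```

The tip text is the part that the conclusions slide argues for: a meter that only reports the 39-bit keyspace of `T1g3r!` reinforces the human-guesser model, whereas naming the underlying word and the attacker's normalisation explains why the change of case and digits buys little.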