Password management strategies for online accounts
Presentation Transcript



Password Management Strategies for Online Accounts

Gaw & Felten Optional Reading



Background

  • Users often are the enemy

  • Non-compliance with password practices occurs and undermines the system

  • Paper studies broad password practices

  • Proliferation of website logins

  • Quantifies and surveys the factors relating to password reuse



Related Work

  • Some papers have tried to address the problem of poor password practices

  • Some have suggested graphical passwords, i.e. pictures or points in an image

  • Others have looked at password hashing schemes with a ‘master’ password



Study Details, 1

  • Users were asked to evaluate their likelihood of attack from different groups

  • How did users justify subverting password policy?

  • The study collected information based on participants' login attempts to websites; participants were then asked how many passwords they used



Study Details, 2

  • First pass – Participants were prompted with a list of sites by category

  • Record if they have an account

  • If yes, then 90 seconds to login to the website

  • Success = write down the password; failure = the user explains why

  • Recorded: # of passwords collected, # of unique passwords, the size of classes of similar passwords, # of password repetitions, and # of passwords with related meanings.
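The counts listed on this slide can be computed mechanically once a participant's passwords are collected. The following Python is an added example, not code from the paper or the presentation; it uses a constructed set of one participant's site/password pairs, and it assumes that two passwords are "similar" when they share the same core after case, punctuation and trailing digits are removed (the slide does not define similarity, so that rule is an assumption).

```python
"""Password-reuse metrics in the style of the Gaw & Felten study (added example)."""
import re
from collections import Counter

# Constructed sample: one participant's accounts and the passwords written down
SAMPLE = {
    "bank": "Tiger2007!",
    "email": "tiger2007",
    "news": "tiger",
    "forum": "tiger",
    "shop": "Tiger2007!",
    "blog": "catlover",
    "wiki": "CatLover1",
}


def normalize(pw: str) -> str:
    """Canonical core used to group 'similar' passwords (assumed rule).

    Lowercase, drop punctuation, strip trailing digits; all-digit passwords
    keep their digits so they are not collapsed into one empty class.
    """
    base = re.sub(r"[^a-z0-9]", "", pw.lower())
    core = base.rstrip("0123456789")
    return core or base


def reuse_metrics(passwords: list[str]) -> dict:
    """Return the per-participant counts recorded in the study."""
    exact = Counter(passwords)
    # Group distinct passwords by their normalized core
    classes: dict[str, set[str]] = {}
    for pw in exact:
        classes.setdefault(normalize(pw), set()).add(pw)
    # Sizes of classes that actually contain more than one distinct variant
    class_sizes = sorted((len(c) for c in classes.values() if len(c) > 1), reverse=True)
    # Accounts protected by a password that is used verbatim on another site
    shared_accounts = sum(n for n in exact.values() if n > 1)
    return {
        "collected": len(passwords),
        "unique": len(exact),
        "repetitions": len(passwords) - len(exact),
        "class_sizes": class_sizes,
        "accounts_with_reused_password": shared_accounts,
    }


if __name__ == "__main__":
    for key, value in reuse_metrics(list(SAMPLE.values())).items():
        print(f"{key}: {value}")
```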



Study Details, 3

  • The second pass was open, no list

  • Record all other sites that you use a password for

  • Aggregate these statistics from the first pass



Results and Discussion

  • Participants forgot the password or username but not usually both

  • Even though they had a relatively small number of accounts (7-14), reuse still occurred

  • As the number of accounts grows, reuse frequency increases



User Priority and Password Justification, 1

  • Sites use login information for different things

  • E-commerce vs. New York Times.com

  • Varying level of usage confuses users; they perceive little benefit.

  • Number One reason for password reuse: “It will be easier for me to remember”.



User Priority and Password Justification, 2

  • Sites were also categorized by users, e.g. message boards vs. banking, for password strength and reuse

  • Students were motivated toward unique passwords when financial information or personal correspondence was at stake



Password Storage

  • Memory was the number one storage tool

  • Some users used cookies, i.e. “remember me”

  • Others used the embedded features of their browser to remember their passwords

  • Still, these methods were far down the list in favor of memory



Who will attack?

  • Participants were asked to rank in terms of ability, then in terms of motivation, then in terms of both

  • One group felt that a non-affiliated person would have the most to gain and hence would be the likely attacker

  • Others felt that those close to them had both the interest and the access, and hence would be the more likely attacker



Strength of Passwords

  • If those closest to us are the most able to crack our passwords, this should influence what users perceive as a strong password

  • By asking users to rank the security of 3 different passwords, they attempted to understand the user perception of security

  • This led to the realization that most participants envisioned a human attacker, using a guess-and-check methodology



Conclusions

  • Many password management tools do not support the user's main tool – memory

  • Instead of just filling in the user password, management tools could display it in a low contrast background until they learn it, then they can turn it off.

  • Also, websites can use challenge-response for password recovery instead of email



Conclusions, 2

  • Users misunderstand the nature of attacks and attackers

  • Explaining dictionary attacks in password strengthening tips helps.

  • Existing tools are not equipped to deal with the problem of password reuse

  • Users would most likely be able to adopt tools that aid them in password management

