Password management strategies for online accounts

Slide deck on Gaw & Felten (Optional Reading)

Background

  • Users often are the enemy

  • Non-compliance with password practices occurs and undermines the system

  • Paper studies broad password practices

  • Proliferation of website logins

  • Quantifies and surveys the factors relating to password reuse

Related Work

  • Some papers have tried to address the problem of poor password practices

  • Some have suggested graphical passwords, i.e. pictures or points in an image

  • Others have looked at password hashing schemes with a ‘master’ password
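As an added illustration of the second kind of related work (a master-password hashing scheme), the block below is example code written for this summary, not code from Gaw & Felten or from any particular tool: one memorised master password is key-stretched and then used as an HMAC key over the site name, so every site gets a different password and a leak at one site reveals nothing about the others. The salt, the round count, the sample sites and the master phrase are arbitrary assumptions.

```python
# Added example, not code from Gaw & Felten or from any particular tool:
# a minimal master-password hashing scheme of the kind the Related Work
# slide mentions. One memorised master secret yields a different password
# per site, so reuse of the master does not mean reuse of site passwords.
# The salt, the sample sites and the master phrase are arbitrary assumptions.
import base64
import hashlib
import hmac

DEMO_SALT = b"master-pw-demo-v1"  # public constant; the master password is the only secret
PBKDF2_ROUNDS = 100_000             # slows brute force on the master if a site password leaks


def normalize_site(url: str) -> str:
    """Reduce a URL to a host label so https://www.example.com/login
    and http://example.com derive the same site password."""
    host = url.split("://", 1)[-1].split("/", 1)[0].lower()
    host = host.split("@")[-1].split(":")[0]   # drop userinfo and port
    if host.startswith("www."):
        host = host[4:]
    return host


def master_key(master: str) -> bytes:
    """Key-stretch the memorised master password."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), DEMO_SALT, PBKDF2_ROUNDS)


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive a site-specific password: HMAC(site name) under the stretched master key.
    Knowing one site's output does not reveal the key or any other site's output."""
    tag = hmac.new(master_key(master), normalize_site(url).encode("utf-8"), hashlib.sha256).digest()
    # base64 gives letters, digits and '+' '/'; truncate to the site's length limit
    return base64.b64encode(tag).decode("ascii")[:length]


if __name__ == "__main__":
    for site in ("https://www.bank.example/login", "http://bank.example", "https://forum.example"):
        print(f"{site:35} {site_password('correct horse battery', site)}")
```

The weak point such schemes share is the master password itself: because the site name is public, an attacker holding one site's password can run an offline guessing attack on the master, which is why the derivation is key-stretched here and why real tools also have to cope with per-site composition rules and length limits.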

Study Details, 1

  • Users were asked to evaluate their likelihood of attack from different groups

  • How did users justify subverting password policy?

  • This study collected information from participants' login attempts to websites, then asked them how many passwords they used

Study Details, 2

  • First pass – Participants were prompted with a list of sites by category

  • Record if they have an account

  • If yes, then 90 seconds to login to the website

  • Success: write down the password; failure: the user explains why

  • Recorded: # of passwords collected, # of unique passwords, the size of classes of similar passwords, # of password repetitions, and # of passwords with related meanings.
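To make the recorded quantities concrete, the block below is an added example (not code or data from the paper) that computes them for one constructed participant's first-pass results. The rule used for "similar" passwords, same core after dropping case and leading or trailing digits and symbols, is an assumption made here; "related meaning" requires a human coder and is not computed.

```python
# Added example, not code or data from the paper: computing the per-participant
# statistics the Study Details slide lists from one (constructed) participant's
# first-pass results. The "similar password" rule (same core after dropping
# case and leading/trailing digits or symbols) is an assumption made here;
# "related meaning" needs a human coder and is not computed.
import re
from collections import Counter, defaultdict

# Constructed sample: site -> password written down on a successful login,
# None where the participant could not log in within 90 seconds.
SAMPLE_PARTICIPANT = {
    "bank.example": "Qx7!mPr2",
    "webmail.example": "tiger1",
    "forum.example": "tiger",
    "shop.example": "tiger99",
    "news.example": "tiger1",
    "wiki.example": None,
}


def password_core(pw: str) -> str:
    """Lower-case and strip leading/trailing digits and symbols, so 'Tiger99' and
    'tiger1' share the core 'tiger' and count as similar passwords."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())


def reuse_stats(accounts: dict) -> dict:
    """Return the counts the study recorded for one participant."""
    collected = [pw for pw in accounts.values() if pw is not None]
    exact = Counter(collected)
    classes = defaultdict(set)
    for pw in collected:
        classes[password_core(pw)].add(pw)
    return {
        "failed_logins": sum(1 for pw in accounts.values() if pw is None),
        "collected": len(collected),
        "unique": len(exact),
        "repetitions": sum(n - 1 for n in exact.values()),  # extra uses of an exact password
        "class_sizes": sorted((len(s) for s in classes.values()), reverse=True),
        "reuse_rate": round(1 - len(exact) / len(collected), 2) if collected else 0.0,
    }


if __name__ == "__main__":
    for key, value in reuse_stats(SAMPLE_PARTICIPANT).items():
        print(f"{key:14} {value}")
```

For the sample above, five passwords are collected, four are exactly unique, one is an exact repetition, and the similarity classes have sizes 3 and 1: the "tiger" family is the kind of near-reuse that exact-match counting alone would miss.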

Study Details, 3

  • The second pass was open, no list

  • Record all other sites that you use a password for

  • Aggregate these statistics with those from the first pass

Results and Discussion

  • Participants forgot the password or username but not usually both

  • Even though they had a relatively small number of accounts (7-14), reuse still occurred

  • As the number of accounts grows, reuse frequency increases

User Priority and Password Justification, 1

  • Sites use login information for different things

  • E-commerce vs. New York

  • Varying levels of use confuse users; they perceive little benefit in keeping passwords separate.

  • Number One reason for password reuse: “It will be easier for me to remember”.

User Priority and Password Justification, 2

  • Sites were also categorized by the users, e.g. message boards vs. banking, by password strength and reuse

  • Students were motivated toward uniqueness when financial information or personal correspondence was at stake

Password Storage

  • Memory was the number one storage tool

  • Some users used cookies, i.e. “remember me”

  • Others used the embedded features of their browser to remember their passwords

  • Still, these methods were far down the list in favor of memory

Who will attack?

  • Participants were asked to rank in terms of ability, then in terms of motivation, then in terms of both

  • One group felt that an unaffiliated person would have the most to gain, and hence be the likely attacker

  • Others felt that those close to them had both the interest and the access, and hence would be the more likely attacker

Strength of Passwords

  • If those closest to us are the most able to crack our passwords, this should influence what users perceive as a strong password

  • By asking users to rank the security of 3 different passwords, the authors attempted to understand the users' perception of security

  • This led to the realization that most participants envisioned a human attacker, using a guess-and-check methodology

Conclusions, 1

  • Many password management tools do not facilitate the users' main tool – memory

  • Instead of just filling in the user's password, management tools could display it in low contrast until the user has learned it, then let them turn it off.

  • Also, websites can use challenge-response for password recovery instead of email

Conclusions, 2

  • Users misunderstand the nature of attacks and attackers

  • Explaining dictionary attacks in password strengthening tips helps.

  • Existing tools are not equipped to deal with the problem of password reuse

  • Users would most likely be able to adopt tools to aid them in password management
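The slides say that explaining dictionary attacks helps, and that participants pictured a human guess-and-check attacker instead. The block below is an added example written for this summary, not from the paper or the slides, that puts the two side by side: a rule-based dictionary attack that mangles a wordlist with common suffixes, capitalisation and leet substitutions, next to a person trying a few guesses. The wordlist, the rule set and the use of unsalted SHA-256 are simplifications assumed for the demo; a real cracker uses a far larger wordlist and targets whatever (ideally salted, slow) hash the site stores.

```python
# Added example, not from the paper or slides: what the "dictionary attack" the
# Conclusions slide wants explained actually looks like, next to a human
# guess-and-check attacker. A real cracker uses a large wordlist and salted,
# slow hashes; the tiny wordlist, the rule set and unsalted SHA-256 here are
# simplifications made for the demo.
import hashlib
from typing import Iterator, Optional, Tuple

WORDLIST = ["password", "tiger", "princeton", "letmein"]  # constructed, tiny
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "123", "2008"]
LEET = str.maketrans("aeio", "@310")


def candidates(wordlist) -> Iterator[str]:
    """Apply mangling rules: word as-is, capitalised, leet-speak, each with common suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.translate(LEET)):
            for suffix in SUFFIXES:
                yield base + suffix


def sha256_hex(pw: str) -> str:
    """Stand-in for the password hash a site stores (unsalted here for simplicity)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Try every mangled candidate against the hash. Returns (password or None, guesses made)."""
    guesses = 0
    for guesses, cand in enumerate(candidates(wordlist), 1):
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


def human_guess_and_check(target_hash: str, guesses: list) -> Tuple[Optional[str], int]:
    """The attacker participants imagined: a person typing a handful of guesses."""
    for i, cand in enumerate(guesses, 1):
        if sha256_hex(cand) == target_hash:
            return cand, i
    return None, len(guesses)


if __name__ == "__main__":
    for pw in ("Tiger99", "Qx7!mPr2"):
        h = sha256_hex(pw)
        print(pw, "human:", human_guess_and_check(h, ["tiger", "Tiger", "tiger1"]),
              "dictionary:", dictionary_attack(h))
```

"Tiger99" survives the three human guesses but falls to the dictionary attack after a few hundred automated tries, while "Qx7!mPr2" is outside the mangled wordlist entirely; that gap between the imagined attacker and the automated one is the point the slide says strengthening tips should explain.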