1 / 14

Password Management Strategies for Online Accounts

Password Management Strategies for Online Accounts . Gaw & Felten Optional Reading. Background. Users often are the enemy Non-compliance with password practices occurs and undermines the system Paper studies broad password practices Proliferation of website logins

slade
Download Presentation

Password Management Strategies for Online Accounts

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Password Management Strategies for Online Accounts Gaw & Felten Optional Reading

  2. Background • Users often are the enemy • Non-compliance with password practices occurs and undermines the system • Paper studies broad password practices • Proliferation of website logins • Quantifies and surveys the factors relating to password reuse

  3. Related Work • Some papers have tried to address the problem of poor password practices • Some have suggested graphical passwords, i.e. pictures or points in an image • Others have looked at password hashing schemes with a ‘master’ password

  4. Study Details, 1 • Users were asked to evaluate their likeliehood of attack from different groups • How did users justify subverting password policy? • This study collected information based on login attempts to websites and then were asked how many passwords they used

  5. Study Details, 2 • First pass – Participants were prompted with a list of sites by category • Record if they have an account • If yes, then 90 seconds to login to the website • Success= Write down the password, Failure= User explain why • Recorded: # of passwords collected, # of unique passwords, the size of classes of similar passwords, # of password repetitions, and # of passwords with related meanings.

  6. Study Details, 3 • The second pass was open, no list • Record all other sites that you use a password for • Aggregate these statistics from the first pass

  7. Results and Discussion • Participants forgot the password or username but not usually both • Even though they had a relatively small number of accounts (7-14), reuse still occurred • As the number of accounts grows, reuse frequency increases

  8. User Priority and Password Justification, 1 • Sites use login information for different things • E-commerce vs. New York Times.com • Varying level of usage confuses users; they perceive little benefit. • Number One reason for password reuse: “It will be easier for me to remember”.

  9. User Priority and Password Justification, 2 • Sites were also user categorized, i.e. message boards vs. banking, for strength and reuse • Students were motivated to uniqueness when concerned with financial information and personal correspondence

  10. Password Storage • Memory was the number one storage tool • Some users used cookies, i.e. “remember me” • Others used the embedded features of their browser to remember their passwords • Still, these methods were far down the list in favor of memory

  11. Who will attack? • Participants were asked to rank in terms of ability, then in terms of motivation, then in terms of both • One group felt that non-affiliated person would have the most to gain, hence being likely attacker • Others felt that those close to them had the interest and the access and hence would be more likely an attacker

  12. Strength of Passwords • If those closest are most able to crack us, then this should influence what users perceive as a strong password • By asking users to rank the security of 3 different passwords, they attempted to understand the user perception of security • This led to the realization that most participants envisioned a human attacker, using a guess-and-check methodology

  13. Conclusions • Many password management tools do not facilitate the users main tool – memory • Instead of just filling in the user password, management tools could display it in a low contrast background until they learn it, then they can turn it off. • Also, websites can use challenge-response for password recovery instead of email

  14. Conclusions, 2 • Users misunderstand the nature of attacks and attackers • Explaining dictionary attacks in password strengthening tips helps. • Existing tools are not equipped to deal with the problem of password reuse • Users most likely be able to adopt tools to aid them in password management

More Related