Password Management Strategies for Online Accounts Gaw & Felten Optional Reading
Background
• Users often are the enemy
• Non-compliance with password practices occurs and undermines the system
• Paper studies broad password practices
• Proliferation of website logins
• Quantifies and surveys the factors relating to password reuse
Related Work
• Some papers have tried to address the problem of poor password practices
• Some have suggested graphical passwords, i.e. pictures or points in an image
• Others have looked at password hashing schemes with a ‘master’ password
Study Details, 1
• Users were asked to evaluate their likelihood of attack from different groups
• How did users justify subverting password policy?
• This study collected information based on login attempts to websites; participants were then asked how many passwords they used
Study Details, 2
• First pass: participants were prompted with a list of sites by category
• Record whether they have an account
• If yes, then 90 seconds to log in to the website
• Success: write down the password; failure: the user explains why
• Recorded: # of passwords collected, # of unique passwords, the size of classes of similar passwords, # of password repetitions, and # of passwords with related meanings
Study Details, 3
• The second pass was open, with no list
• Record all other sites that you use a password for
• Aggregate these with the statistics from the first pass
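As an added example (not from the paper or these slides), the per-participant figures recorded in the first pass can be tabulated over a constructed set of site/password pairs; the similarity rule used to group related passwords is an assumption, since the slides do not say how the paper defined a class of similar passwords.

```python
from collections import Counter
import re

# Constructed sample: one participant's (site, password) pairs, modelled on
# the study's first pass. All values are invented for illustration only.
SAMPLE = [
    ("bank", "Tr0ub4dor&3"),
    ("email", "sunshine1"),
    ("forum", "sunshine"),
    ("shop", "sunshine1"),
    ("news", "Sunshine2"),
    ("university", "bluefish"),
    ("music", "bluefish"),
]


def similarity_key(password: str) -> str:
    """Collapse trivially related variants into one class.

    Assumption (not the paper's definition): passwords that differ only by
    letter case or by trailing digits/punctuation are treated as 'similar'.
    """
    return re.sub(r"[\d\W_]+$", "", password.lower())


def reuse_stats(records):
    """Compute the figures the slides list for one participant."""
    passwords = [pw for _, pw in records]
    exact = Counter(passwords)
    classes = Counter(similarity_key(pw) for pw in passwords)
    return {
        "collected": len(passwords),
        "unique": len(exact),
        # one repetition for every extra occurrence of the same password
        "repetitions": sum(n - 1 for n in exact.values() if n > 1),
        # sizes of the similarity classes, largest first
        "class_sizes": sorted(classes.values(), reverse=True),
        "reuse_rate": round(1 - len(exact) / len(passwords), 2),
    }


def sites_sharing_with(records, site):
    """Other sites whose password falls in the same class as `site`'s.

    Useful for the question the slides raise later: is a high-value site's
    password (e.g. banking) isolated, or shared with low-value accounts?
    """
    by_site = dict(records)
    key = similarity_key(by_site[site])
    return sorted(s for s, pw in records if s != site and similarity_key(pw) == key)
```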
Results and Discussion
• Participants forgot the password or the username, but not usually both
• Even though they had a relatively small number of accounts (7-14), reuse still occurred
• As the number of accounts grows, reuse frequency increases
User Priority and Password Justification, 1
• Sites use login information for different things
• E-commerce vs. New York Times.com
• Varying levels of usage confuse users; they perceive little benefit
• Number one reason for password reuse: “It will be easier for me to remember”
User Priority and Password Justification, 2
• Sites were also categorized by users, i.e. message boards vs. banking, for strength and reuse
• Students were motivated to use unique passwords when concerned with financial information and personal correspondence
Password Storage
• Memory was the number one storage tool
• Some users used cookies, i.e. “remember me”
• Others used the embedded features of their browser to remember their passwords
• Still, these methods were far down the list in favor of memory
Who will attack?
• Participants were asked to rank attackers in terms of ability, then in terms of motivation, then in terms of both
• One group felt that a non-affiliated person would have the most to gain and would hence be the likely attacker
• Others felt that those close to them had both the interest and the access, and hence would more likely be the attacker
Strength of Passwords
• If those closest to us are most able to crack our passwords, then this should influence what users perceive as a strong password
• By asking users to rank the security of 3 different passwords, the authors attempted to understand the user perception of security
• This led to the realization that most participants envisioned a human attacker using a guess-and-check methodology
Conclusions
• Many password management tools do not facilitate the users' main tool: memory
• Instead of just filling in the user's password, management tools could display it on a low-contrast background until the user learns it, at which point the feature can be turned off
• Also, websites can use challenge-response for password recovery instead of email
Conclusions, 2
• Users misunderstand the nature of attacks and attackers
• Explaining dictionary attacks in password-strengthening tips helps
• Existing tools are not equipped to deal with the problem of password reuse
• Users would most likely be able to adopt tools to aid them in password management