We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byWilliam Combs
Modified over 2 years ago
© 2006 Richard M. Conlan Interface Designs to Help Users Choose Better Passwords (study design) Richard M. Conlan, Peter Tarasewich Northeastern University College of Computer & Information Science
© 2006 Richard M. Conlan Study Summary Implemented four password selection applets Each applet offers real-time feedback on password quality based on a continuously updated Password Quality Score (PQS) which it submits to the server along with the new password
© 2006 Richard M. Conlan Study Summary (cont.) Embedded applets into Dropbox-Online.com homework submission system Homework submission system implemented in PHP with MySQL database HTTPS site Be careful with SSL certs – browser support doesnt mean it is supported by Java, etc.
© 2006 Richard M. Conlan Study Summary (cont.) Decided to do a between-user study due to concern about confusion / learning effects Evenly distributed the password selection applets over the user population Forced users to change their passwords at three points in the semester Informed users of the study and got consent at the end of the semester
© 2006 Richard M. Conlan Help How should the Help be worded? Should it be specific to the applet? We decided to use the same Help across accounts, and based it on standard Help messages found on various web sites Might the users confusion at the password applet cause a problem that might be remedied by adequate help?
© 2006 Richard M. Conlan Structural Decisions Students were not informed of the study in advance because we felt that informing them that we were focusing on password quality would affect password choice We chose a classroom rather than a lab setting because in the lab it is hard to know if people are choosing realistic passwords and to get a genuine sense of whether people will remember the chosen passwords in a real-world usage setting
© 2006 Richard M. Conlan What to store? Password Quality Score
© 2006 Richard M. Conlan What to store? Password Quality Score Password
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key?
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords?
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords? How many times did the user forget his/her password?
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords? How many times did the user forget his/her password? How many times did the user fail to login because of a bad password entry?
© 2006 Richard M. Conlan Storing Data Secure method of data storage? How to store reversible password? Considered depersonalized database on a separate computer – but realized that this is easy to brute force Considered encrypting under reversible encryption – but software needs key to encrypt/access data Ended up using MySQLs PASSWORD() hash to store password for login purposes and 4096-bit RSA encryption to store the reversible password
© 2006 Richard M. Conlan Other considerations? Trade-off between study results and security of user accounts? Should we require a minimum PQS? Minimum password length? Concern that applets could lead to worse passwords and have an adverse affect on security? Concern that requiring Java could be a problem? Concern that study database could be compromised to harvest data other than password data?
© 2006 Richard M. Conlan IRB We decided to meet with the IRB personal to describe the purpose of the study and why we needed to not divulge information beforehand. Found approval pretty easy once we had adequately explained the purpose of the study, justified the need for deception, and made it clear we were protecting user data. Note that the above was mostly verbal – once we had thoroughly explained it the paperwork just formalized the above in a rather compressed manner Lesson? Go talk to the IRB people.
© 2006 Richard M. Conlan IRB – Multi-tiered Participation We decided to try a multi-tiered consent form that offered students two levels of participation: –I grant the researchers permission to include my Password Quality Score (PQS) data in the study. –I grant the researchers permission to include all of my password data in the study (including my PQS). This turned out to be an excellent idea. Out of ~75 subjects 39 granted PQS access and less than 20 granted full access. Had we just asked for full access we probably would not have ended up with a useful body of data.
© 2006 Richard M. Conlan Soliciting Student Participation Rather than meeting with each student individually to go over debriefing we gave out consent forms, presented an explanation of the study to the class during a normal classroom period allowing for questions and answers, and then collected them after about ten minutes Only about half the subjects gave any sort of consent… …why? We tried to make sure students did not feel compelled to participate and explicitly stated that they would be offered no extra credit. Perhaps we should have offered an alternative incentive? Or given the students more time to decide? Or?
© 2006 Richard M. Conlan Soliciting YOUR Participation We are planning on doing a larger version of the study this fall involving a diverse student population, drawing users from different universities and programs The intent is to make the Dropbox-Online homework submission system available for other classes, and for the collaborating professors/TAs to get IRB approval and solicit student consent for their respective institutions The hopeful outcome will be enough data to draw strong conclusions on password selection UI design and a research paper for CHI2007
© 2006 Richard M. Conlan Questions?
Teachers as researchers and the development of teacher professionalism Dr Ken Chow.
Improving Students Learning Through Internships: An Outcomes-Based Approach Michael S. Miller, Dean of Student Affairs Joseph Coyne, Assistant Dean and.
Qualitative methods - conversation analysis Week 4: More information on writing up a qualitative method study.
Valid or Invalid – Biased or Unbiased An investigation into whether students choose internet search results based on quality and validity of information.
Tom Lewis, Director, Ed-Tech Development Group Educational Partnerships & Learning Technologies Scott Macklin, Director Program for Educational Transformation.
Lesson 8 Data Toss. Key Vocabulary Data: Factual information derived from scientific experiments Hypothesis A possible explanation for observations, facts,
OBAMA ACADEMY. What are my RESPONSIBILITIES??? It is REQUIRED that students: - Choose a topic that fits into one of the subjects on the approved extended.
Android 11: Google Play for Education Kirk Scott 1.
By: Mandi Schumacher. When writing an essay/ paper you spend a lot of time sitting at the computer by yourself, so some people don’t find the point.
Michigan Region of Narcotics Anonymous Regional Phone Line Proposal – August 2007 Is it folly Click to continue… a practical undertaking whose time has.
Selecting Outstanding Teachers for Level 4 Schools Spring 2010 Massachusetts Department of Elementary and Secondary Education.
High School vs. College Bridging the Gap between Disability Services in HS and College.
Quality Tools and Techniques in the School and Classroom.
Data Collection and Aggregation 2/8/2014 Data Collection and Aggregation 1 Presented by AmeriCorps Program Staff and JBS International.
TESOL 2008 Creating and Maintaining A Classroom Community through Writing Online Mary Lee Wholey Miriam Horne Concordia University Continuing Education.
A.MANN ADAPTED FROM HAMILTON AP STATS Chapter 5 Producing Data.
Advanced Topics in Computer Systems (ACS, R01) 12 th October 2010 Steven Hand.
Assessment Photo Album All Subjects Kindergarten.
1 Data Handling at Purdue. Section I The Importance of Data Security (slides 4 – 5) Laws and Policies (Slides 7 – 18) - Federal - State - Purdue Section.
BREVARD EFFECTIVE STRATEGIES FOR TEACHING (B.E.S.T.) Module IV.
1 Experimentation in Software Engineering: an introduction Mariano Ceccato FBK Fondazione Bruno Kessler
Conflict Resolution The Win/Win Approach. The Handshake Exercise Each student will choose a partner roughly the same size as themselves. Each student.
TIPS FOR COMPLETING THE NEW PROTOCOL SUBMISSION The Nova Southeastern University Institutional Review Office has created this guide to facilitate completion.
2012 SQA Central Training (New Centers) Venue – BISU, Beijing 9, Sept am– 5:00 pm Mary Gao.
How to Write a Review Article. Step One: Choose a Good Topic Experienced Chemists would likely choose an area of research they are actively working in.
The. of and a to in is you that it he for.
1 © 2009 University of Wisconsin-Extension, Cooperative Extension, Program Development and Evaluation Surveys.
Introduction to Technology in Student Affairs Course Proposal Fall 2004.
Students managing their learning: an investigation into perspectives and patterns of behaviour of students using the Education Guidance Service (Cal Weatherald;
MASTERING THE ART OF ARGUMENT THROUGH COLLABORATION AND QUESTIONING Leadership, Respect,Teamwork Evaluating Effectiveness Projects/Assignments 1.
© 2016 SlidePlayer.com Inc. All rights reserved.