We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byWilliam Combs
Modified over 4 years ago
© 2006 Richard M. Conlan Interface Designs to Help Users Choose Better Passwords (study design) Richard M. Conlan, Peter Tarasewich Northeastern University College of Computer & Information Science
© 2006 Richard M. Conlan Study Summary Implemented four password selection applets Each applet offers real-time feedback on password quality based on a continuously updated Password Quality Score (PQS) which it submits to the server along with the new password
© 2006 Richard M. Conlan Study Summary (cont.) Embedded applets into Dropbox-Online.com homework submission system Homework submission system implemented in PHP with MySQL database HTTPS site Be careful with SSL certs – browser support doesnt mean it is supported by Java, etc.
© 2006 Richard M. Conlan Study Summary (cont.) Decided to do a between-user study due to concern about confusion / learning effects Evenly distributed the password selection applets over the user population Forced users to change their passwords at three points in the semester Informed users of the study and got consent at the end of the semester
© 2006 Richard M. Conlan Help How should the Help be worded? Should it be specific to the applet? We decided to use the same Help across accounts, and based it on standard Help messages found on various web sites Might the users confusion at the password applet cause a problem that might be remedied by adequate help?
© 2006 Richard M. Conlan Structural Decisions Students were not informed of the study in advance because we felt that informing them that we were focusing on password quality would affect password choice We chose a classroom rather than a lab setting because in the lab it is hard to know if people are choosing realistic passwords and to get a genuine sense of whether people will remember the chosen passwords in a real-world usage setting
© 2006 Richard M. Conlan What to store? Password Quality Score
© 2006 Richard M. Conlan What to store? Password Quality Score Password
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key?
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords?
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords? How many times did the user forget his/her password?
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords? How many times did the user forget his/her password? How many times did the user fail to login because of a bad password entry?
© 2006 Richard M. Conlan Storing Data Secure method of data storage? How to store reversible password? Considered depersonalized database on a separate computer – but realized that this is easy to brute force Considered encrypting under reversible encryption – but software needs key to encrypt/access data Ended up using MySQLs PASSWORD() hash to store password for login purposes and 4096-bit RSA encryption to store the reversible password
© 2006 Richard M. Conlan Other considerations? Trade-off between study results and security of user accounts? Should we require a minimum PQS? Minimum password length? Concern that applets could lead to worse passwords and have an adverse affect on security? Concern that requiring Java could be a problem? Concern that study database could be compromised to harvest data other than password data?
© 2006 Richard M. Conlan IRB We decided to meet with the IRB personal to describe the purpose of the study and why we needed to not divulge information beforehand. Found approval pretty easy once we had adequately explained the purpose of the study, justified the need for deception, and made it clear we were protecting user data. Note that the above was mostly verbal – once we had thoroughly explained it the paperwork just formalized the above in a rather compressed manner Lesson? Go talk to the IRB people.
© 2006 Richard M. Conlan IRB – Multi-tiered Participation We decided to try a multi-tiered consent form that offered students two levels of participation: –I grant the researchers permission to include my Password Quality Score (PQS) data in the study. –I grant the researchers permission to include all of my password data in the study (including my PQS). This turned out to be an excellent idea. Out of ~75 subjects 39 granted PQS access and less than 20 granted full access. Had we just asked for full access we probably would not have ended up with a useful body of data.
© 2006 Richard M. Conlan Soliciting Student Participation Rather than meeting with each student individually to go over debriefing we gave out consent forms, presented an explanation of the study to the class during a normal classroom period allowing for questions and answers, and then collected them after about ten minutes Only about half the subjects gave any sort of consent… …why? We tried to make sure students did not feel compelled to participate and explicitly stated that they would be offered no extra credit. Perhaps we should have offered an alternative incentive? Or given the students more time to decide? Or?
© 2006 Richard M. Conlan Soliciting YOUR Participation We are planning on doing a larger version of the study this fall involving a diverse student population, drawing users from different universities and programs The intent is to make the Dropbox-Online homework submission system available for other classes, and for the collaborating professors/TAs to get IRB approval and solicit student consent for their respective institutions The hopeful outcome will be enough data to draw strong conclusions on password selection UI design and a research paper for CHI2007
© 2006 Richard M. Conlan Questions?
Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
AmeriCorps is introducing a new online payment system for the processing of AmeriCorps forms
Welcome to IRBManager! To access IRBManager, type the following address in your web browser:
Is it Research?. Is It Research? 2 Elements –The project involves a systematic investigation –The design (meaning goal, purpose, or intent) of the investigation.
The Open Ended Response
How to Say “No” and Keep a Good Relationship
May 12, 2015 XSEDE New User Tutorials and User Support: Lessons Learned Marcela Madrid.
Presenter: Kay Fenton UNITEC Institute of Technology Auckland, New Zealand.
Peer assessment of group work using WebPA Neil Gordon Symposium on the Benefits of eLearning Technologies University of Manchester, in conjunction with.
Earth Science With Mrs. Locke. This year! A general overview O All about Earth and Space this year! O We do a lot of labs, group work, art project, notes,
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Agenda Survey service transition and retirement Examining your survey needs Evaluating application features Service providers.
Password Management Strategies for Online Accounts Gaw & Felten Optional Reading.
1 Psych 5500/6500 The t Test for a Single Group Mean (Part 5): Outliers Fall, 2008.
PHP: HYPERTEXT PRE PROCESSOR BY: KAILA ULINE, HILARY PETROKUBI, HAIDAN HU, EMILY MARTIN.
Chapter 5 Database Application Security Models
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
Strategies for Great Classroom Management
August 15 click! 1 Basics Kitsap Regional Library.
Writing Intensive Statistics Course Dr. Renan Sezer LaGuardia Community College.
© 2018 SlidePlayer.com Inc. All rights reserved.