We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byWilliam Combs
Modified over 3 years ago
© 2006 Richard M. Conlan Interface Designs to Help Users Choose Better Passwords (study design) Richard M. Conlan, Peter Tarasewich Northeastern University College of Computer & Information Science
© 2006 Richard M. Conlan Study Summary Implemented four password selection applets Each applet offers real-time feedback on password quality based on a continuously updated Password Quality Score (PQS) which it submits to the server along with the new password
© 2006 Richard M. Conlan Study Summary (cont.) Embedded applets into Dropbox-Online.com homework submission system Homework submission system implemented in PHP with MySQL database HTTPS site Be careful with SSL certs – browser support doesnt mean it is supported by Java, etc.
© 2006 Richard M. Conlan Study Summary (cont.) Decided to do a between-user study due to concern about confusion / learning effects Evenly distributed the password selection applets over the user population Forced users to change their passwords at three points in the semester Informed users of the study and got consent at the end of the semester
© 2006 Richard M. Conlan Help How should the Help be worded? Should it be specific to the applet? We decided to use the same Help across accounts, and based it on standard Help messages found on various web sites Might the users confusion at the password applet cause a problem that might be remedied by adequate help?
© 2006 Richard M. Conlan Structural Decisions Students were not informed of the study in advance because we felt that informing them that we were focusing on password quality would affect password choice We chose a classroom rather than a lab setting because in the lab it is hard to know if people are choosing realistic passwords and to get a genuine sense of whether people will remember the chosen passwords in a real-world usage setting
© 2006 Richard M. Conlan What to store? Password Quality Score
© 2006 Richard M. Conlan What to store? Password Quality Score Password
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key?
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords?
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords? How many times did the user forget his/her password?
© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords? How many times did the user forget his/her password? How many times did the user fail to login because of a bad password entry?
© 2006 Richard M. Conlan Storing Data Secure method of data storage? How to store reversible password? Considered depersonalized database on a separate computer – but realized that this is easy to brute force Considered encrypting under reversible encryption – but software needs key to encrypt/access data Ended up using MySQLs PASSWORD() hash to store password for login purposes and 4096-bit RSA encryption to store the reversible password
© 2006 Richard M. Conlan Other considerations? Trade-off between study results and security of user accounts? Should we require a minimum PQS? Minimum password length? Concern that applets could lead to worse passwords and have an adverse affect on security? Concern that requiring Java could be a problem? Concern that study database could be compromised to harvest data other than password data?
© 2006 Richard M. Conlan IRB We decided to meet with the IRB personal to describe the purpose of the study and why we needed to not divulge information beforehand. Found approval pretty easy once we had adequately explained the purpose of the study, justified the need for deception, and made it clear we were protecting user data. Note that the above was mostly verbal – once we had thoroughly explained it the paperwork just formalized the above in a rather compressed manner Lesson? Go talk to the IRB people.
© 2006 Richard M. Conlan IRB – Multi-tiered Participation We decided to try a multi-tiered consent form that offered students two levels of participation: –I grant the researchers permission to include my Password Quality Score (PQS) data in the study. –I grant the researchers permission to include all of my password data in the study (including my PQS). This turned out to be an excellent idea. Out of ~75 subjects 39 granted PQS access and less than 20 granted full access. Had we just asked for full access we probably would not have ended up with a useful body of data.
© 2006 Richard M. Conlan Soliciting Student Participation Rather than meeting with each student individually to go over debriefing we gave out consent forms, presented an explanation of the study to the class during a normal classroom period allowing for questions and answers, and then collected them after about ten minutes Only about half the subjects gave any sort of consent… …why? We tried to make sure students did not feel compelled to participate and explicitly stated that they would be offered no extra credit. Perhaps we should have offered an alternative incentive? Or given the students more time to decide? Or?
© 2006 Richard M. Conlan Soliciting YOUR Participation We are planning on doing a larger version of the study this fall involving a diverse student population, drawing users from different universities and programs The intent is to make the Dropbox-Online homework submission system available for other classes, and for the collaborating professors/TAs to get IRB approval and solicit student consent for their respective institutions The hopeful outcome will be enough data to draw strong conclusions on password selection UI design and a research paper for CHI2007
© 2006 Richard M. Conlan Questions?
College Level Cooperatively Taught Information Literacy and Subject Area Course Background and Assignments.
May 12, 2015 XSEDE New User Tutorials and User Support: Lessons Learned Marcela Madrid.
Student Preferences For Learning College Algebra in a Web Enhanced Environment Dr. Laura J. Pyzdrowski, Pre-Collegiate Mathematics Coordinator Institute.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
1 Day 2 Logging in, Passwords, Man, talk, write. 2 Logging in Unix is a multi user system –Many people can be using it at the same time. –Connections.
August 15 click! 1 Basics Kitsap Regional Library.
Database Application Security Models Database Application Security Models 1.
Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18,
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
Ethics IRB and Animal Care. Subjects (participants) can always withdraw from participation Determine Risk Minimal or not -if not then need permission.
Sampling is the other method of getting data, along with experimentation. It involves looking at a sample from a population with the hope of making inferences.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
How to Register for CITI Online Ethics Training Courses.
Why it matters Your essay reveals something important about you that your grades and test scores can't—your personality. It can give admission officers.
Research Design. Research is based on Scientific Method Propose a hypothesis that is testable Objective observations are collected Results are analyzed.
Scientific Research Assumes that events are governed by some lawful order.
1 © 2009 University of Wisconsin-Extension, Cooperative Extension, Program Development and Evaluation Getting started with evaluation.
Cell City. Introduction This Webquest is designed to aid students in learning the basic parts of the cell. The student will be required to research.
Institutional Review Board (IRB) What’s New? Rebecca Pliske Chair, Dominican University IRB September 2, 2005.
Welcome to IRBManager! To access IRBManager, type the following address in your web browser: https://irbmanager.becirb.com https://irbmanager.becirb.com.
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
Jay Summet CS 1 with Robots IPRE Evaluation – Data Collection Overview.
REDCap Overview Institute for Clinical and Translational Science Heath Davis Fred McClurg Brian Finley.
Math 010 online work that is due today at the start of class: Gateway Homework #3 (turn in worksheet now, while I take roll) Section 1.2/1.8 Online Homework.
ACIFA Front of Room Welcome!!!!! Discussion New to “Flipping” Where did you hear about it? What 3 things intrigue you the most? Expectations? Have.
REFUSAL SKILLS How to Say “No” and Keep a Good Relationship.
Welcome to the BAA/Fenway Library I am Kathy Lowe, the library director. Your teacher preparation or experience in other schools may not have given you.
Eman Al Abdullah 2007 Prepared by Eman A. Al Abdullah ©
Writing For Researchers 2006 NSF Minority Faculty Development Workshop Jul 30-Aug 2 Malcolm J. Andrews National Security Fellow, LANL Professor Mechanical.
1 Psych 5500/6500 The t Test for a Single Group Mean (Part 5): Outliers Fall, 2008.
Language Arts 3, Segment 2 Family Collaboration Learn how to ARGUE with your family and PASS your SEGMENT 2 EXAM!!
How to Make Yourself More Secure Using Public Computers and Free Public Wi-Fi.
Organizing and Writing a persuasive Essay In this demonstration you will learn four basics steps to writing a persuasive essay. This will provide you with.
Is it Research?. Is It Research? 2 Elements –The project involves a systematic investigation –The design (meaning goal, purpose, or intent) of the investigation.
Agenda Survey service transition and retirement Examining your survey needs Evaluating application features Service providers.
Student Learning Outcomes Assessment Montgomery College Fall 2009 Orientation Workshop.
The Open Ended Response Scoring Guide for Spring 2008.
s By Mollie. Sending an attachment. Explain how you attached the . You attach an by opening a new and writing the subject,
Network and Server Statistics using Cacti. Introduction A tool to monitor, store and present network and system/server statistics Designed around RRDTool.
DIFFERENTIATION STRATEGIES WELCOME Differentiation Strategies: How to Meet the Instructional Needs of Each Student in Your Classroom DOE# IS Brandman.
Web 2.0: Making the Web Work for You - Illustrated Unit C: Collaborating and Sharing Information.
Adrian Ellison Assistant Director, IT Services Wednesday 23 November 2011.
St. Mary’s Catholic School, Mayville Mrs. Kaiser, Technology Teacher.
AmeriCorps Online Payment System Introduction Corporation for National & Community Service (CNCS) AmeriCorps Online Payment System Introduction.
Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Password Management Strategies for Online Accounts Gaw & Felten Optional Reading.
Negotiating access, ethics and the problems of ‘inside’ research.
© 2017 SlidePlayer.com Inc. All rights reserved.