Password Management Strategies for Online Accounts Gaw & Felten Optional Reading

Background Users often are the enemy Non-compliance with password practices occurs and undermines the system Paper studies broad password practices Proliferation of website logins Quantifies and surveys the factors relating to password reuse

Related Work Some papers have tried to address the problem of poor password practices Some have suggested graphical passwords, i.e. pictures or points in an image Others have looked at password hashing schemes with a ‘master’ password

Study Details, 1 Users were asked to evaluate their likeliehood of attack from different groups How did users justify subverting password policy? This study collected information based on login attempts to websites and then were asked how many passwords they used

Study Details, 2 First pass – Participants were prompted with a list of sites by category Record if they have an account If yes, then 90 seconds to login to the website Success= Write down the password, Failure= User explain why Recorded: # Recorded: # of passwords collected, # of unique passwords, the size of classes of similar passwords, # of password repetitions, and # of passwords with related meanings.

Study Details, 3 The second pass was open, no list Record all other sites that you use a password for Aggregate these statistics from the first pass

Results and Discussion Participants forgot the password or username but not usually both Even though they had a relatively small number of accounts (7-14), reuse still occurred As the number of accounts grows, reuse frequency increases

User Priority and Password Justification, 1 Sites use login information for different things E-commerce vs. New York Times.com Varying level of usage confuses users; they perceive little benefit. Number One reason for password reuse: “It will be easier for me to remember”.

User Priority and Password Justification, 2 Sites were also user categorized, i.e. message boards vs. banking, for strength and reuse Students were motivated to uniqueness when concerned with financial information and personal correspondence

Password Storage Memory was the number one storage tool Some users used cookies, i.e. “remember me” Others used the embedded features of their browser to remember their passwords Still, these methods were far down the list in favor of memory

Who will attack? Participants were asked to rank in terms of ability, then in terms of motivation, then in terms of both One group felt that non-affiliated person would have the most to gain, hence being likely attacker Others felt that those close to them had the interest and the access and hence would be more likely an attacker

Strength of Passwords If those closest are most able to crack us, then this should influence what users perceive as a strong password By asking users to rank the security of 3 different passwords, they attempted to understand the user perception of security This led to the realization that most participants envisioned a human attacker, using a guess-and-check methodology

Conclusions Many password management tools do not facilitate the users main tool – memory Instead of just filling in the user password, management tools could display it in a low contrast background until they learn it, then they can turn it off. Also, websites can use challenge- response for password recovery instead of

Conclusions, 2 Users misunderstand the nature of attacks and attackers Explaining dictionary attacks in password strengthening tips helps. Existing tools are not equipped to deal with the problem of password reuse Users most likely be able to adopt tools to aid them in password management