A Usability Study and Critique of Two Password Managers


Presentation Transcript


  1. A Usability Study and Critique of Two Password Managers
     Sonia Chiasson, PC van Oorschot, and Robert Biddle

  2. Overview
     • Introduce PwdHash and Password Multiplier
     • Usability Testing
     • Study Details and Results
     • Lessons Learned - Usability
     • Lessons Learned - Security

  3. Password Managers
     • Shift the burden of creating and remembering strong passwords away from users
       • easier for users
       • better protection
     • e.g.
       • PwdHash (USENIX Security 2005)
       • Password Multiplier (WWW2005)

  4. PwdHash and Password Multiplier
     PwdHash
     • @@ in front of passwords you want to protect
     • potentially different user passwords for each site
     • $\mathrm{hash}(pwd, dom) = \mathrm{PRF}_{pwd}(dom)$
     Password Multiplier
     • one master password, only need to remember one password and it generates the others
     • activate with Alt+P or double-clicking
     • $V = f^{k_1}(username, master\_pwd)$
     • $site\_pwd = f^{k_2}(dom, master\_pwd, V)$

  5. Usability Testing
     • Is this usable? Are there problems?
     • Need to observe real users
       • a few may not be enough
     • Cannot just ask for users’ opinion
     • “the user is not the weakest link – but your interface might be!”

  6. Study Details
     • 26 participants
       • various degree programs, only 4 with technical backgrounds
     • data collection
       • observational data
         • recording task outcomes, difficulties, obvious misconceptions, quotes
       • questionnaire data
         • initial attitudes, opinion after each task, post questionnaires
     • 5 tasks for each plug-in
       • balanced order
       • written instructions
       • think-aloud protocol

  7. Task Completion Results

  8. Questionnaire Responses
     (chart not reproduced; legend: positive, neutral, negative)

  9. Lessons Learned - Usability
     • activation
     • “well I think it did something”
     • once is not enough
     • lack of feedback, invisibility/transparency
     • complete tasks without activation
     • frustration and misconceptions
     • gave up on tasks
     • how system deals with passwords

  10. Lessons Learned - Security
     • Usability problems lead to security vulnerabilities
     • False sense of security
     • Benefits rely on correct operation

  11. Conclusion
     • Usability is a concern because it can directly lead to security vulnerabilities
     • Systems must be tested with real users
     • transparency not always good
     • must support users’ mental models

  12. For more info: http://www.scs.carleton.ca/~schiasso/
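
The two derivations on slide 4, and the silent failure that slides 9 and 10 warn about, as an added example that is not code from the presentation or from either plug-in. Assumptions: HMAC-SHA256 stands in for the PRF, SHA-256 for f, the iteration counts k1 and k2 and the 12-character base64 output are constructed values, and `submitted_value` is a hypothetical model of what a page receives.

```python
import base64
import hashlib
import hmac

PREFIX = "@@"  # PwdHash activation prefix named on slide 4

def _encode(digest: bytes, length: int = 12) -> str:
    # Constructed output encoding (assumption): truncated base64 text.
    return base64.b64encode(digest).decode("ascii")[:length]

def pwdhash_style(pwd: str, dom: str) -> str:
    """hash(pwd, dom) = PRF_pwd(dom); HMAC-SHA256 is the assumed PRF."""
    return _encode(hmac.new(pwd.encode(), dom.encode(), hashlib.sha256).digest())

def _iterate(data: bytes, rounds: int) -> bytes:
    # f^k: apply f (SHA-256, assumed) k times to make guessing slower.
    for _ in range(rounds):
        data = hashlib.sha256(data).digest()
    return data

def multiplier_style(username: str, master_pwd: str, dom: str,
                     k1: int = 20000, k2: int = 200) -> str:
    """V = f^k1(username, master_pwd); site_pwd = f^k2(dom, master_pwd, V)."""
    v = _iterate(f"{username}:{master_pwd}".encode(), k1)
    seed = dom.encode() + b":" + master_pwd.encode() + b":" + v
    return _encode(_iterate(seed, k2))

def submitted_value(typed: str, dom: str) -> str:
    """Model of what the site receives for a typed password field.

    Without the @@ prefix the plug-in never activates, so the typed text
    is sent unchanged and nothing tells the user (slides 9 and 10).
    """
    if typed.startswith(PREFIX):
        return pwdhash_style(typed[len(PREFIX):], dom)
    return typed

if __name__ == "__main__":
    # Constructed sample inputs.
    for dom in ("bank.example", "bank-login.example"):
        print(dom, submitted_value("@@hunter2", dom),
              multiplier_style("alice", "hunter2", dom))
    print("not activated:", submitted_value("hunter2", "bank.example"))
```

A look-alike domain receives a value that is useless at the real site, but only when activation actually happened; the unactivated path hands over the raw password.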
