A Usability Study and Critique of Two Password Managers
Sonia Chiasson, PC van Oorschot, and Robert Biddle
Overview
• Introduce PwdHash and Password Multiplier
• Usability Testing
• Study Details and Results
• Lessons Learned - Usability
• Lessons Learned - Security
Password Managers
• Shift the burden of creating and remembering strong passwords away from users
  • easier for users
  • better protection
• e.g.
  • PwdHash (USENIX Security 2005)
  • Password Multiplier (WWW 2005)
PwdHash and Password Multiplier
• one master password: the user only needs to remember one password and the plug-in generates the others
• potentially different user passwords for each site
PwdHash
• activate by typing @@ in front of passwords you want to protect
• hash(pwd, dom) = PRF_pwd(dom)
Password Multiplier
• activate with Alt+P or by double-clicking the password field
• V = f_k1(username, master_pwd)
• site_pwd = f_k2(dom, master_pwd, V)
Usability Testing
• Is this usable? Are there problems?
• Need to observe real users
  • a few may not be enough
• Cannot just ask for users’ opinion
• “the user is not the weakest link – but your interface might be!”
Study Details
• 26 participants
  • various degree programs, only 4 with technical backgrounds
• data collection
  • observational data
    • recording task outcomes, difficulties, obvious misconceptions, quotes
  • questionnaire data
    • initial attitudes, opinion after each task, post questionnaires
• 5 tasks for each plug-in
  • balanced order
  • written instructions
  • think-aloud protocol
Questionnaire Responses
[chart: questionnaire responses broken down into positive, neutral and negative]
Lessons Learned - Usability
• activation
  • “well I think it did something”
  • once is not enough
• lack of feedback, invisibility/transparency
  • users completed tasks without activation
• frustration and misconceptions
  • gave up on tasks
  • how the system deals with passwords
Lessons Learned - Security
• Usability problems lead to security vulnerabilities
• False sense of security
• Benefits rely on correct operation
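The two derivations on the PwdHash / Password Multiplier slide, and the security lesson that the benefit depends on correct activation, as an added illustration that is not the plug-ins' own code. It assumes HMAC-SHA256 as the PRF / f_k functions, small constructed iteration counts and a simplified base64 output encoding, none of which match the real plug-ins' encoding.

```python
import base64
import hashlib
import hmac

# Constructed illustration: HMAC-SHA256 stands in for PRF_pwd and f_k1/f_k2 from the
# slide; the iteration counts and output encoding are placeholders, not the real ones.


def pwdhash_like(master_pwd: str, domain: str, length: int = 12) -> str:
    """PwdHash-style derivation: hash(pwd, dom) = PRF_pwd(dom), keyed by the master password."""
    digest = hmac.new(master_pwd.encode(), domain.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def multiplier_like(username: str, master_pwd: str, domain: str,
                    k1: int = 100, k2: int = 1000, length: int = 12) -> str:
    """Password Multiplier-style two-stage derivation:
    V = f_k1(username, master_pwd)        (computed once, k1 iterations)
    site_pwd = f_k2(dom, master_pwd, V)   (per site, k2 iterations)
    """
    v = username.encode()
    for _ in range(k1):
        v = hmac.new(master_pwd.encode(), v, hashlib.sha256).digest()
    site = domain.encode() + v
    for _ in range(k2):
        site = hmac.new(master_pwd.encode(), site, hashlib.sha256).digest()
    return base64.b64encode(site).decode()[:length]


def submitted_password(master_pwd: str, domain: str, activated: bool) -> str:
    """What actually leaves the browser. If the plug-in was never activated
    (the failure the study observed), the raw master password goes to the site."""
    if not activated:
        return master_pwd
    return pwdhash_like(master_pwd, domain)


def demo() -> tuple:
    master = "correct horse"  # constructed sample master password
    per_site_differ = pwdhash_like(master, "bank.example") != pwdhash_like(master, "shop.example")
    master_leaked = submitted_password(master, "phish.example", activated=False) == master
    return per_site_differ, master_leaked
```

Running demo() shows both properties at once: the same master password yields unrelated per-site passwords, while a missed activation sends the master password itself.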
Conclusion
• Usability is a concern because it can directly lead to security vulnerabilities
• Systems must be tested with real users
  • transparency is not always good
  • must support users’ mental models
For more info: http://www.scs.carleton.ca/~schiasso/