1 / 38

Password Management Strategies for Online Accounts

Password Management Strategies for Online Accounts. Shirley Gaw , Edward W. Felten Princeton University. Abstract. Average number of unique passwords. 3.31 (n = 49, SD = 1.76). …and average reuse 3.18 ( SD = 2.71). People will reuse passwords more as they acquire more accounts.

malory
Download Presentation

Password Management Strategies for Online Accounts

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Password Management Strategies for Online Accounts Shirley Gaw, Edward W. Felten Princeton University

  2. Abstract Average number of unique passwords 3.31 (n = 49, SD = 1.76) …and average reuse 3.18 (SD = 2.71) People will reusepasswords more as they acquire more accounts

  3. Abstract (continued) Why reuse? The reused ones were easier to remember People rely on their memory rather than store passwords

  4. Abstract (continued) Friends have the greatest ability to attack passwords Participants ranked those closest to them as having the greatest ability to compromise their passwords

  5. Abstract (continued) Knowing personal information about a victim was seen as advantageous People worry more about humanguessing than automated guessing tools

  6. Outline People will reusepasswords more as they acquire more accounts Password Reuse People rely on their memory rather than store passwords Reasons for Reuse Participants ranked those closest to them as having the greatest ability to compromise their passwords Perceptions of Attackers People worry more about humanguessing than automated guessing tools Perceptions of Attacks

  7. 49 58 18 16 40 33 Participants

  8. Outline • Password Reuse • Reasons for Reuse • Perceptions of Attackers • Perceptions of Attack

  9. Password Reuse: Method First Pass: • Select from 139 websites • Login to each website • Self-report summary statistics Second Pass: • List other websites used personally • Re-report summary statistics (n = 49)

  10. Password Reuse: Results Unique passwords M = 3.31, SD = 1.76 (n = 49) Passwords reuse rate M = 3.18, SD = 2.71

  11. Password Reuse: Results People will reusepasswords more as they acquire more accounts

  12. Outline • Password Reuse • Reasons for Reuse • Perceptions of Attackers • Perceptions of Attack

  13. Reasons for Reuse: Method 115 question survey • Demographic information • Explanations of password reuse/avoidance • Descriptions of password creation/storage • Descriptions of password management (n = 58)

  14. Reasons for Reuse: Results Why use a different password? • Security (12) • Website has credit card, etc (11) • Website restricts password format (10) • Website is important (7) • Website is in a particular category (4) • Other (12) Why use a different password? • Security (12) • Website has credit card, etc (11) • Website restricts password format (10) • Website is important (7) • Website is in a particular category (4) • Other (12) I don’t like to think that if someone has access to one of my passwords, she or he could access all of my information for all of the pages I log into.

  15. Reasons for Reuse: Results Why use the same password? It is easier to remember (35)

  16. Reasons for Reuse: Results Why use the same password? It is easier to remember (35) People rely on their memory rather than store passwords

  17. Outline • Password Reuse • Reasons for Reuse • Perceptions of Attackers • Perceptions of Attack

  18. Perceptions of Attackers: Method • Who could compromise password? Rank • Ability • Motivation • Likelihood • Categories of people • Friend • Acquaintance (tech & non-tech) • Competitor • Insider • Hacker (n = 56)

  19. Most Able Attackers (n = 56)

  20. Least Able Attackers (n = 54)

  21. Most Motivated Attackers (n = 56)

  22. Least Motivated Attackers (n = 56)

  23. Most Likely Attackers (n = 56)

  24. Least Likely Attackers (n = 55)

  25. Likely attackers:Motivated or Able? • Logit regression on ranking responses* • Odds on ranking someone as likely • Motivation: 6.28 x • Ability: 3.82 x *Thanks to Pierre-Antoine Kremp

  26. Perceptions of Attackers: Results Participants ranked those closest to them as having the greatest ability to compromise their passwords

  27. Outline • Password Reuse • Reasons for Reuse • Perceptions of Attackers • Perceptions of Attack

  28. Perceptions of Attacks: Method Given: 13 tips for creating strong passwords • 3 passwords • Password construction method Task: • Rank passwords by strength • Explain ranking (n = 56)

  29. Perceptions of Attacks: Results PrincetonNJ is too easy for someone to guess if they know whereyou live One would have to know her decently well to know her favorite novel

  30. Perceptions of Attacks: Results People worry more about humanguessing than automated guessing tools

  31. GoodNews / BadNews • Goodnews: Participants understood the threat posed by those closest to them • Badnews: They didn’t understand the threat of dictionary attacks

  32. GoodNews / BadNews • Goodnews: Participants were concerned about the weakness of poor passwords • Goodnews: They relied on their memory rather than poorly secured storage (ie., paper) • Badnews: They feel and act as if they do not have any better tools or strategies

  33. GoodNews / BadNews • Goodnews: Participants had few accounts with password authentication • Badnews: They had even fewer passwords

  34. Outline • Password Reuse • Reasons for Reuse • Perceptions of Attackers • Perceptions of Attack

More Related