How Does Your Password Measure Up
The Effect of Strength Meters on Password Creation
Rui Xie

Password Meters
• Users receive feedback when creating a password
• Password meters help users create “STRONG” passwords
• Widely used
• Different shapes and sizes

Primary Research Questions
• The effect of meters on password:
  • Composition
  • Guessability
  • Creation process
  • Memorability
  • User sentiment
• Important elements of meter design

Methodology
• Online study with 2931 participants
• Between-subjects design
• Study in 2 parts, lasting 2 or more days
• Part 1: create a password and take a survey about creation (48 hours)
• Part 2: re-enter the password and answer a survey on remembering the password

Conditions
• Control conditions
• Visual differences
• Scoring differences
• Both visual & scoring differences

Control Conditions
• Conditions to which all others were compared
• No meter: no feedback
• Baseline meter: standard password meter

Visual Differences
• Three-segment
• Green
• Tiny
• Huge
• No suggestions
• Text-only
• Bunny condition

Scoring Differences
• Half-score
• One-third-score
• Nudge-16
• Nudge-comp8

Visual & Scoring Differences
• Text-only-half
• Bold-text-only-half

Stringent Meters
• Half-score
• One-third-score
• Text-only-half
• Bold-text-only-half

Metrics for Results
• Composition
• Guessability
• Creation process
• Memorability
• Sentiment

Composition
• Password length

Guessability
• Threat model: offline attack
• Weak adversary: 500 million guesses
• Medium adversary: 50 billion guesses
• Strong adversary: 5 trillion guesses

Process of Creating Password
• Time spent creating the password
• Changing one's mind while creating the password

Memorability
• Password still remembered after 5 minutes, with the same effect 2 days later
• Return rate
• Writing the password down or using electronic devices to record it

Sentiment
• Different levels of agreement with 14 statements on password creation and password meters
• Results
  • Stringent meters are a bit more annoying
  • Stringent meters violate expectations

Meters Matter
• Meters lead to longer passwords
• Stringent meters reduce guessability
• Memorability is not affected by meters
• Overly stringent meters don’t add benefits