Sanam Ghorbani Lyastani,Michael Schilling,Sascha Fahl,Sven Bugiel,Michael Backes

DOI: https://doi.org/10.48550/arXiv.1712.08940

2017-12-24

Abstract:Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, end-users are very often referred to password managers as a solution to the password reuse and password weakness problems. However, to date the actual impact of password managers on password security and reuse has not been studied systematically. In this paper, we provide the first large-scale study of the password managers' influence on users' real-life passwords. From 476 participants of an online survey on users' password creation and management strategies, we recruit 170 participants that allowed us to monitor their passwords in-situ through a browser plugin. In contrast to prior work, we collect the passwords' entry methods (e.g., human or password manager) in addition to the passwords and their metrics. Based on our collected data and our survey, we gain a more complete picture of the factors that influence our participants' passwords' strength and reuse. We quantify for the first time that password managers indeed benefit the password strength and uniqueness, however, also our results also suggest that those benefits depend on the users' strategies and that managers without password generators rather aggravate the existing problems.

Cryptography and Security

Eryn Ma,Summer Hasama,Eshaan Lumba,Eleanor Birrell

DOI: https://doi.org/10.48550/arXiv.2201.01350

2022-01-04

Cryptography and Security

Abstract:User-chosen passwords remain essential to online security, and yet people continue to choose weak, insecure passwords. In this work, we investigate whether prospect theory, a behavioral model of how people evaluate risk, can provide insights into how users choose passwords and whether it can motivate new designs for password selection mechanisms that will nudge users to select stronger passwords. We ran a user study with 762 participants, and we found that an intervention guided by prospect theory -- which leverages the reference-dependence effect by framing selecting weak passwords as a loss relative to choosing a stronger password -- causes approximately 25% of users to improve the strength of their password (significantly more than alternative interventions) and reduced the final number of weak passwords by approximately 25%. We also evaluate the relation between user behavior and users' mental models of hacking and password attacks. These results provide guidance for designing and implementing account registration mechanisms that will significantly improve the strength of user-selected passwords, thereby leveraging insights from prospect theory to improve the security of systems that use password-based authentication.

Sean Oesch,Scott Ruoti

DOI: https://doi.org/10.48550/arXiv.1908.03296

2019-08-09

Cryptography and Security

Abstract:Password managers have the potential to help users more effectively manage their passwords and address many of the concerns surrounding password-based authentication, however prior research has identified significant vulnerabilities in existing password managers. Since that time, five years has passed, leaving it unclear whether password managers remain vulnerable or whether they are now ready for broad adoption. To answer this question, we evaluate thirteen popular password managers and consider all three stages of the password manager lifecycle--password generation, storage, and autofill. Our evaluation is the first analysis of password generation in password managers, finding several non-random character distributions and identifying instances where generated passwords were vulnerable to online and offline guessing attacks. For password storage and autofill, we replicate past evaluations, demonstrating that while password managers have improved in the half-decade since those prior evaluations, there are still significant issues, particularly with browser-based password managers; these problems include unencrypted metadata, unsafe defaults, and vulnerabilities to clickjacking attacks. Based on our results, we identify password managers to avoid, provide recommendations on how to improve existing password managers, and identify areas of future research.

Gilbert Notoatmodjo,Clark D. Thomborson

2009-01-01

Abstract:The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the 'weakest link' in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. We have studied how users perceive their accounts and their passwords. Our participants mentally classified their accounts and passwords into a few groups, based on a small number of perceived similarities. Our participants used stronger passwords, and reused passwords less, in account groups which they considered more important. Our participants thus demonstrated awareness of the basic tenets of password safety, but they did not behave safely in all respects. Almost half of our participants reused at least one of the passwords in their high-importance accounts. Our findings add to the body of evidence that a typical computer user suffers from 'password overload'. Our concepts of password and account grouping point the way toward more intuitive user interfaces for password-and account-management systems.

Naomi Woods,Mikko Siponen

DOI: https://doi.org/10.1016/j.cose.2023.103589

IF: 5.105

2024-02-01

Computers & Security

Abstract:Password reuse and modification are insecure password behaviors that are becoming increasingly prevalent as users are obliged to remember more passwords to access various digital services. Many users adopt these risky behaviors as a memory strategy in the belief that they have too many passwords for their memories to cope with. One important avenue in password research is metamemory, which encompasses the knowledge and understanding of memory capabilities and strategies. Previous research on password metamemory has examined the role that metamemory plays in memory performance (i.e., how well memory performs) and password recall. However, no previous research to date has investigated whether password reuse and modification are adopted as memory strategies due to an increase in knowledge and understanding of metamemory. To address this gap, two survey studies (Study1: N = 50, Study 2: N = 303) were implemented to examine the role that password metamemory plays in reusing and modifying passwords. Our findings suggest that of all metamemory constructs, users’ anxiety regarding their perceived ability to remember passwords can influence them to reuse and modify their passwords. These findings have potentially important implications because with an enhanced understanding of how users’ anxiety towards remembering passwords influences their security behavior, this could identify means of reducing password reuse and modification, thereby increasing password security and ultimately reduce some of the consequences of insecure password behaviors.

computer science, information systems

Hirak Ray,Flynn Wolf,Ravi Kuber,Adam J. Aviv

DOI: https://doi.org/10.48550/arXiv.2010.01973

2020-10-05

Cryptography and Security

Abstract:Password managers (PMs) are considered highly effective tools for increasing security, and a recent study by Pearman et al. (SOUPS'19) highlighted the motivations and barriers to adopting PMs. We expand these findings by replicating Pearman et al.'s protocol and interview instrument applied to a sample of strictly older adults (>60 years of age), as the prior work focused on a predominantly younger cohort. We conducted n=26 semi-structured interviews with PM users, built-in browser/operating system PM users, and non-PM users. The average participant age was 70.4 years. Using the same codebook from Pearman et al., we showcase differences and similarities in PM adoption between the samples, including fears of a single point of failure and the importance of having control over one's private information. Meanwhile, older adults were found to have higher mistrust of cloud storage of passwords and cross-device synchronization. We also highlight PM adoption motivators for older adults, including the power of recommendations from family members and the importance of education and outreach to improve familiarity.

Yiming Zhao,Wenting Li,Zijian Zhang,Ping Wang

DOI: https://doi.org/10.1109/BigDataService.2019.00029

2019-01-01

Abstract:Based on the ecological user memory, this paper establishes a security strategy model (SSM) to quantify the memory cost of passwords and the value of accounts to users in assword expiration strategy. This paper introduces the theory of human ecological memory to explain the memory cost of account password to users. We experiment on 304 users to prove that when users modify a single account, the security benefits of modifying a high-value account are greater for users. In the case of modifying multiple accounts, modifying accounts with password reuse will gain greater security for users. Experimental results show that when users modify password accounts, adding personal information can increase password strength to some extent while minimizing memory costs. In this paper, we for the first time use user ecological memory as one of the criteria to evaluate user security benefits, which might be the trend of future research on user behavior creating and password modification policy.

Shivam K. Shinde

DOI: https://doi.org/10.22214/ijraset.2022.39970

2022-01-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: The growing number of online services needs users to have control over their password management system (generation, storage, recall). But the demand for total randomness and exclusivity of passwords is impractical in day-to-day life. Each component of a password management system comes with its cognitive burden on a user. There are many password management solutions available for users but every one of them has some drawbacks. Password managers have the ability to help users manage their passwords more successfully while also addressing many of the problems about password-based authentication. In this study, We're analyzing various previous studies regarding the effectiveness, usability, and security of password managers of all categories. Also, we're trying to come up with an ideal set of parameters to build the best possible password management system in 2022. This study will help to understand the key parameters and algorithms that we can use while building the ideal password generation, storage, and recall system for the user.

English Else

Yixin Zou,Khue Le,Peter Mayer,Alessandro Acquisti,Adam J. Aviv,Florian Schaub

2024-05-24

Abstract:We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our online experiment ($n$=$1,386$) compared the effectiveness of a threat appeal (highlighting negative consequences of breached passwords) and a coping appeal (providing instructions on how to change the breached password) in a 2x2 factorial design. Compared to the control condition, participants receiving the threat appeal were more likely to intend to change their passwords, and participants receiving both appeals were more likely to end up changing their passwords; both comparisons have a small effect size. Participants' password change behaviors are further associated with other factors such as their security attitudes (SA-6) and time passed since the breach, suggesting that PMT-based nudges are useful but insufficient to fully motivate users to change their passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.

Cryptography and Security,Human-Computer Interaction

Anuj Gautam,Tarun Kumar Yadav,Kent Seamons,Scott Ruoti

DOI: https://doi.org/10.48550/arXiv.2402.06159

2024-02-09

Abstract:Password-based authentication faces various security and usability issues. Password managers help alleviate some of these issues by enabling users to manage their passwords effectively. However, malicious client-side scripts and browser extensions can steal passwords after they have been autofilled by the manager into the web page. In this paper, we explore what role the password manager can take in preventing the theft of autofilled credentials without requiring a change to user behavior. To this end, we identify a threat model for password exfiltration and then use this threat model to explore the design space for secure password entry implemented using a password manager. We identify five potential designs that address this issue, each with varying security and deployability tradeoffs. Our analysis shows the design that best balances security and usability is for the manager to autofill a fake password and then rely on the browser to replace the fake password with the actual password immediately before the web request is handed over to the operating system to be transmitted over the network. This removes the ability for malicious client-side scripts or browser extensions to access and exfiltrate the real password. We implement our design in the Firefox browser and conduct experiments, which show that it successfully thwarts malicious scripts and extensions on 97\% of the Alexa top 1000 websites, while also maintaining the capability to revert to default behavior on the remaining websites, avoiding functionality regressions. Most importantly, this design is transparent to users, requiring no change to user behavior.

Cryptography and Security

Ruti Gafni,Tal Pavel,Raz Margolin,Ben Weiss

DOI: https://doi.org/10.36965/ojakm.2017.5(1)27-41

2017-05-04

Online Journal of Applied Knowledge Management

Abstract:Passwords are the standard means of registration and access to Websites, information systems, online services and various social networks. Databases are increasingly breached and social engineering is employed to obtain usernames and passwords for online fraud, therefore, there is a need to secure existing passwords, and to create ones that will be more crack-resistant. This study addresses the issue of personal data, which users enter on social networks, and incorporate in passwords, as well as how tracking and identifying this data assists hackers in cracking these passwords. The study focuses on Facebook, conducting an online anonymous questionnaire among 195 respondents, and an experiment among a voluntary response sample of 72 participants, in which passwords were tried to been deciphered by a custom dictionary attack. The findings confirm a link between the use of accessible online personal data and success rates of password deciphering. The findings underscore the grave threat to users’ information security - not only as a result of their voluntary exposure of personal data on social networks, but also due to the integration of this data into their passwords. The study argues the need to emphasize users' awareness to their password strength, with this vulnerability in mind.

Lu Yu,Li He,Jian Du,Xiaobo Wu

DOI: https://doi.org/10.1007/s10796-024-10531-9

2024-09-03

Information Systems Frontiers

Abstract:Dealing with privacy threats and adopting appropriate strategies to manage personal information have become crucial challenges for internet users. While adaptive problem-focused coping (APFC) has been extensively discussed in the literature on information privacy, little is known about maladaptive emotion-focused coping (MEFC). This paper proposes that individuals employ privacy protection motivation (a form of APFC) and privacy cynicism (a form of MEFC), according to their threat and coping appraisals. These two coping strategies will then influence their behaviour regarding the disclosure of personal information on the internet. Offering an empirical analysis of 346 samples of survey data from China, this paper reveals that privacy cynicism, which is mainly affected by deep concerns about privacy and high self-efficacy but low response efficacy, and inconsistency between users' motivations for protecting their privacy and their actual disclosure behavior are the reasons for the privacy paradox. This study provides crucial theoretical support and practical guidance for the privacy management of internet users' information.

computer science, information systems, theory & methods

Cem S. Sahin,Robert Lychev,Neal Wagner

DOI: https://doi.org/10.48550/arXiv.1512.05814

2015-12-18

Abstract:Although it is common for users to select bad passwords that can be easily cracked by attackers, password-based authentication remains the most widely-used method. To encourage users to select good passwords, enterprises often enforce policies. Such policies have been proven to be ineffectual in practice. Accurate assessment of a password's resistance to cracking attacks is still an unsolved problem, and our work addresses this challenge. Although the best way to determine how difficult it may be to crack a user-selected password is to check its resistance to cracking attacks employed by attackers in the wild, implementing such a strategy at an enterprise would be infeasible in practice. We first formalize the concepts of password complexity and strength with concrete definitions emphasizing their differences. Our framework captures human biases and many known techniques attackers use to recover stolen credentials in real life, such as brute-force attacks. Building on our definitions, we develop a general framework for calculating password complexity and strength that could be used in practice. Our approach is based on the key insight that an attacker's success at cracking a password must be defined by its available computational resources, time, function used to store that password, as well as the topology that bounds that attacker's search space based on that attacker's available inputs, transformations it can use to tweak and explore its inputs, and the path of exploration which can be based on the attacker's perceived probability of success. We also provide a general framework for assessing the accuracy of password complexity and strength estimators that can be used to compare other tools available in the wild.

Cryptography and Security

Philip Menard,Gregory J. Bott,Robert E. Crossler

DOI: https://doi.org/10.1080/07421222.2017.1394083

IF: 7.582

2017-10-02

Journal of Management Information Systems

Abstract:Managers desiring to protect information systems must understand how to most effectively motivate users to engage in secure behaviors. Information security researchers have frequently studied individuals’ performance of secure behaviors in response to threats. Protection motivation theory (PMT) has been used to explain individuals’ propensity to engage in voluntary secure behaviors, but the adaptation of this theory has yielded inconsistent results. Motivation as a measurable construct, as derived from self-determination theory (SDT), has never been included in or compared against PMT. In this study, we construct security messages that appeal to individuals’ intrinsic motivation, rather than fear, as a way to elicit secure responses. Using three sets of respondents, we integrated the SDT and PMT models and compared the native models in the context of security behaviors. We demonstrate that by using data- and individual-focused appeals and providing choices for users, managers may observe greater intention to engage in secure behavior among employees.

information science & library science,management,computer science, information systems

Ping Wang,Ding Wang,Xinyi Huang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20160483

2016-01-01

Abstract:Identity authentication is the first line of defense for information systems ,and passwords are the most widely used authentication method .Though there are a number of issues in passwords regarding security and usability , and various alternative authentication methods have also been successively proposed , password‐based authentication will remain the dominant method in the foreseeable future due to its simplicity ,low cost and easiness to change .T hus ,this topic has attracted extensive interests from worldwide researchers ,and many important results have been revealed .This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics ,distribution and reuse rate .Next we summarize the primary cracking algorithms that have appeared in the past 30 years , and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker .Then ,we revisit the various statistical‐based evaluation metrics for measuring the strength of password distributions .Further ,we compare the state‐of‐the‐art password strength meters .Finally ,we summarize our results and outline some future research trends .

Moritz Horsch,Johannes Braun,Dominique Metz,Johannes Buchmann

DOI: https://doi.org/10.48550/arXiv.1704.02883

2017-04-26

Abstract:It is practically impossible for users to memorize a large portfolio of strong and individual passwords for their online accounts. A solution is to generate passwords randomly and store them. Yet, storing passwords instead of memorizing them bears the risk of loss, e.g., in situations where the device on which the passwords are stored is damaged, lost, or stolen. This makes the creation of backups of the passwords indispensable. However, placing such backups at secure locations to protect them as well from loss and unauthorized access and keeping them up-to-date at the same time is an unsolved problem in practice. We present PASCO, a backup solution for passwords that solves this challenge. PASCO backups need not to be updated, even when the user's password portfolio is changed. PASCO backups can be revoked without having physical access to them. This prevents password leakage, even when a user loses control over a backup. Additionally, we show how to extend PASCO to enable a fully controllable emergency access. It allows a user to give someone else access to his passwords in urgent situations. We also present a security evaluation and an implementation of PASCO.

Cryptography and Security

Kim-Phuong L. Vu,Robert W. Proctor,Abhilasha Bhargav-Spantzel,Bik-Lam Tai,Joshua Cook,E. Eugene Schultz,Bik-Lam (Belin) Tai

DOI: https://doi.org/10.1016/j.ijhcs.2007.03.007

2007-08-01

Abstract:Personal information and organizational information need to be protected, which requires that only authorized users gain access to the information. The most commonly used method for authenticating users who attempt to access such information is through the use of username–password combinations. However, this is a weak method of authentication because users tend to generate passwords that are easy to remember but also easy to crack. Proactive password checking, for which passwords must satisfy certain criteria, is one method for improving the security of user-generated passwords. The present study evaluated the time and number of attempts needed to generate unique passwords satisfying different restrictions for multiple accounts, as well as the login time and accuracy for recalling those passwords. Imposing password restrictions alone did not necessarily lead to more secure passwords. However, the use of a technique for which the first letter of each word of a sentence was used coupled with a requirement to insert a special character and digit yielded more secure passwords that were more memorable.

computer science, cybernetics,ergonomics,psychology, multidisciplinary

John Sadik,Scott Ruoti

2024-09-05

Abstract:Password managers encourage users to generate passwords to improve their security. However, research has shown that users avoid generating passwords, often giving the rationale that it is difficult to enter generated passwords on devices without a password manager. In this paper, we conduct a survey ($n=999$) of individuals from the US, UK, and Europe, exploring the range of devices on which they enter passwords and the challenges associated with password entry on those devices. We find that password entry on devices without password managers is a common occurrence and comes with significant usability challenges. These usability challenges lead users to weaken their passwords to increase the ease of entry. We conclude this paper with a discussion of how future research could address these challenges and encourage users to adopt generated passwords.

Human-Computer Interaction,Computers and Society

Ali Cherry,Konstantinos Barmpis,Siamak F. Shahandashti

2024-07-12

Abstract:Existing approaches to facilitate the interaction between password managers and web applications fall short of providing adequate functionality and mitigation strategies against prominent attacks. HTML Autofill is not sufficiently expressive, Credential Management API does not support browser extension password managers, and other proposed solutions do not conform to established user mental models. In this paper, we propose Berytus, a browser-based governance framework that mediates the interaction between password managers and web applications. Two APIs are designed to support Berytus acting as an orchestrator between password managers and web applications. An implementation of the framework in Firefox is developed that fully supports registration and authentication processes. As an orchestrator, Berytus is able to authenticate web applications and facilitate authenticated key exchange between web applications and password managers, which as we show, can provide effective mitigation strategies against phishing, cross-site scripting, inline code injection (e.g., by a malicious browser extension), and TLS proxy in the middle attacks, whereas existing mitigation strategies such as Content Security Policy and credential tokenisation are only partially effective. The framework design also provides desirable functional properties such as support for multi-step, multi-factor, and custom authentication schemes. We provide a comprehensive security and functionality evaluation and discuss possible future directions.

Cryptography and Security

Assaf Morag,Liron David,Eran Toch,Avishai Wool

2024-06-06

Abstract:Passwords are the primary authentication method online, but even with password policies and meters, users still find it hard to create strong and memorable passwords. In this paper, we propose DPAR: a Data-driven PAssword Recommendation system based on a dataset of 905 million leaked passwords. DPAR generates password recommendations by analyzing the user's given password and suggesting specific tweaks that would make it stronger while still keeping it memorable and similar to the original password. We conducted two studies to evaluate our approach: verifying the memorability of generated passwords (n=317), and evaluating the strength and recall of DPAR recommendations against password meters (n=441). In a randomized experiment, we show that DPAR increased password strength by 34.8 bits on average and did not significantly affect the ability to recall their password. Furthermore, 36.6% of users accepted DPAR's recommendations verbatim. We discuss our findings and their implications for enhancing password management with recommendation systems.

Cryptography and Security,Human-Computer Interaction