Password Management Strategies for Online Accounts - PowerPoint PPT Presentation

Description: Non-compliance with password practices occurs and undermines the system ... Sites were also user categorized, i.e. message boards vs. banking, for strength and reuse ...

Slides: 15
Provided by: rajah8
Learn more at: http://cups.cs.cmu.edu
Transcript and Presenter's Notes

Title: Password Management Strategies for Online Accounts


1
Password Management Strategies for Online
Accounts
  • Gaw and Felten (optional reading)

2
Background
  • Users often are the enemy
  • Non-compliance with password practices occurs and
    undermines the system
  • Paper studies broad password practices
  • Proliferation of website logins
  • Quantifies and surveys the factors relating to
    password reuse

3
Related Work
  • Some papers have tried to address the problem of
    poor password practices
  • Some have suggested graphical passwords, i.e.
    pictures or points in an image
  • Others have looked at password hashing schemes
    with a master password

4
Study Details, 1
  • Users were asked to evaluate their likelihood of
    attack from different groups
  • How did users justify subverting password policy?
  • The study collected information from participants'
    login attempts to websites; participants were then
    asked how many passwords they used

5
Study Details, 2
  • First pass: participants were prompted with a
    list of sites by category
  • Record whether they have an account
  • If yes, they had 90 seconds to log in to the website
  • Success: write down the password. Failure: the user
    explains why
  • Recorded the number of passwords collected, the
    number of unique passwords, the size of classes of
    similar passwords, the number of password
    repetitions, and the number of passwords with
    related meanings

6
Study Details, 3
  • The second pass was open, with no list
  • Participants record all other sites they use a
    password for
  • The same statistics as in the first pass are
    aggregated

7
Results and Discussion
  • Participants forgot the password or username but
    not usually both
  • Even though they had a relatively small number of
    accounts (7-14), reuse still occurred
  • As the number of accounts grows, reuse frequency
    increases

8
User Priority and Password Justification, 1
  • Sites use login information for different things,
    e.g. e-commerce vs. New York Times.com
  • Varying levels of usage confuse users; they
    perceive little benefit from a strong, unique
    password
  • Number one reason for password reuse: "It will be
    easier for me to remember."

9
User Priority and Password Justification, 2
  • Participants also categorized sites, e.g. message
    boards vs. banking, when deciding on strength and
    reuse
  • Students were motivated toward unique passwords
    when financial information or personal
    correspondence was at stake

10
Password Storage
  • Memory was the number one storage tool
  • Some users used cookies, e.g. "remember me"
  • Others used the embedded features of their
    browser to remember their passwords
  • Still, these methods were far down the list in
    favor of memory

11
Who will attack?
  • Participants were asked to rank in terms of
    ability, then in terms of motivation, then in
    terms of both
  • One group felt that a non-affiliated person would
    have the most to gain and hence be the likely
    attacker
  • Others felt that those close to them had both the
    interest and the access, and hence would be the
    more likely attacker

12
Strength of Passwords
  • If those closest to us are most able to crack our
    passwords, then this should influence what users
    perceive as a strong password
  • By asking users to rank the security of 3
    different passwords, the authors attempted to
    understand the user perception of security
  • This led to the realization that most
    participants envisioned a human attacker using a
    guess-and-check methodology

13
Conclusions
  • Many password management tools do not support
    the user's main tool: memory
  • Instead of just filling in the user's password,
    management tools could display it against a
    low-contrast background until the user learns it;
    then it can be turned off
  • Also, websites can use challenge-response for
    password recovery instead of email

14
Conclusions, 2
  • Users misunderstand the nature of attacks and
    attackers
  • Explaining dictionary attacks in password
    strengthening tips helps.
  • Existing tools are not equipped to deal with the
    problem of password reuse
  • Users would most likely be able to adopt tools to
    aid them in password management