Why Johnny Can't Log In

A Usability Study and Critique of Two Password Managers
Sonia Chiasson, P.C. van Oorschot, and Robert Biddle

Overview
- Introduce PwdHash and Password Multiplier
- Usability Testing
- Study Details and Results
- Lessons Learned - Usability
- Lessons Learned - Security

Password Managers
- shift the burden of creating and remembering strong passwords away from users
- easier for users, better protection
- e.g. PwdHash (USENIX Security 2005), Password Multiplier (WWW 2005)

PwdHash
- type @@ in front of the passwords you want to protect
- yields a potentially different password for each site, derived from the user's password and the site's domain
- $\mathrm{hash}(pwd, dom) = \mathrm{PRF}_{pwd}(dom)$

Password Multiplier
- one master password: the user only needs to remember one password and the tool generates the others
- activate with Alt+P or by double-clicking
- $V = f_{k_1}(username, master\_pwd)$
- $site\_pwd = f_{k_2}(dom, master\_pwd, V)$
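The two derivations above, as an added example that is not part of the original slides and not the code of either tool: a Python model of PwdHash's hash(pwd, dom) = PRF_pwd(dom) and of Password Multiplier's two-stage V / site_pwd computation. The primitives are assumptions chosen to show the structure (HMAC-SHA256 as the PRF, PBKDF2-HMAC-SHA256 as f_k1 and f_k2 with made-up iteration counts, a 16-character base64 output, and the @@ prefix as the activation check); the real plug-ins use other primitives and encodings. pwdhash_submit also models the failure mode the study reports later: a password typed without the @@ prefix leaves the browser unchanged.

```python
"""Model of the PwdHash and Password Multiplier derivations (illustration only).

Assumptions, not taken from the slides or the tools: PRF = HMAC-SHA256,
f_k1 / f_k2 = PBKDF2-HMAC-SHA256 with k1 and k2 iterations, site passwords are
the first 16 characters of the base64 digest.
"""
import base64
import hashlib
import hmac
from typing import Tuple

PWDHASH_PREFIX = "@@"   # PwdHash activation: the user types @@ before the password
SITE_PWD_LENGTH = 16    # assumed length of generated site passwords


def _encode(raw: bytes) -> str:
    """Turn a digest into a password-shaped string (assumed encoding)."""
    return base64.b64encode(raw).decode("ascii")[:SITE_PWD_LENGTH]


def pwdhash_site_password(pwd: str, dom: str) -> str:
    """hash(pwd, dom) = PRF_pwd(dom): the user's password keys a PRF over the domain."""
    return _encode(hmac.new(pwd.encode(), dom.encode(), hashlib.sha256).digest())


def pwdhash_submit(typed: str, dom: str) -> Tuple[str, bool]:
    """What leaves the browser when a login form on `dom` is submitted.

    Only a password typed with the @@ prefix is replaced by the site-specific
    hash. Anything else is sent to the site unchanged: this is the "completed
    the task without activation" case from the study, where the user believes
    the password is protected but it is not. Returns (password_sent, protected).
    """
    if typed.startswith(PWDHASH_PREFIX):
        return pwdhash_site_password(typed[len(PWDHASH_PREFIX):], dom), True
    return typed, False


def multiplier_stage1(username: str, master_pwd: str, k1: int = 10_000) -> bytes:
    """V = f_k1(username, master_pwd): the expensive step, done once per master password."""
    return hashlib.pbkdf2_hmac("sha256", master_pwd.encode(), username.encode(), k1)


def multiplier_site_password(dom: str, master_pwd: str, v: bytes, k2: int = 1_000) -> str:
    """site_pwd = f_k2(dom, master_pwd, V): the cheaper per-site step.

    The domain and V form the salt so a look-alike domain yields an unrelated password.
    """
    raw = hashlib.pbkdf2_hmac("sha256", master_pwd.encode(), dom.encode() + b"\0" + v, k2)
    return _encode(raw)


def phishing_resistant(scheme_pwd_for, genuine: str, lookalike: str) -> bool:
    """True if the same credential produces different passwords on two domains,
    i.e. a password captured on a phishing site is useless on the real one."""
    return scheme_pwd_for(genuine) != scheme_pwd_for(lookalike)


if __name__ == "__main__":
    # Constructed sample inputs; no real accounts involved.
    user, master, sites = "alice", "correct horse battery", ["bank.example", "mail.example"]

    print("PwdHash (activated with @@):")
    for site in sites:
        print(f"  {site:14} -> {pwdhash_submit('@@' + master, site)}")
    print(f"  forgot the prefix -> {pwdhash_submit(master, sites[0])}  # plaintext sent!")

    v = multiplier_stage1(user, master)
    print("Password Multiplier:")
    for site in sites:
        print(f"  {site:14} -> {multiplier_site_password(site, master, v)}")

    print("Different password on a typosquat domain:",
          phishing_resistant(lambda d: pwdhash_site_password(master, d),
                             "bank.example", "bank-example.test"))
```

Running the file prints a distinct generated password per domain for both schemes and shows the case the usability results keep coming back to: the same master password typed without the @@ prefix is submitted verbatim, and nothing in the flow tells the user so.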

Usability Testing
- Is this usable? Are there problems?
- Need to observe real users; a few may not be enough
- Cannot just ask for users' opinions
- The user is not the weakest link, but your interface might be!

Study Details
- 26 participants from various degree programs, only 4 with technical backgrounds
- data collection
  - observational data: recording task outcomes, difficulties, obvious misconceptions, quotes
  - questionnaire data: initial attitudes, opinion after each task, post-study questionnaires
- 5 tasks for each plug-in, balanced order, written instructions, think-aloud protocol

Task Completion Results
(percentage of participants; "Dangerous Success" = task completed in a way that potentially causes a security exposure; the last three columns are failures, with "Failed due to Previous" meaning the task could not be completed because an earlier task had failed)

PwdHash              Success  Dangerous  Failure  False       Failed due
                              Success             Completion  to Previous
  Log In               48%      44%        8%       0%        N/A
  Migrate Pwd          42%      35%       11%      11%        N/A
  Remote Login         27%      42%       31%       0%        N/A
  Update Pwd           19%      65%        8%       8%        N/A
  Second Login         52%      28%        4%       0%        16%

Password Multiplier  Success  Dangerous  Failure  False       Failed due
                              Success             Completion  to Previous
  Log In               48%      44%        8%       0%        N/A
  Migrate Pwd          16%      32%       28%      20%        N/A
  Remote Login         N/A      N/A       N/A      N/A        N/A
  Update Pwd           16%       4%       44%      28%        N/A
  Second Login         16%       4%       16%       0%        16%

Questionnaire Responses
[chart: responses for PwdHash and Password Multiplier on a 1 (negative) to 5 (positive) scale for four measures: Perceived Security, Giving Control, Ease of Use, Perceived Necessity; the values are not recoverable from the extracted text]

Lessons Learned - Usability
- activation: "well I think it did something"; activating once is not enough
- lack of feedback, invisibility/transparency: participants completed tasks without activation
- frustration and misconceptions: participants gave up on tasks and misunderstood how the system deals with passwords

Lessons Learned - Security
- usability problems lead to security vulnerabilities
- false sense of security
- the benefits rely on correct operation (a password entered without activating the plug-in gets no protection)

Conclusion
- usability is a concern because it can directly lead to security vulnerabilities
- systems must be tested with real users
- transparency is not always good
- systems must support users' mental models

For more info: http://www.scs.carleton.ca/~schiasso/
